Table of Contents
Advertisement
Chapter 8
Configuring IEEE 802.1x Port-Based Authentication
•
•
Using IEEE 802.1x Authentication with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
•
•
The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This
allows the phone to work independently of IEEE 802.1x authentication.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode,
additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID.
When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the
VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the
first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices.
As a result, if several IP phones are connected in series, the switch recognizes only the one directly
connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops
packets from unrecognized IP phones more than one hop away.
When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal
to a voice VLAN.
If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and
Note
to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30
seconds.
For more information about voice VLANs, see
Using IEEE 802.1x Authentication with Port Security
You can configure an IEEE 802.1x port with port security in either single-host or multiple-hosts mode.
(You also must configure port security on the port by using the switchport port-security interface
configuration command.) When you enable port security and IEEE 802.1x authentication on a port,
IEEE 802.1x authentication authenticates the port, and port security manages network access for all
MAC addresses, including that of the client. You can then limit the number or group of clients that can
access the network through an IEEE 802.1x port.
OL-8915-03
Voice VLAN—Inaccessible authentication bypass is compatible with voice VLAN, but the
RADIUS-configured or user-specified access VLAN and the voice VLAN must be different.
Remote Switched Port Analyzer (RSPAN)—Do not configure an RSPAN VLAN as the
RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass.
VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone
connected to the port.
PVID to carry the data traffic to and from the workstation connected to the switch through the IP
phone. The PVID is the native VLAN of the port.
Understanding IEEE 802.1x Port-Based Authentication
Chapter 13, "Configuring Voice VLAN."
Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide
8-15
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
