Using 802.1X With Voice Vlan Ports; Supported Topologies - Cisco 4500M Software Manual


Understanding 802.1X Port-Based Authentication

Using 802.1X with Voice VLAN Ports

A voice VLAN port is a special access port associated with two VLAN identifiers:

• Voice VLAN ID (VVID) to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
• Port VLAN ID (PVID) to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.

Each port that you configure for a voice VLAN is associated with a VVID and a PVID. This configuration allows voice traffic and data traffic to be separated onto different VLANs.

When you enable the single-host mode, only one 802.1X client is allowed on the primary VLAN; other workstations are blocked. When you enable the multiple-hosts mode and an 802.1X client is authenticated on the primary VLAN, additional clients on the voice VLAN are unrestricted after 802.1X authentication succeeds on the primary VLAN.

A voice VLAN port becomes active when there is a link, and the device MAC address appears in the MAC-address table after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When 802.1X is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.

When 802.1X is enabled on a port, you cannot configure a PVID that is equal to a VVID. For more information about voice VLANs, see Chapter 30, "Configuring Voice Interfaces."

Be aware of the following feature interactions:

• 802.1X VLAN assignment cannot assign to the port the same VLAN as the voice VLAN; otherwise, the 802.1X authentication will fail.
• 802.1X guest VLAN works with the 802.1X voice VLAN port feature. However, the guest VLAN cannot be the same as the voice VLAN.
• 802.1X port security works with the 802.1X voice VLAN port feature and is configured per port. Three secure addresses must be configured: one for the Cisco IP phone MAC address on the VVID, one for the PC MAC address on the PVID, and a third to allow the Cisco IP phone MAC address on the PVID. However, you cannot use the 802.1X voice VLAN port feature with 802.1X port security's sticky MAC address configuration and 802.1X port security's statically configured MAC address configuration.
• 802.1X accounting is unaffected by the 802.1X voice VLAN port feature.
• When 802.1X is configured on a port, you cannot connect multiple IP phones to a Catalyst 4500 series switch through a hub.

Supported Topologies

The 802.1X port-based authentication supports two topologies:

• Point to point
• Wireless LAN

In a point-to-point configuration (see Figure 31-1 on page 31-2), only one client can be connected to the 802.1X-enabled switch port when the multi-host mode is not enabled (the default). The switch detects the client when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.

Chapter 31, Understanding and Configuring 802.1X Port-Based Authentication. Software Configuration Guide—Release 12.2(25)EW, OL-6696-01, page 31-10.
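
A configuration audit for the voice VLAN rules, as an added example that is not part of the Cisco manual: it checks one interface stanza against the feature interactions listed under "Using 802.1X with Voice VLAN Ports". The IOS command forms, the sample stanza, the function name and the `assigned_vlan` parameter are assumptions made for the example.

```python
import re

# Constructed sample stanza (not from the manual). The command forms are the
# usual IOS interface commands and are an assumption; the page shows none.
SAMPLE = """\
interface GigabitEthernet2/1
 switchport access vlan 20
 switchport voice vlan 20
 dot1x port-control auto
 dot1x guest-vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
"""

def audit_voice_vlan_port(stanza, assigned_vlan=None):
    """List the manual's 802.1X voice VLAN rules that this stanza breaks."""
    # assigned_vlan (hypothetical input): VLAN RADIUS would assign to the port.
    lines = [line.strip() for line in stanza.splitlines()]

    def number(pattern):
        for line in lines:
            match = re.fullmatch(pattern, line)
            if match:
                return int(match.group(1))
        return None

    vvid = number(r"switchport voice vlan (\d+)")
    if vvid is None or "dot1x port-control auto" not in lines:
        return []  # the rules apply only to 802.1X-enabled voice VLAN ports
    pvid = number(r"switchport access vlan (\d+)") or 1  # assumed default: VLAN 1
    findings = []
    if pvid == vvid:
        findings.append("PVID equals VVID")
    if assigned_vlan == vvid:
        findings.append("assigned VLAN equals voice VLAN")
    if number(r"dot1x guest-vlan (\d+)") == vvid:
        findings.append("guest VLAN equals voice VLAN")
    if "switchport port-security" in lines:
        # Phone on VVID, PC on PVID, phone on PVID; assumed default maximum: 1.
        if (number(r"switchport port-security maximum (\d+)") or 1) < 3:
            findings.append("fewer than three secure addresses")
        if any(l.startswith("switchport port-security mac-address") for l in lines):
            findings.append("sticky or static secure MAC address")
    return findings

if __name__ == "__main__":
    print(audit_voice_vlan_port(SAMPLE))
```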
