
Cisco Catalyst 4500 Series Software Configuration Guide

Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 49 Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication
Using 802.1X with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
- Voice VLAN ID (VVID) to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
- Port VLAN ID (PVID) to carry the data traffic to and from the workstation connected to the switch using the IP phone. The PVID is the native VLAN of the port.
Each port that you configure for a voice VLAN is associated with a VVID and a PVID. This configuration allows voice traffic
and data traffic to be separated onto different VLANs.
A voice VLAN port becomes active when a link exists whether the port is AUTHORIZED or UNAUTHORIZED. All traffic
exiting the voice VLAN is obtained correctly and appears in the MAC address table. Cisco IP phones do not relay CDP
messages from other devices. If several Cisco IP phones are connected in a series, the switch recognizes only the one directly
connected to it. When 802.1X is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones
more than one hop away.
When 802.1X is enabled on a port, you cannot configure a PVID that is equal to a VVID. For more information about voice
VLANs, see Chapter 46, “Configuring Voice Interfaces.”
Observe the following feature interactions:
- 802.1X VLAN assignment cannot assign to the port the same VLAN as the voice VLAN; otherwise, the 802.1X authentication fails. The same holds true for dynamic VLAN assignment.
- 802.1X guest VLAN works with the 802.1X voice VLAN port feature. However, the guest VLAN cannot be the same as the voice VLAN.
- 802.1X port security works with the 802.1X voice VLAN port feature and is configured per-port. Two MAC addresses must be configured: one for the Cisco IP phone MAC address on the VVID and one for the PC MAC address on PVID. However, you cannot use the 802.1X voice VLAN port feature with 802.1X port security’s sticky MAC address configuration and statically configured MAC address configuration.
- 802.1X accounting is unaffected by the 802.1X voice VLAN port feature.
- When 802.1X is configured on a port, you cannot connect multiple IP phones to a Catalyst 4500 series switch through a hub.
- Because voice VLANs cannot be configured as PVLAN host ports, and because only PVLANs can be assigned to PVLAN host ports, VLAN assignment cannot assign a PVLAN to a port with a voice VLAN configured.
For details on how to configure 802.1X with voice VLANs, see the “Configuring 802.1X with Voice VLAN” section on
page 49-73.
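The restrictions above can be checked in a candidate configuration before it is pushed to a switch. The following Python sketch is an added example, not code from the Cisco guide: it flags 802.1X voice VLAN ports whose PVID or guest VLAN equals the VVID, or that carry sticky or static port-security MAC addresses. The sample configuration is constructed, and the interface names and VLAN numbers are assumptions.

```python
import re

# Constructed sample running-config fragment (not taken from the guide).
SAMPLE_CONFIG = """\
interface GigabitEthernet2/1
 switchport access vlan 10
 switchport voice vlan 20
 authentication port-control auto
!
interface GigabitEthernet2/2
 switchport access vlan 20
 switchport voice vlan 20
 authentication event no-response action authorize vlan 20
 authentication port-control auto
 switchport port-security mac-address sticky
!
interface GigabitEthernet2/3
 switchport access vlan 30
 switchport voice vlan 30
"""

IFACE = re.compile(r"^interface (\S+)[ \t]*\n((?: .*\n?)*)", re.M)
DOT1X = re.compile(r"(?:authentication|dot1x) port-control auto")
GUEST = r"(?:authentication event no-response action authorize vlan|dot1x guest-vlan) (\d+)"

def vlan(lines, pattern):
    """Return the VLAN ID from the first line matching pattern, or None."""
    hits = (re.fullmatch(pattern, l) for l in lines)
    return next((int(m.group(1)) for m in hits if m), None)

def audit(text):
    """Return (interface, finding) pairs for ports running 802.1X with a voice VLAN."""
    findings = []
    for name, body in IFACE.findall(text):
        lines = [l.strip() for l in body.splitlines()]
        vvid = vlan(lines, r"switchport voice vlan (\d+)")
        if vvid is None or not any(DOT1X.fullmatch(l) for l in lines):
            continue  # restrictions apply only when 802.1X and a voice VLAN coexist
        pvid = vlan(lines, r"switchport access vlan (\d+)") or 1  # access VLAN defaults to 1
        guest = vlan(lines, GUEST)
        checks = [(pvid == vvid, "PVID equals VVID"),
                  (guest == vvid, "guest VLAN equals voice VLAN"),
                  (any(l.startswith("switchport port-security mac-address ") for l in lines),
                   "sticky or static port-security MAC address")]
        findings += [(name, msg) for bad, msg in checks if bad]
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

VLANs assigned dynamically by the RADIUS server do not appear in the switch configuration, so that restriction has to be checked in the authentication server's policy instead.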
Using Voice Aware 802.1x Security
You use the voice aware 802.1x security feature to configure the switch to disable only the VLAN on which a security violation
occurs, whether it is a data or voice VLAN. In previous releases, when an attempt to authenticate the data client caused a
security violation, the entire port shut down, resulting in a complete loss of connectivity.
You can use this feature in IP phone deployments where a PC is connected to the IP phone. A security violation found on the
data VLAN results in the shutdown of only the data VLAN. The traffic on the voice VLAN flows through the switch without
interruption.
For information on configuring voice aware 802.1x security, see the “Configuring Voice Aware 802.1x Security” section on
page 49-74.


Cisco Catalyst 4500 Series Specifications

General
Series: Catalyst 4500 Series
Category: Switch
Layer Support: Layer 2, Layer 3
Form Factor: Modular chassis
Stackable: No
Chassis Slots: 3, 6, 7, 10
Power Supply Options: AC, DC
Redundancy: Power supply, Supervisor engine
Network Management: Cisco IOS Software CLI, SNMP, Cisco Prime Infrastructure
Features: Security, QoS
Port Density: Up to 384 ports per chassis
Security Features: 802.1X, ACLs, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
Supervisor Engine: 8-E
