EasyManuals Logo

Cisco Catalyst 4500 Series Administration Guide

Cisco Catalyst 4500 Series
1814 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #1163 background imageLoading...
Page #1163 background image
46-25
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 46 Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication
• When a port host mode is changed from single- or multihost to multidomain mode, an authorized
data device remains authorized on the port. However, a Cisco IP phone that was allowed on the port
in the voice VLAN is automatically removed and must be reauthenticated on that port.
• Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a
port changes from single- or multihost mode to multidomain mode.
• Switching a port host mode from multidomain to single- or multihost mode removes all authorized
devices from the port.
• If a data domain is authorized first and placed in the guest VLAN, non-802.1X-capable voice
devices need to tag their packets on the voice VLAN to trigger authentication.
• We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a
per-user ACL policy might impact traffic on both the voice and data VLANs of the port. If used,
only one device on the port should enforce per-user ACLs.
Multi-Authentication Per User VLAN Authentication
The Multi-auth Per User VLAN assignment feature allows you to create multiple operational access
VLANs based on VLANs assigned to the clients on the port that has a single configured access VLAN.
The port configured as an access port where the traffic for all the VLANs associated with data domain
is not dot1q tagged, and these VLANs are treated as native VLANs.
The number of hosts per multi-auth port is 8, however there can be more hosts.
Note The Multi-auth Per User VLAN assignment feature is not supported for Voice domain. All clients in
Voice domain on a port must use the same VLAN.
The following scenarios are associated with the multi-auth Per User VLAN assignments:
Scenario One
When a hub is connected to an access port, and the port is configured with an access VLAN (V0).
The host (H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed
to V1. This behavior is similar on a single-host or multi-domain-auth port.
When a second host (H2) is connected and gets assigned to VLAN ( V2), the port will have two
operational VLANs (V1 and V2). If H1 and H2 sends untagged ingress traffic, H1 traffic is mapped to
VLAN (V1) and H2 traffic to VLAN (V2), all egress traffic going out of the port on VLAN (V1) and
VLAN (V2) are untagged.
If both the hosts, H1 and H2 are logged out or the sessions are removed due to some reason then VLAN
(V1) and VLAN (V2) are removed from the port, and the configured VLAN (V0) is restored on the port.
Scenario Two
When a hub is connected to an access port, and the port is configured with an access VLAN (V0). The
host (H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed to
V1.
When a second host (H2) is connected and gets authorized without explicit vlan policy, H2 is expected
to use the configured VLAN (V0) that is restored on the port. All egress traffic going out of two
operational VLANs, VLAN (V0) and VLAN (V1) are untagged.
If host (H2) is logged out or the session is removed due to some reason then the configured VLAN (V0)
is removed from the port, and VLAN (V1) becomes the only operational VLAN on the port.

Table of Contents

Other manuals for Cisco Catalyst 4500 Series

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco Catalyst 4500 Series and is the answer not in the manual?

Cisco Catalyst 4500 Series Specifications

General IconGeneral
SeriesCatalyst 4500 Series
CategorySwitch
Layer SupportLayer 2, Layer 3
Form FactorModular chassis
StackableNo
Chassis Slots3, 6, 7, 10
Power Supply OptionsAC, DC
RedundancyPower supply, Supervisor engine
Network ManagementCisco IOS Software CLI, SNMP, Cisco Prime Infrastructure
FeaturesSecurity, QoS
Port DensityUp to 384 ports per chassis
Security Features802.1X, ACLs, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
Supervisor Engine8-E

Related product manuals