Using 802.1X With Voice Vlan Ports - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

Chapter 44: Configuring 802.1X Port-Based Authentication
Software Configuration Guide, Release IOS XE 3.3.0SG and IOS 15.1(1)SG (OL-25340-01)

About 802.1X Port-Based Authentication

Using 802.1X with Voice VLAN Ports

A voice VLAN port is a special access port associated with two VLAN identifiers:

- Voice VLAN ID (VVID) to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
- Port VLAN ID (PVID) to carry the data traffic to and from the workstation connected to the switch using the IP phone. The PVID is the native VLAN of the port.

Each port that you configure for a voice VLAN is associated with a VVID and a PVID. This configuration allows voice traffic and data traffic to be separated onto different VLANs.

A voice VLAN port becomes active when a link exists whether the port is AUTHORIZED or UNAUTHORIZED. All traffic exiting the voice VLAN is obtained correctly and appears in the MAC address table. Cisco IP phones do not relay CDP messages from other devices. If several Cisco IP phones are connected in a series, the switch recognizes only the one directly connected to it. When 802.1X is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.

When 802.1X is enabled on a port, you cannot configure a PVID that is equal to a VVID. For more information about voice VLANs, see Chapter 41, "Configuring Voice Interfaces."

Observe the following feature interactions:

- 802.1X VLAN assignment cannot assign to the port the same VLAN as the voice VLAN; otherwise, the 802.1X authentication fails. The same holds true for dynamic VLAN assignment.
- 802.1X guest VLAN works with the 802.1X voice VLAN port feature. However, the guest VLAN cannot be the same as the voice VLAN.
- 802.1X port security works with the 802.1X voice VLAN port feature and is configured per-port. Two MAC addresses must be configured: one for the Cisco IP phone MAC address on the VVID and one for the PC MAC address on PVID.
  However, you cannot use the 802.1X voice VLAN port feature with 802.1X port security's sticky MAC address configuration and statically configured MAC address configuration.
- 802.1X accounting is unaffected by the 802.1X voice VLAN port feature.
- When 802.1X is configured on a port, you cannot connect multiple IP phones to a Catalyst 4500 series switch through a hub.
- Because voice VLANs cannot be configured as PVLAN host ports, and because only PVLANs can be assigned to PVLAN host ports, VLAN assignment cannot assign a PVLAN to a port with a voice VLAN configured.

For details on how to configure 802.1X with voice VLANs, see the "Configuring 802.1X with Voice VLAN" section on page 44-70.

Using Multiple Domain Authentication and Multiple Authentication

Multiple Domain Authentication (MDA) allows both a data device and a voice device, such as an IP phone (Cisco or third party non-Cisco), to authenticate on the same switch port, which is divided into a data domain and a voice domain.

Multi Auth allows multiple data devices and a voice device. When a voice VLAN is configured on a multiple-authentication port, the port can perform authentication in the voice domain as on an MDA port.
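A configuration audit for the voice VLAN restrictions listed under "Using 802.1X with Voice VLAN Ports", as an added example that is not part of the Cisco guide: it flags 802.1X voice VLAN ports whose PVID or guest VLAN equals the VVID, or that carry sticky or static port-security MAC addresses. The sample running-config is constructed, and treating "switchport access vlan" as the PVID is an assumption.

```python
import re

# Constructed sample running-config (not taken from the Cisco guide).
SAMPLE_CONFIG = """\
interface GigabitEthernet2/1
 switchport access vlan 10
 switchport voice vlan 110
 authentication port-control auto
 authentication event no-response action authorize vlan 20
!
interface GigabitEthernet2/2
 switchport access vlan 110
 switchport voice vlan 110
 authentication port-control auto
 authentication event no-response action authorize vlan 110
 switchport port-security mac-address sticky
!
interface GigabitEthernet2/3
 switchport access vlan 110
 switchport voice vlan 110
"""

def first_int(pattern, body):
    m = re.search(pattern, body, re.M)
    return int(m.group(1)) if m else None

def audit(config):
    """Return {interface: [findings]} for ports running 802.1X with a voice VLAN."""
    report = {}
    for name, body in re.findall(r"^interface (\S+)\n((?:[ \t].*\n?)*)", config, re.M):
        vvid = first_int(r"^ *switchport voice vlan (\d+)", body)
        dot1x = re.search(r"^ *(?:authentication|dot1x) port-control auto", body, re.M)
        if vvid is None or not dot1x:
            continue  # the restrictions apply only when both features are enabled
        findings = []
        if first_int(r"^ *switchport access vlan (\d+)", body) == vvid:  # assumed PVID
            findings.append("PVID equals VVID")
        guest = first_int(r"^ *authentication event no-response action authorize vlan (\d+)", body)
        if guest == vvid:
            findings.append("guest VLAN equals voice VLAN")
        if re.search(r"^ *switchport port-security mac-address (?:sticky|[0-9a-fA-F]{4}\.)", body, re.M):
            findings.append("sticky or static port-security MAC on 802.1X voice VLAN port")
        report[name] = findings
    return report

if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(port, findings or "OK")
```

The rule that 802.1X VLAN assignment must not return the voice VLAN is set in the RADIUS policy, which is not visible in the switch configuration, so this check does not cover it.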
