Using IEEE 802.1x with Wake-on-LAN; Unidirectional State; Bidirectional State - Cisco Catalyst 2950 Software Configuration Manual

Understanding IEEE 802.1x Port-Based Authentication
Any number of IEEE 802.1x-incapable clients are allowed access when the switch port is moved to the
guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is
configured, the port is put into the unauthorized state in the user-configured access VLAN, and
authentication is restarted.
Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.
You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x
guest VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access
ports.
For configuration steps, see the "Configuring a Guest VLAN" section on page 9-21.

Using IEEE 802.1x with Wake-on-LAN

The IEEE 802.1x wake-on-LAN (WoL) feature allows dormant PCs to be powered on based on the
receipt of a specific Ethernet frame, known as the magic packet. This feature is used in environments
where administrators need to connect to systems that have been powered down.
The use of WoL with hosts attached through IEEE 802.1x ports presents a unique problem: when the
host powers down, the IEEE 802.1x port becomes unauthorized. In this state, the port allows only the
receipt and transmission of EAPOL packets. Therefore, WoL magic packets cannot reach the host.
Without powering up, the PC is not authenticated and the port is not opened.
The IEEE 802.1x with WoL feature solves this problem by allowing packets to be sent to unauthorized
IEEE 802.1x ports. This feature is also known as the Unidirectional Controlled Port in the IEEE 802.1x
specification.
If PortFast is not enabled on the port, the port is forced to a bidirectional state.

Unidirectional State

When you configure a port as a unidirectional port by using the "dot1x control-direction in" interface
configuration command, the port changes to the spanning-tree forwarding state.
When WoL is enabled, the connected host is in the sleeping mode or power-down state, and the host does
not exchange traffic with other devices in the network. A host connected to the unidirectional port
cannot send traffic to the network; it can only receive traffic from other devices in the network.
If the unidirectional port receives incoming traffic, the port returns to the bidirectional (default) state,
and the spanning-tree state changes to the blocking state. When the port changes to the initialize state, no
traffic other than EAPOL packets is allowed. When the port returns to the bidirectional state, the switch
starts a 5-minute timer. If the port is not authenticated before the timer expires, the port becomes a
unidirectional port.

Bidirectional State

When you configure a port as a bidirectional port by using the "dot1x control-direction both" interface
configuration command, the port is access-controlled in both directions. In this state, the switch port
does not receive or send packets.
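
The following added example (not part of the Cisco manual) audits interface stanzas of a saved running-config and reports each IEEE 802.1x port's configured and effective control direction, applying the rule above that a port without PortFast is forced to the bidirectional state. The sample configuration is constructed, and the script assumes PortFast is enabled per interface with "spanning-tree portfast"; it does not consider any global PortFast setting.

```python
import re

# Constructed sample running-config (not from the original page).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 dot1x port-control auto
 dot1x control-direction in
!
interface FastEthernet0/2
 switchport mode access
 dot1x port-control auto
 dot1x control-direction in
!
interface FastEthernet0/3
 switchport mode access
 spanning-tree portfast
 dot1x port-control auto
!
"""

def audit_control_direction(config):
    """Return {interface: (configured, effective)} for 802.1x ports."""
    results = {}
    # An interface stanza is the header line plus the indented lines after it.
    for match in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        name, body = match.group(1), match.group(2)
        lines = [ln.strip() for ln in body.splitlines()]
        if "dot1x port-control auto" not in lines:
            continue  # not an 802.1x-controlled port
        # "both" (bidirectional) is the default when no control-direction line exists.
        configured = "in" if "dot1x control-direction in" in lines else "both"
        portfast = "spanning-tree portfast" in lines
        # Per the manual: without PortFast the port is forced to bidirectional.
        effective = "in" if configured == "in" and portfast else "both"
        results[name] = (configured, effective)
    return results

def wol_blocked(results):
    """Ports configured for WoL ('in') whose effective state is still bidirectional."""
    return sorted(p for p, (cfg, eff) in results.items() if cfg == "in" and eff == "both")

if __name__ == "__main__":
    audit = audit_control_direction(SAMPLE_CONFIG)
    for port, (cfg, eff) in audit.items():
        print(f"{port}: configured={cfg} effective={eff}")
    print("WoL will not work on:", wol_blocked(audit))
```

Ports whose effective direction is "in" pass network traffic to a host that has not authenticated, so the first column of the report also serves as the list of ports to review when deciding where WoL is actually needed.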
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide, Chapter 9: Configuring IEEE 802.1x Port-Based Authentication, page 9-10 (78-11380-12)
