Using 802.1X With Voice VLAN Ports; Using 802.1X With VLAN Assignment - Cisco WS-C3560-48PS-S Software Configuration Manual

Understanding 802.1X Port-Based Authentication

Catalyst 3560 Switch Software Configuration Guide, 78-16156-01, Chapter 9 "Configuring 802.1X Port-Based Authentication," page 9-6

• When you manually remove an 802.1X client address from the port security table by using the no switchport port-security mac-address mac-address interface configuration command, you should re-authenticate the 802.1X client by using the dot1x re-authenticate interface interface-id privileged EXEC command.
• When an 802.1X client logs off, the port transitions to an unauthenticated state, and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then takes place.
• If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.
• Port security and a voice VLAN can be configured simultaneously on an 802.1X port that is in either single-host or multiple-hosts mode. Port security applies to both the voice VLAN identifier (VVID) and the port VLAN identifier (PVID).

For more information about enabling port security on your switch, see the "Configuring Port Security" section on page 20-7.

Using 802.1X with Voice VLAN Ports

A voice VLAN port is a special access port associated with two VLAN identifiers:
• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.

Each port that you configure for a voice VLAN is associated with a PVID and a VVID. This configuration allows voice traffic and data traffic to be separated onto different VLANs.

The IP phone uses the VVID for its voice traffic regardless of the authorized or unauthorized state of the port. This allows the phone to work independently of 802.1X authentication.

When you enable the single-host mode, multiple IP phones are allowed on the VVID, but only one 802.1X client is allowed on the PVID. When you enable the multiple-hosts mode, once an 802.1X user is authenticated on the primary VLAN, additional clients on the voice VLAN are unrestricted.

A voice VLAN port becomes active when there is link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When 802.1X is enabled on a voice VLAN port, the switch drops packets from unrecognized IP phones more than one hop away.

When 802.1X is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.

For more information about voice VLANs, see Chapter 14, "Configuring Voice VLAN."

Using 802.1X with VLAN Assignment

The RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the client connected to the switch port. You can use this feature to limit network access for certain users.
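The following Catalyst 3560 IOS configuration is an added example, not part of the Cisco guide, that ties the three topics above together on one port: port security and a voice VLAN on the same 802.1X port, a PVID that differs from the VVID, and the AAA authorization needed for RADIUS-based VLAN assignment. The interface name, VLAN IDs, RADIUS server address and shared secret are constructed placeholders. The RADIUS attribute numbers in the comments are the standard IETF tunnel attributes (RFC 3580), not values taken from this page.

```cisco
! Added example (not from the Cisco guide). Interface, VLAN IDs, server address
! and shared secret are constructed placeholders; replace them with your own.
!
! --- Global AAA: authenticate 802.1X users against RADIUS and accept RADIUS
! --- authorization attributes (required for per-user VLAN assignment).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
!
! For VLAN assignment, the RADIUS Access-Accept for the user carries:
!   [64] Tunnel-Type             = VLAN (13)
!   [65] Tunnel-Medium-Type      = 802 (6)
!   [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID, for example "20"
! The assigned VLAN becomes the port VLAN (PVID), so by the rule above it
! must not be the same ID as the voice VLAN.
!
! --- One voice VLAN port: PVID 20 for the workstation, VVID 120 for the phone.
! --- The two IDs must differ when 802.1X is enabled on the port.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 120
 ! single-host (the default): many phones are allowed on the VVID, one 802.1X
 ! client on the PVID. Use "dot1x host-mode multi-host" to allow additional
 ! clients once the first user on the PVID is authenticated.
 dot1x port-control auto
 dot1x host-mode single-host
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 ! Port security applies to both the VVID and the PVID. Maximum 3 = one
 ! workstation on the PVID plus two for the phone, which is typically learned
 ! on both VLANs. "restrict" logs and counts violations instead of
 ! err-disabling the port.
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 spanning-tree portfast
```

To confirm the result, show dot1x interface FastEthernet0/1 reports the host mode and authorization state, and show port-security interface FastEthernet0/1 reports the secure address count and the violation count. If you later remove a client address with no switchport port-security mac-address, force the client through authentication again with dot1x re-authenticate interface FastEthernet0/1, as the guide directs.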
