Using 802.1X With Voice Vlan Ports; Using 802.1X With Vlan Assignment - Cisco 2950 - Catalyst Switch Configuration Manual

Software configuration guide

Chapter 10
Configuring 802.1x Port-Based Authentication
Understanding 802.1x Port-Based Authentication
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide, 78-11380-10, page 10-7

Using 802.1x with Voice VLAN Ports

A voice VLAN port is a special access port associated with two VLAN identifiers:

• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.

Each port that you configure for a voice VLAN is associated with a PVID and a VVID. This configuration allows voice traffic and data traffic to be separated onto different VLANs.

When you enable the single-host mode, only one 802.1x client is allowed on the primary VLAN; other workstations are blocked. When you enable the multiple-hosts mode and an 802.1x client is authenticated on the primary VLAN, additional clients on the voice VLAN are unrestricted after 802.1x authentication succeeds on the primary VLAN.

A voice VLAN port becomes active when there is link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When 802.1x is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.

When 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.

For more information about voice VLANs, see Chapter 19, "Configuring Voice VLAN."

Using 802.1x with VLAN Assignment

For switches running the EI, you can limit network access for certain users by using VLAN assignment. After successful 802.1x authentication of a port, the RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database maintains the username-to-VLAN mappings, which assign the VLAN based on the username of the client connected to the switch port.

When configured on the switch and the RADIUS server, 802.1x with VLAN assignment has these characteristics:

• If no VLAN is supplied by the RADIUS server or if 802.1x authorization is disabled, the port is configured in its access VLAN after successful authentication.
• If 802.1x authorization is enabled but the VLAN information from the RADIUS server is not valid, the port returns to the unauthorized state and remains in the configured access VLAN. This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error. Configuration errors could include a VLAN specified for a routed port, a malformed VLAN ID, a nonexistent or internal (routed port) VLAN ID, or an attempted assignment to a voice VLAN ID.
• If 802.1x authorization is enabled and all information from the RADIUS server is valid, the port is placed in the specified VLAN after authentication.
• If the multiple-hosts mode is enabled on an 802.1x port, all hosts are placed in the same VLAN (specified by the RADIUS server) as the first authenticated host.
• If port security is enabled on an 802.1x port with VLAN assignment, the port is placed in the RADIUS server-assigned VLAN.
• If 802.1x is disabled on the port, it is returned to the configured access VLAN.
• When the port is in the force-authorized, force-unauthorized, unauthorized, or shutdown state, it is placed in the configured access VLAN.
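The VLAN-assignment rules above, modeled as an added example (not code from the Cisco guide): a switch-side decision function that takes the attributes of a RADIUS Access-Accept and decides which VLAN the port lands in and whether it stays authorized, failing closed into the access VLAN on any invalid assignment. The attribute names (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) are the standard RFC 3580 ones and are an assumption, since this page does not list them; the VLAN table, the port's access and voice VLANs, and the numeric-only VLAN IDs are constructed for illustration.

```python
# Added example, not code from the Cisco guide. Models the decision the page
# describes: after 802.1x authentication succeeds, the RADIUS-supplied VLAN is
# validated and the port either moves to it or fails closed into the access VLAN.
# Attribute names follow RFC 3580 (assumption: this page does not list them);
# the VLAN table and port VLANs are constructed; VLAN names are not handled.

ACCESS_VLAN = 10   # the port's configured access VLAN (PVID), constructed
VOICE_VLAN = 110   # the port's voice VLAN (VVID), constructed
# constructed VLAN table: id -> "data", "voice", or "internal" (routed-port VLAN)
VLAN_TABLE = {1: "data", 10: "data", 20: "data", 110: "voice", 1025: "internal"}


def assigned_vlan_from_radius(attrs):
    """Return the VLAN ID carried in an Access-Accept, or None if no VLAN is
    supplied. Raises ValueError for a malformed assignment."""
    if "Tunnel-Private-Group-ID" not in attrs:
        return None
    if attrs.get("Tunnel-Type") != "VLAN" or attrs.get("Tunnel-Medium-Type") != "IEEE-802":
        raise ValueError("tunnel attributes do not describe an 802 VLAN")
    raw = str(attrs["Tunnel-Private-Group-ID"])
    if not raw.isdigit() or not 1 <= int(raw) <= 4094:
        raise ValueError("malformed VLAN ID %r" % raw)
    return int(raw)


def authorize_port(attrs, authorization_enabled=True):
    """Decide (port_state, vlan) once 802.1x authentication has succeeded.

    No VLAN supplied or authorization disabled -> authorized in the access VLAN.
    Invalid VLAN (malformed, nonexistent, internal/routed, or a voice VLAN) ->
    the port returns to unauthorized and stays in the access VLAN.
    Valid VLAN -> authorized in the RADIUS-assigned VLAN.
    """
    if not authorization_enabled:
        return ("authorized", ACCESS_VLAN)
    try:
        vlan = assigned_vlan_from_radius(attrs)
    except ValueError:
        return ("unauthorized", ACCESS_VLAN)   # fail closed on a bad assignment
    if vlan is None:
        return ("authorized", ACCESS_VLAN)
    kind = VLAN_TABLE.get(vlan)
    if kind is None or kind in ("internal", "voice"):
        return ("unauthorized", ACCESS_VLAN)
    return ("authorized", vlan)


def vlan_for_port_state(port_state, assigned_vlan):
    """Only an authorized port keeps its assigned VLAN (in multiple-hosts mode
    every host shares it with the first authenticated host); force-authorized,
    force-unauthorized, unauthorized and shutdown ports sit in the access VLAN."""
    return assigned_vlan if port_state == "authorized" else ACCESS_VLAN
```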
