Unidirectional State - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

About 802.1X Port-Based Authentication
For details on how to configure 802.1X with Unidirectional Controlled Port, see the
"Configuring 802.1X with Unidirectional Controlled Port" section on page 44-64.

Unidirectional State

A unidirectional controlled port is typically configured when a connected host might enter a sleeping
mode or power-down state. When either occurs, the host does not exchange traffic with other devices in
the network. A host connected to the unidirectional port cannot send traffic to the network; it can only
receive traffic from other devices in the network.
When you configure a port as unidirectional (with the authentication control-direction in interface
configuration command), the port will receive traffic in VLANs on that port, but it is not put into a
spanning-tree forwarding state. If a VLAN contains only unauthenticated ports, any SVI on that VLAN
will be in a down state, during which packets will not be routed into the VLAN. For the SVI to be up,
and so enable packets to be routed into the VLAN, at least one port in the VLAN must either be
authenticated or in the spanning-tree forwarding state.
Bidirectional State
When you configure a port as bidirectional by using the authentication control-direction both
interface configuration command (or the dot1x control-direction both interface configuration
command for Cisco IOS Release 12.2(46) or earlier), the port is access-controlled in both directions. In
this state, except for EAPOL packets, a switch port does not receive or send packets.
Using 802.1X with VLAN User Distribution
An alternative to dynamically assigning a VLAN ID or a VLAN name is to assign a VLAN group name.
The 802.1X VLAN User Distribution feature allows you to distribute users belonging to the same group
(and characterized by a common VLAN group name) across multiple VLANs. You usually do this to
avoid creating an overly large broadcast domain.
For example, with this feature, you can download a common VLAN group name (similar to ENG-Group,
for all the users belonging to the engineering organization) from the authentication server to all the
access-layer switches. The VLAN group name is then individually mapped to a different VLAN on each
access-layer switch. The same VLAN number need not be spanned across separate switches. Similarly,
the VLANs do not need to be renamed at the edge devices.
When the authentication server returns more than one VLAN group name or VLAN, this feature
attempts to distribute users evenly across them. It internally maintains the count of users assigned
to each VLAN on that switch by authentication or port security. Based on this information, this feature
assigns a newly authenticated user to the least loaded VLAN on that switch among all the VLANs or
VLAN group names obtained from the RADIUS server.
This VLAN distribution considers the load of all the valid VLANs only during initial user authentication,
and not during reassignment. When some of the existing authenticated users are removed, the feature
does not attempt to redistribute the remaining authenticated users. Group distribution does not guarantee
perfect load distribution all the time.
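A constructed Python model of the assignment logic described above (an added example, not Cisco code): the group-name map, the shape of the RADIUS attribute list, the tie-break order and the re-authentication behaviour are assumptions made for the model.

```python
from collections import Counter
from typing import Dict, Iterable, List, Union

class AccessSwitch:
    """Per-switch state for 802.1X VLAN User Distribution (constructed model)."""

    def __init__(self, group_map: Dict[str, List[int]], valid_vlans: Iterable[int]):
        # Local map from VLAN group name to this switch's own VLAN IDs; another
        # access switch may map the same name to different VLAN numbers.
        self.group_map = group_map
        self.valid_vlans = set(valid_vlans)
        self.load: Counter = Counter()        # users per VLAN (802.1X or port security)
        self.assignment: Dict[str, int] = {}  # user -> VLAN

    def candidates(self, radius_attrs: List[Union[int, str]]) -> List[int]:
        """Expand RADIUS-returned VLAN IDs and group names into valid local VLANs."""
        vlans: List[int] = []
        for attr in radius_attrs:
            vlans.extend([attr] if isinstance(attr, int) else self.group_map.get(attr, []))
        return [v for v in vlans if v in self.valid_vlans]

    def authenticate(self, user: str, radius_attrs: List[Union[int, str]]) -> int:
        """Place a newly authenticated user in the least-loaded candidate VLAN."""
        if user in self.assignment:
            # Assumption: load is consulted only at initial authentication, so a
            # re-authenticating user keeps the VLAN it already has.
            return self.assignment[user]
        cands = self.candidates(radius_attrs)
        if not cands:
            raise ValueError(f"no valid VLAN for {user}: {radius_attrs}")
        # min() keeps the first candidate on ties (tie-break order is an assumption)
        chosen = min(cands, key=lambda v: self.load[v])
        self.load[chosen] += 1
        self.assignment[user] = chosen
        return chosen

    def remove(self, user: str) -> None:
        """Drop a user; the remaining users are deliberately not redistributed."""
        self.load[self.assignment.pop(user)] -= 1

def demo() -> Dict[str, int]:
    # Constructed scenario: ENG-Group maps to three local VLANs on this switch.
    sw = AccessSwitch({"ENG-Group": [110, 111, 112]}, valid_vlans=[110, 111, 112, 120])
    for user in ("alice", "bob", "carol", "dave"):
        sw.authenticate(user, ["ENG-Group"])      # lands on 110, 111, 112, 110
    sw.remove("alice")
    sw.remove("bob")                              # loads are now 110:1 111:0 112:1
    sw.authenticate("erin", ["ENG-Group"])        # goes to 111; carol and dave stay put
    sw.authenticate("frank", [120, "ENG-Group"])  # explicit VLAN 120 is least loaded
    return dict(sw.assignment)
```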
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG, OL-25340-01
Chapter 44, Configuring 802.1X Port-Based Authentication, page 44-16
