802.1x Authentication with Voice VLAN Ports - Cisco WS-CBS3032-DEL Software Configuration Manual


Chapter 9
Configuring IEEE 802.1x Port-Based Authentication

OL-13270-06

- If all the RADIUS servers are not available and the client is not connected to a critical port, the
  switch might not assign clients to the guest VLAN if one is configured.
- If all the RADIUS servers are not available and if a client is connected to a critical port and was
  previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.
- Restricted VLAN—If the port is already authorized in a restricted VLAN and the RADIUS servers
  are unavailable, the switch puts the critical port in the critical-authentication state in the restricted
  VLAN.
- 802.1x accounting—Accounting is not affected if the RADIUS servers are unavailable.
- Private VLAN—You can configure inaccessible authentication bypass on a private VLAN host port.
  The access VLAN must be a secondary private VLAN.
- Voice VLAN—Inaccessible authentication bypass is compatible with voice VLAN, but the
  RADIUS-configured or user-specified access VLAN and the voice VLAN must be different.
- Remote Switched Port Analyzer (RSPAN)—Do not configure an RSPAN VLAN as the
  RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass.

802.1x Authentication with Voice VLAN Ports

A voice VLAN port is a special access port associated with two VLAN identifiers:
- VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone
  connected to the port.
- PVID to carry the data traffic to and from the workstation connected to the switch through the IP
  phone. The PVID is the native VLAN of the port.

The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This
allows the phone to work independently of IEEE 802.1x authentication.

In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode,
additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID.
When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the
VVID.

Note: When IP phones are connected to an 802.1x-enabled switch port that is in single host mode, the switch
grants the phones network access without authenticating them. We recommend that you use multidomain
authentication (MDA) on the port to authenticate both a data device and a voice device, such as an IP
phone.

A voice VLAN port becomes active when there is a link, and the device MAC address appears after the
first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices.
As a result, if several IP phones are connected in series, the switch recognizes only the one directly
connected to it. When 802.1x authentication is enabled on a voice VLAN port, the switch drops packets
from unrecognized IP phones more than one hop away.
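
A configuration audit for the two passages above (host mode on 802.1x voice VLAN ports, and the rule that the access VLAN and the voice VLAN must differ under inaccessible authentication bypass), given here as an added example that is not taken from the Cisco guide. The interface command keywords it matches (switchport voice vlan, dot1x port-control auto, dot1x host-mode, dot1x critical) and the sample configuration are assumptions, since the page itself shows no commands.

```python
import re

# Constructed sample config; legacy "dot1x ..." interface syntax is an assumption.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 20
 dot1x port-control auto
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport voice vlan 20
 dot1x port-control auto
 dot1x host-mode multi-host
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 switchport voice vlan 20
 dot1x port-control auto
 dot1x host-mode multi-domain
!
interface GigabitEthernet1/0/4
 switchport access vlan 30
 switchport voice vlan 30
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x critical
"""

def audit_voice_ports(config):
    """Return {interface: [findings]} for 802.1x ports that carry a voice VLAN."""
    findings = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        name = re.match(r"interface (\S+)", block)
        voice = re.search(r"^ switchport voice vlan (\d+)", block, re.M)
        if not (name and voice and re.search(r"^ dot1x port-control auto", block, re.M)):
            continue
        access = re.search(r"^ switchport access vlan (\d+)", block, re.M)
        # No host-mode line means the port runs in the default single-host mode.
        mode = (re.findall(r"^ dot1x host-mode (\S+)", block, re.M) or ["single-host"])[-1]
        issues = []
        if mode == "single-host":
            issues.append("phone reaches the voice VLAN unauthenticated; use MDA")
        elif mode == "multi-host":
            issues.append("one authenticated supplicant opens PVID and VVID to other clients")
        if re.search(r"^ dot1x critical", block, re.M) and access and access.group(1) == voice.group(1):
            issues.append("access VLAN and voice VLAN must be different")
        findings[name.group(1)] = issues
    return findings
```

Calling audit_voice_ports(SAMPLE_CONFIG) returns one finding each for ports 1, 2 and 4 and an empty list for the multidomain port 3.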
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
Understanding IEEE 802.1x Port-Based Authentication