802.1x User Distribution Configuration Guidelines; IEEE 802.1x Authentication with Voice VLAN Ports - Cisco Catalyst 3750-X Software Configuration Manual


Chapter 11
Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication

802.1x User Distribution Configuration Guidelines

- Confirm that at least one VLAN is mapped to the VLAN group.
- You can map more than one VLAN to a VLAN group.
- You can modify the VLAN group by adding or deleting a VLAN.
- When you clear an existing VLAN from the VLAN group name, none of the authenticated ports in the VLAN are cleared, but the mappings are removed from the existing VLAN group.
- If you clear the last VLAN from the VLAN group name, the VLAN group is cleared.
- You can clear a VLAN group even when the active VLANs are mapped to the group. When you clear a VLAN group, none of the ports or users that are in the authenticated state in any VLAN within the group are cleared, but the VLAN mappings to the VLAN group are cleared.

For more information, see the "802.1x User Distribution" section on page 11-22.

IEEE 802.1x Authentication with Voice VLAN Ports

A voice VLAN port is a special access port associated with two VLAN identifiers:

- VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
- PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.

The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows the phone to work independently of IEEE 802.1x authentication.

In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.

Note: If an IP phone and PC are connected to a switchport, and the port is configured in single- or multi-host mode, we do not recommend configuring that port in standalone MAC authentication bypass mode. We recommend only using MAC authentication bypass as a fallback method to 802.1x authentication with the timeout period set to the default of five seconds.

A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized IP phones more than one hop away.

When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.

Note: If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.

For more information about voice VLANs, see Chapter 17, "Configuring Voice VLAN."

Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-21521-01, page 11-23
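As an added example (not part of the Cisco manual), the following Python script lints a staged interface configuration against two rules from the voice VLAN section: the port VLAN must not equal the voice VLAN on an 802.1x port, and a voice VLAN port in single- or multi-host mode should not rely on standalone MAC authentication bypass. The sample configuration is constructed, and treating `mab` without `dot1x pae authenticator` as standalone MAB is an assumption of this example.

```python
import re

# Constructed sample config; interface names and VLAN IDs are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 20
 authentication port-control auto
 dot1x pae authenticator
 mab
interface GigabitEthernet1/0/2
 switchport access vlan 20
 switchport voice vlan 20
 authentication port-control auto
 dot1x pae authenticator
interface GigabitEthernet1/0/3
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-host
 authentication port-control auto
 mab
"""

def parse_interfaces(config):
    """Map each interface name to the text of its indented sub-commands."""
    blocks = re.findall(r"^interface (\S+)\n((?: .*\n)*)", config + "\n", re.M)
    return {name: re.sub(r"^ +", "", body, flags=re.M) for name, body in blocks}

def setting(body, pattern, default=None):
    """Return the first capture of pattern on a whole line of body, else default."""
    m = re.search(rf"^{pattern}$", body, re.M)
    return m.group(1) if m else default

def audit(config):
    """Return sorted (interface, finding) pairs for 802.1x voice VLAN ports."""
    findings = []
    for name, body in parse_interfaces(config).items():
        vvid = setting(body, r"switchport voice vlan (\d+)")
        if not vvid or not setting(body, r"(authentication port-control auto)"):
            continue  # only 802.1x-controlled voice VLAN ports are in scope
        if setting(body, r"switchport access vlan (\d+)", "1") == vvid:
            findings.append((name, "PVID equals VVID"))  # access VLAN defaults to 1
        mode = setting(body, r"authentication host-mode (\S+)", "single-host")
        # Assumption: 'mab' without 'dot1x pae authenticator' is standalone MAB.
        if (setting(body, r"(mab)") and not setting(body, r"(dot1x pae authenticator)")
                and mode in ("single-host", "multi-host")):
            findings.append((name, "standalone MAB"))
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` flags GigabitEthernet1/0/2 for the VLAN clash and GigabitEthernet1/0/3 for standalone MAB, while GigabitEthernet1/0/1, which uses MAB only as a fallback to 802.1x, passes.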

This manual is also suitable for:

Catalyst 3560-x
