8-5
Catalyst 2940 Switch Software Configuration Guide
78-15507-02
Chapter 8 Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
In a point-to-point configuration (see Figure 8-1 on page 8-2), only one client can be connected to the
802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state.
If a client leaves or is replaced with another client, the switch changes the port link state to down, and
the port returns to the unauthorized state.
Figure 8-3 shows 802.1X port-based authentication in a wireless LAN. The 802.1X port is configured
as a multiple-hosts port that becomes authorized as soon as one client is authenticated. When the port is
authorized, all other hosts indirectly attached to the port are granted access to the network. If the port
becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch
denies access to the network to all of the attached clients. In this topology, the wireless access point is
responsible for authenticating the clients attached to it, and the wireless access point acts as a client to
the switch.
Figure 8-3 Wireless LAN Example
Using 802.1X with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone
connected to the port.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP
phone. The PVID is the native VLAN of the port.
Each port that you configure for a voice VLAN is associated with a PVID and a VVID. This
configuration allows voice traffic and data traffic to be separated onto different VLANs.
When you enable the single-host mode, only one 802.1X client is allowed on the primary VLAN; other
workstations are blocked. When you enable the multiple-hosts mode, additional clients on the voice VLAN
are unrestricted as soon as one 802.1X client has authenticated on the primary VLAN.
A voice VLAN port becomes active when there is link, and the device MAC address appears after the
first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices.
As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly
connected to it. When 802.1X is enabled on a voice VLAN port, the switch drops packets from
unrecognized Cisco IP phones more than one hop away.
When 802.1X is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
For more information about voice VLANs, see Chapter 15, "Configuring Voice VLAN."
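The rules in the two preceding sections (a multiple-hosts port admits every host behind it once one client authenticates; a voice VLAN port needs a PVID that differs from its VVID; single-host mode leaves only one 802.1X client on the PVID) can be checked mechanically against a saved running-config. The following script is an added example and is not part of the Cisco guide. The sample configuration it audits is constructed, and the command spellings it matches (switchport access vlan, switchport voice vlan, dot1x port-control auto, dot1x host-mode multi-host or dot1x multiple-hosts) and the default PVID of 1 are assumptions to be verified against the command reference for the switch's software release.

```python
"""Audit interface stanzas of a Catalyst-style running-config for the
802.1X port-based authentication rules described in this chapter.

Added example, not Cisco code. The config text is constructed and the
IOS command spellings are assumed, not taken from the guide.
"""
import re

# Constructed sample running-config (assumed IOS syntax, not from the guide).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport voice vlan 110
 dot1x port-control auto
 dot1x host-mode multi-host
!
interface FastEthernet0/2
 switchport access vlan 110
 switchport voice vlan 110
 dot1x port-control auto
!
interface FastEthernet0/3
 switchport access vlan 20
 dot1x port-control auto
 dot1x host-mode multi-host
!
interface FastEthernet0/4
 switchport access vlan 30
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented command lines]} for each stanza."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def port_settings(lines):
    """Extract the VLAN and 802.1X settings that matter for the audit."""
    # PVID defaults to VLAN 1 when no access VLAN is configured (assumption).
    s = {"access": 1, "voice": None, "dot1x": False, "multi_host": False}
    for line in lines:
        m = re.fullmatch(r"switchport access vlan (\d+)", line)
        if m:
            s["access"] = int(m.group(1))
            continue
        m = re.fullmatch(r"switchport voice vlan (\d+)", line)
        if m:
            s["voice"] = int(m.group(1))
            continue
        if line == "dot1x port-control auto":
            s["dot1x"] = True
        elif line in ("dot1x host-mode multi-host", "dot1x multiple-hosts"):
            s["multi_host"] = True
    return s


def audit(config):
    """Return (interface, severity, message) findings for 802.1X-enabled ports."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        s = port_settings(lines)
        if not s["dot1x"]:
            continue  # rules below only apply once 802.1X is enabled on the port
        if s["voice"] is not None and s["voice"] == s["access"]:
            findings.append((name, "ERROR",
                             "port VLAN (PVID) equals voice VLAN (VVID); "
                             "not allowed when 802.1X is enabled"))
        if s["voice"] is not None and not s["multi_host"]:
            findings.append((name, "INFO",
                             "voice VLAN port in single-host mode: one 802.1X "
                             "client on the PVID, other workstations blocked"))
        if s["multi_host"]:
            findings.append((name, "WARN",
                             "multiple-hosts mode: every host behind the port is "
                             "admitted once one client authenticates"))
    return findings


if __name__ == "__main__":
    for name, severity, message in audit(SAMPLE_CONFIG):
        print(f"{severity:5} {name}: {message}")
```

In the constructed sample, FastEthernet0/2 is the configuration the guide forbids (PVID 110 equal to VVID 110 with 802.1X enabled); the switch rejects it at the CLI, but the audit catches it in a config that was staged off-box. The WARN findings on the multiple-hosts ports are not errors, only a reminder that a single authenticated access point or phone opens the port for everything behind it, which is the trade-off of the wireless topology in Figure 8-3.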
[Figure 8-3 art: wireless clients, access point, Catalyst 2940 switch, authentication server (RADIUS)]