Cisco Systems 3560 802.1x Authentication with Voice VLAN Ports, 802.1x Authentication with Port Security

10-21

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

802.1x Authentication with Voice VLAN Ports

A voice VLAN port is a special access port associated with two VLAN identifiers:

• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone

connected to the port.

• PVID to carry the data traffic to and from the workstation connected to the switch through the IP

phone. The PVID is the native VLAN of the port.

The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This

allows the phone to work independently of 802.1x authentication.

In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode,

additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID.

When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the

VVID.

A voice VLAN port becomes active when there is a link, and the device MAC address appears after the

first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices.

As a result, if several IP phones are connected in series, the switch recognizes only the one directly

connected to it. When 802.1x authentication is enabled on a voice VLAN port, the switch drops packets

from unrecognized IP phones more than one hop away.

When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a

voice VLAN.

Note If you enable 802.1x authentication on an access port on which a voice VLAN is configured and to which

a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.

For more information about voice VLANs, see Chapter 13, “Configuring VLANs.”

802.1x Authentication with Port Security

You can configure an 802.1x port with port security in either single-host or multiple-hosts mode. (You

also must configure port security on the port by using the switchport port-security interface

configuration command.) When you enable port security and 802.1x authentication on a port, 802.1x

authentication authenticates the port, and port security manages network access for all MAC addresses,

including that of the client. You can then limit the number or group of clients that can access the network

through an 802.1x port.

These are some examples of the interaction between 802.1x authentication and port security on the

switch:

• When a client is authenticated, and the port security table is not full, the client MAC address is added

to the port security list of secure hosts. The port then proceeds to come up normally.

When a client is authenticated and manually configured for port security, it is guaranteed an entry

in the secure host table (unless port security static aging has been enabled).

A security violation occurs if the client is authenticated, but the port security table is full. This can

happen if the maximum number of secure hosts has been statically configured or if the client ages

out of the secure host table. If the client address is aged, its place in the secure host table can be

taken by another host.

If the security violation is caused by the first authenticated host, the port becomes error-disabled and

immediately shuts down.