9-10
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Using IEEE 802.1x Authentication with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone
connected to the port.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP
phone. The PVID is the native VLAN of the port.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode,
additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID.
When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the
VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the
first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices.
As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly
connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops
packets from unrecognized Cisco IP phones more than one hop away.
When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal
to a voice VLAN.
For more information about voice VLANs, see Chapter 18, “Configuring Voice VLAN.”
Using IEEE 802.1x Authentication with Port Security
You can configure an IEEE 802.1x port with port security in either single-host or multiple-hosts mode.
(You must also configure port security on the port by using the switchport port-security interface
configuration command.) When you enable port security and IEEE 802.1x on a port, IEEE 802.1x
authentication authenticates the port, and port security manages network access for all MAC addresses,
including that of the client. You can then limit the number or group of clients that can access the network
through an IEEE 802.1x port.
These are some examples of the interaction between IEEE 802.1x authentication and port security on the
switch:
• When a client is authenticated, and the port security table is not full, the client’s MAC address is
added to the port security list of secure hosts. The port then proceeds to come up normally.
When a client is authenticated and manually configured for port security, it is guaranteed an entry
in the secure host table (unless port security static aging has been enabled).
A security violation occurs if the client is authenticated, but port security table is full. This can
happen if the maximum number of secure hosts has been statically configured, or if the client ages
out of the secure host table. If the client’s address is aged out, its place in the secure host table can
be taken by another host.
The port security violation modes determine the action for security violations. For more
information, see the
“Security Violations” section on page 21-7.
• When you manually remove an IEEE 802.1x client address from the port security table by using the
no switchport port-security mac-address mac-address interface configuration command, you
should re-authenticate the IEEE 802.1x client by using the dot1x re-authenticate interface
interface-id privileged EXEC command.