10-5
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
78-11380-07
Chapter 10 Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
Voice VLAN Ports
Multiple VLAN access ports (MVAPs) are ports that belong to two VLANs. This configuration allows
voice traffic and data traffic to be separated onto different VLANs. A switch port configured with
a voice VLAN has separate VLANs configured for carrying:
• The voice traffic to and from the IP phone.
• The data traffic to and from the workstation connected to the switch through the IP phone.
Thus, each port configured for a voice VLAN is associated with a port VLAN identifier (PVID), which is
the native VLAN of the port, and a voice VLAN identifier (VVID), which is used to configure the IP phone
connected to the port.
When 802.1X is enabled on a port that has a voice VLAN, the voice VLAN remains down on the port
(equivalent to an unauthenticated state) until a CDP message is received from an IP phone. The voice VLAN
then becomes active, allowing the phone to work independently of 802.1X authentication. The voice VLAN
becomes inactive on the port if the CDP entry times out or if it is cleared by using the clear cdp table
privileged EXEC command.
A workstation connected to the port uses the PVID and is authenticated through 802.1X as usual. The
IP phone has access to the VVID for its voice traffic irrespective of the authorized or unauthorized state
of the port.
Only one client is allowed on the voice VLAN; other workstations or IP phones are blocked. When
multiple-hosts mode is enabled, additional clients on the voice VLAN are unrestricted once an 802.1X user
has been authenticated on the primary VLAN.
When 802.1X is enabled on a port, you cannot configure a port VLAN that is equal to the voice VLAN.
Using 802.1X with Port Security
For switches running the enhanced software image (EI), you can enable an 802.1X port for port security
by using the dot1x multiple-hosts interface configuration command. You must also configure port
security on the port by using the switchport port-security interface configuration command. With the
multiple-hosts mode enabled, 802.1X authenticates the port, and port security manages network access
for all MAC addresses, including that of the client. You can then limit the number or group of clients
that can access the network through an 802.1X multiple-host port.
These are some examples of the interaction between 802.1X and port security on the switch:
• When a client is authenticated and the port security table is not full, the client's MAC address is
added to the port security list of secure hosts. The port then proceeds to come up normally.
• When a client is authenticated and manually configured for port security, it is guaranteed an entry
in the secure host table (unless port security static aging has been enabled).
• A security violation occurs if the client is authenticated but the port security table is full. This can
happen if the maximum number of secure hosts have been statically configured, or if the client ages
out of the secure host table. If the client's address is aged out, its place in the secure host table can
be taken by another host. In this case, you should enable periodic reauthentication with a shorter
time period than the port security aging time.
The port security violation modes determine the action for security violations. See the "Security
Violations" section on page 19-5 for more information.
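The two constraints above (an 802.1X port whose port VLAN equals its voice VLAN, and a multiple-hosts port whose 802.1X reauthentication period is not shorter than its port security aging time) can be checked offline against a saved configuration. The following audit script is an added example, not part of this guide or of Cisco IOS; the sample configuration is constructed, and the command syntax it parses (dot1x timeout reauth-period in seconds, switchport port-security aging time in minutes) is assumed rather than taken from this page.

```python
# Constructed sample config (not from the guide); Catalyst 2950 IOS syntax assumed.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport voice vlan 110
 dot1x port-control auto
 dot1x multiple-hosts
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 switchport port-security
 switchport port-security aging time 5
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport voice vlan 20
 dot1x port-control auto
"""
def parse_interfaces(config):
    # Map each interface name to the list of its stripped sub-commands.
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces

def _int_after(lines, prefix):
    # First integer argument following an exact command prefix, else None.
    for line in lines:
        if line.startswith(prefix):
            return int(line[len(prefix):].split()[0])
    return None

def audit(config):
    findings = []
    for name, lines in parse_interfaces(config).items():
        pvid, vvid = _int_after(lines, "switchport access vlan "), _int_after(lines, "switchport voice vlan ")
        if "dot1x port-control auto" in lines and pvid is not None and pvid == vvid:
            findings.append((name, "port VLAN equals voice VLAN on an 802.1X port"))
        if "dot1x multiple-hosts" in lines and "switchport port-security" in lines:
            aging_min = _int_after(lines, "switchport port-security aging time ")
            reauth_s = _int_after(lines, "dot1x timeout reauth-period ")  # seconds
            if aging_min and ("dot1x reauthentication" not in lines  # aging is in minutes
                              or reauth_s is None or reauth_s >= aging_min * 60):
                findings.append((name, "reauth period not shorter than port-security aging"))
    return findings
```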