I'm also going through the process of testing my dot1x for a large scale deployment.
The handshake process happens almost immediately in my test network; the port is authenticated as quickly as portfast can bring it up. Again, this is in my test network without traffic shaping and user traffic, although I don't expect it to be an issue.
On the 3500's I've tested so far I have been running 12.2(25) IOS, and the same with the 3750's. I haven't found any documentation (or needed to find any) regarding specific IOS versions. I imagine as long as the switch supports aaa commands and dot1x commands you should be fine, although I have read about problems with RADIUS server authentication on 3500's and certain IOS versions.
As far as the Cisco documentation goes on the data allowed before the port is authenticated, it is correct when it says EAPOL and STP are passed, but CDP is not.
It is interesting to note, though, that with Wireshark running on my test machines the STP packets are listed as EAP protocol on ports with dot1x authentication enabled. So both of your documents are technically correct minus the CDP.
The traffic was seen on a 3750 series switch running IOS 12.2(25); I did not verify this information is correct for other switches.
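To check which of the three frame types discussed above (EAPOL, STP, CDP) actually appear in a capture taken on a port before authentication, raw frames can be classified by their layer-2 headers instead of relying on a dissector's label. This is an added example, not part of the original post; the helper names and the sample frames are constructed for illustration.

```python
import struct

# Well-known layer-2 identifiers (IEEE 802.1X, IEEE 802.1D, Cisco CDP).
ETHERTYPE_EAPOL = 0x888E
LLC_STP = b"\x42\x42\x03"                        # DSAP/SSAP 0x42, UI control
SNAP_CDP = b"\xaa\xaa\x03\x00\x00\x0c\x20\x00"   # SNAP, Cisco OUI, PID 0x2000

def classify(frame: bytes) -> str:
    """Return 'EAPOL', 'STP', 'CDP' or 'OTHER' for one raw Ethernet frame."""
    if len(frame) < 14:
        return "OTHER"
    offset = 12
    (type_len,) = struct.unpack_from("!H", frame, offset)
    if type_len == 0x8100 and len(frame) >= 18:  # skip a single 802.1Q tag
        offset += 4
        (type_len,) = struct.unpack_from("!H", frame, offset)
    payload = frame[offset + 2:]
    if type_len == ETHERTYPE_EAPOL:
        return "EAPOL"
    if type_len <= 1500:                         # 802.3 length field, LLC follows
        if payload.startswith(LLC_STP):
            return "STP"
        if payload.startswith(SNAP_CDP):
            return "CDP"
    return "OTHER"

def summarize(frames):
    """Count frames per class so a pre-auth capture can be compared to the docs."""
    counts = {"EAPOL": 0, "STP": 0, "CDP": 0, "OTHER": 0}
    for frame in frames:
        counts[classify(frame)] += 1
    return counts

def make_frame(dst_hex: str, type_len: int, payload: bytes) -> bytes:
    """Build a constructed test frame (hypothetical helper, sample data only)."""
    src = bytes.fromhex("020000000001")          # locally administered source MAC
    return bytes.fromhex(dst_hex) + src + struct.pack("!H", type_len) + payload

# Constructed sample frames, not taken from a real capture.
SAMPLES = [
    make_frame("0180c2000003", 0x888E, b"\x01\x01\x00\x00"),        # EAPOL-Start
    make_frame("0180c2000000", 38, LLC_STP + b"\x00" * 35),         # STP BPDU
    make_frame("01000ccccccc", 30, SNAP_CDP + b"\x02\xb4" + b"\x00" * 20),  # CDP
    make_frame("ffffffffffff", 0x0806, b"\x00" * 28),               # ARP
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

Feed `summarize` the raw frames from a capture on the test port; a frame with LLC bytes `42 42 03` is a BPDU regardless of how the capture tool labels it.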