802.1x and Voice VLAN

tckoon
Level 1

I had read articles on CCO, and I believed that for the same switch port we can have 802.1x configured and the voice VLAN configured. It means the IP phone is connected to the switch port with 802.1x configured, but the phone will not authenticate; only the workstation connected to the phone data port will get authenticated.

I had configured 802.1x and tested with a notebook logon and was able to access the network. Now I would like to test the notebook attached to the IP phone data port, with the phone connected to a switch port configured with 802.1x. But I failed to add the voice VLAN command. Why?

interface GigabitEthernet9/48
 description temporary port
 switchport
 switchport access vlan 12
 switchport mode access
 no ip address
 dot1x port-control auto
 spanning-tree portfast

CIG01-ENT-SW1(config-if)#switchport voice vlan 14
Command rejected: Gi9/48 is Dot1x enabled port.

Roberto Salazar
Level 8

Using IEEE 802.1x Authentication with Voice VLAN Ports

A voice VLAN port is a special access port associated with two VLAN identifiers:

• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.

• PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.

In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.

A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.

When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.

What kind of switch do you have? On a 3550 I can configure the port for both VVID and PVID:

interface FastEthernet0/1
 switchport access vlan 3
 switchport mode access
 switchport voice vlan 2
 no ip address
 dot1x port-control auto
 spanning-tree portfast
end

Nevertheless, as the statement above indicates, the port will need to be configured for multi-host in order for the PC behind the phone to get authenticated:

under the interface configure "dot1x host-mode multi-host"

Never mind, I just realized that you might have a 5600 running native; checking the configuration guide and release notes, it does not look like dot1x and vvlan can play together on that platform.

Thanks for the above information; yes, this is what I read on CCO.

OK, I tried your advice and configured dot1x host-mode multi-host, then I added switchport voice vlan again; the same error message appeared.

The switch configured is Catalyst 6509, IOS.

Regards

Correction: it seems dot1x and vvlan on the same interface might be supported; checking on that.

Okay, this is confirmed. Dot1x and voice VLAN on the same port is currently not supported; the latest code is 12.2(18)SXF#. The support is coming in a later release. I do not have the release version, but it is on the roadmap. The hybrid supports it currently:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_5/confg_gd/8021x.htm#1032759
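
An added example, not part of any post in this thread and not Cisco code: a small audit script that applies the rules quoted in the first reply to IOS-style interface stanzas. It flags ports where 802.1x and a voice VLAN coexist and the PVID equals the VVID, and reports which host mode is in effect, since in multiple-hosts mode one authenticated supplicant opens the port to additional clients. The sample configuration and the finding codes are constructed for illustration; whether a given platform accepts both features on one port at all, as with the rejection in the original question, is not something it can check.

```python
import re

# Constructed sample (not from the thread): three 802.1x access ports.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 3
 switchport voice vlan 2
 dot1x port-control auto
 dot1x host-mode multi-host
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport voice vlan 2
 dot1x port-control auto
!
interface FastEthernet0/3
 switchport voice vlan 1
 dot1x port-control auto
 dot1x host-mode multi-host
"""

def parse_interfaces(config):
    """Map each interface name to its list of sub-commands."""
    ports, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line in ("!", "end"):
            current = None
        elif line and current is not None:
            current.append(line)
    return ports

def audit_port(cmds):
    """Finding codes for one port; empty unless dot1x and a voice VLAN coexist."""
    def vlan(kind):
        hits = [m.group(1) for c in cmds
                if (m := re.fullmatch(rf"switchport {kind} vlan (\d+)", c))]
        return hits[-1] if hits else None
    vvid, pvid = vlan("voice"), vlan("access") or "1"  # access VLAN defaults to 1
    if "dot1x port-control auto" not in cmds or vvid is None:
        return []
    findings = []
    if pvid == vvid:
        findings.append("PVID_EQUALS_VVID")  # not allowed per the quoted guide
    if "dot1x host-mode multi-host" in cmds:
        findings.append("MULTI_HOST")   # one authentication admits other clients
    else:
        findings.append("SINGLE_HOST")  # only the phone is allowed on the voice VLAN
    return findings

def audit(config):
    return {name: audit_port(cmds) for name, cmds in parse_interfaces(config).items()}
```

Ports reported as MULTI_HOST are the ones to review for physical exposure, because any device attached after the first successful authentication is not itself authenticated.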