Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Trunked VOIP access port with 802.1x

I am currently researching 802.1x port authenication. Our currently access layer switches are 3750 with PoE. The port are currently configured with 802.1q trunking (a voice and data vlan) and QOS enabled. IOS level of 12.1.19. When setting up 802.1x port it is requiring the port to be set to switchport mode access, removing the trunking and QOS settings. Is there a way to have 802.1q and 802.1x configured together and maint. QOS for voice on a 3750 PoE switch?

New Member

Re: Trunked VOIP access port with 802.1x

hi jeff

Using IEEE 802.1x with Voice VLAN Ports

A voice VLAN port is a special access port associated with two VLAN identifiers:

•VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.

•PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.

Before Cisco IOS Release 12.1(14)EA1, a switch in single-host mode accepted traffic from a single host, and voice traffic was not allowed. In multiple-hosts mode, the switch did not accept voice traffic until the client was authenticated on the primary VLAN, thus making the IP phone inoperable until the user logged in.

With Cisco IOS Release 12.1(14)EA1 and later, the IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows the phone to work independently of IEEE 802.1x authentication.

In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.

A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x is enabled on a voice VLAN port, the switch drops packets from unrecognized IP phones more than one hop away.

When IEEE 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.

Note If you enable IEEE 802.1x on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.

For more information about voice VLANs, see "Configuring Voice VLAN."

New Member

Re: Trunked VOIP access port with 802.1x

I have also seen this information on Cisco web site. In our configuration we have two VLAN's assign to each access port using 802.1q trunking. We did this to allow us to connect the IP phone inline with the PC and also manage our IP addressing for data connections and voice connections on seperate address ranges. Do you know of a way to still have the PVID and VVID to still go to seperate VLAN's with an 802.1x port authenication configuration. The reason I am looking for such a possible solution, because I would have enormous task to change the entire addressing scheme of our company. Currently the 802.1x generic configuration Cisco has give both the phone on VVID and PC on the PVID on the same VLAN and address range.

CreatePlease to create content