I am currently researching 802.1x port authentication. Our current access layer switches are 3750 with PoE. The ports are currently configured with 802.1q trunking (a voice and data VLAN) and QOS enabled. The IOS level is 12.1.19. When setting up 802.1x on a port, it requires the port to be set to switchport mode access, removing the trunking and QOS settings. Is there a way to have 802.1q and 802.1x configured together and maintain QOS for voice on a 3750 PoE switch?
A voice VLAN port is a special access port associated with two VLAN identifiers:
VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
Before Cisco IOS Release 12.1(14)EA1, a switch in single-host mode accepted traffic from a single host, and voice traffic was not allowed. In multiple-hosts mode, the switch did not accept voice traffic until the client was authenticated on the primary VLAN, thus making the IP phone inoperable until the user logged in.
With Cisco IOS Release 12.1(14)EA1 and later, the IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows the phone to work independently of IEEE 802.1x authentication.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x is enabled on a voice VLAN port, the switch drops packets from unrecognized IP phones more than one hop away.
When IEEE 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
Note: If you enable IEEE 802.1x on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
For more information about voice VLANs, see "Configuring Voice VLAN."
I have also seen this information on the Cisco web site. In our configuration we have two VLANs assigned to each access port using 802.1q trunking. We did this to allow us to connect the IP phone inline with the PC and also manage our IP addressing for data connections and voice connections on separate address ranges. Do you know of a way to still have the PVID and VVID go to separate VLANs with an 802.1x port authentication configuration? The reason I am looking for such a possible solution is that I would have an enormous task to change the entire addressing scheme of our company. Currently the 802.1x generic configuration Cisco has given puts both the phone on VVID and PC on the PVID on the same VLAN and address range.
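Added example, not part of the original thread or of Cisco's documentation: a Python check that applies the constraints stated above (802.1x needs an access port, and the port VLAN must differ from the voice VLAN) to interface stanzas. The sample configuration, interface names and VLAN numbers are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: a trunk port, a port with PVID == VVID, and a port
# with separate data and voice VLANs. Names and VLAN IDs are made up.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/1
 switchport trunk native vlan 10
 switchport mode trunk
 dot1x port-control auto
interface FastEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 10
 dot1x port-control auto
interface FastEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 dot1x port-control auto
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from IOS-style config text."""
    stanzas = re.finditer(r"^interface (\S+)\n((?:[ ].*\n?)*)", config, re.M)
    return {m.group(1): [l.strip() for l in m.group(2).splitlines()] for m in stanzas}

def vlan_of(lines, prefix):
    """Return the VLAN ID from the first line starting with prefix, else None."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)

def audit_dot1x_voice(config):
    """Return {interface: [findings]} for every port with 802.1x enabled."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "dot1x port-control auto" not in lines:
            continue  # only 802.1x ports are in scope
        pvid = vlan_of(lines, "switchport access vlan")
        vvid = vlan_of(lines, "switchport voice vlan")
        issues = []
        if "switchport mode access" not in lines:
            issues.append("802.1x requires switchport mode access")
        if vvid is None:
            issues.append("no voice VLAN (VVID) configured")
        elif vvid == pvid:
            issues.append("PVID equals VVID")
        report[name] = issues
    return report
```

An empty findings list, as for the third port in the sample, means the port keeps data and voice on separate VLANs while meeting both constraints.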