The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows
the phone to work independently of IEEE 802.1x authentication.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional
clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts
mode is enabled, the supplicant authentication affects both the PVID and the VVID.
If an IP phone and PC are connected to a switchport, and the port is configured in single- or multi-host
mode, we do not recommend configuring that port in standalone MAC authentication bypass mode. We
recommend only using MAC authentication bypass as a fallback method to 802.1x authentication with
the timeout period set to the default of five seconds.
Note
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first
CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result,
if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When
IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized
IP phones more than one hop away.
When IEEE 802.1x authentication is enabled on a switch port, you can configure an access port VLAN that
is also a voice VLAN.
If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and to
which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30
seconds.
Note
IEEE 802.1x Authentication with Port Security
In general, Cisco does not recommend enabling port security when IEEE 802.1x is enabled. Since IEEE 802.1x
enforces a single MAC address per port (or per VLAN when MDA is configured for IP telephony), port
security is redundant and in some cases may interfere with expected IEEE 802.1x operations.
IEEE 802.1x Authentication with Wake-on-LAN
The IEEE 802.1x authentication with wake-on-LAN (WoL) feature allows dormant PCs to be powered when
the switch receives a specific Ethernet frame, known as the
magic packet
. You can use this feature in
environments where administrators need to connect to systems that have been powered down.
When a host that uses WoL is attached through an IEEE 802.1x port and the host powers off, the IEEE 802.1x
port becomes unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets
cannot reach the host. When the PC is powered off, it is not authorized, and the switch port is not opened.
When the switch uses IEEE 802.1x authentication with WoL, the switch forwards traffic to unauthorized
IEEE 802.1x ports, including magic packets. While the port is unauthorized, the switch continues to block
ingress traffic other than EAPOL packets. The host can receive packets but cannot send packets to other
devices in the network.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
OL-29434-01
237
Configuring IEEE 802.1x Port-Based Authentication
IEEE 802.1x Authentication with Port Security