The IEEE 802.1X Authentication with Voice VLAN feature is available only on a switch port.
A voice VLAN port is a special access port associated with two VLAN identifiers:
Voice VLAN identifier (VVID) to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
Port VLAN identifier (PVID) to carry the data traffic to and from the workstation connected to the router through the IP phone. The PVID is the native VLAN of the port.
The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows the phone to work independently of IEEE 802.1X authentication.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multihost mode, additional supplicants can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multihost mode is enabled, the supplicant authentication affects both the PVID and the VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first Cisco Discovery Protocol message from the IP phone. Cisco IP phones do not relay Cisco Discovery Protocol messages from other devices. As a result, if several IP phones are connected in series, the router recognizes only the one directly connected to it. When IEEE 802.1X authentication is enabled on a voice VLAN port, the router drops packets from unrecognized IP phones more than one hop away.
When IEEE 802.1X authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
If you enable IEEE 802.1X authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the router for up to 30 seconds.