Single-Host Mode
Definition:
A port only allows one device to connect and authenticate.
Features:
Most secure; ideal for desktop office devices.
Once one device is authenticated, other devices are blocked from communicating.
Typical use case: Employee laptop directly connected to a switch.
If more than one MAC address is learned on the port, it will trigger err-disable.
Multi-Host Mode
Definition:
A port allows multiple devices to connect, but only the first device is authenticated.
Features:
Subsequent devices can access the network without authentication.
Lower security; suitable for trusted environments.
Typical use case: Switch port connects to a small unmanaged hub or access point (AP).
Multi-Auth Mode
Definition:
A port allows multiple devices, and each must authenticate separately.
Features:
High security; suitable for environments requiring fine-grained control.
Supports 1 voice device (Voice VLAN) and multiple data devices.
Typical use case: Switch port connected to an IP phone, with multiple terminals behind it.
Devices can’t access multiple VLANs; the first authenticated device sets the VLAN, and all others follow that VLAN.
Multi-Domain Mode
Purpose:
Allows a port to connect one voice device (e.g., IP phone) and one data device (e.g., PC), and authenticate each independently.
Advantages:
Voice VLAN and Data VLAN are isolated and operate independently.
Ideal for desktop phone setups to ensure voice and data traffic are securely separated.
Summary Comparison
Mode Name | Supported Devices | Authentication Method | Voice VLAN Support | Security Level | Typical Use Case |
---|---|---|---|---|---|
Single-Host | 1 | Only the first device is authenticated | Not supported | Medium | Single device access, like office PC |
Multi-Host | Multiple | Only the first device is authenticated; others share access | Not supported | Low | Small hub, lab/test environments |
Multi-Auth | Multiple | Each device must authenticate separately | Supports 1 voice device | High | IP phone + multiple terminals |
Multi-Domain | 2 (1 data + 1 voice) | Separate authentication for voice and data devices | Supports 1 voice device | Medium | IP phone + PC with independent auth |
Example Use Case: Desk Setup with IP Phone and PC
Single-Host:
Learns 2 MAC addresses → triggers err-disable (error shutdown).
Multi-Host:
If the PC authenticates first, the phone can access the network too.
But if the PC is off, the phone can't access the network.
And if the phone authenticates first, any PC plugged into it will be allowed without authentication, which is insecure.
Multi-Auth:
Works; each device authenticates independently.
However, if someone connects a hub behind it, unauthorized access risk increases.
Multi-Domain:
Best solution.
Allows 1 voice VLAN device and 1 data VLAN device to authenticate independently and securely.
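The desk scenario above can be run through all four modes with a small model. This is an added example, not switch code or vendor output; the device names, outcome strings, and the rule that the first device seen in a domain occupies it in Multi-Domain mode are assumptions made for illustration.

```python
# Added example: simplified model of the four host modes as described above.
# Device tuple: (name, domain, has_credentials); list order = order seen on the port.
# Device names and outcome strings are constructed for illustration.

def evaluate_port(mode, devices):
    """Return {device name: outcome} for every device seen on one port."""
    if mode == "single-host":
        if len(devices) > 1:  # a second MAC address was learned on the port
            return {name: "err-disabled" for name, _, _ in devices}
        return {name: _auth(creds) for name, _, creds in devices}

    if mode == "multi-host":
        # The first device that authenticates opens the port for everyone else.
        opener = next((n for n, _, creds in devices if creds), None)
        if opener is None:
            return {name: "denied" for name, _, _ in devices}
        return {name: "authenticated" if name == opener else "access without auth"
                for name, _, _ in devices}

    if mode == "multi-auth":
        # Every device is judged on its own credentials.
        return {name: _auth(creds) for name, _, creds in devices}

    if mode == "multi-domain":
        outcomes, used = {}, set()
        for name, domain, creds in devices:
            if domain in used:
                # One device per domain; the switch's exact reaction is not modelled.
                outcomes[name] = "not allowed"
            else:
                used.add(domain)  # assumption: first device seen occupies the domain
                outcomes[name] = _auth(creds)
        return outcomes

    raise ValueError(f"unknown host mode: {mode}")

def _auth(has_credentials):
    return "authenticated" if has_credentials else "denied"

# Constructed desk setup: phone and PC can authenticate; a laptop on a hub cannot.
PHONE = ("ip-phone", "voice", True)
PC = ("desk-pc", "data", True)
ROGUE = ("rogue-laptop", "data", False)

if __name__ == "__main__":
    for mode in ("single-host", "multi-host", "multi-auth", "multi-domain"):
        print(mode, evaluate_port(mode, [PHONE, PC, ROGUE]))
```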