Software Configuration Guide
Page 11
...44 Configuring IEEE 802.1x Port-Based Authentication 12-1 Understanding IEEE 802.1x Port-Based Authentication 12-1 Device Roles 12-2 Authentication Process 12-3 Authentication Initiation and Message Exchange 12-5 Authentication Manager 12-7 Port-Based Authentication Methods 12-7 Per-...Port Security 12-20 802.1x Authentication with Wake-on-LAN 12-21 802.1x Authentication with MAC Authentication Bypass 12-22 Network Admission Control Layer 2 802.1x Validation 12-23 Flexible Authentication Ordering 12-23 Open1x Authentication 12-24 802.1x Switch... Cisco IE 3000 Switch Software Configuration Guide xi
Software Configuration Guide
Page 12
... 802.1x Authentication with WoL 12-47 Configuring MAC Authentication Bypass 12-48 Configuring NAC Layer 2 802.1x Validation 12-49 Configuring 802.1x Switch Supplicant with NEAT 12-50 Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs ...the Port 12-58 Resetting the 802.1x Authentication Configuration to the Default Values 12-59 Displaying 802.1x Statistics and Status 12-59 13 C H A P T E R Configuring Interface Characteristics 13-1 Understanding Interface Types 13-1 Port-Based VLANs 13-2 Switch Ports 13-2 Access Ports 13-2 Trunk Ports 13-3 Cisco IE 3000 Switch ...
Software Configuration Guide
Page 39
...IEEE 802.3x flow control on all switch ports for user-selected features OL-13018-03 Cisco IE 3000 Switch Software Configuration Guide 1-3 Performance Features • Cisco EnergyWise manages the energy usage of ...• Forwarding of Layer 2 packets at Gigabit line rate • Per-port storm control for preventing broadcast, multicast, and unicast storms • Port blocking on forwarding unknown Layer 2 unknown unicast, ...on 10/100 and 10/100/1000 Mb/s interfaces and on 10/100/1000 BASE-TX SFP module interfaces that are not directly connected to automatically detect the required ...
Software Configuration Guide
Page 41
... a new image to a large number of switches • DHCP server port-based address allocation for the preassignment of an IP address to a switch port • Directed unicast requests to a DNS server for identifying a switch through its IP address and its corresponding hostname ...switch configuration • Unique device identifier to provide product identification information through a show inventory user EXEC command display • In-band management access through the device manager over a Netscape Navigator or Microsoft Internet Explorer browser session OL-13018-03 Cisco IE 3000 Switch...
Software Configuration Guide
Page 44
... other ports in the inbound direction on Layer 2 interfaces • Source and destination MAC-based ACLs for defining security policies in the same VLAN • IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. IP phone detection enhancement to authenticate via the standard 802.1x processes Cisco IE 3000 Switch Software...
Software Configuration Guide
Page 47
... assigning an IP address by using the browser-based Express Setup program, see Chapter 8, "Administering the Switch." • TACACS+ is disabled. OL-13018-03 Cisco IE 3000 Switch Software Configuration Guide 1-11 For more information, see Chapter 11, "Configuring Switch-Based Authentication." • The standard HTTP server and Secure Socket Layer (SSL) HTTPS server are defined. If you assign...
Software Configuration Guide
Page 232
... to access the LAN and switch services. Understanding IEEE 802.1x Port-Based Authentication Chapter 12 Configuring IEEE 802.1x Port-Based Authentication • 802.1x ... Layer 2 802.1x Validation, page 12-23 • Flexible Authentication Ordering, page 12-23 • Open1x Authentication, page 12-24 • 802.1x Switch ...Supplicant with Network Edge Access Topology (NEAT), page 12-24 • 802.1x Authentication with Downloadable ACLs and Redirect URLs, page 12-15 • Web Authentication, page 12-25 Device Roles Devices roles with Extensible 12-2 Cisco IE 3000 Switch...
Software Configuration Guide
Page 237
..., such as a Catalyst 6000. OL-13018-03 Cisco IE 3000 Switch Software Configuration Guide 12-7 Also referred to use the same authorization methods, including CLI commands and messages, on this switch and also on all Catalyst switches in Cisco IOS Release 12.2(50)SE and later. 4. Supported in a network. • Port-Based Authentication Methods, page 12-7 • Per-User...
Software Configuration Guide
Page 248
...-18 Cisco IE 3000 Switch Software Configuration Guide OL-13018-03 For more information, see the "Configuring a Restricted VLAN" section on access ports. These clients are supported only on 802.1x ports in ... authentication attempts (the default value is not supported on Layer 2 ports. You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as... and the switch port remains in the restricted VLAN. We recommend that cannot access the guest VLAN. Understanding IEEE 802.1x Port-Based Authentication Chapter 12 Configuring IEEE 802.1x Port-Based Authentication 802...
Software Configuration Guide
Page 253
... validation is similar to configuring 802.1x port-based authentication except that a port uses to authenticate a new host. For more configuration information, see the "Authentication Manager" section on page 12-7. With NAC Layer 2 802.1x validation, you must configure a posture token on page 12-37. OL-13018-03 Cisco IE 3000 Switch Software Configuration Guide 12-23 If...
Software Configuration Guide
Page 257
... OL-13018-03 Cisco IE 3000 Switch Software Configuration Guide 12-27 Disabled (force-authorized). The port sends and receives normal traffic without 802.1x-based authentication of the client. Table 12-4 Default 802.1x Authentication Configuration Feature Switch 802.1x enable state Per-port 802.1x enable state...) • Configuring MAC Authentication Bypass, page 12-48 (optional) • Configuring NAC Layer 2 802.1x Validation, page 12-49 (optional) • Configuring 802.1x Switch Supplicant with NEAT, page 12-50 • Configuring 802.1x Authentication with Downloadable ACLs and...
Software Configuration Guide
Page 259
.... Chapter 12 Configuring IEEE 802.1x Port-Based Authentication Configuring 802.1x Authentication 802.1x Authentication These are the 802.1x authentication configuration guidelines: • When IEEE 802.1x authentication is enabled, ports are authenticated before any other Layer 2 feature is enabled. • ...authentication is removed as a SPAN or RSPAN destination port. If you try to which a port is an active or a not-yet-active member of an EtherChannel as an 802.1x guest VLAN. OL-13018-03 Cisco IE 3000 Switch Software Configuration Guide 12-29 However, 802.1x...
Software Configuration Guide
Page 279
...configuration mode. The range is 1 to configure NAC Layer 2 802.1x validation. You can configure any active VLAN except an RSPAN VLAN, or a voice VLAN as an 802.1x guest VLAN. Chapter 12 Configuring IEEE 802.1x Port-Based Authentication Configuring 802.1x Authentication Step 4 Step 5 ...Optional) Use the timeout activity keywords to configured the number of the client, which is disabled by default. OL-13018-03 Cisco IE 3000 Switch Software Configuration Guide 12-49 or show authentication interface-id Verify your entries in an unauthorized state. Specify an active VLAN as ...
Software Configuration Guide
Page 280
... how to configure NAC Layer 2 802.1x validation: Switch# configure terminal Switch(config)# interface gigabitethernet1/1 Switch(config-if)# dot1x reauthentication Switch(config-if)# dot1x timeout reauth-period server Configuring 802.1x Switch Supplicant with Network Edge Access Topology (NEAT)" section on the value of seconds based on page 12-24. Enable CISP. 12-50 Cisco IE 3000 Switch Software Configuration Guide...
Software Configuration Guide
Page 287
...13018-03 Cisco IE 3000 Switch Software Configuration Guide 12-57 Set the port to privileged EXEC mode. Chapter 12 Configuring IEEE 802.1x Port-Based Authentication ...switch port: Switch# configure terminal Switch(config)# ip admission name rule1 proxy http Switch(config)# interface gigabitethernet1/2 Switch(config-if)# switchport mode access Switch(config-if)# ip access-group policy1 in Switch(config-if)# ip admission rule1 Switch(config-if)# end Beginning in the configuration file. Apply an IP admission rule to configure a switch port for both web authentication and NAC Layer...
Software Configuration Guide
Page 292
... Characteristics Port-Based VLANs A VLAN is a switched network that belong to the same VLAN as the receiving port. Add ports to 1005 are Layer 2-only interfaces associated with no VLAN tagging. A switch port can belong. • For an access port, set and define the VLAN to which it belongs. Switch ports are forwarded only to ports that is not learned. 13-2 Cisco IE 3000 Switch Software...
Software Configuration Guide
Page 300
...Ethernet Interface Configuration Table 13-2 shows the Ethernet interface default configuration. Protected port Disabled. See the "Default Port Security Configuration" section on page 20-9. 13-10 Cisco IE 3000 Switch Software Configuration Guide OL-13018-03 See the "Default Optional Spanning-Tree ...13-2 Default Layer 2 Ethernet Interface Configuration Feature Default Setting Allowed VLAN range VLANs 1 to the port, see Chapter 15, "Configuring VLANs." EtherChannel (PAgP) Disabled on the VLAN parameters listed in the table, see Chapter 26, "Configuring Port-Based Traffic Control...
Software Configuration Guide
Page 370
...Layer 2 link management protocol that has at regular intervals. The switches do not have small form-factor pluggable (SFP) modules. Spanning tree uses this information to change the default for each port based on a switch are connected to construct a loop-free path. When two ports on the role of the port... the root switch and root port for the switched network and the root port and designated port for an interface. 18-2 Cisco IE 3000 Switch Software Configuration Guide OL-13018-03 Switches send and receive spanning-tree frames, called the designated switch. The path...
Software Configuration Guide
Page 375
... STP Understanding Spanning-Tree Features Disabled State A Layer 2 interface in the disabled state does not participate in frame forwarding or in the disabled state is calculated based on the Gigabit Ethernet port to the default (32768) and Switch A has the lowest MAC address. A disabled... a Switch or Port Becomes the Root Switch or Root Port If all the switches is a Gigabit Ethernet link and that has a higher number than the root port, the Gigabit Ethernet port becomes the new root port. The goal is elected as the root. OL-13018-03 Cisco IE 3000 Switch Software ...
Software Configuration Guide
Page 377
...switch accelerates aging on a per-port basis upon receiving a topology change. This root switch propagates the spanning-tree information associated with the VLAN Trunking Protocol (VTP), see the "Spanning-Tree Configuration Guidelines" section on page 18-12. For more information, see the next section. OL-13018-03 Cisco IE 3000 Switch... with that you can be mapped to support a large number of a Layer 2 switched network. The benefit of rapid PVST+ is based on a VLAN has a single root switch. Each instance of the MSTP configuration and without RSTP. You can be...