Configuring Port and System Security 503
5
Allow the switch to dynamically create VLANs when a RADIUS-assigned
VLAN does not exist on the switch.
console(config)#dot1x dynamic-vlan enable
6
Enter interface configuration mode for the downlink ports.
console(config)#interface range te1/0/1-23
7
Set the downlink ports to the access mode because each downlink port
connects to a single host that belongs to a single VLAN.
console(config-if)#switchport mode access
console(config-if)#exit
8
Enter Interface Configuration mode for port 24, the uplink (trunk) port.
console(config)#interface te1/0/24
9
Disable 802.1X authentication on the interface. This causes the port to
transition to the authorized state without any authentication exchange
required. This port does not connect to any end-users, so there is no need
for 802.1X-based authentication.
console(config-if-Te1/0/24)#dot1x port-control
force-authorized
10
Set the uplink port to trunk mode so that it accepts tagged traffic and
transmits it to the connected device (another switch or router).
console(config-if-Te1/0/24)#switchport mode trunk
11
Forbid the trunk from forwarding traffic that has VLAN tags for any VLAN
from 1000–2000, inclusive.
console(config-if-Gi1/0/24)#switchport trunk
allowed vlan remove 1000-2000
console(config-if-Gi1/0/24)#exit
Configuring Authentication Server DiffServ Filter Assignments
To enable DiffServ filter assignment by an external server, the following
conditions must be true:
• The port that the host is connected to must be enabled for MAC-based
port access control by using the following command in Interface Config
mode:
dot1x port-control mac-based
To Next Page
Loading...
