Switch 2960s does not support port-based ACLs to implement dot1x with Cisco ISE.

KevinYounil1
Level 1

Hi everyone,

I am implementing Cisco ISE 2.4 in a lab environment with a 2960S switch. I am trying to apply a default ACL on access ports to allow DNS and DC access before dot1x authentication. Unfortunately, the existing image does not support port-based ACLs. Does anyone know which IOS image I should use for this switch to implement dot1x with Cisco ISE?

Existing image is: c2960s-universalk9-mz.152-2.E9.bin

Any help in this regard is highly appreciated.

Thanks,

Kevin 

1 Accepted Solution

Accepted Solutions

Damien Miller
VIP Alumni
This is a known limitation with LAN Lite, which I suspect you have, and you need a LAN Base switch for port ACLs. I remember from the past that you couldn't switch between Lite and Base on the 2960.

What does "show license" say?

8 Replies 8

ognyan.totev
Level 5

Hi, I don't understand what "does not support" means. Please share some port configuration with us.

@Damien Miller I think you are right, I don't have problems with my 2960.

Model number                    : WS-C2960X-48FPS-L

 

Feature: lanbase
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
        License Count: Non-Counted

This is my switch and I have no problem with it.

Thanks Damien,

Do you know which IOS image I can use to resolve this issue?

You can't upgrade a LAN Lite 2960 to LAN Base, it is fixed when it leaves the factory.

Great, Thank you very much.

This is the 1st time I hear that you can't put an ACL on a port. What happens if you type 'ip access-g ?' on the port? Post the output of show license feature.

When I run the ip access-group command, it says this image does not support port-based ACLs. I will attach the output of show license tonight since I don't have access to it now.