Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1491
Views
0
Helpful
3
Replies

Port-security | Locking Trunk Port To A Specific Device

Jon Eyes
Level 1
Level 1

‎01-24-2018 03:52 PM - edited ‎03-08-2019 01:33 PM

Hi Everyone,

We a have switch in outside our server room and exposed to users. Switch-port security are enabled and unused ports are shutdown. Our concern is the outlet/s (this switch has an aggregated uplink to the core switch) where that outside switch is plugged in to reach the core switch in the server room. Is there a way to configure the core switch to ONLY accept connection from that outside switch?

 

Labels:
0 Helpful
3 Replies 3

Peter Paluch
Cisco Employee
Cisco Employee

‎01-25-2018 12:31 AM

Jon,

This sounds like a need for 802.1X authentication with NEAT (Network Edge Access Technology). The idea is that the exposed switch would need to authenticate via 802.1X to the core switch, and only after successful authentication, the core switch port would become unblocked and move to the trunk state. The support for this feature might not be universally available, though.

If you are interested in this approach, please check out the following docs:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-0_2_se/configuration/guide/scg2960/sw8021x.html#91351

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-0_2_se/configuration/guide/scg2960/sw8021x.html#pgfId-1431171

Best regards,
Peter

0 Helpful

Jon Eyes
Level 1
Level 1
In response to Peter Paluch

‎01-30-2018 05:37 PM

Thanks for the idea -- sound good.

But can a switch be an 802.1x client? We've done this in past but the client is PC.

 

Tried to goolge how to go about this set up wherein a switch acts as the client -- no luck :(

 

Thanks,

Jon

0 Helpful

Peter Paluch
Cisco Employee
Cisco Employee
In response to Jon Eyes

‎01-30-2018 06:01 PM

Hi Jon,

The second link in my previous post contains configuration examples including how to configure a switch as an 802.1X supplicant (that is the client role in 802.1X):

Switch# configure terminal
Switch(config)# cisp enable
Switch(config)# dot1x credentials test
Switch(config-dot1x)# username suppswitch
Switch(config-dot1x)# password myswitch

Switch(config)# dot1x supplicant force-multicast

Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# dot1x pae supplicant
Switch(config-if)# dot1x credentials test
Switch(config-if)# end

There is also an example with comments here:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html

Hopefully this helps!

Best regards,
Peter

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card