Beginner

Port-security | Locking Trunk Port To A Specific Device

Hi Everyone,

We have a switch outside our server room that is exposed to users. Switch-port security is enabled and unused ports are shut down. Our concern is the outlet(s) where that outside switch is plugged in to reach the core switch in the server room (this switch has an aggregated uplink to the core switch). Is there a way to configure the core switch to ONLY accept a connection from that outside switch?

 

3 Replies
Hall of Fame Cisco Employee

Re: Port-security | Locking Trunk Port To A Specific Device

Jon,

This sounds like a need for 802.1X authentication with NEAT (Network Edge Access Technology). The idea is that the exposed switch would need to authenticate via 802.1X to the core switch, and only after successful authentication, the core switch port would become unblocked and move to the trunk state. The support for this feature might not be universally available, though.

If you are interested in this approach, please check out the following docs:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-0_2_se/configuration/guide/scg2960/sw8021x.html#91351

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/15-0_2_se/configuration/guide/scg2960/sw8021x.html#pgfId-1431171

Best regards,
Peter

Beginner

Re: Port-security | Locking Trunk Port To A Specific Device

Thanks for the idea -- sounds good.

But can a switch be an 802.1X client? We've done this in the past, but the client was a PC.

Tried to google how to go about this setup wherein a switch acts as the client -- no luck :(

Thanks,

Jon

Hall of Fame Cisco Employee

Re: Port-security | Locking Trunk Port To A Specific Device

Hi Jon,

The second link in my previous post contains configuration examples, including how to configure a switch as an 802.1X supplicant (that is, the client role in 802.1X):

Switch# configure terminal
! CISP (Client Information Signalling Protocol) must be enabled on both the supplicant and the authenticator switch
Switch(config)# cisp enable
! Credential profile that the supplicant switch presents to the core switch
Switch(config)# dot1x credentials test
Switch(config-dot1x)# username suppswitch
Switch(config-dot1x)# password myswitch
Switch(config-dot1x)# exit

! Send EAPOL frames as multicast only, so NEAT works in all authenticator host modes
Switch(config)# dot1x supplicant force-multicast

! Uplink toward the core switch: a trunk port that acts as the 802.1X supplicant (PAE = port access entity)
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# dot1x pae supplicant
Switch(config-if)# dot1x credentials test
Switch(config-if)# end

There is also an example with comments here:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html

Hopefully this helps!

Best regards,
Peter
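
For completeness, the other half of the NEAT setup is the authenticator side, i.e. the core switch port that the exposed switch plugs into. The following is an added example written for this thread, not configuration from the original posts or copied from the linked Cisco documents. The RADIUS server address and key (10.0.0.5 / ExampleKey) and the interface number (GigabitEthernet1/0/24) are assumptions; replace them with your own. The port starts as an access port in the unauthorized state, and only after a successful 802.1X exchange, when the RADIUS server returns the Cisco AV pair device-traffic-class=switch, does the core switch move it to trunk.

```cisco
! Core switch (802.1X authenticator) for NEAT - added example, not from the thread.
! Assumed values: RADIUS server 10.0.0.5 with key ExampleKey, uplink port Gi1/0/24.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! CISP is required on the authenticator as well as on the supplicant switch
cisp enable
!
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key ExampleKey
!
! Port facing the exposed switch. Configured as access, not trunk: it only
! becomes a trunk after the supplicant switch authenticates and RADIUS returns
! device-traffic-class=switch. Until then the port forwards nothing but EAPOL.
interface GigabitEthernet1/0/24
 description Uplink to exposed access switch (NEAT authenticator port)
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast trunk
!
! On the RADIUS server (ISE/ACS), the authorization profile for the
! supplicant switch credential must return this vendor-specific attribute:
!   cisco-av-pair = device-traffic-class=switch
```

To verify after the exposed switch comes up, check `show authentication sessions interface GigabitEthernet1/0/24` (the session should show Authz Success), `show cisp summary`, and `show interfaces trunk` (the port should now appear as a trunk). Two caveats a practitioner should weigh: 802.1X port-based authentication is not supported on ports that are members of an EtherChannel, so the "aggregated uplink" mentioned in the question would have to become a single authenticated link (or each physical link authenticated on its own, without the port-channel); and the supplicant credential is a static username/password stored in the exposed switch's running configuration, so anyone who obtains that config (for example via console access to a switch that is physically exposed) can present the same credential from their own device. Use a unique credential per switch, restrict console access, and treat this as a control that raises the bar rather than one that binds the port to a specific piece of hardware.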
