We have a switch outside our server room that is exposed to users. Switch port security is enabled and unused ports are shut down. Our concern is the outlet(s) (this switch has an aggregated uplink to the core switch) where that outside switch is plugged in to reach the core switch in the server room. Is there a way to configure the core switch to ONLY accept a connection from that outside switch?
This sounds like a need for 802.1X authentication with NEAT (Network Edge Access Technology). The idea is that the exposed switch would need to authenticate via 802.1X to the core switch, and only after successful authentication would the core switch port become unblocked and move to the trunk state. Support for this feature might not be universally available, though.
If you are interested in this approach, please check out the following docs:
Thanks for the idea -- sounds good.
But can a switch be an 802.1X client? We've done this in the past, but the client was a PC.
Tried to google how to go about this setup wherein a switch acts as the client -- no luck :(
The second link in my previous post contains configuration examples including how to configure a switch as an 802.1X supplicant (that is the client role in 802.1X):
Switch# configure terminal
Switch(config)# cisp enable
Switch(config)# dot1x credentials test
Switch(config-dot1x)# username suppswitch
Switch(config-dot1x)# password myswitch
Switch(config)# dot1x supplicant force-multicast
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# dot1x pae supplicant
Switch(config-if)# dot1x credentials test
Switch(config-if)# end
There is also an example with comments here:
Hopefully this helps!
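For the core (authenticator) side of the same NEAT setup, here is an added example configuration that is not from this thread or from Cisco's documentation; the interface name, VLAN, RADIUS server name, address and shared secret are placeholders. It assumes IOS 15.x-style `radius server` syntax and a single physical uplink, since 802.1X is applied per physical interface rather than on a port-channel.

```text
! Core switch (802.1X authenticator) - added example, placeholders throughout
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
radius server RADIUS-PLACEHOLDER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS-SHARED-SECRET-PLACEHOLDER
!
! CISP lets the core switch learn that the authenticated peer is a switch
cisp enable
!
interface GigabitEthernet1/0/1
 description Uplink to exposed access switch (802.1X/NEAT)
 ! Port starts as an access port in a quarantine VLAN; nothing passes
 ! until the supplicant switch authenticates
 switchport mode access
 switchport access vlan 999
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast trunk
!
! The RADIUS server must return the Cisco AV pair
!   cisco-av-pair = device-traffic-class=switch
! for the supplicant switch's credentials; that attribute is what makes
! the authenticator switch the port to trunk mode after authentication.
!
! Checks after the supplicant switch comes up:
!   show authentication sessions interface GigabitEthernet1/0/1
!   show cisp summary
!   show interfaces GigabitEthernet1/0/1 switchport
```

If the port stays in the access VLAN after a successful authentication, the usual cause is the missing `device-traffic-class=switch` attribute in the RADIUS authorization profile.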