Switchport mode general functionality in c9300

ozorgnax1
Level 1

Hi

 

I am currently upgrading my old Cisco Small Business SG300 series switches to Cat 9k (9300/9200) and have them running 16.9.4.

 

I am using the very practical functionality of switchport mode general and mapping MACs to VLANs, which is supported on SG switches.

 

Users in my company use different cheap no-name "dumb" switches that have no 802.1Q functionality and thus just pass the VLAN of the port they are plugged into on to every host.

 

With switchport general I can then map MACs to VLANs and put different hosts in different VLANs, although they are basically using the same switchport when communicating with my Cisco infrastructure.

 

I need some way to configure the same functionality on Cat 9k switches.

I have been looking at 802.1X, but as I see it the authenticated ports are put in ONE VLAN and do not differentiate between multiple hosts on the same port, just authenticating or not authenticating the port.

 

Please can you give me some advice regarding this?

 

Alternatively I will have to go out and buy something like 2960 8-port switches and run 802.1X on everything, but I'd rather not have that expense on ports where security is not an issue.

------

This config on SG300 switches allows me to put the port in VLAN 220, but a host with the mapped MAC address is tagged with VLAN 25 instead. If a switch with multiple hosts is connected to the port, every device works and is put in the mapped or unmapped VLAN.

 

vlan database
map mac FF:03:e1:00:00:00 24 macs-group 1

 

switchport mode general
switchport general allowed vlan add 25,220 untagged
switchport general map macs-group 1 vlan 25

switchport general pvid 220

1 Accepted Solution

Accepted Solutions

pieterh
VIP

>>> I have been looking at 802.1x, but as I see it the authenticated ports are put in ONE vlan and do not differentiate between multiple hosts on the same port, just authenticating or not authenticating the port. <<<

The above is not completely true.

You can configure multiple-host authentication on a port, so each host authenticates separately.

In addition, with dynamic VLAN assignment using an AV pair from the authentication server, the host is assigned a VLAN.

But I'm not sure if this solves your question where the packets come in through a dumb switch.

 

This document,

Configure MAC-based VLAN Groups on a Switch through the CLI

limits the supported switches to:

Applicable Devices

  • Sx350 Series
  • SG350X Series
  • Sx500 Series
  • Sx550X Series


4 Replies


Of course different devices can connect to the same port one at a time and get the RADIUS-assigned VLAN, but what would happen if I connected a dumb switch to that port and first connected a device that authenticates to VLAN 10 and then connected a device that authenticates to VLAN 20? Wouldn't all packets get tagged to VLAN 10?

Have you got a configuration example?

I am uncertain what will happen with multiple-host authentication, but I will clearly have to test it.

Thank you
