Keyword to specify to deny any source or destination MAC address. Define a host MAC address and optional subnet mask. If the source address for a packet matches the defined address, non-IP traffic from that address is denied. Define a destination MAC address and optional subnet mask. If the destination address for a packet matches the defined address, non-IP traffic to that address is denied.
The type is 0 to , specified in hexadecimal. (Optional) Select a class of service (CoS) number from 0 to 7 to set priority. Filtering on CoS can be performed only in hardware.
A warning message reminds the user if the cos option is configured. Note Though visible in the command-line help strings, appletalk is not supported as a matching condition. To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. This command has no defaults. You enter MAC-access list configuration mode by using the mac access-list extended global configuration command.
If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask. When an access control entry (ACE) is added to an access control list, an implied deny-any-any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets. For more information about named MAC extended access lists, see the software configuration guide for this release.
Traffic matching this list is denied. This example shows how to remove the deny condition from the named MAC extended access list. This example denies all packets with Ethertype 0x You can verify your settings by entering the show access-lists privileged EXEC command. Permits non-IP traffic to be forwarded if conditions are matched.
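The matching rules stated above (host entries match one address, masked entries match a range, the list permits everything until its first ACE is added, and an implied deny-any-any sits at the end once it is not empty) can be exercised offline with the following simulator. This is an added example, not code from the command reference; the treatment of the mask as a wildcard (1 bits are don't-care) is an assumption made for the example, and the addresses and entries used below are constructed.

```python
"""Simulate evaluation of a named MAC extended access list.

Added illustration, not code from the command reference. Assumptions:
- a MAC mask is applied as a wildcard mask (1 bits = don't care);
  this is an assumption about mask semantics made for the example;
- 'host' entries match exactly one address;
- ACEs are checked in order, an implied deny-any-any applies once the
  list holds at least one ACE, and an empty list permits everything.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"


def mac_to_int(mac: str) -> int:
    """Parse dotted-hex ('0000.1111.2222'), colon or dash separated MAC text."""
    digits = re.sub(r"[.:-]", "", mac)
    if len(digits) != 12 or not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacMatch:
    address: Optional[int]  # None means 'any'
    wildcard: int           # 0 for 'host' (exact match)

    @classmethod
    def parse(cls, text: str) -> "MacMatch":
        # Accepts 'any', 'host 0000.1111.2222', or '0000.1100.0000 0000.00ff.ffff'
        parts = text.split()
        if parts == [ANY]:
            return cls(None, 0)
        if len(parts) == 2 and parts[0] == "host":
            return cls(mac_to_int(parts[1]), 0)
        if len(parts) == 2:
            return cls(mac_to_int(parts[0]), mac_to_int(parts[1]))
        raise ValueError(f"cannot parse MAC match {text!r}")

    def matches(self, mac: int) -> bool:
        if self.address is None:
            return True
        # Wildcard bits are ignored on both sides of the comparison.
        return (mac | self.wildcard) == (self.address | self.wildcard)


@dataclass(frozen=True)
class Ace:
    action: str             # 'permit' or 'deny'
    src: MacMatch
    dst: MacMatch
    cos: Optional[int] = None  # optional CoS qualifier, 0 to 7

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError(f"bad action {self.action!r}")
        if self.cos is not None and not 0 <= self.cos <= 7:
            raise ValueError("CoS must be in the range 0 to 7")

    def matches(self, src: int, dst: int, cos: Optional[int]) -> bool:
        if self.cos is not None and cos != self.cos:
            return False
        return self.src.matches(src) and self.dst.matches(dst)


def evaluate(acl: List[Ace], src: str, dst: str, cos: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a non-IP frame checked against the list."""
    if not acl:
        return "permit"  # before the first ACE is added, the list permits all
    s, d = mac_to_int(src), mac_to_int(dst)
    for ace in acl:
        if ace.matches(s, d, cos):
            return ace.action
    return "deny"        # implied deny-any-any at the end of the list


# Constructed sample list: block one host entirely, permit one OUI-like range.
EXAMPLE_ACL = [
    Ace("deny", MacMatch.parse("host 0000.1111.2222"), MacMatch.parse("any")),
    Ace("permit", MacMatch.parse("0000.1100.0000 0000.00ff.ffff"), MacMatch.parse("any")),
]

if __name__ == "__main__":
    for src in ("0000.1111.2222", "0000.11aa.bbcc", "0000.2222.3333"):
        print(src, "->", evaluate(EXAMPLE_ACL, src, "ffff.ffff.ffff"))
```

The third address in the sample run matches neither ACE and is dropped by the implied deny, which is the behaviour to keep in mind when a list is built incrementally: the first ACE entered immediately turns a permit-all port into a deny-by-default one.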
Displays access control lists configured on a switch. Use the diagnostic monitor global configuration command to configure the health-monitoring diagnostic testing.
Use the no form of this command to disable testing and return to the default settings. Specify the module number. Specify the time in milliseconds; valid values are 0 to Enable the generation of a syslog message when a health-monitoring test fails. Note If you are running a diagnostic test that has the reload attribute on a switch in a stack, you could potentially partition the stack depending on your cabling configuration.
To avoid partitioning your stack, you should enter the show switch detail privileged EXEC command to verify the stack configuration. This example shows how to configure the specified test to run every 2 minutes. This example shows how to run the test on the specified switch if health monitoring has not previously been enabled. This example shows how to set the failure threshold for test monitoring on a switch.
This example shows how to enable generating a syslog message when any health monitoring test fails. Use the diagnostic schedule privileged EXEC command to configure the scheduling of diagnostic testing. Use the no form of this command to remove the scheduling and return to the default setting.
Specify the switch number. This command has no default settings. This example shows how to schedule diagnostic testing on a specific date and time for a specific switch. This example shows how to schedule diagnostic testing to occur weekly at a certain time for a specific switch.
Use the diagnostic start user command to run the specified diagnostic test. Enter the show diagnostic content command to display the test ID list. Enter the test-id-range as integers separated by a comma and a hyphen; for example, 1, specifies test IDs 1, 3, 4, 5, and 6. This example shows how to start a diagnostic test on a specific switch. This example shows how to start diagnostics test 2 on a switch that will disrupt normal system operation. This message appears if the test can cause the switch to lose stack connectivity.
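The test-id-range syntax above (integers joined by commas, with hyphens for inclusive runs) is small enough to implement precisely, which matters when a script drives disruptive diagnostics and must not run a different set of tests than the operator intended. The parser below is an added example, not code from the command reference; the input string "1,3-6" is constructed to match the outcome the reference gives (test IDs 1, 3, 4, 5, and 6), and the whitespace tolerance, de-duplication and rejection of descending ranges are choices made here.

```python
"""Expand a diagnostic test-id-range expression such as '1,3-6'.

Added example, not from the command reference. The reference states the
rule (integers separated by commas and hyphens) and the result for one
input (test IDs 1, 3, 4, 5 and 6); the literal '1,3-6' is a constructed
input, and strictness about malformed tokens is a choice made here.
"""
import re
from typing import List, Set

# One token: a single integer, or 'low-high' with optional surrounding spaces.
_TOKEN = re.compile(r"^\s*(\d+)\s*(?:-\s*(\d+)\s*)?$")


def expand_test_id_range(expr: str) -> List[int]:
    """Return the sorted, de-duplicated list of test IDs named by expr.

    Raises ValueError on an empty or malformed token and on a descending
    range, so a caller fails loudly instead of running the wrong tests.
    """
    ids: Set[int] = set()
    for token in expr.split(","):
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"malformed test-id token: {token!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        if high < low:
            raise ValueError(f"descending range not allowed: {token!r}")
        ids.update(range(low, high + 1))
    return sorted(ids)


def format_test_id_range(ids: List[int]) -> str:
    """Inverse operation: collapse a list of IDs back into 'a,b-c' form."""
    out: List[str] = []
    run: List[int] = []
    for i in sorted(set(ids)):
        if run and i == run[-1] + 1:
            run.append(i)
            continue
        if run:
            out.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
        run = [i]
    if run:
        out.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
    return ",".join(out)


if __name__ == "__main__":
    print(expand_test_id_range("1,3-6"))     # constructed input
    print(format_test_id_range([6, 1, 3, 4, 5]))
```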
This message appears if the test will cause a stack partition. Use the dot1x global configuration command to globally enable IEEE Note Though visible in the command-line help strings, the credentials name keywords are not supported. Configure the inaccessible authentication bypass parameters. For more information, see the dot1x critical global configuration command. Enable optional guest VLAN behavior globally on the switch.
IEEE You must enable authentication, authorization, and accounting (AAA) and specify the authentication method list before globally enabling IEEE A method list describes the sequence and authentication methods to be used to authenticate a user.
Before globally enabling IEEE You can use the guest-vlan supplicant keywords to enable the optional IEEE For more information, see the dot1x guest-vlan command.
This example shows how to globally enable IEEE This example shows how to globally enable the optional guest VLAN behavior on a switch. You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command. Configures the parameters for the inaccessible authentication bypass feature on the switch. Enables manual control of the authorization state of the port.
Use the dot1x auth-fail max-attempts interface configuration command to configure the maximum allowable authentication attempts before a port is moved to the restricted VLAN. Specify a maximum number of authentication attempts allowed before a port is moved to the restricted VLAN. The range is 1 to 3; the default value is 3. If you reconfigure the maximum number of authentication attempts allowed by the VLAN, the change takes effect after the re-authentication timer expires.
This example shows how to set 2 as the maximum number of authentication attempts allowed before the port is moved to the restricted VLAN on port Sets the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state. Use the dot1x auth-fail vlan interface configuration command to enable the restricted VLAN on a port. You can configure a restricted VLAN on ports configured as follows.
You should enable re-authentication. The ports in restricted VLANs do not receive re-authentication requests if it is disabled. If a host is connected through a hub, the port might never receive a link-down event when that host is disconnected, and, as a result, might not detect any new hosts until the next re-authentication attempt occurs. Because the supplicant is not notified of the actual authentication failure, there might be confusion about this restricted network access.
An EAP success message is sent for these reasons. A supplicant might cache an incorrect username and password combination after receiving an EAP success message from the authenticator and re-use that information in every re-authentication.
Until the supplicant sends the correct username and password combination, the port remains in the restricted VLAN. If you do this, a syslog message is generated. When a restricted VLAN port is moved to an unauthorized state, the authentication process restarts. If the supplicant fails the authentication process again, the authenticator waits in the held state. After the supplicant has correctly re-authenticated, all IEEE The authenticator does not wait in a held state because the restricted VLAN configuration still exists.
This example shows how to configure a restricted VLAN on port You can verify your configuration by entering the show dot1x [ interface interface-id ] privileged EXEC command. Configures the number of authentication attempts allowed before assigning a supplicant to the restricted VLAN. Use the dot1x control-direction interface configuration command to enable the IEEE Use the both keyword or the no form of this command to return to the default setting, bidirectional mode.
This example shows how to enable unidirectional control. This example shows how to enable bidirectional control. You can verify your settings by entering the show dot1x all privileged EXEC command. The show dot1x all privileged EXEC command output is the same for all switches except for the port names and the state of the port.
If a host is attached to the port but is not yet authenticated, a display similar to this appears. If you enter the dot1x control-direction in interface configuration command to enable unidirectional control, this appears in the show dot1x all command output.
If you enter the dot1x control-direction in interface configuration command and the port cannot support this mode due to a configuration conflict, this appears in the show dot1x all command output. Displays control-direction port setting status for the specified interface.
Use the dot1x credentials global configuration command to configure a profile on a supplicant switch. You must have another switch set up as the authenticator for this switch to be the supplicant. This example shows how to configure a switch as a supplicant. Use the dot1x critical global configuration command to configure the parameters for the inaccessible authentication bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting (AAA) fail policy.
To return to default settings, use the no form of this command. Specify that the switch sends an EAPOL-Success message when the switch puts the critical port in the critical-authentication state. Set the recovery delay period in milliseconds. The range is from 1 to milliseconds. The switch does not send an EAPOL-Success message to the host when the switch successfully authenticates the critical port by putting the critical port in the critical-authentication state. The recovery delay period is milliseconds (1 second).
Use the eapol keyword to specify that the switch sends an EAPOL-Success message when the switch puts the critical port in the critical-authentication state.
Use the recovery delay milliseconds keyword to set the recovery delay period during which the switch waits to re-initialize a critical port when a RADIUS server that was unavailable becomes available. The default recovery delay period is milliseconds.
A port can be re-initialized every second. To enable inaccessible authentication bypass on a port, use the dot1x critical interface configuration command. To configure the access VLAN to which the switch assigns a critical port, use the dot1x critical vlan vlan-id interface configuration command.
This example shows how to set as the recovery delay period on the switch. You can verify your configuration by entering the show dot1x privileged EXEC command. Enables the inaccessible authentication bypass feature, and configures the access VLAN for the feature. Use the dot1x critical interface configuration command to enable the inaccessible-authentication-bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting (AAA) fail policy.
You can also configure the access VLAN to which the switch assigns the critical port when the port is in the critical-authentication state. To disable the feature or return to default, use the no form of this command. Enable the inaccessible-authentication-bypass recovery feature, and specify that the recovery action is to authenticate the port when an authentication server is available. Specify the access VLAN to which the switch can assign a critical port.
The range is from 1 to The inaccessible-authentication-bypass feature is disabled. To specify the access VLAN to which the switch assigns a critical port when the port is in the critical-authentication state, use the vlan vlan-id keywords.
The specified type of VLAN must match the type of port, as follows. If the client is running Windows XP and the critical port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated. You can configure the inaccessible bypass feature and port security on the same switch port. This example shows how to enable the inaccessible authentication bypass feature on a port. Use the dot1x default interface configuration command to reset the IEEE This example shows how to reset the IEEE Use the dot1x fallback interface configuration command to configure a port to use web authentication as a fallback method for clients that do not support IEEE Specify a fallback profile for clients that do not support IEEE You must enter the dot1x port-control auto interface configuration command on a switch port before entering this command.
This example shows how to specify a fallback profile to a switch port that has been configured for IEEE You can configure a guest VLAN on one of these switch ports. For each IEEE These users might be upgrading their systems for IEEE If the port is already in the guest VLAN state, the port returns to the unauthorized state, and authentication restarts.
Any number of non-IEEE If an IEEE The guest VLAN feature is not supported on trunk ports; it is supported only on access ports. You can change the settings for restarting the IEEE Decrease the settings for the IEEE The amount to decrease the settings depends on the connected IEEE The switch supports MAC authentication bypass. When it is enabled on an IEEE After detecting a client on an IEEE If authorization succeeds, the switch grants the client access to the network.
If authorization fails, the switch assigns the port to the guest VLAN if one is specified. Enables the optional guest VLAN supplicant feature. Use the dot1x host-mode interface configuration command to allow a single host client or multiple hosts on an IEEE Enable MDA on a switch port. This keyword is available only when the switch is running the LAN Base image. Use this command to limit an IEEE In multiple-hosts mode, only one of the attached hosts needs to be successfully authorized for all hosts to be granted network access.
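Several of the rules in this section are preconditions that the CLI does not always enforce for you: a restricted VLAN only works as intended when re-authentication is enabled, the guest VLAN is supported only on access ports, dot1x fallback requires dot1x port-control auto, and dot1x auth-fail max-attempts accepts 1 to 3. The audit below checks a saved running-config for those conditions. It is an added example, not the command reference's own code; the interface names and the configuration text are constructed sample input, and the stanza parsing assumes the usual layout of indented sub-commands under each interface line.

```python
"""Audit IEEE 802.1x interface settings in a saved running-config.

Added example, not the command reference's own code. The checks encode
rules stated in the reference: restricted-VLAN ports should have
re-authentication enabled, the guest VLAN is supported only on access
ports, 'dot1x fallback' requires 'dot1x port-control auto', and
'dot1x auth-fail max-attempts' accepts 1 to 3. The interface names and
the configuration text below are constructed sample input.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x auth-fail vlan 99
 dot1x auth-fail max-attempts 2
!
interface GigabitEthernet0/2
 switchport mode trunk
 dot1x port-control auto
 dot1x guest-vlan 50
 dot1x reauthentication
!
interface GigabitEthernet0/3
 switchport mode access
 dot1x fallback WEBAUTH-PROFILE
 dot1x auth-fail max-attempts 5
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its list of indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or any other non-indented line ends the stanza
    return stanzas


def audit_dot1x(config: str) -> Dict[str, List[str]]:
    """Return findings per interface; an empty list means nothing was flagged."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        def has(prefix: str) -> bool:
            return any(c.startswith(prefix) for c in cmds)

        notes: List[str] = []
        if has("dot1x auth-fail vlan") and not has("dot1x reauthentication"):
            notes.append("restricted VLAN configured but re-authentication is disabled")
        if has("dot1x guest-vlan") and has("switchport mode trunk"):
            notes.append("guest VLAN is not supported on trunk ports")
        if has("dot1x fallback") and "dot1x port-control auto" not in cmds:
            notes.append("dot1x fallback requires dot1x port-control auto")
        for c in cmds:
            m = re.fullmatch(r"dot1x auth-fail max-attempts (\d+)", c)
            if m and not 1 <= int(m.group(1)) <= 3:
                notes.append(f"auth-fail max-attempts {m.group(1)} is outside the range 1 to 3")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for iface, notes in audit_dot1x(SAMPLE_CONFIG).items():
        print(iface, "-", "; ".join(notes) or "ok")
```

Feed it the output of show running-config to get a per-port list; the checks are deliberately conservative (they only report what the reference says will not work), so an empty result means the stated preconditions are met, not that the port is fully hardened.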
Use the multi-domain keyword to enable MDA on a port. MDA divides the port into both a data domain and a voice domain. Before entering this command, make sure that the dot1x port-control interface configuration command is set to auto for the specified port. This example shows how to enable IEEE Use this command to initialize the IEEE After you enter this command, the port status becomes unauthorized.
There is no no form of this command. This example shows how to manually initialize a port. You can verify the unauthorized port status by entering the show dot1x [ interface interface-id ] privileged EXEC command. Use the dot1x mac-auth-bypass interface configuration command to enable the MAC authentication bypass feature.
Use the no form of this command to disable the MAC authentication bypass feature. (Optional) Configure the number of seconds that a connected host can be inactive before it is placed in an unauthorized state.
The timeout inactivity value keywords were added. If you disable MAC authentication bypass from a port after the port has been authenticated with its MAC address, the port state is not affected.
If the port is in the unauthorized state and the client MAC address is not the authentication-server database, the port remains in the unauthorized state. However, if the client MAC address is added to the database, the switch can use MAC authentication bypass to re-authorize the port. If the port is in the authorized state, the port remains in this state until re-authorization occurs.
Clients that were authorized with MAC authentication bypass can be re-authenticated. This example shows how to enable MAC authentication bypass and to configure the switch to use EAP for authentication. This example shows how to enable MAC authentication bypass and to configure the timeout if the connected host is inactive for 30 seconds. Use the dot1x max-reauth-req interface configuration command to set the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state.
Sets the number of times that the switch retransmits EAPOL-Identity-Request frames to start the authentication process before the port changes to the unauthorized state. If a non If a guest VLAN is configured on the port, after two re-authentication attempts, the port is authorized on the guest VLAN by default. The default is 2. The count range was changed.
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port changes to the unauthorized state. Sets the maximum number of times that the switch forwards an EAP frame (assuming that no response is received) to the authentication server before restarting the authentication process.
Use the dot1x max-req interface configuration command to set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP) frame from the authentication server (assuming that no response is received) to the client before restarting the authentication process. For example, if you have a supplicant in the middle of the authentication process and a problem occurs, the authenticator will re-transmit data requests two times before stopping the process.
The range is 1 to 10; the default is 2. This example shows how to set 5 as the number of times that the switch sends an EAP frame from the authentication server to the client before restarting the authentication process. Use the dot1x pae interface configuration command to configure the port as an IEEE The port is not an IEEE Use the no dot1x pae interface configuration command to disable IEEE When you configure IEEE After the no dot1x pae interface configuration command is entered, the Authenticator PAE operation is disabled.
This example shows how to disable IEEE You can verify your settings by entering the show dot1x or show eap privileged EXEC command. Use the dot1x port-control interface configuration command to enable manual control of the authorization state of the port.
Deny all access through this port by forcing the port to change to the unauthorized state, ignoring all attempts by the client to authenticate.
You must globally enable IEEE The IEEE You can use the auto keyword only if the port is not configured as one of these. (Optional) Stack switch number, module, and port number of the interface to re-authenticate.
You can use this command to re-authenticate a client without waiting for the configured number of seconds between re-authentication attempts (re-authperiod) and automatic re-authentication. This example shows how to manually re-authenticate the device connected to a port. Enables periodic re-authentication of the client. Use the dot1x reauthentication interface configuration command to enable periodic re-authentication of the client.
You configure the amount of time between periodic re-authentication attempts by using the dot1x timeout reauth-period interface configuration command. This example shows how to disable periodic re-authentication of the client.
This example shows how to enable periodic re-authentication and to set the number of seconds between re-authentication attempts to seconds. Manually initiates a re-authentication of all IEEE This example shows how to force a supplicant switch to send multicast EAPOL packets to the authenticator switch.
Configure an interface to act only as a supplicant. Use this command to test the IEEE This example shows how to enable the IEEE It also shows the response received from the queried port verifying that the device connected to it is IEEE The range is from 1 to seconds. You can verify the timeout configuration status by entering the show run privileged EXEC command. Checks for IEEE Use the dot1x timeout interface configuration command to set IEEE Number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client.
Set the number of seconds between re-authentication attempts. Number of seconds that the switch waits for the retransmission of packets by the switch to the authentication server. However, we recommend a minimum setting of Number of seconds that the switch waits for the retransmission of packets by the switch to the IEEE The range is 30 to The range for tx-period keyword was changed, and the reauth-period server keywords were added.
The ratelimit-period keyword was introduced. The range for tx-period seconds is incorrect. The correct range is from 1 to The dot1x timeout reauth-period interface configuration command affects the behavior of the switch only if you have enabled periodic re-authentication by using the dot1x reauthentication interface configuration command. During the quiet period, the switch does not accept or initiate any authentication requests. If you want to provide a faster response time to the user, enter a number smaller than the default.
This example shows how to enable periodic re-authentication and to set as the number of seconds between re-authentication attempts. This example shows how to enable periodic re-authentication and to specify the value of the Session-Timeout RADIUS attribute as the number of seconds between re-authentication attempts.
This example shows how to set 30 seconds as the quiet time on the switch. This example shows how to set 45 seconds as the switch-to-authentication-server retransmission time.
This example shows how to set 45 seconds as the switch-to-client retransmission time for the EAP request frame. This example shows how to set 30 as the number of seconds that the switch ignores EAPOL packets from successfully authenticated clients. You can verify your settings by entering the show dot1x privileged EXEC command.
Use the dot1x violation-mode interface configuration command to configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.
Error-disables the port or the virtual port on which a new unexpected MAC address occurs. Silently discards packets from any new MAC addresses. This is the default setting. By default dot1x violation-mode protect is enabled. Use the duplex interface configuration command to specify the duplex mode of operation for a port.
Use the no form of this command to return the port to its default value. Enable automatic duplex configuration; the port automatically detects whether it should run in full- or half-duplex mode, depending on the attached device mode.
The default is auto for Fast Ethernet and Gigabit Ethernet ports. For information about which SFP modules are supported on your switch, see the product release notes. For Fast Ethernet ports, setting the port to auto has the same effect as specifying half if the attached device does not autonegotiate the duplex parameter.
    Switch# configure terminal
    Switch(config)# ip ftp username User
    Switch(config)# ip ftp password Password
    Switch(config)# end
    Switch# copy ftp flash
    Address or name of remote host []?

The last step is to configure the switch to load the new version of IOS. We have to do this, because otherwise the old version of IOS would be loaded. Finally, we have to save the configuration using the write memory command and restart the device using the reboot command. We can verify that the newer version of IOS is being used. We can also send the file to the other side for backup in the following way:

    Switch# copy startup-config ftp
    Address or name of remote host []?

(Optional) Downloads the image files from the TFTP server to the switch, and overwrites the current image.
The download algorithm verifies that the image is appropriate for the switch model and that enough DRAM is present, or it aborts the process and reports an error. If there is not enough space to install the new image and keep the current running image, the download process stops, and an error message is displayed. The algorithm installs the downloaded image on the system board flash device (flash:).
The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image. For filesystem, use flash: for the system board flash device. For file-url, enter the directory name of the old image. All the files in the directory and the directory are removed. You can upload an image from the switch to a TFTP server. You can later download this image to the switch or to another switch of the same type.
Use the upload feature only if the web management pages associated with Device Manager have been installed with the existing image. Uploads the currently running switch image to the TFTP server. The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the file format.
You upload a switch image file to a server for backup purposes. You can use this uploaded image for future downloads to the switch or another switch of the same type. You can copy image files to or from an FTP server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list. The switch sends the first valid password in this list. The username and password must be associated with an account on the FTP server.
If you are writing to the server, the FTP server must be properly configured to accept the FTP write request from you. Use the ip ftp username and ip ftp password commands to specify a username and password for all copies. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username only for that operation.
If the server has a directory structure, the image file is written to or copied from the directory associated with the username on the server. For example, if the image file resides in the home directory of a user on the server, specify that user's name as the remote username. Before you begin downloading or uploading an image file by using FTP, complete these tasks. For more information, see the documentation for your FTP server. You can download a new image file and overwrite the current image or keep the current image.
To keep the current image, follow Steps 1 to 6 and Step 8. (Optional) Enters global configuration mode on the switch. This step is required only if you override the default remote username or password. (Optional) Changes the default remote FTP username.
(Optional) Downloads the image files from the FTP server to the switch, and overwrites the current image. (Optional) Downloads the image files from the FTP server to the switch, and saves the current image.
If there is not enough space to install the new image and keep the running image, the download process stops, and an error message is displayed. The algorithm installs the downloaded image onto the system board flash device (flash:). For file-url, enter the directory name of the old software image.