Prevent hub on a 802.1x switch port

Hi,
An 802.1x port on a switch will grant a hub access if there is an 802.1x PC connected to the hub.
Non-802.1x PCs can access the 802.1x network if they connect to the hub and spoof the MAC address of the 802.1x PC (switch port uses single-host mode).
Does anyone know how we can prevent this access?
Thanks,
Gerard van Bon

Very true. I must have been in wonderland when I half-way thought that one through.
I am not sure whether dynamic ARP inspection would be helpful in this situation or not. If the ARP tables are built within the switch based upon DHCP snooping, the second host with the same MAC address would have to have a statically entered IP address in order to function. If it tried to obtain one via DHCP, the DHCP server would see that it had issued a specific IP address to that MAC address and would reissue the same IP address to the second host. I guess the second PC could do a NACK to the DHCPOFFER. In this case you could watch your DHCP address allocation for the particular subnet, and if you have more addresses issued than you have ports, that could be an indication. Of course there are a few issues with that. Mainly, it would require a fairly static environment to do something like that.
Another problem, and this would be much easier to do from a PC standpoint, would be to set up the 802.1x authenticated PC as a NAT device and connect the second or more devices behind it. (Windows makes this pretty easy now.) If a SOHO router (i.e., a Linksys-type device) were to support 802.1x, it could be plugged in and all devices placed behind it would be able to access the network based upon the NAT functions of the SOHO router. A user smart enough to spoof a MAC address to bypass network security will likely be aware of these methods as well.
Steve
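The detection idea in the thread (compare what DHCP handed out with what the ports should be carrying, and look for one MAC address holding more than one lease) can be turned into a small triage script. The following is an added example, not code from the thread or from any vendor: it parses a constructed `show ip dhcp snooping binding` table and a constructed port inventory (interface name, access VLAN, 802.1x host mode), and reports the conditions that would indicate a hub or a second device sharing an authenticated port. The sample data, the port inventory format and the finding labels are all assumptions made for the example.

```python
"""Triage a DHCP snooping binding table for signs of a shared 802.1x port.

Added example. The binding table below is a constructed sample that follows
the column layout of `show ip dhcp snooping binding`; the port inventory is a
constructed dict of interface -> (access VLAN, 802.1x host mode).
"""
import re
from collections import Counter, defaultdict

# Constructed sample output (not from any real switch).
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.30.0.10       85123       dhcp-snooping  300   GigabitEthernet1/0/1
00:11:22:33:44:55   10.30.0.11       85001       dhcp-snooping  300   GigabitEthernet1/0/1
00:aa:bb:cc:dd:ee   10.30.0.12       84000       dhcp-snooping  300   GigabitEthernet1/0/2
00:aa:bb:cc:dd:ee   10.30.0.13       80000       dhcp-snooping  300   GigabitEthernet1/0/5
00:de:ad:be:ef:01   10.30.0.14       79000       dhcp-snooping  300   GigabitEthernet1/0/3
00:de:ad:be:ef:02   10.30.0.15       78500       dhcp-snooping  300   GigabitEthernet1/0/3
Total number of bindings: 6
"""

# Constructed port inventory: interface -> (access VLAN, authentication host-mode).
SAMPLE_PORTS = {
    "GigabitEthernet1/0/1": (300, "single-host"),
    "GigabitEthernet1/0/2": (300, "single-host"),
    "GigabitEthernet1/0/3": (300, "single-host"),
    "GigabitEthernet1/0/5": (300, "single-host"),
}

# One binding row: MAC, IP, lease, type, VLAN, interface (header/footer lines do not match).
BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<lease>\d+)\s+(?P<type>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<intf>\S+)\s*$",
    re.IGNORECASE,
)


def parse_bindings(text):
    """Return one dict per binding row; non-matching lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["mac"] = row["mac"].lower()
            row["vlan"] = int(row["vlan"])
            rows.append(row)
    return rows


def find_anomalies(bindings, ports):
    """Return a list of (kind, subject, detail) findings worth a look.

    multiple-ips:               one MAC holds leases for several IPs (a second
                                host reusing the authenticated MAC and taking a
                                fresh lease, as described in the thread)
    mac-on-multiple-ports:      the same MAC is bound behind several interfaces
    multiple-macs-single-host:  a single-host port has more than one MAC bound
    leases-exceed-ports:        a VLAN has more leases than access ports feeding it
    """
    findings = []
    by_mac = defaultdict(set)    # mac  -> {(ip, interface)}
    by_port = defaultdict(set)   # intf -> {mac}
    leases_per_vlan = Counter()
    for b in bindings:
        by_mac[b["mac"]].add((b["ip"], b["intf"]))
        by_port[b["intf"]].add(b["mac"])
        leases_per_vlan[b["vlan"]] += 1

    for mac, seen in by_mac.items():
        ips = sorted({ip for ip, _ in seen})
        intfs = sorted({intf for _, intf in seen})
        if len(ips) > 1:
            findings.append(("multiple-ips", mac, ips))
        if len(intfs) > 1:
            findings.append(("mac-on-multiple-ports", mac, intfs))

    for intf, macs in by_port.items():
        _, host_mode = ports.get(intf, (None, None))
        if host_mode == "single-host" and len(macs) > 1:
            findings.append(("multiple-macs-single-host", intf, sorted(macs)))

    # The thread's heuristic: more leases on the subnet than ports that serve it.
    ports_per_vlan = Counter(vlan for vlan, _ in ports.values())
    for vlan, leases in leases_per_vlan.items():
        if leases > ports_per_vlan.get(vlan, 0):
            findings.append(("leases-exceed-ports", vlan, (leases, ports_per_vlan.get(vlan, 0))))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in find_anomalies(parse_bindings(SAMPLE_BINDINGS), SAMPLE_PORTS):
        print(f"{kind:28} {subject!s:22} {detail}")
```

The script only reads a binding table, so it reports what DHCP snooping already knows; a second host that configures a static IP never appears in that table, which is exactly the case that dynamic ARP inspection and IP source guard (as on the Cat 4510 port config further down this page) are meant to block rather than merely detect.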

Similar Messages

  • AP 802.1X switched port-authentication

    Hi,
    I've setup EAP authentication (PEAP) to authenticate WLAN client on an AP.
    The AP is connected to a switch where the port is not configured for 802.1X.
    On this switched port I enabled 802.1X in multi-host mode to also authenticate the AP as a client, but since it has been enabled I have not been able to authenticate the WLAN client anymore, because the port will not transition to Authorized.
    If I connect a PC using 802.1X on the same port, this works fine.
    Am I missing something to configure on the switch or AP?
    Any suggestions are appreciated.
    Regards
    Omar

    Omar,
    There's a gotcha with this...most likely a trunk issue...
    Here is a snippet for EAPOL guidelines:
    Authentication Configuration Guidelines
    This section provides the guidelines for configuring 802.1x authentication on the switch:
    802.1x will work with other protocols, but we recommend that you use RADIUS with a remotely located authentication server.
    802.1x is supported only on Ethernet ports.
    Software release 7.5(1) supports two in-band management interfaces, sc0 and sc1.
    802.1x authentication always uses the sc0 interface as the identifier for the authenticator when communicating with the RADIUS server.
    802.1x authentication is not supported with the sc1 interface.
    You cannot enable 802.1x on a trunk port until you turn off the trunking feature on that port.
    You cannot enable trunking on an 802.1x port.
    You cannot enable 802.1x on a dynamic port until you turn off the DVLAN feature on that port.
    You cannot enable DVLAN on an 802.1x port.
    You cannot enable 802.1x on a channeling port until you turn off the channeling feature on that port. You cannot enable channeling on an 802.1x port.
    You cannot enable 802.1x on a switched port analyzer (SPAN) destination port. You cannot configure SPAN destination on an 802.1x port. However, you can configure an 802.1x port as a SPAN source port.
    You cannot set the auxiliary VLAN to dot1p or untagged and the auxiliary VLAN should not be equal to the native VLAN on the 802.1x-enabled port.
    You cannot enable the multiple-authentication option on an 802.1x-enabled auxiliary VLAN port. Enabling the multiple-host option on an 802.1x-enabled auxiliary VLAN is not recommended.
    Do not assign a guest VLAN equal to an auxiliary VLAN because an 802.1x-enabled auxiliary VLAN port will not be put into the guest VLAN if the auxiliary VLAN on the port is the same as the guest VLAN.
    Here is the url for the link:
    http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080121d12.html#1029697

  • 802.1X Authentication issues when moving between switch ports

    Hi Guys,
    We are having some issues at our office where, when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about features called MAC Move and MAC Replace, but they seem to be used when moving from one port on a switch to another port on that same switch. Will MAC Move help for issues between switches? And should I focus my attention on the switch's configuration, or have a look at the NPS server that might be blocking that authentication because the user is already authenticated?
    The configuration we have on the switch ports looks as follows:
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    dot1x pae authenticator
    Your help is greatly appreciated.
    Grant

    Hi Neno,
    Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.
    Here is the config:
    aaa group server radius customer-nps
     server name radius1
     server name radius2
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    radius server radius1
     address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
     key 7 05392415365959251C283630083D2F0B3B2E22253A
    radius server radius2
     address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
     key 7 107C2B031202052709290B092719181432190D000C
    interface GigabitEthernet1/0/1
     switchport access vlan 300
     switchport mode access
     switchport voice vlan 2
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication periodic
     authentication timer reauthenticate 28800
     authentication timer inactivity 1800
     mab
     no snmp trap link-status
     mls qos trust cos
     dot1x pae authenticator
     auto qos trust cos
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     spanning-tree portfast
     spanning-tree bpdufilter enable

  • Lwapp capwap AP to act as a supplicant on a 802.1x enabled switch port

    Hi
    All our switch ports are configured to validate the connected device with 802.1x.
    However, when a wireless access point that is running FlexConnect is connected, I have to make a "mac bypass" for the AP MAC address and add the multi-host command to the port config.
    I would really like to move away from the MAC bypass, but keep the multi-host command, and install a certificate on the AP. Does anyone have any ideas about how to get the AP itself to authenticate?

    Hi,
    The AP can act as an 802.1x supplicant if it is connected to an 802.1x enabled switch port.
    Cisco unified APs, however, support only EAP-FAST as the EAP method.
    Here is a config example, hope it'll be useful.
    http://goo.gl/HMbiHL
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Join switch ports together

    cisco 2651XM router
    IOS: c2600-adventerprisek9-mz.124-15.T9.bin
    NM-16-ESW switch fitted
    regarding the switch ports (F1/0 to F1/15):
    is there a command that will join two or more switch ports together and make them act as plain hub ports?

    thanks for your response, but I can't get those commands to work.
    router(config)#monitor session 1 source vlan 1
    SPAN Source Vlan is not supported in this platform
    router(config)#monitor session 1 source int fa 0/1, 0/2, 0/3
    doesn't work either. It doesn't recognise the commas, doesn't recognise spaces, doesn't seem to allow more than one port to be specified - unless I'm doing it wrong.
    if I query what's available this is what I get:
    router(config)#monitor session 1 source int ?
      FastEthernet  FastEthernet IEEE 802.3
      Port-channel  Ethernet Channel of interfaces:
    there doesn't seem to be any way to choose multiple ports.

  • Can I use a USB hub to connect to multiple USB ports from one GPIB-USB-HS?

    I have one instrument which has a GPIB-USB-HS connected, and the USB cable is connected to a USB hub. Can I have multiple PCs connect through the USB hub at their respective USB ports? If so, how many PCs can I connect using the USB cable?
    I have downloaded the latest NI-VISA from the website.

    You would first need a hub that allows you to switch between multiple PCs, and then only one PC at a time would be connected and in control.
    When you buy this special type of hub, one of the specs is how many pc connections it has.

  • Can't get switch ports to work

    Okay, so I have a basic home lab: 2600 router x2 and 2900 XL switch x2. I've connected each router together (they "see" each other in CDP), and each router to one switch. My problem is that the interfaces that the router connects to the switch won't accept an IP address (it says unrecognized command), and the switch lights are off. A "show status" says only the trunk ports (22 on each switch) are connected. I've checked the cabling, it works, and the cables are out of the box. What am I missing/forgetting?
    Sorry if I'm a newb :\ I'm looking forward to going over static routes xD
    Thanks,
    Devlin
    (I looked through the documentation, maybe I missed it? I did a config reset on the switches. I bought these used, I hope they aren't broken :\)

    No, they don't work, POST is fine (The switches boot normally), CABLING IS FINE, they are NOT admin down
    Switch1#sho run
    Building configuration...
    Current configuration:
    version 12.0
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname Switch1
    ip subnet-zero
    !!!!! Omitted fa ports 1-24
    interface VLAN1
    no ip directed-broadcast
    no ip route-cache
    line con 0
    transport input none
    stopbits 1
    line vty 5 15
    end
    Switch1#sho int status
    Says every port except the ports trunking between the two switches is "not connected"
    !!!!! HERE'S AN EXAMPLE OF ONE OF THE DOWN SWITCH PORTS !!!!!
    Switch1#sho int fa0/1
    FastEthernet0/1 is down, line protocol is down
      Hardware is Fast Ethernet, address is 00b0.647f.6681 (bia 00b0.647f.6681)
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive not set
      Auto-duplex , Auto Speed , 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output 1d23h, output hang never
      Last clearing of "show interface" counters never
      Queueing strategy: fifo
      Output queue 0/40, 0 drops; input queue 0/75, 0 drops
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         1 packets input, 64 bytes
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 0 multicast
         0 input packets with dribble condition detected
         2 packets output, 424 bytes, 0 underruns
         0 output errors, 0 collisions, 1 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out
    Switch1# sh version
    Cisco Internetwork Operating System Software
    IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC8, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 19-Jun-03 13:09 by antonino
    Image text-base: 0x00003000, data-base: 0x0034E2F4
    ROM: Bootstrap program is C2900XL boot loader
    Switch1 uptime is 1 day, 23 hours, 31 minutes
    System returned to ROM by power-on
    System image file is "flash:c2900xl-c3h2s-mz.120-5.WC8.bin"
    cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
    Processor board ID FAA0402G17B, with hardware revision 0x03
    Last reset from power-on
    Processor is running Enterprise Edition Software
    Cluster command switch capable
    Cluster member switch capable
    24 FastEthernet/IEEE 802.3 interface(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:B0:64:7F:66:80
    Motherboard assembly number: 73-3425-10
    Power supply part number: 34-0920-01
    Motherboard serial number: FAA04019FEM
    Power supply serial number: NONE
    Model revision number: A0
    Model number: WS-C2924M-XL-EN
    System serial number: FAA0402G17B
    Configuration register is 0xF
    I'm really desperate here I have no idea what the problem is, and I cannot prepare for the exam without being able to assign ip addresses to the switch ports. If anyone can help me I would be EXTREMELY grateful.
    Thanks
    Devlin

  • Switch port in dot1x multi-auth mode stops passing traffic

    Dear All,
    I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
    interface GigabitEthernet2/34
    switchport mode access
    ip arp inspection limit rate 30
    authentication host-mode multi-auth
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    dot1x pae authenticator
    dot1x timeout tx-period 5
    dot1x max-reauth-req 6
    spanning-tree portfast
    ip verify source vlan dhcp-snooping
    end
    It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occurs. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
    Did anyone experience a similar problem? Any advice?
    Thanks.
    Mirek

    We have the same issue on a 3750E switch running 12.2(58)SE.

  • 802.1x Blocking port (many deviсes to one port)

    Hello!
    On the ports of the Cisco 3750 there is authentication with 802.1x (MAB). I connect a "stupid" switch (one that doesn't work with 802.1x) to the port, and the logs of the RADIUS server and the Cisco show that it was authenticated. Then I connect a device (laptop or PC) to the "stupid" switch, and the port is blocked. However, the PC passes authentication when connected directly to the Cisco.
    I know that 802.1x provides blocking of the port when many MAC addresses connect to one port.
    The "stupid" switch must be in a VLAN, and the devices (that are connected to the switch) must be in the same VLAN. Maybe they must be authenticated on the RADIUS server, or maybe I have to create an ACL with their MAC addresses...
    How can it be solved? Help me, please.
    P.S. Multi-auth is enabled.

    Hi,
    Along with all the other bits and pieces to invoke 802.1x on the switch,
    maybe try adding this to the interface to "stupid":
    interface gigabitethernet2/0/1
    description *** LINK TO STUPID ***
    dot1x port-control auto
    dot1x host-mode multi-host
    end
    from the 12.2.55 config guide
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/sw8021x.html#wp1271507
    Regards
    Alex

  • How to search/Scan Vlan of cisco switch ports

    Can anyone tell me how I can scan/search the VLANs of Cisco switch ports through any monitoring tool (Orion/SolarWinds)?
    Consider this scenario: I have no access to the switch and I want to know the things below:
    1-Vlans created on switch?
    2-which switch port belongs to which vlan id?
    Thanks

    Hi,
    You can do it only with a hub in between. Also, please note that when sniffing with Wireshark on Windows the OS removes the VLAN tag, so you may need to use a Linux machine.
    Regards,
    Aleksandra

  • Why would you NOT enable Loop Guard on switch ports?

    Hello
    Why would you NOT enable Loop Guard on switch ports?
    It is disabled by default on all ports.
    Since it prevents loops, in the absence of receiving BPDUs on non-designated ports, why would it not be enabled by default?


  • Time Capsule, NAS and Switch port issues

    I purchased a Time Capsule yesterday I can get the wifi to work but I am having some other issues.
    I need to be able to attach an existing Western Digital NAS drive to the TC through Ethernet. When I connect it, it shows up in the Finder but will not connect.
    I also need to be able to connect a switch port into the TC as well. The switch runs Ethernet throughout the building to wall jacks, as well as to a dedicated PC server.
    When I plug both these devices into the ISP modem/router they work, but the TC won't recognize them.
    Am I missing some settings or steps that I need to take to make this work?

    Did you put the TC into bridge mode.. ??
    If it is a router.. all kinds of bad things can happen.. like dhcp server is working and double NAT preventing access.. much like you describe.
    Set up the TC in isolation from the network before you plug it in.
    Bridge in v5 utility.. (if you run lion it is easy to download and install is still preferred).
    Bridge in v6 utility go to the Network tab and change it from DHCP and NAT to off bridge mode.
    Picture pending if you need it.

  • Jabber and Media Interface Service - Switch port

    Hi All,
    here is from Cisco:
    Before Cisco Jabber for Windows sends audio media or video media, it checks for Cisco Media Services Interface.
    • If the service exists on the computer, Cisco Jabber for Windows provides flow information to Cisco Media Services Interface. The service then signals the network so that routers classify the flow and provide priority to the Cisco Jabber for Windows traffic.
    • If the service does not exist, Cisco Jabber for Windows does not use it and sends audio media and video media as normal.
    My question is: what does "normal" mean?
    1- We can identify ports for Jabber in CUCM, then create an ACL and apply QoS. In that case, what does "normal traffic" mean?
    2- For MSI, do we need to configure anything on the switch port for it to work properly?
    3- How does the switch know which QoS to apply based on what MSI is saying? Does it still need an ACL? If yes, what is the point of using MSI for QoS?
    Thanks,
    Hamed

    This would be EF for voice, AF41 for video/voice, and CS3 for SIP signal. Two things typically cause this to get treated as best effort:
    The Windows PC is not allowing the application to set DSCP markings. Group or local security policy can be used to allow this.
    The switch is not trusting the data VLAN. Most SRND material suggests using a policer to limit the amount of EF/AF41/CS3 traffic from the data VLAN and to remark the violating traffic to best effort.
    You'll want to start with the MediaNet Deployment Guide. There is a lot going on to make this work.
    The MSI tells the switch what application and ports are being used. The switch then sets the DSCP marking on that traffic.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • Two VLANs on one switch port?

    Currently we have the following:
    Cat 4003 with VLAN trunking turned on to multiple switches. Each port in those exterior switches is assigned to a VLAN (we have about 60 different VLANs).
    What I would like to do is have two VLANs assigned to the ports on those exterior switches.
    We'd like to create a single IP Phone VLAN (let's call it 999) that can span our entire enterprise and would have DHCP deployed on it.
    Each port is connected to an IP phone, which has a 2-port switch in it. One port to the wall, one to the PC.
    The switch ports on those phones support VLAN tagging.
    How would I set up an exterior switch to access 2 VLANs that connect to the 2-port switch on an IP phone?

    To facilitate ease of deployment, use VTP so that you can centrally create the VLANs and propagate them to each exterior switch. Now I believe you already have a layer 3 engine or router that does routing between all these VLANs. What switches are used on the exterior? This is to find out if voice VLAN support is available.
    In cat switches, voice vlan is created using command,
    set port auxiliaryvlan vlan
    In IOS based switches,
    int fa0/1
    switchport mode trunk
    switchport trunk encap dot1q
    switchport trunk native vlan
    switchport voice vlan
    switchport priority cos extend 0
    or
    int fa0/1
    switchport mode access
    switchport access vlan
    switchport voice vlan
    I am not sure about support for voice/aux VLAN on the 4003. We will have to check your other switch models/software versions to determine support for this command.

  • Failed while creating virtual Ethernet switch. Failed to connect Ethernet switch port

    Hello Folks
    I am completely stuck with the configuration of my virtual networks. I had one logical switch left to add to one of my Hyper-V 2012 R2 hosts when I started getting the error below whenever I try to add logical switches to either Hyper-V host. I have been using the document 'Hybrid Cloud with NVGRE (Cloud OS)' to implement the virtual networking, basically using the exact configuration that is in the document. I have added the PA Logical Network and the network adapters, added the logical switch for it to my Hyper-V 2012 R2 host, and everything was fine. I am now trying to add my iSCSI logical switch to the host, and this is the error I get. On my other Hyper-V host I get this error for any logical switch I try to add. Can someone help me with this error? I haven't been able to find any information about it.
    Also, some quick info on tracing an error like this would help so I can figure out what is causing it.
    This is my configuration so far.
    So as far as I know everything is peachy until the error below. Dead stop now.
    Error (12700)
    VMM cannot complete the host operation on the 08-NY-VHOST01.accounts.ccac-ont.ca server because of the error: Failed while creating virtual Ethernet switch.
    Failed to connect Ethernet switch port (switch name = '******', port name = '88C16766-ED02-4AC0-8CD7-660AC9D424DD', adapter GUID = '{FAF431D8-0124-4E40-BB3B-9234BAA02973}'): The system cannot find the file specified. (0x80070002).
    Unknown error (0x800b)
    Thank you for your time
    Christopher
    Christopher Scannell

    Notice your GUID? You may want to consider ensuring that it is the same GUID associated in your database. Sometimes during data corruption there's a smidge of a chance your SQL database pulls old GUIDs, especially if this was reverted to a snapshot without it being powered off, etc.
    I would try that first. Then I would consider whether you get to configure that with your current license associated with the host. I would need way more info to help any further.
