Switching Misc. 1

To authenticate 802.1x clients:
SW1(config)# dot1x system-auth-control
SW1(config)# aaa new-model
SW1(config)# aaa authentication dot1x default group radius
SW1(config)# radius-server host 150.100.220.100 key ipexpert
  • When a PC doesn’t support EAP, it can be placed in a guest-vlan:
    dot1x guest-vlan 200
  • When the authentication is failed:
    dot1x auth-fail vlan 100

Port-security table won’t survive a reload unless using “sticky” parameter.


switchport protected: The ports cannot communicate even with other ports in the same VLAN


Assign a static switching table entry
SW1(config)# mac-address-table {dynamic | static | secure} mac-addr {vlan vlan-id} {interface int1 [int2 … int15] [protocol {ip | ipx | assigned}]

If the destination port is a trunk, you must also specify the destination VLAN number vlan-id.

Set the switching table aging time:
SW1(config)# mac-address-table aging-time seconds [vlan vlan-id]

For VLAN number vlan-id (2 to 1001), entries are aged out of the switching table after seconds (0, 10 to 1,000,000 seconds; default 300 seconds). A value of 0 disables the aging process. The VLAN number is optional. If not specified, the aging time is modified for all VLANs.

Optimize the port as a connection to a single host
SW1(config-if)# switchport host

Several options are set for the port: STP PortFast is enabled, trunk mode is disabledEtherChannel is disabled, and no dot1q trunking is allowed.

Share this!

Author: Mo Moghaddas

Traveler. Casual investor. Hobbyist landscape photographer loving Networks. Blockchain/Cryptocurrency enthusiast. Internet citizen!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.