To authenticate 802.1x clients:
SW1(config)# dot1x system-auth-control
SW1(config)# aaa new-model
SW1(config)# aaa authentication dot1x default group radius
SW1(config)# radius-server host 150.100.220.100 key ipexpert
- When a PC doesn’t support EAP, it can be placed in a guest VLAN:
dot1x guest-vlan 200
- When authentication fails:
dot1x auth-fail vlan 100
The port-security table won’t survive a reload unless the “sticky” parameter is used.
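An added example, not part of the original notes: a small Python check that parses an IOS-style configuration and reports which of the 802.1X and port-security settings described above are absent. The sample configuration is constructed, and the interface-level commands `dot1x port-control auto` and `switchport port-security mac-address sticky` are IOS commands assumed here; they do not appear in the notes.

```python
REQUIRED_GLOBAL = ("dot1x system-auth-control", "aaa new-model", "radius-server host ",
                   "aaa authentication dot1x default group radius")

# Constructed sample config (not from a real switch); address and key are placeholders.
SAMPLE = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key EXAMPLE-KEY
interface FastEthernet0/1
 dot1x port-control auto
 dot1x guest-vlan 200
 dot1x auth-fail vlan 100
interface FastEthernet0/2
 dot1x port-control auto
 dot1x guest-vlan 200
interface FastEthernet0/3
 switchport port-security
"""

def parse_config(text):
    """Return (global command lines, {interface name: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif raw[0].isspace() and current is not None:
            current.append(line)      # indented: belongs to the open interface
        else:
            current = None            # back at global level
            global_lines.append(line)
    return global_lines, interfaces

def audit(text):
    """List (scope, finding) pairs for settings from the notes that are absent."""
    global_lines, interfaces = parse_config(text)
    findings = [("global", f"missing '{c.strip()}'") for c in REQUIRED_GLOBAL
                if not any(l.startswith(c) for l in global_lines)]
    for name, lines in interfaces.items():
        has = lambda prefix: any(l.startswith(prefix) for l in lines)
        if has("dot1x port-control auto"):
            for cmd in ("dot1x guest-vlan ", "dot1x auth-fail vlan "):
                if not has(cmd):
                    findings.append((name, f"802.1X port without '{cmd.strip()}'"))
        if "switchport port-security" in lines and not has("switchport port-security mac-address sticky"):
            findings.append((name, "port-security without sticky: table lost on reload"))
    return findings
```

Calling `audit(SAMPLE)` returns one finding per missing setting, each tagged with `global` or the interface name.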
switchport protected: The ports cannot communicate even with other ports in the same VLAN
Assign a static switching table entry:
SW1(config)# mac-address-table {dynamic | static | secure} mac-addr {vlan vlan-id} {interface int1 [int2 … int15]} [protocol {ip | ipx | assigned}]
If the destination port is a trunk, you must also specify the destination VLAN number vlan-id.
Set the switching table aging time:
SW1(config)# mac-address-table aging-time seconds [vlan vlan-id]
For VLAN number vlan-id (2 to 1001), entries are aged out of the switching table after seconds (0, 10 to 1,000,000 seconds; default 300 seconds). A value of 0 disables the aging process. The VLAN number is optional. If not specified, the aging time is modified for all VLANs.
Optimize the port as a connection to a single host:
SW1(config-if)# switchport host
Several options are set for the port: STP PortFast is enabled, trunk mode is disabled, EtherChannel is disabled, and no dot1q trunking is allowed.