Configuring 802.1X with ACL Assignments - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 (OL-8978-04), Chapter 40: Configuring 802.1X Authentication, page 40-26

Configuring 802.1X Authentication on the Switch

Configuration Guidelines

This section provides the guidelines for configuring 802.1X unidirectional ports:

• Auxiliary VLANs—To support auxiliary VLANs on a port when you configure the port as a unidirectional port, the auxiliary VLAN is moved to the spanning-tree forwarding state to ensure that the connected IP phone is operational immediately. To prevent any disturbance of the incoming traffic, initially the port VLAN is also moved to the spanning-tree forwarding state and then if any traffic is seen on the port VLAN, the port is moved to the spanning-tree blocking state to drop all additional traffic. The connected host is then requested to get authorized to send any traffic.
• Guest VLANs—The guest VLANs are supported only on the ports that are configured as bidirectional ports. If a guest VLAN is enabled on a port, that port cannot be configured as a unidirectional port, and conversely, a unidirectional port cannot be configured in a guest VLAN.
• Port mode—The port mode (single-authentication mode, multiple-host mode, or multiple-authentication mode) for a port configured as a unidirectional port must be single-authentication mode (the default port mode).

Using the CLI to Configure an 802.1X Unidirectional or Bidirectional Port

If you specify the in keyword, all the incoming traffic is dropped and the outgoing traffic is allowed. If you specify the both keyword (the default), all the receiving traffic and transmitting traffic on the port is dropped. To configure a port as an 802.1X unidirectional port or bidirectional port, perform this task in privileged mode:

Task                                           Command
---------------------------------------------  ----------------------------------------------
Configure a port as an 802.1X unidirectional   set port dot1x mod/port port-control-direction
port or bidirectional port.                    [both | in]

These examples show how to set a port to unidirectional or bidirectional states and verify the configuration:

Console> (enable) set port dot1x 3/1 port-control-direction both
Port 3/1 Port Control Direction set to Both.
Console> (enable) set port dot1x 3/1 port-control-direction in
Port 3/1 Port Control Direction set to In.
Console> (enable) show port dot1x 3/1
Port  Auth-State          BEnd-State Port-Control        Port-Status
----- ------------------- ---------- ------------------- -------------
3/1   connecting          idle       auto                unauthorized
Port  Port-Mode     Re-authentication Shutdown-timeout Control-Mode
                                                       admin   oper
----- ------------- ----------------- ---------------- ---------------
3/1   SingleAuth    enabled           disabled         In      Both
Console> (enable)

Configuring 802.1X with ACL Assignments

These sections describe how to configure 802.1X with ACL assignments:

• Overview, page 40-27
• 802.1X with ACL Assignments Configuration Guidelines, page 40-28
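
As an added example (not part of the Cisco guide), this Python script parses the two tables of show port dot1x output shown on this page and checks every port set to port-control-direction in against the port-mode guideline, also reporting where the operational direction differs from the configured one. The whitespace-based column parsing, the Direction-Admin and Direction-Oper field names, and the constructed port 3/2 with its "MultiHost" mode string are assumptions.

```python
import re

# Port 3/1 is the page's example output. Port 3/2 is constructed, and its
# "MultiHost" mode string is an assumed value, not taken from the guide.
SAMPLE = """\
Port  Auth-State          BEnd-State Port-Control        Port-Status
----- ------------------- ---------- ------------------- -------------
3/1   connecting          idle       auto                unauthorized
3/2   connecting          idle       auto                unauthorized
Port  Port-Mode     Re-authentication Shutdown-timeout Control-Mode
                                                       admin   oper
----- ------------- ----------------- ---------------- ---------------
3/1   SingleAuth    enabled           disabled         In      Both
3/2   MultiHost     enabled           disabled         In      In
"""

PORT_ROW = re.compile(r"^\s*(\d+/\d+)\s+(.*\S)\s*$")

def parse_show_port_dot1x(text):
    """Merge the two tables of `show port dot1x` into one dict per port."""
    ports, header = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):
            header = line.split()[1:]
            if header and header[-1] == "Control-Mode":  # admin/oper sub-columns
                header[-1:] = ["Direction-Admin", "Direction-Oper"]
            continue
        m = PORT_ROW.match(line)
        if m and header and len(m.group(2).split()) == len(header):
            ports.setdefault(m.group(1), {}).update(zip(header, m.group(2).split()))
    return ports

def audit(ports):
    """Return (port, finding) pairs for ports set to port-control-direction in."""
    findings = []
    for port, f in sorted(ports.items()):
        if f.get("Direction-Admin") != "In":
            continue  # bidirectional (the default): guideline does not apply
        mode, oper = f.get("Port-Mode", "unknown"), f.get("Direction-Oper", "unknown")
        if mode != "SingleAuth":  # guideline: unidirectional requires single-auth
            findings.append((port, "unidirectional but port mode is " + mode))
        if oper != "In":
            findings.append((port, "admin direction In, operational " + oper))
    return findings

if __name__ == "__main__":
    for port, finding in audit(parse_show_port_dot1x(SAMPLE)):
        print(port, finding)
```

The parser assumes every column value is a single whitespace-free token, as in the page's sample output.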

This manual is also suitable for:

Catalyst 6506, Catalyst 6509, Catalyst 6513
