802.1X Authentication - Cisco Catalyst 4500 Series Software Configuration Manual

Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex, Chapter 55, Configuring Port Security
Configuring Port Security with Other Features/Environments

802.1X Authentication

You might want to configure port security with 802.1X authentication to prevent MAC spoofing. 802.1X is not supported on regular or private VLAN trunks. On access ports and PVLAN host or promiscuous ports, both port security and 802.1X can be configured simultaneously. When both are configured, hosts must be 802.1X authenticated before port security can secure the MAC address of the host. Both 802.1X and port security must approve of the host or a security violation will be triggered. The type of security violation depends on which feature rejects the host: if the host is allowed by 802.1X (for example, because the port is in multihost mode) but is disallowed by port security, the port-security violation action will be triggered. If the host is allowed by port security but rejected by 802.1X (for example, because the host is not authorized on a single-host mode port), then the 802.1X security violation action will be triggered.

802.1X, port security, and VVID (voice VLAN ID) can all be configured on the same port.
Note: For more information on the interaction between 802.1X and port security, see "Using 802.1X with Port Security" on page 18.
Configuring Port Security in a Wireless Environment

If access points are connected to a secure port, do not configure a static MAC address for your users. A MAC address might move from one access point to another and might cause security violations if both the access points are connected on the same switch.
Figure 55-3 illustrates a typical topology of port security in a wireless environment.

[Figure 55-3: Port Security in a Wireless Environment. Elements shown: Switch; AP1; AP2; wireless laptop associated with AP1; wireless laptop "roamed" out to AP2; bindings MAC1 <---> IP2 (invalid) and MAC2 <---> IP1 (invalid).]

IP traffic with the correct source IP and MAC address binding will be permitted and port security will dynamically learn its MAC address. IP traffic with source addresses that are not in the binding will be treated as invalid packets and dropped by port security. To prevent a denial of service attack, you must configure port security rate limiting for the invalid source MAC address.
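The following configuration is an added example, not the guide's own, that puts the two features from the 802.1X section together on one access port and adds the invalid-source-MAC rate limit that the wireless passage calls for. The interface name, VLAN numbers, RADIUS server address and key, and the numeric limits are assumed; the global `port-security limit rate invalid-source-mac` command is given from memory of the Catalyst 4500 command set and should be checked against the command reference for your release.

```cisco
! Added example (not from the guide). Names, addresses and limits are assumed.
! Global prerequisites for 802.1X authentication against RADIUS
aaa new-model
aaa authentication dot1x default group radius
radius server EXAMPLE-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key EXAMPLE-SHARED-SECRET
dot1x system-auth-control
!
! Rate-limit frames with invalid source MACs so a flood of bogus sources
! cannot exhaust the switch (value assumed; Catalyst 4500 global command,
! verify against your release's command reference)
port-security limit rate invalid-source-mac 100
!
! Access port carrying a PC plus an IP phone on the voice VLAN (VVID)
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 ! 802.1X: the first host must authenticate before port security will
 ! secure any MAC. Multi-host mode lets further MACs through once one host
 ! has authenticated, so it is port security that bounds the MAC count.
 authentication port-control auto
 authentication host-mode multi-host
 dot1x pae authenticator
 ! Port security: at most two MACs (PC + phone), learned dynamically rather
 ! than statically, which is what the wireless passage advises. A third MAC
 ! is the case described above: allowed by 802.1X (multihost) but rejected
 ! by port security, so the port-security action "restrict" fires.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
```

After applying it, `show authentication sessions interface GigabitEthernet1/1` shows which host passed 802.1X and `show port-security interface GigabitEthernet1/1` shows the secured MAC count and the violation counter.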