The 802.1X Trusted Mac Address Synchronization Function; Supplicant System Checking - 3Com 5500-SI Configuration Manual

Chapter 21: 802.1x Configuration
Configuration procedure
1 Enter system view.
<S5500> system-view
2 Create VLAN 2.
[S5500] vlan 2
3 Enter Ethernet1/0/1 port view.
[S5500] interface ethernet1/0/1
4 Configure the port to operate in port-based authentication mode.
[S5500-Ethernet1/0/1] dot1x port-method portbased
5 Configure Guest VLAN for the port.
[S5500-Ethernet1/0/1] dot1x guest-vlan 2
The 802.1x Trusted MAC Address Synchronization Function
A trusted MAC address is the MAC address of a supplicant system that passes 802.1x authentication and MAC address-based authentication. The 802.1x trusted MAC address synchronization function propagates trusted MAC addresses across an IRF (intelligent resilient framework) fabric when the corresponding supplicant systems pass the authentication performed by IRF-enabled switches.
In an IRF that does not support the 802.1x trusted MAC address synchronization function, authentication is performed only in the unit that holds the port to which the supplicant system is attached. After the supplicant system passes authentication, its MAC address is not propagated to the other units; that is, the MAC address is recognized only by the unit to which the supplicant system is directly connected. This may result in broadcast storms in the fabric.
In an IRF that supports the 802.1x trusted MAC address synchronization function, the MAC address of an authenticated supplicant system is propagated to all units of the fabric. When the supplicant system logs off, all the units in the fabric remove the corresponding MAC address. That is, trusted MAC addresses are synchronized across all units whenever supplicant systems join or leave a fabric.
802.1x Supplicant System Checking
When accompanied by a CAMS server, a Switch 5500 can check for:
- Supplicant systems logging in through proxies
- Supplicant systems logging in through IE proxies
- Supplicant systems logging in with more than one active network adapter installed
A Switch 5500 can optionally take the following measures against any of the three cases:
- Disconnecting the supplicant system and sending Trap packets (use the dot1x supp-proxy-check logoff command)
- Sending Trap packets without disconnecting the supplicant system (use the dot1x supp-proxy-check trap command)
To use this function, the 802.1x clients and CAMS must meet the following requirements:
- The 802.1x clients are capable of detecting multiple network adapters, proxies, and IE proxies.
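An added example, not part of the 3Com manual: a Python check that reads a saved switch configuration and reports, per port, how the Guest VLAN and supplicant proxy-check commands shown on this page are set. The configuration text is constructed, its section layout is assumed, and treating port-based mode as a prerequisite for Guest VLAN is an assumption drawn from the order of the procedure above.

```python
import re

# Constructed sample; assumed layout: "interface <name>", then indented
# port-view commands, with "#" lines separating sections.
SAMPLE_CONFIG = """\
interface Ethernet1/0/1
 dot1x port-method portbased
 dot1x guest-vlan 2
 dot1x supp-proxy-check logoff
#
interface Ethernet1/0/2
 dot1x port-method portbased
 dot1x supp-proxy-check trap
#
interface Ethernet1/0/3
 dot1x guest-vlan 2
#
interface Ethernet1/0/4
 description uplink
#
"""

def parse_ports(config):
    """Return {port: [dot1x commands]} for ports that carry 802.1x settings."""
    ports, current = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
        elif line in ("", "#"):
            current = None
        elif current and line.startswith("dot1x "):
            ports.setdefault(current, []).append(line)
    return ports

def audit(config):
    """Return {port: [findings]}; an empty list means nothing to report."""
    report = {}
    for port, cmds in parse_ports(config).items():
        actions = {c.split()[-1] for c in cmds if c.startswith("dot1x supp-proxy-check ")}
        findings = report.setdefault(port, [])
        guest = any(c.startswith("dot1x guest-vlan ") for c in cmds)
        if guest and "dot1x port-method portbased" not in cmds:  # assumed prerequisite
            findings.append("guest VLAN without port-based mode")
        if not actions:
            findings.append("no supplicant proxy check")
        elif "logoff" not in actions:
            findings.append("proxy check is trap-only")
    return report
```

Ports reported as trap-only keep a proxied or multi-homed supplicant connected, so the Trap packets must be monitored for the check to have any effect.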

This manual is also suitable for:

5500-EI, 5500G-EI
