IEEE 802.1x Configuration
IEEE 802.1x port-based authentication is configured by enabling AAA authentication,
configuring the RADIUS server parameters, and enabling 802.1x on the interface.
Example 4-24 enables 802.1x authentication on an FE interface. The aaa authentication
dot1x default group radius command enables IEEE 802.1x authentication on the switch.
In Example 4-24, the RADIUS server has an IP address of 1.1.1.1, and the RADIUS key is
ccie-key. The interface is configured to use 802.1x authentication with the
dot1x port-control auto command.
Example 4-24 802.1x Configuration Example
aaa new-model
aaa authentication dot1x default group radius
!
radius-server host 1.1.1.1 auth-port 1812 key ccie-key
!
interface fastethernet 1/1
dot1x port-control auto
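The following Python check is an added example, not part of the original text: it audits a saved switch configuration for the three steps described above (AAA, a RADIUS server, and dot1x port-control auto on each interface). The sample configuration is constructed; interfaces 1/2 and 1/3 and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: Fa1/1 follows Example 4-24; Fa1/2 and Fa1/3 are deliberately wrong.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 1.1.1.1 auth-port 1812 key ccie-key
!
interface fastethernet 1/1
 dot1x port-control auto
!
interface fastethernet 1/2
 dot1x port-control force-authorized
!
interface fastethernet 1/3
 description printer
"""

def parse_interfaces(config):
    """Map each interface name to the commands configured under it."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = []
        elif line in ("", "!"):
            current = None  # assumption: "!" or a blank line ends an interface block
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def audit_dot1x(config):
    """Return a list of findings; an empty list means all three steps are present."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("global: aaa new-model missing")
    if not any(re.match(r"aaa authentication dot1x \S+ group radius", l) for l in lines):
        findings.append("global: no dot1x authentication method list using RADIUS")
    if not any(re.match(r"radius-server host \S+", l) for l in lines):
        findings.append("global: no RADIUS server defined")
    for name, cmds in parse_interfaces(config).items():
        modes = [c.split()[-1] for c in cmds if c.startswith("dot1x port-control ")]
        if not modes:
            findings.append(f"{name}: 802.1x not enabled")
        elif modes[-1] != "auto":
            findings.append(f"{name}: port-control is {modes[-1]}, not auto")
    return findings
```

Ports that are intentionally exempt from 802.1x, such as uplinks, are also reported, so review each finding against the role of the port.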
Private VLANs
Private VLANs provide isolation for ports that are configured within the private VLAN
structure. You can use private VLANs when hosts on the same segment do not need to
communicate with each other but do need to communicate with the same router or firewall.
Private VLANs provide isolation at Layer 2 of the OSI model.
Private VLANs consist of the following VLANs:
Primary VLAN—Receives frames from the promiscuous port and forwards them to ports in
the primary, isolated, and community VLANs.
Isolated VLAN—All ports in this VLAN can communicate only with the promiscuous
port. Isolated ports cannot communicate with other isolated ports. Isolated VLANs are
secondary VLANs.
Community VLAN—All ports in this VLAN can communicate with each other and with
the promiscuous port. Community VLANs are secondary VLANs.
Private VLAN Configuration
To configure private VLANs, create the primary and secondary VLANs, bind secondary
VLANs to the primary VLAN, and assign ports. Then, the secondary VLANs are mapped to the
promiscuous port.
Example 4-25 shows a simple configuration of private VLANs. The set vlan command creates
the primary and secondary VLANs. Use the set pvlan primary secondary mod/port command
to bind secondary VLANs to the primary VLAN and to associate ports. Finally, use the set