Home » Cisco Manuals » Bridges & Routers » Cisco WS-C3560E-48PD-SF » Manual Viewer

Cisco WS-C3560E-48PD-SF Command Reference - Page 124

You can con any active VLAN except an Remote Switched Port Analyzer RSPAN VLAN,

View all Cisco WS-C3560E-48PD-SF manuals

Add to My Manuals
Save this manual to your list of manuals

Page 124 highlights

dot1x guest-vlan Chapter 2 Catalyst 3560 Switch Cisco IOS Commands With Cisco IOS Release 12.2(25)SE and later, the switch maintains the EAPOL packet history. If another EAPOL packet is detected on the interface during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest VLAN state, the port is returned to the unauthorized state, and authentication is restarted. The EAPOL history is reset upon loss of link. Entering the dot1x guest-vlan supplicant global configuration command disables this behavior. Any number of non-IEEE 802.1x-capable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted. Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode. You can configure any active VLAN except an Remote Switched Port Analyzer (RSPAN) VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports. After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, you might need to get a host IP address from a DHCP server. You can change the settings for restarting the IEEE 802.1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. Decrease the settings for the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface configuration commands). The amount to decrease the settings depends on the connected IEEE 802.1x client type. Examples This example shows how to specify VLAN 5 as an IEEE 802.1x guest VLAN: Switch(config-if)# dot1x guest-vlan 5 This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request, and to enable VLAN 2 as an IEEE 802.1x guest VLAN when an IEEE 802.1x port is connected to a DHCP client: Switch(config-if)# dot1x timeout quiet-period 3 Switch(config-if)# dot1x timeout tx-period 15 Switch(config-if)# dot1x guest-vlan 2 This example shows how to enable the optional guest VLAN behavior and to specify VLAN 5 as an IEEE 802.1x guest VLAN: Switch(config)# dot1x guest-vlan supplicant Switch(config)# interface gigabitethernet0/1 Switch(config-if)# dot1x guest-vlan 5 You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command. Related Commands Command dot1x show dot1x [interface interface-id] Description Enables the optional guest VLAN supplicant feature. Displays IEEE 802.1x status for the specified port. 2-92 Catalyst 3560 Switch Command Reference 78-16405-05

Section	Page
Catalyst 3560 Switch Command Reference	1
Contents	3
Preface	19
Audience	19
Purpose	19
Conventions	20
Related Publications	20
Obtaining Documentation	21
Cisco.com	21
Product Documentation DVD	22
Ordering Documentation	22
Documentation Feedback	22
Cisco Product Security Overview	23
Reporting Security Problems in Cisco Products	23
Obtaining Technical Assistance	24
Cisco Technical Support & Documentation Website	24
Submitting a Service Request	24
Definitions of Service Request Severity	25
Obtaining Additional Publications and Information	25
Using the Command-Line Interface	27
CLI Command Modes	27
User EXEC Mode	29
Privileged EXEC Mode	29
Global Configuration Mode	29
Interface Configuration Mode	30
config-vlan Mode	30
VLAN Configuration Mode	31
Line Configuration Mode	31
Commands Changed in Cisco IOS 12.2(20)SE	32
Catalyst 3560 Switch Cisco IOS Commands	33
aaa accounting dot1x	33
aaa authentication dot1x	35
action	37
archive download-sw	39
archive tar	42
archive upload-sw	45
arp access-list	47
auto qos voip	49
boot boothlpr	54
boot config-file	55
boot enable-break	56
boot helper	57
boot helper-config-file	58
boot manual	59
boot private-config-file	60
boot system	61
channel-group	62
channel-protocol	65
class	66
class-map	68
clear ip arp inspection log	70
clear ip arp inspection statistics	71
clear ip dhcp snooping database	72
clear ipc	73
clear l2protocol-tunnel counters	74
clear lacp	75
clear mac address-table	76
clear mac address-table move update	78
clear pagp	79
clear port-security	80
clear spanning-tree counters	82
clear spanning-tree detected-protocols	83
clear vmps statistics	84
clear vtp counters	85
cluster commander-address	86
cluster discovery hop-count	88
cluster enable	89
cluster holdtime	91
cluster member	92
cluster outside-interface	94
cluster run	95
cluster standby-group	96
cluster timer	98
define interface-range	99
delete	101
deny (ARP access-list configuration)	102
deny (IPv6 access-list configuration)	104
deny (MAC access-list configuration)	109
dot1x	112
dot1x auth-fail max-attempts	114
dot1x auth-fail vlan	116
dot1x control-direction	118
dot1x critical	120
dot1x default	122
dot1x guest-vlan	123
dot1x host-mode	125
dot1x initialize	127
dot1x max-reauth-req	128
dot1x max-req	129
dot1x multiple-hosts	130
dot1x port-control	131
dot1x re-authenticate	133
dot1x re-authentication	134
dot1x reauthentication	135
dot1x timeout	136
duplex	138
errdisable detect cause	140
errdisable recovery	142
exception crashinfo	145
flowcontrol	146
interface port-channel	148
interface range	150
interface vlan	152
ip access-group	154
ip address	157
ip arp inspection filter vlan	159
ip arp inspection limit	161
ip arp inspection log-buffer	163
ip arp inspection trust	165
ip arp inspection validate	167
ip arp inspection vlan	169
ip arp inspection vlan logging	170
ip dhcp snooping	172
ip dhcp snooping binding	173
ip dhcp snooping database	175
ip dhcp snooping information option	177
ip dhcp snooping information option allow-untrusted	179
ip dhcp snooping limit rate	181
ip dhcp snooping trust	183
ip dhcp snooping verify	184
ip dhcp snooping vlan	185
ip igmp filter	186
ip igmp max-groups	187
ip igmp profile	189
ip igmp snooping	191
ip igmp snooping last-member-query-interval	193
ip igmp snooping querier	195
ip igmp snooping report-suppression	197
ip igmp snooping tcn	199
ip igmp snooping tcn flood	201
ip igmp snooping vlan immediate-leave	202
ip igmp snooping vlan mrouter	203
ip igmp snooping vlan static	205
ip source binding	207
ip ssh	209
ip verify source	211
ipv6 access-list	212
ipv6 mld snooping	215
ipv6 mld snooping last-listener-query-count	217
ipv6 mld snooping last-listener-query-interval	219
ipv6 mld snooping listener-message-suppression	221
ipv6 mld snooping robustness-variable	223
ipv6 mld snooping tcn	225
ipv6 mld snooping vlan	227
ipv6 traffic-filter	229
l2protocol-tunnel	231
l2protocol-tunnel cos	234
lacp port-priority	235
lacp system-priority	237
logging event power-inline-status	239
logging file	240
mac access-group	242
mac access-list extended	244
mac address-table aging-time	246
mac address-table move update	247
mac address-table notification	249
mac address-table static	251
mac address-table static drop	252
macro apply	254
macro description	257
macro global	258
macro global description	261
macro name	262
match (access-map configuration)	264
match (class-map configuration)	266
mdix auto	268
mls qos	270
mls qos aggregate-policer	272
mls qos cos	274
mls qos dscp-mutation	276
mls qos map	278
mls qos queue-set output buffers	282
mls qos queue-set output threshold	284
mls qos rewrite ip dscp	286
mls qos srr-queue input bandwidth	288
mls qos srr-queue input buffers	290
mls qos srr-queue input cos-map	292
mls qos srr-queue input dscp-map	294
mls qos srr-queue input priority-queue	296
mls qos srr-queue input threshold	298
mls qos srr-queue output cos-map	300
mls qos srr-queue output dscp-map	302
mls qos trust	304
mls qos vlan-based	306
monitor session	307
mvr (global configuration)	312
mvr (interface configuration)	315
pagp learn-method	318
pagp port-priority	320
permit (ARP access-list configuration)	322
permit (IPv6 access-list configuration)	324
permit (MAC access-list configuration)	330
police	333
police aggregate	335
policy-map	337
port-channel load-balance	340
power inline	342
power inline consumption	345
priority-queue	347
private-vlan	349
private-vlan mapping	352
queue-set	354
rcommand	355
remote-span	357
renew ip dhcp snooping database	359
rmon collection stats	361
sdm prefer	362
service password-recovery	365
service-policy	367
set	370
setup	372
setup express	375
show access-lists	377
show archive status	380
show arp access-list	381
show auto qos	382
show boot	386
show cable-diagnostics tdr	388
show class-map	391
show cluster	392
show cluster candidates	394
show cluster members	396
show controllers cpu-interface	398
show controllers ethernet-controller	400
show controllers power inline	407
show controllers tcam	409
show controllers utilization	411
show dot1q-tunnel	413
show dot1x	414
show dtp	418
show env	420
show errdisable detect	422
show errdisable flap-values	424
show errdisable recovery	426
show etherchannel	428
show flowcontrol	431
show interfaces	433
show interfaces counters	443
show inventory	445
show ip arp inspection	446
show ip dhcp snooping	449
show ip dhcp snooping binding	450
show ip dhcp snooping database	452
show ip igmp profile	454
show ip igmp snooping	455
show ip igmp snooping groups	458
show ip igmp snooping mrouter	460
show ip igmp snooping querier	462
show ip source binding	464
show ip verify source	466
show ipc	468
show ipv6 access-list	472
show ipv6 mld snooping	474
show ipv6 mld snooping address	476
show ipv6 mld snooping mrouter	478
show ipv6 mld snooping querier	480
show l2protocol-tunnel	482
show lacp	485
show mac access-group	489
show mac address-table	491
show mac address-table address	493
show mac address-table aging-time	495
show mac address-table count	497
show mac address-table dynamic	499
show mac address-table interface	501
show mac address-table move update	503
show mac address-table notification	505
show mac address-table static	507
show mac address-table vlan	509
show mls qos	511
show mls qos aggregate-policer	512
show mls qos input-queue	513
show mls qos interface	515
show mls qos maps	519
show mls qos queue-set	522
show mls qos vlan	524
show monitor	525
show mvr	528
show mvr interface	530
show mvr members	532
show pagp	534
show parser macro	536
show policy-map	539
show port-security	541
show power inline	544
show sdm prefer	546
show setup express	550
show spanning-tree	551
show storm-control	557
show system mtu	559
show udld	560
show version	563
show vlan	565
show vlan access-map	570
show vlan filter	571
show vmps	572
show vtp	575
shutdown	581
shutdown vlan	582
snmp-server enable traps	583
snmp-server host	587
snmp trap mac-notification	591
spanning-tree backbonefast	593
spanning-tree bpdufilter	594
spanning-tree bpduguard	596
spanning-tree cost	598
spanning-tree etherchannel guard misconfig	600
spanning-tree extend system-id	602
spanning-tree guard	604
spanning-tree link-type	606
spanning-tree loopguard default	608
spanning-tree mode	610
spanning-tree mst configuration	612
spanning-tree mst cost	614
spanning-tree mst forward-time	616
spanning-tree mst hello-time	617
spanning-tree mst max-age	618
spanning-tree mst max-hops	619
spanning-tree mst port-priority	621
spanning-tree mst pre-standard	623
spanning-tree mst priority	624
spanning-tree mst root	625
spanning-tree port-priority	627
spanning-tree portfast (global configuration)	629
spanning-tree portfast (interface configuration)	631
spanning-tree transmit hold-count	633
spanning-tree uplinkfast	634
spanning-tree vlan	636
speed	639
srr-queue bandwidth limit	641
srr-queue bandwidth shape	643
srr-queue bandwidth share	645
storm-control	647
switchport	650
switchport access	652
switchport backup interface	654
switchport block	656
switchport host	657
switchport mode	658
switchport mode private-vlan	661
switchport nonegotiate	663
switchport port-security	665
switchport port-security aging	670
switchport priority extend	672
switchport private-vlan	674
switchport protected	676
switchport trunk	678
switchport voice vlan	681
system env temperature threshold yellow	683
system mtu	685
test cable-diagnostics tdr	687
traceroute mac	688
traceroute mac ip	691
trust	693
udld	695
udld port	697
udld reset	699
vlan (global configuration)	700
vlan (VLAN configuration)	706
vlan access-map	712
vlan database	714
vlan dot1q tag native	717
vlan filter	719
vmps reconfirm (privileged EXEC)	721
vmps reconfirm (global configuration)	722
vmps retry	723
vmps server	724
vtp (global configuration)	726
vtp (VLAN configuration)	730
Catalyst 3560 Switch Boot Loader Commands	735
boot	736
cat	738
copy	739
delete	740
dir	741
flash_init	743
format	744
fsck	745
help	746
load_helper	747
memory	748
mkdir	749
more	750
rename	751
reset	752
rmdir	753
set	754
type	757
unset	758
version	760
Catalyst 3560 Switch Debug Commands	761
debug auto qos	762
debug backup	764
debug cluster	765
debug dot1x	767
debug dtp	769
debug etherchannel	770
debug ilpower	772
debug ip dhcp snooping	773
debug ip verify source packet	774
debug interface	775
debug ip igmp filter	777
debug ip igmp max-groups	778
debug ip igmp snooping	779
debug lacp	780
debug mac-notification	781
debug matm	782
debug matm move update	783
debug monitor	784
debug mvrdbg	786
debug nvram	787
debug pagp	788
debug platform acl	789
debug platform backup interface	790
debug platform cpu-queues	791
debug platform device-manager	793
debug platform dot1x	794
debug platform etherchannel	795
debug platform fallback-bridging	796
debug platform forw-tcam	797
debug platform frontend-controller	798
debug platform ip arp inspection	800
debug platform ip dhcp	801
debug platform ip igmp snooping	802
debug platform ip multicast	804
debug platform ip unicast	806
debug platform led	808
debug platform matm	809
debug platform messaging application	811
debug platform phy	812
debug platform pm	814
debug platform port-asic	816
debug platform port-security	817
debug platform qos-acl-tcam	818
debug platform remote-commands	819
debug platform resource-manager	820
debug platform snmp	821
debug platform span	822
debug platform supervisor-asic	823
debug platform sw-bridge	824
debug platform tcam	825
debug platform udld	828
debug platform vlan	829
debug pm	830
debug port-security	832
debug qos-manager	833
debug spanning-tree	834
debug spanning-tree backbonefast	836
debug spanning-tree bpdu	837
debug spanning-tree bpdu-opt	838
debug spanning-tree mstp	839
debug spanning-tree switch	841
debug spanning-tree uplinkfast	843
debug sw-vlan	844
debug sw-vlan ifs	846
debug sw-vlan notification	848
debug sw-vlan vtp	850
debug udld	852
debug vqpc	854
Catalyst 3560 Switch Show Platform Commands	855
show platform acl	856
show platform backup interface	857
show platform configuration	858
show platform etherchannel	859
show platform forward	860
show platform frontend-controller	862
show platform ip igmp snooping	863
show platform ip multicast	865
show platform ip unicast	866
show platform ip unicast vrf compaction	868
show platform ip unicast vrf tcam-label	869
show platform ipv6 unicast	870
show platform layer4op	872
show platform mac-address-table	873
show platform messaging	874
show platform monitor	875
show platform mvr table	876
show platform pm	877
show platform port-asic	878
show platform port-security	883
show platform qos	884
show platform resource-manager	885
show platform snmp counters	887
show platform spanning-tree	888
show platform stp-instance	889
show platform tcam	890
show platform vlan	893

Match case Limit results 1 per page

2-92

Catalyst 3560 Switch Command Reference

78-16405-05

Chapter 2

Catalyst 3560 Switch Cisco IOS Commands

dot1x guest-vlan

With Cisco IOS Release 12.2(25)SE and later, the switch maintains the EAPOL packet history. If another

EAPOL packet is detected on the interface during the lifetime of the link, the guest VLAN feature is

disabled. If the port is already in the guest VLAN state, the port is returned to the unauthorized state,

and authentication is restarted.

The EAPOL history is reset upon loss of link.

Entering the

dot1x guest-vlan supplicant

global configuration command disables this behavior.

Any number of non-IEEE 802.1x-capable clients are allowed access when the switch port is moved to

the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is

configured, the port is put into the unauthorized state in the user-configured access VLAN, and

authentication is restarted.

Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.

You can configure any active VLAN except an Remote Switched Port Analyzer (RSPAN) VLAN, a

primary private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is

not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, you

might need to get a host IP address from a DHCP server. You can change the settings for restarting the

IEEE 802.1x authentication process on the switch before the DHCP process on the client times out and

tries to get a host IP address from the DHCP server. Decrease the settings for the IEEE 802.1x

authentication process (

dot1x timeout quiet-period

and

dot1x timeout tx-period

interface

configuration commands). The amount to decrease the settings depends on the connected IEEE 802.1x

client type.

Examples

This example shows how to specify VLAN 5 as an IEEE 802.1x guest VLAN:

Switch(config-if)#

dot1x guest-vlan 5

This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that

the switch waits for a response to an EAP-request/identity frame from the client before resending the

request, and to enable VLAN 2 as an IEEE 802.1x guest VLAN when an IEEE 802.1x port is connected

to a DHCP client:

Switch(config-if)#

dot1x timeout quiet-period 3

Switch(config-if)#

dot1x timeout tx-period 15

Switch(config-if)#

dot1x guest-vlan 2

This example shows how to enable the optional guest VLAN behavior and to specify VLAN 5 as an

IEEE 802.1x guest VLAN:

Switch(config)#

dot1x guest-vlan supplicant

Switch(config)#

interface gigabitethernet0/1

Switch(config-if)#

dot1x guest-vlan 5

You can verify your settings by entering the

show dot1x

[

interface

interface-id

] privileged EXEC

command.

Related Commands

Command

Description

dot1x

Enables the optional guest VLAN supplicant feature.

show dot1x

[

interface

interface-id

]

Displays IEEE 802.1x status for the specified port.