Home » Cisco Manuals » Bridges & Routers » Cisco NM-8B-U » Manual Viewer

Cisco NM-8B-U User Guide - Page 63

Enabling Periodic Reauthentication

UPC - 074632001001

Add to My Manuals
Save this manual to your list of manuals

Page 63 highlights

16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Configuration Tasks Step 1 Step 2 Command Purpose configure terminal Enters global configuration mode. radius-server host {hostname | Configures the RADIUS server parameters on the switch. ip-address} auth-port port-number key For hostname | ip-address, specify the host name or IP address of the string remote RADIUS server. For auth-port port-number, specify the UDP destination port for authentication requests. The default is 1645. For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server. Note Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption used on the RADIUS daemon. Step 3 Step 4 Step 5 end show running-config copy running-config startup-config If you want to use multiple RADIUS servers, repeat this command. Returns to privileged EXEC mode. Verifies your entries. (Optional) Saves your entries in the configuration file. To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command. You can globally configure the timeout, retransmission, and encryption key values for all RADIUS servers by using the radius-server host global configuration command. If you want to configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the radius-server key global configuration commands. You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation. Enabling Periodic Reauthentication You can enable periodic 802.1x client reauthentication and specify how often it occurs. If you do not specify a time period before enabling reauthentication, the number of seconds between reauthentication attempts is 3600 seconds. Automatic 802.1x client reauthentication is a global setting and cannot be set for clients connected to individual ports. Beginning in privileged EXEC mode, follow these steps to enable periodic reauthentication of the client and to configure the number of seconds between reauthentication attempts: Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 63

Section	Page
16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series	1
Feature Overview	2
Layer 2 Ethernet Interfaces	2
Switch Virtual Interfaces	5
Routed Ports	5
VLAN Trunk Protocol	5
EtherChannel	7
802.1x Port-Based Authentication	8
Spanning Tree Protocol	12
Cisco Discovery Protocol	24
Switched Port Analyzer	24
Network Security with ACLs	25
Quality of Service	29
Maximum Number of VLAN and Multicast Groups	35
IP Multicast Support	35
IGMP Snooping	35
Global Storm-Control	38
Per-Port Storm-Control	40
Port Security	40
Ethernet Switching in Cisco AVVID Architecture	40
Stacking	41
Flow Control	41
Using Flow-Control Keywords	41
Fallback Bridging	42
Benefits	43
Restrictions	43
Related Features and Technologies	44
Related Documents	44
Supported Platforms	45
Supported Standards, MIBs, and RFCs	45
Prerequisites	46
Configuration Tasks	46
Configuring Layer 2 Interfaces	47
Configuring a Range of Interfaces	47
Defining a Range Macro	48
Verifying Configuration of a Range of Interfaces	48
Configuring Layer 2 Optional Interface Features	48
Interface Speed and Duplex Configuration Guidelines	48
Configuring the Interface Speed	49
Configuring the Interface Duplex Mode	49
Verifying Interface Speed and Duplex Mode Configuration	49
Configuring a Description for an Interface	50
Configuring an Ethernet Interface as a Layer 2 Trunk	50
Verifying an Ethernet Interface as a Layer 2 Trunk	51
Configuring an Ethernet Interface as a Layer 2 Access	52
Verifying an Ethernet Interface as a Layer 2 Access	52
Configuring VLANs	52
Configuring VLANs	53
Verifying the VLAN Configuration.	53
Deleting a VLAN from the Database	53
Verifying VLAN Deletion	54
Configuring VLAN Trunking Protocol	54
Configuring the VTP Server	54
Configuring a VTP Client	55
Disabling VTP (VTP Transparent Mode)	55
Configuring VTP version 2	55
Verifying VTP	56
Configuring Layer 2 EtherChannels (Port-Channel Logical Interfaces)	56
Configuring Layer 2 EtherChannels (Port-Channel Logical Interfaces)	56
Verifying Layer 2 EtherChannels	57
Configuring EtherChannel Load Balancing	58
Verifying EtherChannel Load Balancing	58
Removing an Interface from an EtherChannel	59
Configuring Removing an EtherChannel	59
Verify Removing an EtherChannel	59
Configuring 802.1x Authentication	59
Understanding the Default 802.1x Configuration	60
Enabling 802.1x Authentication	61
Configuring the Switch-to-RADIUS-Server Communication	62
Enabling Periodic Reauthentication	63
Changing the Quiet Period	64
Changing the Switch-to-Client Retransmission Time	64
Setting the Switch-to-Client Frame-Retransmission Number	65
Enabling Multiple Hosts	66
Resetting the 802.1x Configuration to the Default Values	66
Displaying 802.1x Statistics and Status	66
Configuring Spanning Tree	67
Enabling Spanning Tree	67
Verify Spanning Tree	67
Configuring Spanning Tree Port Priority	68
Verify Spanning Tree Port Priority	68
Configuring Spanning Tree Port Cost	68
Verifying Spanning Tree Port Cost	69
Configuring the Bridge Priority of a VLAN	69
Verifying the Bridge Priority of a VLAN	70
Configuring the Hello Time	70
Configuring the Forward-Delay Time for a VLAN	70
Configuring the Maximum Aging Time for a VLAN	70
Configuring the Root Bridge	71
Configuring BackboneFast	71
Disabling Spanning Tree	72
Verifying that Spanning Tree is Disabled	72
Configuring MAC Table Manipulation - Port Security	72
Enabling Known MAC Address Traffic	73
Verifying the MAC Address Secure Configuration	73
Creating a Static or Dynamic Entry in the MAC Address Table	73
Verifying the MAC Address Table	74
Configuring Aging Timer-timer	74
Verifying the Aging Timer	74
Configuring Cisco Discovery Protocol	74
Enabling Cisco Discovery Protocol	75
Verifying the CDP Global Configuration	75
Enabling CDP on an Interface	75
Verifying the CDP Interface Configuration	75
Verifying CDP Neighbors	76
Monitoring and Maintaining CDP	76
Configuring Switched Port Analyzer	76
Specifying the Switched Port Analyzer Session	77
Configuring SPAN Destinations	77
Removing Sources or Destinations from a SPAN Session	77
Configuring Network Security with ACLs	78
Unsupported Features	78
Creating Standard and Extended IP ACLs	78
ACL Numbers	79
Creating a Numbered Standard ACL	80
Creating a Numbered Extended ACL	80
Creating Named Standard and Extended ACLs	83
Including Comments About Entries in ACLs	85
Applying the ACL to an Interface	85
Displaying ACLs	86
Configuring Quality of Service (QoS)	86
Understanding the Default QoS Configuration	87
Configuring Classification Using Port Trust States	87
Configuring the Trust State on Ports and SVIs within the QoS Domain	87
Configuring the CoS Value for an Interface	89
Configuring a QoS Policy	90
Classifying Traffic by Using ACLs	91
Classifying Traffic by Using Class Maps	93
Classifying, Policing, and Marking Traffic by Using Policy Maps	94
Configuring CoS Maps	96
Configuring the CoS-to-DSCP Map	96
Configuring the DSCP-to-CoS Map	96
Displaying QoS Information	97
Configuring Power Management on the Interface	98
Verifying Power Management on the Interface	98
Configuring IP Multicast Layer 3 Switching	98
Enabling IP Multicast Routing Globally	99
Enabling IP PIM on Layer 3 Interfaces	99
Verifying IP Multicast Layer 3 Hardware Switching Summary	100
Verifying the IP Multicast Routing Table	101
Configuring IGMP Snooping	102
Enabling or Disabling IGMP Snooping	102
Enabling IGMP Immediate-Leave Processing	103
Statically Configuring an Interface to Join a Group	103
Configuring a Multicast Router Port	104
Configuring Global Storm-Control	104
Enabling Global Storm-Control	105
Verifying Global Storm-Control	105
Configuring Per-Port Storm-Control	106
Enabling Per-Port Storm-Control	106
Disabling Per-Port Storm-Control	107
Configuring Separate Voice and Data Subnets	107
Voice Traffic and VVID	108
Configuring a Single Subnet for Voice and Data	108
Verifying Switchport Configuration	109
Configuring Ethernet Ports to Support Cisco IP Phones with Multiple Ports	109
IP Addressing	109
Managing the Ethernet Switch Network Module	109
Adding Trap Managers	110
Verifying Trap Managers	110
Configuring IP Information	110
Assigning IP Information to the Switch	110
Specifying a Domain Name and Configuring the DNS	111
Configuring Voice Ports	112
Configuring a Port to Connect to a Cisco 7960 IP phone	113
Disabling Inline Power on a Ethernet switch network module	113
Verifying Inline Power Configuration	114
Enabling Switch Port Analyzer	114
Managing the ARP Table	114
Managing the MAC Address Tables	115
Understanding MAC Addresses and VLANs	115
Changing the Address Aging Time	116
Configuring the Aging Time	116
Verifying Aging-Time Configuration	116
Removing Dynamic Addresses	116
Verifying Dynamic Addresses	117
Adding Secure Addresses	117
Verifying Secure Addresses	117
Configuring Static Addresses	118
Verifying Static Addresses	118
Clearing all MAC Address Tables	119
Configuring Intrachassis Stacking	119
Verifying Intra-chassis Stacking	119
Configuring Flow Control on Gigabit Ethernet Ports	119
Configuring Layer 3 Interfaces	120
Configuring Fallback Bridging	121
Understanding the Default Fallback Bridging Configuration	121
Creating a Bridge Group	121
Preventing the Forwarding of Dynamically Learned Stations	122
Configuring the Bridge Table Aging Time	123
Filtering Frames by a Specific MAC Address	124
Adjusting Spanning-Tree Parameters	124
Monitoring and Maintaining the Network	129
Configuration Examples for the 16- and 36-Port Ethernet Switch Module	130
Range of Interface Examples	130
Single Range Configuration Example	130
Multiple Range Configuration Example	131
Range Macro Definition Example	131
Optional Interface Feature Examples	131
Interface Speed Example	132
Setting the Interface Duplex Mode Example	132
Adding a Description for an Interface Example	132
Configuring an Ethernet Interface as a Layer 2 Trunk Example	132
VLAN Configuration Example	132
VTP Examples	133
VTP Server Example	133
VTP Client Example	133
Disabling VTP (VTP Transparent Mode) Example	133
VTP version 2 Example	133
EtherChannel Load Balancing Example	134
Layer 2 EtherChannels Example	134
EtherChannel Load Balancing Example	134
Removing an EtherChannel Example	134
802.1x Authentication Examples	134
Enabling 802.1x Authentication Example	135
Configuring the Switch-to-RADIUS-Server Communication Example	135
Enabling Periodic Re-Authentication Example	135
Changing the Quiet Period Example	135
Changing the Switch-to-Client Retransmission Time Example	135
Setting the Switch-to-Client Frame-Retransmission Number Example	135
Enabling Multiple Hosts Example	135
Spanning Tree Examples	136
Spanning-Tree Interface and Spanning-Tree Port Priority Example	136
Spanning-Tree Port Cost Example	136
Bridge Priority of a VLAN	137
Hello Time Example	137
Forward-Delay Time for a VLAN Example	137
Maximum Aging Time for a VLAN Example	137
BackboneFast Example	138
Spanning Tree Examples	138
Spanning Tree Root Example	138
Mac Table Manipulation Examples	138
Cisco Discovery Protocol (CDP) Example	138
Switched Port Analyzer (SPAN) Source Examples	139
SPAN Source Configuration Example	139
SPAN Destinations Example	139
Removing Sources or Destinations from a SPAN Session Example	139
Network Security and ACL Configuration Examples	139
Creating Numbered Standard and Extended ACLs Example	139
Creating Named Standard and Extended ACLs Example	140
Including Comments About Entries in ACLs Example	141
Applying the ACL to an Interface Example	141
Displaying Standard and Extended ACLs Example	141
Displaying Access Groups Example	142
Compiling ACLs Example	143
QoS Configuration Examples	144
Classifying Traffic by Using ACL Example	144
Classifying Traffic by Using Class Maps Example	144
Classifying, Policing, and Marking Traffic by Using Policy Maps Example	144
Configuring the CoS-to-DSCP Map Example	145
Configuring the DSCP-to-CoS Map Example	145
Displaying QoS Information Example	145
IGMP Snooping Example	145
Storm-Control Example	147
Ethernet Switching Examples	148
Subnets for Voice and Data Example	148
Inter-VLAN Routing Example	148
Single Subnet Configuration Example	149
Ethernet Ports on IP Phones with Multiple Ports Example	149
Intrachassis Stacking Example	150
Flow Control on Gigabit Ethernet Ports Example	151
Configuring Layer 3 Interfaces Example	153
Fallback Bridging Example	155
Creating a Bridge Group Example	155
Preventing the Forwarding of Dynamically Learned Stations Example	155
Configuring the Bridge Table Aging Time Example	155
Filtering Frames by a Specific MAC Address Example	155
Adjusting Spanning-Tree Parameters Examples	155
Command Reference	157
aaa authentication dot1x	159
class	161
class-map	163
debug dot1x	165
debug eswilp	166
debug ip igmp snooping	167
debug spanning-tree	168
deny (access-list configuration)	170
dot1x default	173
dot1x max-req	174
dot1x multiple-hosts	175
dot1x port-control	176
dot1x re-authenticate	178
dot1x re-authentication	179
dot1x timeout quiet-period	180
dot1x timeout re-authperiod	181
dot1x timeout tx-period	182
ip access-group	183
ip access-list	185
ip igmp snooping	187
ip igmp snooping vlan	189
ip igmp snooping vlan immediate-leave	190
ip igmp snooping vlan mrouter	192
ip igmp snooping vlan static	194
match (class-map configuration)	196
mls qos cos	198
mls qos map	200
mls qos trust	202
permit (access-list configuration)	204
police	207
policy-map	209
service-policy	211
show access-lists	212
show class-map	214
show dot1x	216
show ip access-lists	220
show ip igmp snooping	222
show ip igmp snooping mrouter	224
show mls masks	225
show mls qos interface	227
show mls qos maps	228
show policy-map	230
show spanning-tree	232
show storm-control	235
spanning-tree backbonefast	237
storm-control	238
switchport	240

Match case Limit results 1 per page

16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series

Configuration Tasks

Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ

To delete the specified RADIUS server, use the

no radius-server host

{

hostname

ip-address

} global

configuration command.

You can globally configure the timeout, retransmission, and encryption key values for all RADIUS

servers by using the

radius-server host

global configuration command. If you want to configure these

options on a per-server basis, use the

radius-server timeout

radius-server retransmit

, and the

radius-server key

global configuration commands.

You also need to configure some settings on the RADIUS server. These settings include the IP address

of the switch and the key string to be shared by both the server and the switch. For more information,

refer to the RADIUS server documentation.

Enabling Periodic Reauthentication

You can enable periodic 802.1x client reauthentication and specify how often it occurs. If you do not

specify a time period before enabling reauthentication, the number of seconds between reauthentication

attempts is 3600 seconds.

Automatic 802.1x client reauthentication is a global setting and cannot be set for clients connected to

individual ports.

Beginning in privileged EXEC mode, follow these steps to enable periodic reauthentication of the client

and to configure the number of seconds between reauthentication attempts:

Command

Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

radius-server host

{

hostname

ip-address

}

auth-port

port-number

key

string

Configures the RADIUS server parameters on the switch.

For

hostname

ip-address,

specify the host name or IP address of the

remote RADIUS server.

For

auth-port

port-number

, specify the UDP destination port for

authentication requests. The default is 1645.

For

key

string

, specify the authentication and encryption key used

between the switch and the RADIUS daemon running on the RADIUS

server. The key is a text string that must match the encryption key used on

the RADIUS server.

Note

Always configure the key as the last item in the

radius-server

host

command syntax because leading spaces are ignored, but

spaces within and at the end of the key are used. If you use spaces

in the key, do not enclose the key in quotation marks unless the

quotation marks are part of the key. This key must match the

encryption used on the RADIUS daemon.

If you want to use multiple RADIUS servers, repeat this command.

Step 3

end

Returns to privileged EXEC mode.

Step 4

show running-config

Verifies your entries.

Step 5

copy running-config startup-config

(Optional) Saves your entries in the configuration file.