Home » Cisco Manuals » Networking » Cisco WS-X6K-SUP1A-2GE-RF » Manual Viewer

Cisco WS-X6K-SUP1A-2GE-RF Software Guide - Page 417

Using a Non-Kerberized Login Procedure, Understanding How 802.1x Authentication Works

View all Cisco WS-X6K-SUP1A-2GE-RF manuals

Add to My Manuals
Save this manual to your list of manuals

Page 417 highlights

Chapter 21 Configuring Switch Access Using AAA Understanding How Authentication Works Using a Non-Kerberized Login Procedure If you use a non-Kerberized login procedure to log in to the switch, the switch takes care of authentication to the KDC on behalf of the login client. However, the user password is now transferred in clear text from the login client to the switch. Note A non-Kerberized login can be performed through a modem or terminal server through the in-band management port. Telnet does not support non-Kerberized login. If you launch a non-Kerberized login, the following process takes place: 1. The switch prompts you for a username and password. 2. The switch requests a TGT from the KDC so that you can be authenticated to the switch. 3. The KDC sends an encrypted TGT to the switch, which contains your identity, KDC's identity, and TGT's expiration time. 4. The switch tries to decrypt the TGT with the password that you entered. If the decryption is successful, you are authenticated to the switch. 5. If you want to access other network services, the KDC must be contacted directly for authentication. To obtain the TGT, you can run the program "kinit," the client software provided with the Kerberos package. Figure 21-2 shows the non-Kerberized login process. Figure 21-2 Non-Kerberized Telnet Connection Host (Telnet client) Kerberos server (contains KDC) 1 2 3 55510 Catalyst switch Understanding How 802.1x Authentication Works IEEE 802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. 802.1x authenticates each user device connected to a switch port before making available any services offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the device is connected. After authentication is successful, normal traffic can pass through the port. 78-13315-02 Catalyst 6000 Family Software Configuration Guide-Releases 6.3 and 6.4 21-7

Section	Page
Catalyst 6000 Family Software Configuration Guide	1
contents	3
Audience	27
Organization	27
Related Documentation	29
Conventions	30
Obtaining Documentation	31
Cisco.com	31
Documentation CD-ROM	31
Ordering Documentation	31
Documentation Feedback	32
Obtaining Technical Assistance	32
Cisco.com	32
Technical Assistance Center	32
Cisco TAC Website	33
Cisco TAC Escalation Center	33
Obtaining Additional Publications and Information	34
Product Overview	35
Command-Line Interfaces	37
Catalyst Command-Line Interface	37
ROM-Monitor Command-Line Interface	37
Switch Command-Line Interface	38
Accessing the Switch CLI	38
Accessing the CLI through the Console Port	38
Accessing the CLI through Telnet	39
Accessing the MSFC from the Switch	39
Accessing the MSFC from the Console Port	40
Accessing the MSFC from a Telnet Session	40
Working With the Command-Line Interface	41
Switch CLI Command Modes	41
Designating Modules, Ports, and VLANs on the Command Line	41
Designating MAC Addresses, IP Addresses, and IP Aliases	42
Command Line Editing	42
History Substitution	43
Accessing Command Help	44
MSFC Command-Line Interface	44
Cisco IOS Command Modes	44
Getting a List of IOS Commands and Syntax	45
Cisco IOS Command-Line Interface	46
Accessing Cisco IOS Configuration Mode	46
Viewing and Saving the Cisco IOS Configuration	47
Bringing Up an MSFC Interface	47
Configuring the Switch IP Address and Default Gateway	49
Understanding the Switch Management Interfaces	49
Understanding Automatic IP Configuration	50
Automatic IP Configuration Overview	50
Understanding How DHCP Works	50
Understanding How BOOTP and RARP Work	51
Preparing to Configure the IP Address and Default Gateway	52
Booting the MSFC for the First Time	52
Default IP Address and Default Gateway Configuration	53
Assigning the In-Band (sc0) Interface IP Address	53
Configuring Default Gateways	54
Configuring the SLIP (sl0) Interface on the Console Port	55
Using BOOTP, DHCP, or RARP to Obtain an IP Address	57
Renewing and Releasing a DHCP-Assigned IP Address	58
Configuring Ethernet, Fast Ethernet, and Gigabit Ethernet Switching	59
Understanding How Ethernet Works	59
Switching Frames Between Segments	60
Building the Address Table	60
Understanding How Port Negotiation Works	60
Default Ethernet, Fast Ethernet, and Gigabit Ethernet Configuration	61
Setting the Port Configuration	62
Setting the Port Name	62
Setting the Port Speed	63
Setting the Port Duplex Mode	63
Configuring IEEE 802.3X Flow Control	64
Enabling and Disabling Port Negotiation	65
Changing the Default Port Enable State	65
Setting the Port Debounce Timer	66
Configuring a Timeout Period for Ports in errdisable State	67
Configuring the Jumbo Frame Feature	69
Configuring the Jumbo Frame Feature on the Supervisor Engine	69
Configuring the Jumbo Frame Feature on MSFC2	70
Checking Connectivity	71
Configuring Ethernet VLAN Trunks	73
Understanding How VLAN Trunks Work	73
Trunking Overview	73
Trunking Modes and Encapsulation Types	74
802.1Q Trunk Restrictions	76
Default Trunk Configuration	77
Configuring a Trunk Link	77
Configuring an ISL Trunk	77
Configuring an 802.1Q Trunk	78
Configuring an ISL/802.1Q Negotiating Trunk Port	79
Defining the Allowed VLANs on a Trunk	79
Disabling a Trunk Port	80
Example VLAN Trunk Configurations	81
ISL Trunk Configuration Example	81
ISL Trunk Over EtherChannel Link Example	82
802.1Q Trunk Over EtherChannel Link Example	85
Load-Sharing VLAN Traffic Over Parallel Trunks Example	88
Disabling VLAN 1 on Trunks	95
Disabling VLAN 1 on a Trunk Link	95
Configuring EtherChannel	97
Understanding How EtherChannel Works	97
Understanding Administrative Groups	98
Understanding EtherChannel IDs	98
Understanding Port Aggregation Protocol	98
Understanding Frame Distribution	99
EtherChannel Configuration Guidelines	100
Configuring EtherChannel	101
Configuring an EtherChannel	101
Setting the EtherChannel Port Mode	101
Setting the EtherChannel Port Path Cost	102
Setting the EtherChannel VLAN Cost	102
To set the EtherChannel VLAN cost, perform this task in privileged mode:	103
Configuring EtherChannel Frame Distribution	104
Displaying EtherChannel Traffic Utilization	104
Displaying Outgoing Ports for a Specified Address or Layer 4 Port Number	104
Disabling an EtherChannel	105
Configuring IEEE 802.1Q Tunneling	107
Understanding How 802.1Q Tunneling Works	107
802.1Q Tunneling Configuration Guidelines	108
Configuring Support for 802.1Q Tunneling	109
Configuring the Switch to Support 802.1Q Tunneling	109
Configuring 802.1Q Tunnel Ports	110
Clearing 802.1Q Tunnel Ports	110
Removing Global Support for 802.1Q Tunneling	110
Configuring Spanning Tree	113
Understanding How Spanning Tree Protocols Work	113
Understanding How a Topology is Created	114
Understanding How a Switch Becomes the Root Switch	115
Understanding How Bridge Protocol Data Units Work	115
Calculating and Assigning Port Costs	116
Calculating the Port Cost Using the Short Method	116
Calculating the Port Cost Using the Long Method	117
Calculating the Port Cost for Aggregate Links	117
Spanning Tree Port States	117
Blocking State	119
Listening State	119
Learning State	120
Forwarding State	122
Disabled State	123
Understanding PVST+ and MISTP Modes	123
PVST+ Mode	124
MISTP Mode	124
MISTP-PVST+ Mode	125
Bridge Identifiers	125
MAC Address Allocation	125
MAC Address Reduction	125
Using PVST+	127
Default PVST+ Configuration	127
Setting the PVST+ Bridge ID Priority	128
Configuring the PVST+ Port Cost	129
Configuring the PVST+ Port Priority	130
Configuring the PVST+ Default Port Cost Mode	130
Configuring the PVST+ Port Cost for a VLAN	131
Configuring the PVST+ Port Priority for a VLAN	132
Disabling the PVST+ Mode on a VLAN	132
Using MISTP-PVST+ or MISTP	134
Default MISTP and MISTP-PVST+ Configuration	135
Setting MISTP-PVST+ Mode or MISTP Mode	135
Configuring an MISTP Instance	137
Configuring the MISTP Bridge ID Priority	137
Configuring the MISTP Port Cost	138
Configuring the MISTP Port Priority	138
Configuring the MISTP Port Instance Cost	139
Configuring the MISTP Port Instance Priority	139
Enabling an MISTP Instance	140
Mapping VLANs to an MISTP Instance	141
Determining MISTP Instances-VLAN Mapping Conflicts	142
Unmapping VLANs from an MISTP Instance	142
Disabling MISTP-PVST+ or MISTP	143
Configuring a Root Switch	143
Configuring a Primary Root Switch	143
Configuring a Secondary Root Switch	144
Configuring a Root Switch to Improve Convergence	145
Using Root Guard-Preventing Switches from Becoming Root	146
Configuring Spanning Tree Timers	147
Configuring the Hello Time	147
Configuring the Forward Delay Time	148
Configuring the Maximum Aging Time	148
Understanding How BPDU Skewing Works	149
Configuring BPDU Skewing	150
Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard	153
Understanding How PortFast Works	154
Understanding How PortFast BPDU Guard Works	154
Understanding How PortFast BPDU Filter Works	154
Understanding How UplinkFast Works	155
Understanding How BackboneFast Works	156
Understanding How Loop Guard Works	157
Configuring PortFast	159
Enabling PortFast	160
Disabling PortFast	160
Configuring PortFast BPDU Guard	161
Enabling PortFast BPDU Guard	161
Disabling PortFast BPDU Guard	162
Configuring PortFast BPDU Filter	163
Enabling PortFast BPDU Filter	163
Disabling PortFast BPDU Filter	164
Configuring UplinkFast	165
Enabling UplinkFast	165
Disabling UplinkFast	166
Configuring BackboneFast	167
Enabling BackboneFast	167
Displaying BackboneFast Statistics	168
Disabling BackboneFast	168
Configuring Loop Guard	169
Enabling Loop Guard	169
Disabling Loop Guard	169
Configuring VTP	171
Understanding How VTP Works	171
Understanding the VTP Domain	172
Understanding VTP Modes	172
Understanding VTP Advertisements	172
Understanding VTP Version 2	173
Understanding VTP Pruning	173
Default VTP Configuration	175
VTP Configuration Guidelines	175
Configuring VTP	176
Configuring a VTP Server	176
Configuring a VTP Client	176
Disabling VTP (VTP Transparent Mode)	177
Enabling VTP Version 2	178
Disabling VTP Version 2	179
Enabling VTP Pruning	179
Disabling VTP Pruning	180
Displaying VTP	180
Configuring VLANs	183
Understanding How VLANs Work	183
VLAN Ranges	184
Configurable VLAN Parameters	185
Default VLAN Configuration	186
Configuring Normal-Range VLANs	187
Normal-Range VLAN Configuration Guidelines	187
Creating Normal-Range VLANs	187
Modifying Normal-Range VLANs	188
Configuring Extended-Range VLANs	188
Extended-Range VLAN Configuration Guidelines	189
Creating Extended-Range VLANs	189
Mapping VLANs to VLANs	190
Mapping Reserved VLANs to Nonreserved VLANs	191
Deleting Reserved-to-Nonreserved VLAN Mappings	192
Mapping 802.1Q VLANs to ISL VLANs	192
Deleting 802.1Q-to-ISL VLAN Mappings	193
Assigning Switch Ports to a VLAN	194
Deleting a VLAN	195
Configuring Private VLANs	195
Understanding How Private VLANs Work	196
Private VLAN Configuration Guidelines	197
Creating a Primary Private VLAN	200
Viewing the Port Capability of a Private VLAN Port	203
Deleting a Private VLAN	204
Deleting an Isolated, Community, or Two-Way Community VLAN	204
Deleting a Private VLAN Mapping	205
Private VLAN Support on the MSFC	205
Configuring FDDI VLANs	206
Configuring Token Ring VLANs	206
Understanding Token Ring TrBRF VLANs	207
Understanding Token Ring TrCRF VLANs	207
Token Ring VLAN Configuration Guidelines	209
Creating or Modifying a Token Ring TrBRF VLAN	209
Creating or Modifying a Token Ring TrCRF VLAN	210
Configuring InterVLAN Routing	213
Understanding How InterVLAN Routing Works	213
Configuring InterVLAN Routing on the MSFC	214
MSFC Routing Configuration Guidelines	214
Configuring IP InterVLAN Routing on the MSFC	215
Configuring IPX InterVLAN Routing on the MSFC	215
Configuring AppleTalk InterVLAN Routing on the MSFC	216
Configuring MSFC Features	216
Local Proxy ARP	217
WCCP Layer 2 Redirection	217
Auto State Feature	217
Displaying the Auto State Configuration	218
Disabling the Auto State Feature	219
Configuring CEF for PFC2	221
Understanding How Layer 3 Switching Works	221
Layer 3 Switching Overview	222
Understanding Layer 3-Switched Packet Rewrite	222
Understanding IP Unicast Rewrite	223
Understanding IPX Unicast Rewrite	223
Understanding IP Multicast Rewrite	224
Understanding CEF for PFC2	224
CEF for PFC2 Overview	224
Understanding Forwarding Decisions	225
Understanding the FIB	225
Understanding the Adjacency Table	226
Partially and Completely Switched Multicast Flows	227
CEF for PFC2 Examples	227
Understanding NetFlow Statistics	229
NetFlow Statistics Overview	229
NetFlow Table Entry Aging	230
Flow Masks	230
Default CEF for PFC2 Configuration	230
CEF for PFC2 Configuration Guidelines and Restrictions	231
Configuring CEF for PFC2	232
Displaying Layer 3-Switching Entries on the Supervisor Engine	232
Configuring CEF on the MSFC2	234
Configuring IP Multicast on the MSFC2	234
Enabling IP Multicast Routing Globally	234
Enabling IP PIM on an MSFC2 Interface	235
Configuring the IP MMLS Global Threshold	235
Enabling IP MMLS on MSFC Interfaces	235
Displaying IP Multicast Information	236
Displaying IP Multicast Information on the MSFC2	236
Displaying IP MMLS Interface Information	236
Displaying the IP Multicast Routing Table	237
Displaying IP Multicast Details	237
Using Debug Commands	239
Using Debug Commands on the SCP	239
Displaying IP Multicast Information on the Supervisor Engine	240
Displaying IP Multicast Statistics	240
Clearing IP Multicast Statistics	241
Displaying IP Multicast Entries	241
Configuring NetFlow Statistics	242
Specifying the NetFlow Table Entry Aging-Time Value	243
Specifying NetFlow Table IP Entry Fast Aging Time and Packet Threshold Values	244
Setting the Minimum Statistics Flow Mask	244
Excluding IP Protocol Entries from the NetFlow Table	245
Displaying NetFlow Statistics	245
Clearing NetFlow IP and IPX Statistics	246
Clearing All NetFlow Statistics	247
Clearing NetFlow IP Statistics	247
Clearing NetFlow IPX Statistics	248
Clearing NetFlow Statistics Totals	248
Displaying NetFlow Statistics Debug Information	248
Configuring MLS	249
Understanding How Layer 3 Switching Works	249
Understanding Layer 3-Switched Packet Rewrite	250
Understanding IP Unicast Rewrite	250
Understanding IPX Unicast Rewrite	251
Understanding IP Multicast Rewrite	251
Understanding MLS	252
Understanding MLS Flows	252
Understanding the MLS Cache	253
MLS Cache	253
Unicast Traffic	253
Multicast Traffic	253
MLS Cache Aging	253
MLS Cache Size	254
Understanding Flow Masks	254
Flow Mask Modes	254
Flow Mask Mode and show mls entry Command Output	255
Partially and Completely Switched Multicast Flows	256
MLS Examples	256
Default MLS Configuration	258
Configuration Guidelines and Restrictions	259
IP MLS	259
Maximum Transmission Unit Size	259
Restrictions on Using IP Routing Commands with IP MLS Enabled	260
IP MMLS	260
IP MMLS Supervisor Engine Guidelines and Restrictions	260
IP MMLS MSFC Configuration Restrictions	261
Unsupported IP MMLS Features	261
IPX MLS	261
IPX MLS Interaction with Other Features	261
IPX MLS and Maximum Transmission Unit Size	262
Configuring MLS	262
Configuring Unicast MLS on the MSFC	262
Disabling and Enabling Unicast MLS on an MSFC Interface	262
Displaying MLS Information on the MSFC	263
Using Debug Commands on the MSFC	264
Using Debug Commands on the SCP	264
Configuring MLS on Supervisor Engine 1	265
Specifying MLS Aging-Time Value	265
Specifying IP MLS Fast Aging Time and Packet Threshold Values	266
Setting the Minimum IP MLS Flow Mask	267
Displaying CAM Entries on the Supervisor Engine	268
Displaying MLS Information	269
Displaying IP MLS Cache Entries	270
Displaying All MLS Entries	270
Displaying MLS Entries for a Specific IP Destination Address	271
Displaying IPX MLS Entries for a Specific IPX Destination Address	271
Displaying Entries for a Specific IP Source Address	272
Displaying Entries for a Specific IP Flow	272
Displaying IPX MLS Entries for a Specific MSFC	273
Clearing MLS Cache Entries	274
Clearing IPX MLS Cache Entries	274
Displaying IP MLS Statistics	274
Displaying IP MLS Statistics by Protocol	275
Displaying Statistics for MLS Cache Entries	275
Clearing MLS Statistics	276
Displaying MLS Debug Information	276
Configuring IP MMLS	276
Configuring IP MMLS on the MSFC	276
Enabling IP Multicast Routing Globally	277
Enabling IP PIM on MSFC Interfaces	277
Configuring the IP MMLS Global Threshold	278
Enabling IP MMLS on MSFC Interfaces	278
Displaying IP MMLS Interface Information	279
Displaying the IP Multicast Routing Table	279
Monitoring IP MMLS on the MSFC	280
Using Debug Commands on the IP MMLS MSFC	281
Using Debug Commands on the SCP	282
Displaying Global IP MMLS Information on the Supervisor Engine	282
Displaying IP MMLS Configuration Information	282
Displaying IP MMLS Statistics	283
Clearing IP MMLS Statistics	284
Displaying IP MMLS Entries	284
Configuring NDE	287
Understanding How NDE Works	287
Overview of NDE and Integrated Layer 3 Switching Management	287
Traffic Statistics Data Collection	288
Using NDE Filters	289
Default NDE Configuration	289
Configuring NDE	289
Usage Guidelines	290
Specifying an NDE Collector	290
Specifying an NDE Destination Address on the MSFC	291
Specifying an NDE Source Address on the MSFC	291
Enabling NDE	292
Specifying a Destination Host Filter	292
Specifying a Destination and Source Subnet Filter	292
Specifying a Destination TCP/UDP Port Filter	293
Specifying a Source Host and Destination TCP/UDP Port Filter	293
Specifying a Protocol Filter	294
Specifying Protocols for Statistics Collection	294
Removing Protocols for Statistics Collection	294
Clearing the NDE Flow Filter	295
Disabling NDE	295
Removing the NDE IP Address	295
Displaying the NDE Configuration	296
Configuring Access Control	297
Understanding How ACLs Work	297
Hardware Requirements	298
Supported ACLs	298
QoS ACLs	298
Cisco IOS ACLs	299
VACLs	299
VACL Overview	299
ACEs Supported in VACLs	300
Handling Fragmented and Unfragmented Traffic	301
Applying Cisco IOS ACLs and VACLs on VLANs	303
Bridged Packets	303
Routed Packets	303
Multicast Packets	304
Using Cisco IOS ACLs in your Network	305
Hardware and Software Handling of Cisco IOS ACLs with PFC	306
Security Cisco IOS ACLs	307
Reflexive ACLs	307
TCP Intercept	307
Policy Routing	308
WCCP	308
NAT	308
Unicast RPF Check	308
Bridge-Groups	308
Hardware and Software Handling of Cisco IOS ACLs with PFC2	308
Security Cisco IOS ACLs	309
Reflexive ACLs	310
TCP Intercept	310
Policy Routing	310
WCCP	310
NAT	311
Unicast RPF Check	311
Bridge-Groups	311
Using VACLs with Cisco IOS ACLs	311
Guidelines for Configuring Cisco IOS ACLs and VACLs on the Same VLAN Interface	312
Using the Implicit Deny Action	312
Grouping Actions Together	312
Limiting the Number of Actions	312
Avoiding Layer 4 Port Information	313
Estimating Merge Results	313
Examples	313
Example 1	313
Example 2	314
Example 3	314
Example 4	314
Example 5	315
Example 6	315
Example 7	315
Guidelines for Using Layer 4 Operations	316
Determining Layer 4 Operation Usage	316
Determining Logical Operation Unit Usage	317
Using VACLs in your Network	318
Wiring Closet Configuration	318
Redirecting Broadcast Traffic to a Specific Server Port	319
Restricting the DHCP Response for a Specific Server	320
Denying Access to a Server on Another VLAN	321
Restricting ARP Traffic	322
Configuring ACLs on Private VLANs	322
Capturing Traffic Flows	323
Unsupported Features	323
Configuring VACLs	324
VACL Configuration Guidelines	324
VACL Configuration Summary	325
Configuring VACLs From the CLI	325
Creating an IP VACL and Adding ACEs	326
Creating an IPX VACL and Adding ACEs	328
Creating a Non-IP Version 4/Non-IPX VACL (MAC VACL) and Adding ACEs	330
Committing ACLs	331
Mapping a VACL to a VLAN	331
Showing the Contents of a VACL	332
Showing VACL-to-VLAN Mapping	332
Clearing the Edit Buffer	333
Removing ACEs from Security ACLs	333
Clearing the Security ACL Map	333
Displaying VACL Management Information	334
Capturing Traffic Flows on Specified Ports	334
Configuration Guidelines	334
Configuration Examples	335
Configuring VACL Logging	336
Configuration Guidelines	336
Configuration Examples	337
Configuring and Storing VACLs and QoS ACLs in Flash Memory	338
Automatically Moving the VACL and QoS ACL Configuration to Flash Memory	339
Manually Moving the VACL and QoS ACL Configuration to Flash Memory	340
Running with the VACL and QoS ACL Configuration in Flash Memory	341
Moving the VACL and QoS ACL Configuration Back to NVRAM	342

Match case Limit results 1 per page

21-7

Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4

78-13315-02

Chapter 21

Configuring Switch Access Using AAA

Understanding How Authentication Works

Using a Non-Kerberized Login Procedure

If you use a non-Kerberized login procedure to log in to the switch, the switch takes care of

authentication to the KDC on behalf of the login client. However, the user password is now

transferred in clear text from the login client to the switch.

Note

A non-Kerberized login can be performed through a modem or terminal server through the in-band

management port. Telnet does not support non-Kerberized login.

If you launch a non-Kerberized login, the following process takes place:

The switch prompts you for a username and password.

The switch requests a TGT from the KDC so that you can be authenticated to the switch.

The KDC sends an encrypted TGT to the switch, which contains your identity, KDC’s identity, and

TGT’s expiration time.

The switch tries to decrypt the TGT with the password that you entered. If the decryption is

successful, you are authenticated to the switch.

If you want to access other network services, the KDC must be contacted directly for authentication.

To obtain the TGT, you can run the program “kinit,” the client software provided with the Kerberos

package.

Figure 21-2

shows the non-Kerberized login process.

Figure 21-2

Non-Kerberized Telnet Connection

Understanding How 802.1x Authentication Works

IEEE 802.1x is a client-server-based access control and authentication protocol that restricts

unauthorized devices from connecting to a LAN through publicly accessible

ports. 802.1x authenticates each user device connected to a switch port before making available

any services offered by the switch or the LAN. Until the device is authenticated, 802.1x access

control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port

to which the device is connected. After authentication is successful, normal traffic can pass through

the port.

Host

(Telnet client)

Kerberos server

(contains KDC)

Catalyst switch

55510