-
Catalyst 6500 Series Software Configuration Guide, 8.7
-
Catalyst 6500 Series Switch Software Configuration Guide (Full-book PDF)
-
Index
-
Preface
-
Product Overview
-
Command-Line Interfaces
-
Configuring the Switch IP Address and Default Gateway
-
Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching
-
Configuring Ethernet VLAN Trunks
-
Configuring EtherChannel
-
Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling
-
Configuring Spanning Tree
-
Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard
-
Configuring VTP
-
Configuring VLANs
-
Configuring InterVLAN Routing
-
Configuring CEF for PFC2/PFC3
-
Configuring MLS
-
Configuring Access Control
-
Configuring NDE
-
Configuring GVRP
-
Configuring MVRP
-
Configuring Dynamic Port VLAN Membership with VMPS
-
Checking Status and Connectivity
-
Configuring Online Diagnostics
-
Administering the Switch
-
Configuring Redundancy
-
Configuring NSF with SSO MSFC Redundancy
-
Modifying the Switch Boot Configuration
-
Working with the Flash File System
-
Working with System Software Images
-
Working with Configuration Files
-
Configuring System Message Logging
-
Configuring DNS
-
Configuring CDP
-
Configuring UDLD
-
Configuring DHCP Snooping and IP Source Guard
-
Configuring NTP
-
Configuring Broadcast Suppression
-
Configuring Layer 3 Protocol Filtering
-
Configuring the IP Permit List
-
Configuring Port Security
-
Configuring Switch Access Using AAA
-
Configuring 802.1x Authentication
-
Configuring MAC Authentication Bypass
-
Configuring Web-Based Proxy Authentication
-
Tracking Host Aging
-
Configuring Network Admission Control
-
Configuring Unicast Flood Blocking
-
Configuring SNMP
-
Configuring RMON
-
Configuring SPAN, RSPAN and the Mini Protocol Analyzer
-
Using Switch TopN Reports
-
Configuring Multicast Services
-
Configuring QoS
-
Configuring Automatic QoS
-
Configuring ASLB
-
Configuring the Switch Fabric Module
-
Configuring a VoIP Network
-
Configuring MSFC IOS Features
-
Acronyms
-
Table Of Contents
Understanding How Host Aging is Tracked
Configuring IP Device Tracking Globally
Specifying the IP Device Tracking Interval
Specifying the IP Device Tracking Count
Configuring IP Device Tracking on a Port
Enabling or Disabling IP Device Tracking on a Port with 802.1x Authentication
Enabling or Disabling IP Device Tracking on a Port with MAC Authentication Bypass
Enabling or Disabling IP Device Tracking on a Port with Web-Based Proxy Authentication
Enabling or Disabling IP Device Tracking on a Port with EoU
Tracking Host Aging
This chapter describes how to configure IP device tracking with 802.1x, MAC authentication bypass, Web-proxy based authentication and EoU on the Catalyst 6500 series switches.
Note
For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
Note
Note
Note
Note
This chapter consists of the following sections:
•
•
•
•
•
Understanding How Host Aging is Tracked
Layer 2 authentication features, 802.1x, and MAC authentication bypass install entries into the CAM table to ensure packet switching in the hardware. The CAM entries are static and it cannot be ensured that they are current. The entries age with the hardware if they are not removed by the authentication feature at the end of the session. If a host leaves before the authentication session expires or if the authentication manager is not notified about removing the CAM entry, the stale entry remains in the hardware switching table. Even the Layer 3 protocols, LAN port IP and Web-based proxy authentication have no method to age out the CAM entry if the host leaves before the session expires.
The IP device-tracking feature, which is included in the authentication manager, tracks the existence of the host and removes aged entries in the CAM table. The device-tracking feature ensures that the hardware entries and authentication sessions get aged out. As a result of aging, the hosts are removed from the EARL.
Configuring IP Device Tracking Globally
When enabled, the IP device tracking feature sends out a probe to check if the host is still present. The probe can be sent out at regular intervals for a specified number of times. The default is enabled.
To enable or disable IP device tracking globally, perform this task in privileged mode:
Enable or disable IP device tracking globally.
set ip device-tracking {disable | enable}
This example shows how to enable IP device tracking globally:
Console> (enable) set ip device-tracking enableSuccessfully enabled device tracking.Console> (enable)This example shows how to display the current global configuration of IP device tracking:
Console> (enable) show ip device-trackingDevice tracking mode : EnabledDevice tracking count : 3Device tracking timeout : 30Console> (enable)The following sections describe how to set the probe interval and probe count values:
•
•
Note
Specifying the IP Device Tracking Interval
You can set IP device tracking to send a probe at regular intervals (in seconds). The range is from 5 to 65535 seconds. The default is 30 seconds.
To specify the probe interval, perform this task in privileged mode:
Specify the time period in seconds to send a probe.
set ip device-tracking probe interval interval
This example shows how to set the IP device tracking interval:
Console> (enable) set ip device-tracking probe interval 45Device tracking probe interval set to 45 secs.Console> (enable)Specifying the IP Device Tracking Count
You can configure IP device tracking to send 1 to 10 probes after the host becomes idle. The default is 3 probes.
To set the probe count, perform this task in privileged mode:
Specify the number of times to check for the existence of a host.
set ip device-tracking probe count count
This example shows how to set the IP device tracking probe count:
Console> (enable) set ip device-tracking probe count 5Device tracking probe count set to 5.Console> (enable)Configuring IP Device Tracking on a Port
The following topics describe how to configure IP device tracking on a port:
•
•
•
•
Enabling or Disabling IP Device Tracking on a Port with 802.1x Authentication
To enable or disable IP device tracking on a module or port with 802.1x authentication, perform this task in privileged mode:
Enable or disable IP device tracking on a module or port with 802.1x authentication. The defualt is disabled.
set port dot1x mod/port ip-device-tracking {disable | enable}
This example shows how to enable IP device tracking on a port with 802.1x authentication:
Console> (enable) set port dot1x 3/1 ip-device-tracking enablePort 3/1 ip-device-tracking option is enabled.Console> (enable)This example shows how to view the current conifguration of IP device tracking on a port with 802.1x authentication:
Console> (enable) show port dot1x 3/13Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------3/13 authenticated idle auto authorizedPort Port-Mode Re-authentication Shutdown-timeout Control-Modeadmin oper----- ------------- ----------------- ---------------- ---------------3/13 SingleAuth enabled disabled Both BothPort Posture-Token Critical-Status Termination action Session-timeout----- ------------- --------------- ------------------ ---------------3/13 Healthy no Initialize 3600Port Session-Timeout-Override Url-Redirect----- ------------------------ ---------------------------------------3/13 disabled -Port Critical ReAuth-When IP-Device-Tracking----- -------- ----------- ------------------3/13 disabled 105 enabledConsole> (enable)Enabling or Disabling IP Device Tracking on a Port with MAC Authentication Bypass
To enable or disable IP device tracking on a module or port with MAC authentication bypass, perform this task in privileged mode:
Enable or disable IP device tracking on a module or port with MAC authentication bypass. The default is disabled.
set port mac-auth-bypass mod/port ip-device-tracking {disable | enable}
This example shows how to enable IP device tracking on a port with MAC authentication bypass:
Console> (enable) set port mac-auth-bypass 3/1 ip-device-tracking enablePort 3/1 ip-device-tracking option is enabled.Console> (enable)This example shows how to view the current configuration of IP device tracking on a port with MAC authentication bypass:
Console> (enable) show port mac-auth-bypass 3/1Port Mac-Auth-Bypass State MAC Address Auth-State Vlan----- --------------------- ----------------- ----------------- -----3/1 Enabled 00-00-00-00-00-00 waiting 1Port Termination action Session Timeout Shutdown/Time-Left----- ------------------ --------------- ------------------3/1 initialize 300 NO -Port PolicyGroups----- -------------------------------------------------------------------3/1 -Port Security ACL Sec ACL Type QoS ACL Type----- -------------------------------- ----------------- ----------------3/1 - - -Port QoS Ingress ACL QoS Egress ACL----- -------------------------------- ----------------------------------3/1 - -Port Critical Critical-Status Ip-Device-Tracking----- -------- --------------- ------------------3/1 Disabled - EnabledPort Session-ID----- --------------------------------3/1 -Port Posture Token URL-Redirect----- ------------- ---------------------------------3/1 -Enabling or Disabling IP Device Tracking on a Port with Web-Based Proxy Authentication
To enable or disable IP device tracking on a port with web-based proxy authentication, perform this task in privileged mode:
Enable or disable IP device tracking on a module or port with web-based proxy authentication. The default is enabled.
set port web-auth mod/port ip-device-tracking {disable | enable}
This example shows how to enable IP device tracking on a port with web-based proxy authentication:
Console> (enable) set port web-auth 3/1 ip-device-tracking enablePort 3/1 ip-device-tracking option is enabled.Console> (enable)This example shows how to view the current configuration of IP device tracking on a port with web-based proxy authentication:
Console> (enable) show port web-auth 3/1Port IP-Address Vlan Enabled Web-Auth-State Critical-Status----- --------------- ---- --------- ----------------- ---------------3/1 - 1 enabled - -Port IP-Address Session-Timeout Session-Timeleft Radius-Rcvd-Timeout----- --------------- --------------- ---------------- -------------------3/1 - - - NoPort IP-Address Policy-Groups----- --------------- -------------3/1 - -Port IP-Address Ip-Device-Tracking----- --------------- ------------------3/1 - EnabledEnabling or Disabling IP Device Tracking on a Port with EoU
To enable or disable IP device tracking on a port with EoU, perform this task in privileged mode:
Enable or disable IP device tracking on a module or port with EoU. The default is enabled.
set port eou mod/port ip-device-tracking {disable | enable}
This example shows how to enable IP device tracking on a port with EoU:
Console> (enable) set port eou 3/1 ip-device-tracking enablePort 3/1 ip-device-tracking option is enabled.Console> (enable)This example shows how to view the current configuration of IP device tracking on a port with EoU:
Console> (enable) show port eou 3/1Port EOU-State IP Address MAC Address Critical-Status-------- --------- --------------- ----------------- ---------------3/1 auto - - -Port FSM State Auth Type SQ-Timeout Session Timeout-------- ------------- ----------- ---------- ---------------3/1 - - - -Port Posture URL Redirect-------- ------------ --------------------3/1 - -Port Termination action Session id-------- ------------------ --------------------------------3/1 - -Port PolicyGroups-------- ------------------------------------------------------3/1 -Port Critical Ip-Device-Tracking----- -------- ------------------3/1 disabled enabled
