Category: Cisco Switches

Trunk between Cisco Catalyst switches and HP Aruba 5400zl R2

When creating a trunk link between a Cisco Catalyst switch and an HP 5400zl R2 switch, it is a good idea to have it negotiate with LACP. It is quite simple: you create the bond on both switches and add the VLANs you want onto the trunk link. Here is a little configuration example to show how it goes.

On the HP 5400 side just use the following commands:

trunk A24,B24 trk1 lacp
vlan 10 tagged trk1
vlan 20 tagged trk1
vlan 4000 untagged trk1

On the Cisco Catalyst side it requires a few more commands, but it isn't difficult either. Add the interfaces to a channel group and then add the VLANs to the port-channel interface, as follows:

interface range GigabitEthernet1/0/24,GigabitEthernet2/0/24
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
interface Port-channel1
 switchport trunk native vlan 4000
 switchport trunk allowed vlan 10,20
 switchport mode trunk

802.1x Authentication on Cisco Catalyst switches

If anyone is wondering how to configure 802.1x authentication on Cisco switches, here is a little list of commands that should help you. I am not going to cover the hassle of configuring the NPS service on a Windows domain server at the moment, but maybe later on if I get the time for it.

Basics of what you need to do

  1. Configure the RADIUS servers on the switch
  2. Enable aaa new-model on the switch and configure AAA authentication itself
  3. Configure the VLANs you want to use (not going to cover creating a VLAN here..)
  4. Configure the ports on which authentication is to be required

The configuration

So let's start configuring the switch (using the command line interface). First log in to the switch. (I seriously hope you are using SSH, not telnet..)

Configuring the radius servers

You should replace the IP addresses, ports and passwords with the ones you are going to use. Note that the shared key is stored in plain text in the configuration unless you have service password-encryption turned on. I am configuring the switch to use two RADIUS servers, since it is always a good idea to have more than one of them: if one fails, the switch will try the other one to authenticate the user.

radius server name-of-first-server
 address ipv4 10.0.0.101 auth-port 1812 acct-port 1813
 key YourRadiusPasswordHere

radius server name-of-second-server
 address ipv4 10.0.0.102 auth-port 1812 acct-port 1813
 key YourRadiusPasswordHere

aaa new-model
aaa group server radius MyRadiusServers
 server name name-of-first-server
 server name name-of-second-server

Enabling authentication

Enable 802.1X globally on the switch and point the dot1x authentication and network authorization services at the RADIUS server group you configured above:

dot1x system-auth-control
aaa authentication dot1x default group MyRadiusServers
aaa authorization network default group MyRadiusServers

Enabling user authentication on the ports

After configuring the RADIUS part on the switch it's time to enable authentication on the ports you want. As an example I enabled it on ports 1-12, leaving the others alone.

interface range gi1/0/1-12
 switchport access vlan 5
 switchport mode access
 authentication event fail action authorize vlan 2
 authentication event no-response action authorize vlan 2
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 2

The "switchport access vlan" command sets the VLAN the user is put into after a successful authentication; in this example it is VLAN 5. In other words, it sets the port's default VLAN.
The commands starting with "authentication event" set the VLAN the user ends up in when authentication fails or the client never responds to the 802.1X requests (VLAN 2 here), so that VLAN should be a restricted guest network.
"dot1x timeout tx-period" is not a mandatory command, but it is a nice thing to set if you want to use authentication failure to send people to some guest network. What I noticed was that clients that don't authenticate themselves sometimes ended up with auto-configured (APIPA) addresses when this timeout was not set: Windows just gave up on trying to get access to the network.