Cisco Cisco Catalyst 2960X-48FPS-L Switch White Paper
© 2015 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information
Page 7 of 19
PACL/VACL/DACL policies co-existing on ingress - traffic is filtered based on the order the ACLs are applied (PACL, VACL and then DACL)
DACL downloaded only for Data client on MDA mode (no DACL for voice)
Client access - fully qualified domain name (FQDN) ACL with multiple domain names
Download different DACL/Filter-ID for multiple sessions on the MA ports
Download 64 ACE DACL for multiple sessions on the MA port
Per user ACL for data users
Policies Use Cases
VLAN policy changes for existing sessions during re-authentication
Filter-ID on multiple MA and MDA ports
Security Group Tag (SGT) on multiple MA and MDA ports and single-host (Note: In multi-host mode only the first host is visible; all other hosts get tagged with the same SGT)
Local policy precedence change over server policy and vice versa
Policy replace, replace all and merge as part of re-authentication
Concurrent Dot1X, MAB, and Web Authentication policy
SXP speaker and listeners
SGACL enforcement on 3750X, 3850 and 4500
Multiple CTS Dot1X links (L2, L3 and ether-channel) between Cat3K and Cat4K with various Security Association Protocol (SAP) modes (gcm-encrypt, gmac, null and no-encap)
HA/SSO and Feature Interaction Use Cases
HA with radius port connected to Master unit - authentication after reload
Webauth fails due to wrong credentials or timeout and fallback to MAB authentication
Client stays authorized and accessible (critical auth) to network if AAA server is dead
Open authentication in single host mode with authentication violation replace
CDP Bypass - phones and PC connected to a port with authentication - host mode as single-host and multi-host
DHCP IPs released and renewed - an IP is released from one client and another client re-uses the same IP address
Input queue counters appropriately increment/decrement with central Webauth profile configured on ISE for MAB clients
Client MAC address re-learnt on the new port with re-authentication. If mac-move is disabled, the new port will not learn the MAC address and this will result in a security violation
Guest VLAN clients initiate EAP but don't respond to EAP-Request
Traffic permitted/denied based on VLAN map for restricted VLAN (auth-fail vlan)
Critical VLAN for new and existing sessions on MA and MDA ports with local re-auth timer configured - validate user profile in effect