Cisco S49ES-12231SG= User Manual
© 2006 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Page 2 of 7
Layer 2 redirection cannot be enabled on the same input interface as Policy-Based Routing (PBR) or Virtual Route Forwarding (VRF)-lite. ACL-based classification for Layer 2 redirection is not supported.
MAC Authentication Bypass
MAC authentication bypass is an enhancement to Cisco Network Admission Control (NAC 2.0) Layer 2 802.1x. It provides network access to agentless devices without 802.1x supplicant capabilities, such as printers. Upon detecting a new MAC address on a switch port, the switch proxies an 802.1x authentication request based on the device's MAC address. A database of MAC addresses for such devices is maintained by the RADIUS server. The device's network access is either granted or denied by the RADIUS server and is enforced by the switch. Per-port reauthentication of MAC addresses is also supported. MAC authentication bypass is typically deployed on switch ports connected to managed agentless devices without 802.1x supplicant functionality.
802.1x Inaccessible Authentication Bypass
802.1x inaccessible authentication bypass is an enhancement to Cisco NAC 2.0 Layer 2 802.1x. When the authentication, authorization, and accounting (AAA) servers are unreachable or nonresponsive, 802.1x user authentication normally fails with the port closed, and the user is denied access. 802.1x inaccessible authentication bypass provides a configurable alternative on the switch that grants a critical port network access in a locally specified VLAN. After the AAA servers become reachable again, those ports either remain critically authorized or are reinitialized. 802.1x inaccessible authentication bypass can be enabled on a per-port basis for access ports, private VLAN host ports, or routed ports. It is typically enabled on ports connected to critical devices, minimizing business impact for the duration of the AAA server outage.
802.1x Unidirectional Controlled Port
802.1x unidirectional controlled port allows Wake-on-LAN (WoL) magic packets to reach a workstation attached to an unauthorized 802.1x switch port. WoL is typically used to push operating system or software updates from a central server to workstations at night. When a workstation is powered down at night, its 802.1x switch port is not authenticated. The 802.1x unidirectional controlled port feature lets the one-way WoL magic packets power on the sleeping workstation so that 802.1x authentication can take place. It extends WoL operation to workstations attached to 802.1x switch ports.
Private VLAN Promiscuous Trunk
Private VLANs (PVLANs) are an effective means of conserving IP address space while isolating Layer 2 traffic for devices residing within the same subnet. A promiscuous port in a PVLAN is an upstream port, carrying traffic between the upstream device in a primary VLAN and the downstream devices in secondary VLANs. Private VLAN promiscuous trunk extends the promiscuous port to an 802.1Q trunk port carrying multiple primary VLANs (and hence multiple subnets). Private VLAN promiscuous trunk is typically used to offer different services or content on different primary VLANs to isolated subscribers. Secondary VLANs cannot be carried over the private VLAN promiscuous trunk.
MAC Address Notification
MAC address notification monitors the MAC addresses that are learned by, aged out of, or removed from the switch. Notifications are sent out or retrieved using the CISCO-MAC-NOTIFICATION MIB. It is typically used by a central network management application to collect such MAC address notification events for tracking host moves. User-configurable MAC table utilization thresholds can be defined to flag a potential DoS or man-in-the-middle attack.
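The following is an added example, not code from Cisco or this manual: a defender-side parser for the MAC-change message that the CISCO-MAC-NOTIFICATION MIB delivers (the 11-byte-per-event layout of cmnHistMacChangedMsg is assumed here from the MIB description), followed by a check that flags a port on which an unusual number of new MAC addresses has suddenly been learned, the symptom the utilization thresholds above are meant to surface. The sample message and the threshold are constructed for the demonstration.

```python
import struct
from collections import defaultdict

# Assumed record layout of cmnHistMacChangedMsg (CISCO-MAC-NOTIFICATION-MIB):
# the octet string is a concatenation of 11-byte records, each holding
#   1 byte  operation (1 = MAC learned, 2 = MAC removed)
#   2 bytes VLAN ID, big-endian
#   6 bytes MAC address
#   2 bytes dot1dBasePort, big-endian
RECORD = struct.Struct("!BH6sH")
OPS = {1: "learned", 2: "removed"}


def parse_mac_notification(msg: bytes):
    """Split a cmnHistMacChangedMsg value into (op, vlan, mac, port) tuples."""
    if len(msg) % RECORD.size:
        raise ValueError("message length is not a multiple of %d bytes" % RECORD.size)
    events = []
    for off in range(0, len(msg), RECORD.size):
        op, vlan, mac, port = RECORD.unpack_from(msg, off)
        events.append((OPS.get(op, "op%d" % op), vlan, mac.hex(":"), port))
    return events


def flag_flooded_ports(events, max_new_macs=5):
    """Return {port: distinct learned MACs} for ports exceeding the threshold.

    An access port that serves one host should learn one or two addresses; a
    burst of distinct new MACs on a single port is the classic sign of a
    MAC-table flooding (DoS) attempt and is worth an alert.
    """
    seen = defaultdict(set)
    for op, _vlan, mac, port in events:
        if op == "learned":
            seen[port].add(mac)
    return {p: len(m) for p, m in seen.items() if len(m) > max_new_macs}


def build_sample():
    """Constructed sample: one host on port 3, eight new MACs on port 7."""
    recs = [RECORD.pack(1, 10, bytes.fromhex("0011223344aa"), 3)]
    for i in range(8):
        recs.append(RECORD.pack(1, 10, bytes([0x02, 0, 0, 0, 0, i]), 7))
    recs.append(RECORD.pack(2, 10, bytes.fromhex("0011223344aa"), 3))  # host left
    return b"".join(recs)


SAMPLE = build_sample()

if __name__ == "__main__":
    events = parse_mac_notification(SAMPLE)
    for event in events:
        print(event)
    print("suspicious ports:", flag_flooded_ports(events))  # {7: 8}
```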
Voice VLAN Sticky Port Security
Port security restricts the MAC addresses allowed, or the maximum number of MAC addresses, on a switch port. Sticky port security extends port security by saving the dynamically learned MAC addresses in the running configuration so that they survive port link down and switch reset. Voice VLAN