CCNA Certification

CCNA, CCNP, CCIE Certification News

Cisco CCNA Certification: Port-Based Authentication

To pass your CCNA exam and earn this coveted certification, you must understand the details of port-based authentication.

This knowledge has a great deal of value in production networks as well, since this authentication scheme is regularly implemented. Let’s take a look at this particular CCNA skill.

Consider a situation where you have a server that will be connected to your switch, and you want the port to shut down if a device with a MAC address different from that of the server attempts to connect to that port. You could also have a situation where someone has a connection to a switch port in his office, and he wants to make sure that only his laptop can use that port.

Both of these examples are real-world situations, and there are two solutions for each. First, we could create a static MAC entry for that particular switch port. I don’t recommend this, mainly because both you and I have better things to do than manage static MAC entries. The better solution is to configure port-based authentication on the switch.

The Cisco switch uses MAC addresses to enforce port security. With port security, only devices with certain MAC addresses can connect to the port successfully. This is another reason source MACs are looked at before the destination MAC is examined. If the source MAC is non-secure and port-based authentication is in effect, the destination does not matter, as the frame will not be forwarded. In essence, the source MAC address serves as the password.

MAC addresses that are allowed to successfully communicate with the switch port are secure MAC addresses. The default number of secure MAC addresses is 1, but a maximum of 132 secure MACs can be configured.

When a non-secure MAC address attempts to communicate with the switch port, one of three actions will occur, depending on the port security mode. In Protect mode, frames with non-secure MAC addresses are dropped. There is no notification that a violation has occurred. The port will continue to switch frames for the secure MAC address.

In Restrict mode, the same action is taken, but the violation is also logged: a syslog message is generated and an SNMP notification is sent (SNMP is a network-management protocol supported by Cisco routers and switches).

In Shutdown mode, the interface goes into error-disabled state, the port LED will go out, and a syslog message is logged. The port has to be manually reopened. Shutdown mode is the default port-security mode.
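The configuration that puts the three modes above into practice, as an added example rather than text from the original post. The interface names, VLAN number and the MAC address are assumed values; the commands themselves are standard IOS port-security syntax. Comments (lines beginning with `!`) explain each step.

```cisco
! Added example, not part of the original post. Interface names, VLAN 10 and
! the MAC 0000.1111.2222 are assumed values.
!
! Case 1: the server port. One statically defined secure MAC; offending frames
! are dropped and logged (syslog + SNMP trap) but the port stays up.
interface FastEthernet0/1
 description Server port - single permitted MAC
! port security requires a static access (or trunk) port, not dynamic/auto
 switchport mode access
 switchport access vlan 10
! enabling port security gives the defaults: maximum 1, violation shutdown
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.2222
 switchport port-security violation restrict
!
! Case 2: the office port. Learn the first MAC seen and keep it in the
! running-config (sticky learning); a second device err-disables the port.
interface FastEthernet0/2
 description Office port - first device seen becomes the secure MAC
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Verification:
!   show port-security interface FastEthernet0/2   (mode, violation count, status)
!   show port-security address                     (secure MACs per port)
!
! Recovery after a Shutdown-mode violation has err-disabled the port:
! interface FastEthernet0/2
!  shutdown
!  no shutdown
```

Protect mode is chosen with `switchport port-security violation protect` in the same position. Because Shutdown is the default, an interface with only `switchport port-security` on it behaves exactly as the Shutdown paragraph describes, so the `violation` keyword only needs to be typed when you want Protect or Restrict.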

Port-based authentication is just one of the many switching skills you’ll have to demonstrate to earn your CCNA certification. Make sure you know the basics shown here, including the action of each particular mode, and you’re on your way to CCNA exam success!


June 9, 2006 Posted by | CCNA, Education, Tech

Troubleshooting Directly Connected Serial Interfaces

CCNA exam success depends largely on noticing the details, and this is especially true of configurations involving directly connected serial interfaces.

And of course, it's not enough to notice these details – you've got to know what to do about them! A Cisco router is a DTE by default, but directly connecting two DTEs with a DCE/DTE cable is not enough. In the following example, R1 and R3 are directly connected at their Serial1 interfaces. The line goes up briefly after being opened, but the line protocol goes down after about 30 seconds.

R3(config-if)#int s1
R3(config-if)#ip address 172.12.13.3 255.255.255.0
R3(config-if)#no shutdown
2d18h: %LINK-3-UPDOWN: Interface Serial1, changed state to up
2d18h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up
R3(config-if)#
2d18h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to down

The problem is that one of the routers needs to act as the DCE in order for the line protocol to come up and stay up. If this were your CCNA / CCNP home lab, you could just go over and look at the DTE/DCE cable to see which router had the DCE end of the cable attached. In this example, though, we don't have physical access to the routers. How can we tell which router has the DCE end of the cable attached?

R3#show controller serial 1
HD unit 1, idb = 0x1C44E8, driver structure at 0x1CBAC8
buffer size 1524 HD unit 1, V.35 DCE cable

The show controller command gives us this information. (There's a lot more output than this from this command, but it's unimportant for our purposes.) The router with the DCE end of the cable needs to supply a clock rate to the DTE, and we'll do just that with the interface-level clockrate command.

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#int serial1
R3(config-if)#clockrate 56000
2d18h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up

In just a few seconds, the line protocol goes up and stays up.

When troubleshooting a connection, always run show interface first. If you see the combination shown below, the connection is physically fine but logically down. That's generally the result of a needed keepalive not being present. With Frame Relay, it's probably an LMI issue, but with directly connected serial interfaces the issue is most likely the DCE end of the connection not supplying clockrate.

R3#show interface serial 1
Serial1 is up, line protocol is down
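The whole troubleshooting sequence from both ends of the link, as an added example that is not part of the original post. The router names and R3's address come from the post; R1's address, the DTE-side output and the 56000 clock rate are assumed values for a back-to-back lab cable. Lines starting with `!` are comments or quoted output, the rest are the commands typed.

```cisco
! Added example, not part of the original post. R1's address and the
! DTE-side output are assumed.
!
! Step 1 - show interface on either side tells you layer 1 is fine but
! layer 2 is not:
! R1#show interfaces serial 1
!   Serial1 is up, line protocol is down
!
! Step 2 - show controllers tells you which end of the cable each router
! holds. Only the DCE end can (and must) supply the clock:
! R1#show controllers serial 1
!   HD unit 1, ... V.35 DTE cable       <- R1 expects clocking from its peer
! R3#show controllers serial 1
!   HD unit 1, ... V.35 DCE cable       <- R3 has to supply the clock
!
! Step 3 - configure the DCE end. "clock rate" is the two-word form;
! the single-word "clockrate" used in the post is accepted on many IOS
! versions as well.
R3#configure terminal
R3(config)#interface serial 1
R3(config-if)#ip address 172.12.13.3 255.255.255.0
R3(config-if)#clock rate 56000
R3(config-if)#no shutdown
R3(config-if)#end
!
! The DTE end gets an address only; a clock rate configured here is ignored
! and does not fix the link:
R1#configure terminal
R1(config)#interface serial 1
R1(config-if)#ip address 172.12.13.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#end
!
! Step 4 - verify from both sides:
! R3#show interfaces serial 1 | include line protocol
!   Serial1 is up, line protocol is up
! R3#ping 172.12.13.1
```

If show interface reports "Serial1 is down, line protocol is down" instead, the problem is at layer 1 (cable, the far end shut down, or no carrier) and clocking is not the first thing to check; "administratively down" means a `no shutdown` is still missing on that side.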

Troubleshooting is a big part of the job, and it's a big part of the Cisco CCNA and CCNP programs as well. Know your show and debug commands and you're on your way to passing the CCNA!

Tags: CCNA, CCNP

June 9, 2006 Posted by | CCNA, CCNP