Authentication configuration for L3 Switch

Unanswered Question
Apr 7th, 2009

There are two switches: one Layer 3 switch and one access switch.

I need to add a new VLAN (vlan200) that will be used to give users access to the server, and I need to restrict access to vlan100 in the following manner:

1. Users connecting to the access switch's ports must be authenticated before they are given access to the network. Authentication is to be done via a RADIUS server:

Radius Server host:

Radius Key: CISCO

Authentication should be implemented as close to the host device as possible.

2. Devices on vlan100 are restricted to the address range of

Packets from devices in the address range of should be passed on vlan100.

Packets from devices in any other address range should be dropped on vlan100.

Filtering should be implemented as close to the server farm as possible.

Config for the Access Switch


aaa new-model
! RADIUS server address was left out of the post; the key is as given
radius-server host key CISCO
aaa authentication dot1x default group radius
! "aaa authentication network" is not a valid command; network authorization
! (needed if RADIUS is to assign VLANs) is "aaa authorization network"
aaa authorization network default group radius
! enables 802.1X globally (posted as "dot1x system- authentication-control")
dot1x system-auth-control
!
interface range fa0/1 - 20
 switchport mode access
 switchport access vlan 100
 ! port stays unauthorized until the supplicant passes RADIUS authentication
 dot1x port-control auto


Config for the Layer 3 Switch


ip access-list extended checklist
 ! permitted source range was left out of the post
 permit ip
!
! syntax is "vlan access-map <name> <sequence>"; the posted
! "vlan access-map allow vlan100" would be rejected as a bad sequence number,
! and the VLAN is selected with "vlan filter", not in the map name
vlan access-map allow 10
 match ip address checklist
 action forward
! bind the map to VLAN 100; frames matched by no sequence hit the implicit drop
vlan filter allow vlan-list 100


Or can I use it this way:

access-list 10 permit
!
! applied inbound under the interface facing the access switch
ip access-group 10 in
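The two options in the question behave differently, and the difference is easier to see in a small model than in the config. The Python below is an added illustration, not Cisco IOS code or anything from the original post. It models the VLAN access-map bound to VLAN 100 beside the "access-list 10 / ip access-group 10 in" alternative applied on the trunk port; the permitted source range and the sample traffic are constructed placeholders because the post leaves the real range out, and the port name gi0/48 comes from the follow-up reply in this thread.

```python
"""Behavioural model of the two filtering options from the post above.
Added illustration, not Cisco IOS code. The permitted source range is a
constructed placeholder because the original post leaves the real range out."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the elided "address range of ..." in the question.
PERMITTED_SOURCES = ipaddress.ip_network("10.100.0.0/24")
FILTERED_VLAN = 100          # 'vlan filter allow vlan-list 100'
TRUNK_PORT = "gi0/48"        # where the thread proposes 'ip access-group 10 in'


@dataclass(frozen=True)
class Packet:
    vlan: int        # VLAN the frame is bridged in on the Layer 3 switch
    src: str         # source IPv4 address
    ingress: str     # physical port the frame arrived on


def source_permitted(pkt: Packet) -> bool:
    """'permit ip <range> any' in either ACL: only the source is tested."""
    return ipaddress.ip_address(pkt.src) in PERMITTED_SOURCES


def vacl_action(pkt: Packet) -> str:
    """VLAN access-map 'allow' bound to VLAN 100 only.
    A VACL is evaluated for every frame bridged or routed in that VLAN,
    whatever port it entered on, and ends with an implicit drop."""
    if pkt.vlan != FILTERED_VLAN:
        return "forward"           # no access-map bound to this VLAN
    if source_permitted(pkt):
        return "forward"           # sequence 10: match checklist -> action forward
    return "drop"                  # nothing else matched: implicit drop


def pacl_action(pkt: Packet) -> str:
    """Assumed model of 'access-list 10 permit <range>' applied with
    'ip access-group 10 in' on the trunk port: consulted only for frames
    entering that port, but for every VLAN carried on the trunk."""
    if pkt.ingress != TRUNK_PORT:
        return "forward"           # ACL is not consulted on other ports
    return "forward" if source_permitted(pkt) else "drop"   # implicit deny


def compare(pkts):
    """Return (packet, VACL result, port-ACL result) for each packet."""
    return [(p, vacl_action(p), pacl_action(p)) for p in pkts]


# Constructed sample traffic.
SAMPLE = [
    Packet(100, "10.100.0.5", "gi0/48"),  # permitted user on VLAN 100
    Packet(100, "192.0.2.9", "gi0/48"),   # out-of-range source on VLAN 100
    Packet(200, "192.0.2.9", "gi0/48"),   # VLAN 200 user, not meant to be filtered
    Packet(100, "192.0.2.9", "gi0/2"),    # out-of-range source entering VLAN 100 on a server-side port
]

if __name__ == "__main__":
    for p, v, a in compare(SAMPLE):
        print(f"vlan {p.vlan:<4} src {p.src:<12} via {p.ingress:<6} VACL={v:<8} PACL={a}")
```

Running it shows why the access-map is the better fit for requirement 2: the port ACL on gi0/48 also drops the vlan200 user whose address is outside the range, and it never sees an out-of-range host that enters VLAN 100 on a port other than the trunk, whereas the VACL touches only VLAN 100 and filters it regardless of ingress port.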


Leo Laohoo Tue, 04/07/2009 - 16:56

Errr ...

1. dot1x port-control auto is for NAC. Do you have a NAC server?

2. Where's your trunk?

3. Which interface do you intend to apply "ip access-group 10 in" to?

lmanavalan Tue, 04/07/2009 - 17:21

Yep, there is a RADIUS server installed.

A trunk is also configured between the Layer 3 switch (gi0/48) and the access switch (gi0/1).

And "ip access-group 10 in" goes on the Layer 3 switch's gi0/48 interface.
