Configure 802.1X controlled direction (optional)
After you enable 802.1X authentication on specified ports, you can use the aaa port-access controlled-direction command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.
As documented in the IEEE 802.1X standard, an 802.1X-aware port that is unauthenticated can control traffic in either of the following ways:
In both ingress and egress directions by disabling both the reception of incoming frames and transmission of outgoing frames.
Only in the ingress direction by disabling only the reception of incoming frames.
Prerequisite:
As documented in the IEEE 802.1X standard, disabling incoming traffic while still transmitting outgoing traffic on an 802.1X-aware egress port in an unauthenticated state (using the aaa port-access controlled-direction in command) is supported only if:
The port is configured as an edge port in the network using the spanning-tree edge-port command.
The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network.
For information on how to configure the prerequisites for using the aaa port-access controlled-direction in command, see “Multiple Instance Spanning-Tree Operation” in the advanced traffic management guide.
Syntax:
aaa port-access <port-list> controlled-direction <both|in>
both (default): Incoming and outgoing traffic is blocked on an 802.1X-aware port before authentication occurs.
in: Incoming traffic is blocked on an 802.1X-aware port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated 802.1X-aware ports.
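The prerequisite above can be checked offline against a saved configuration. The following is an added example, not vendor code: it flags ports set to controlled-direction in that are not edge ports or that sit on a switch without spanning tree enabled. The sample configuration is constructed, and the spanning-tree line forms and numeric port names are assumptions.

```python
import re

# Constructed sample config. The "aaa port-access" lines follow the syntax on this
# page; the two spanning-tree line forms are assumptions made for the example.
SAMPLE = """\
spanning-tree
spanning-tree 1-3 edge-port
aaa port-access 1-4 controlled-direction in
aaa port-access 6 controlled-direction both
"""

DIRECTION = re.compile(r"^aaa port-access (\S+) controlled-direction (both|in)$")
EDGE_PORT = re.compile(r"^spanning-tree (\S+) edge-port$")  # assumed line form


def expand_ports(port_list):
    """Expand a numeric port list such as '1-3,7' into {1, 2, 3, 7}."""
    ports = set()
    for part in port_list.split(","):
        low, _, high = part.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def audit(config_text):
    """Map each port set to 'controlled-direction in' to its unmet prerequisites."""
    in_ports, edge_ports, stp_enabled = set(), set(), False
    for line in map(str.strip, config_text.splitlines()):
        if m := DIRECTION.match(line):
            ports = expand_ports(m.group(1))
            # A later line for the same port replaces the earlier setting.
            in_ports = in_ports | ports if m.group(2) == "in" else in_ports - ports
        elif m := EDGE_PORT.match(line):
            edge_ports |= expand_ports(m.group(1))
        elif line == "spanning-tree":  # assumed to mean MSTP/RSTP is enabled
            stp_enabled = True
    findings = {}
    for port in sorted(in_ports):
        missing = []
        if not stp_enabled:
            missing.append("MSTP/RSTP not enabled")
        if port not in edge_ports:
            missing.append("not an edge port")
        if missing:
            findings[port] = missing
    return findings


if __name__ == "__main__":
    for port, missing in audit(SAMPLE).items():
        print(f"port {port}: controlled-direction in, but {', '.join(missing)}")
```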