Multihost Mode
When you must include hubs in your network topology, multihost mode is available as an
option. In general, multihost mode does not change the default operation for 802.1X, and
it is available on all Catalyst switches. To enable multihost mode on a switch running Cisco
IOS software, enter the following command:
dot1x host-mode multi-host
The main difference between single-auth mode and multihost mode is that after a MAC
address is authenticated and authorized, any number of MAC addresses behind a hub can
access the network. As a result, when using multihost mode alone, there is no way to restrict
the number of MAC addresses on a port. The port is open to access by any connected host
after the port is authorized using 802.1X. In effect, multihost mode uses 802.1X to
authenticate a single port and then authorizes access to any other hosts that might be
connected to the port through a hub.
For switches that support 802.1X along with port security, however, a port can be
authenticated using 802.1X, and then access can be restricted to specific hosts using port
security. After the initial 802.1X authentication, you can use port security to restrict access
to specific addresses instead of allowing complete access. When using port security, all
subsequent non-EAPOL frames are redirected to the port security process, and 802.1X has
no further effect. If the first MAC address that was authenticated through 802.1X
terminates service directly through the use of an EAPOL-Logoff frame, the port
disconnects from the network, and the network becomes unavailable to any hosts
connected through the port. With multihost mode, you can use 802.1X authentication for a
specific port and then use port security on the port to take advantage of features such as
aging, inactivity time, violation mode, and the number of MAC addresses allowed.
In general, hubs present challenges in any port-based access-control solution or network
topology. Carefully consider the implications of using hubs; their use is not typically
recommended for an IBNS solution. If a hub-type topology persists, 802.1X cannot keep
neighboring systems connected to hubs from seeing all traffic in all connected devices, and the
systems might exploit any number of Layer 2 vulnerabilities. However, if you determine
that hubs are necessary in specific situations, such as in conference rooms, use multihost
mode with port security. Multihost mode with port security provides the best security
possible under the circumstances. This combination of security features helps you achieve
the goal of network security, which is to provide the minimum network access that meets
the network's functional requirements.
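An added example, not part of the original text or of Cisco's documentation: a short Python check that scans an IOS-style configuration for ports in multihost mode and reports whether port security limits the number of MAC addresses behind them. The sample configuration, the interface names and the values 4 and 10 are constructed, and the port-security command spellings are assumed to match your platform and release.

```python
import re

# Constructed sample: Fa0/1 is multihost only, Fa0/2 adds port security.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 dot1x port-control auto
 dot1x host-mode multi-host
!
interface FastEthernet0/2
 dot1x port-control auto
 dot1x host-mode multi-host
 switchport port-security
 switchport port-security maximum 4
 switchport port-security violation restrict
 switchport port-security aging time 10
!
interface FastEthernet0/3
 dot1x port-control auto
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of its configuration lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_multihost(config):
    """Return {interface: finding} for every port in 802.1X multihost mode."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "dot1x host-mode multi-host" not in lines:
            continue  # single-host ports are outside this check
        if "switchport port-security" not in lines:
            findings[name] = "multihost only: no limit on MAC addresses"
            continue
        m = re.search(r"^switchport port-security maximum (\d+)$", "\n".join(lines), re.M)
        limit = int(m.group(1)) if m else 1  # IOS default maximum is 1
        findings[name] = f"multihost + port security: at most {limit} MAC addresses"
    return findings

if __name__ == "__main__":
    print(audit_multihost(SAMPLE_CONFIG))
```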