Guest vlan, Acl assignment – H3C Technologies H3C WX6000 Series Access Controllers User Manual


The assigned VLAN neither changes nor affects the configuration of a port. However, as the assigned VLAN has higher priority than the initial VLAN of the port, it is the assigned VLAN that takes effect after a user passes authentication. After the user goes offline, the port returns to the initial VLAN of the port.

With a Hybrid port, the VLAN assignment will fail if you have configured the assigned VLAN to carry tags.

With a Hybrid port, you cannot configure an assigned VLAN to carry tags after the VLAN has been assigned.

Guest VLAN

Guest VLAN allows unauthenticated users and users failing the authentication to access a specified VLAN, where the users can, for example, download or upgrade the client software, or execute some user upgrade programs. This VLAN is called the guest VLAN.

Depending on the port access control method, a guest VLAN can be a port-based guest VLAN (PGV) or a MAC-based guest VLAN (MGV):

PGV is supported on a port that uses the access control method of port-based access control.
MGV is supported on a port that uses the access control method of MAC-based access control.

1) PGV

With PGV configured on a port, if no users are successfully authenticated on the port in a certain period of time (90 seconds by default), the port will be added to the guest VLAN and all users accessing the port will be authorized to access the resources in the guest VLAN.

The device adds a PGV-configured port into the guest VLAN according to the port’s link type, in a similar way to that described in VLAN assignment. When a user of a port in the guest VLAN initiates an authentication, if the authentication is not successful, the port stays in the guest VLAN; if the authentication is successful, the port leaves the guest VLAN, and:

If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user goes offline, the port returns to its initial VLAN, that is, the VLAN specified for it during port configuration, or, in other words, the VLAN it was in before it joined the guest VLAN.
If the authentication server does not assign any VLAN, the port returns to its initial VLAN. After the client goes offline, the port simply stays in its initial VLAN.

2) MGV

With MGV configured on a port, users failing the authentication are authorized to access the resources in the guest VLAN.

If a user in the guest VLAN initiates another authentication process but fails the authentication, the device will keep the user in the guest VLAN. If the user passes the authentication, the device will add the user to the assigned VLAN or return the user to its initial VLAN, depending on whether the authentication server assigns a VLAN.
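The following is an added illustration, not code from the H3C manual or device: it encodes the PGV and MGV transitions described above (guest-VLAN wait timeout, authentication success or failure, server-assigned VLAN, user going offline, and the Hybrid-port rule that an assignment fails when the assigned VLAN is carried tagged) so the VLAN a port or user ends up in can be traced for a given sequence of events. VLAN numbers, the `Port` class and the function names are assumptions made for the model.

```python
"""Model of the guest VLAN behaviour described in the manual (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    """An 802.1X port using port-based access control (PGV). Fields are assumed names."""
    initial_vlan: int                     # VLAN set during port configuration
    link_type: str = "hybrid"             # "access", "trunk" or "hybrid"
    guest_vlan: Optional[int] = None      # PGV is configured when this is set
    tagged_vlans: set = field(default_factory=set)  # Hybrid port: VLANs carried tagged
    current_vlan: int = 0

    def __post_init__(self):
        self.current_vlan = self.initial_vlan


def pgv_timeout(port: Port) -> int:
    """No user authenticated within the wait period (90 s by default): port joins the guest VLAN."""
    if port.guest_vlan is not None:
        port.current_vlan = port.guest_vlan
    return port.current_vlan


def pgv_auth_result(port: Port, success: bool, assigned_vlan: Optional[int] = None) -> int:
    """Apply an authentication outcome on a PGV port and return the VLAN it is in afterwards."""
    if not success:
        return port.current_vlan          # failed: port stays where it is (guest VLAN if joined)
    if assigned_vlan is None:
        port.current_vlan = port.initial_vlan   # no server VLAN: back to the initial VLAN
    elif port.link_type == "hybrid" and assigned_vlan in port.tagged_vlans:
        # Manual: on a Hybrid port the assignment fails if the assigned VLAN carries tags
        raise ValueError(f"VLAN assignment fails: VLAN {assigned_vlan} is tagged on hybrid port")
    else:
        port.current_vlan = assigned_vlan       # assigned VLAN overrides the initial VLAN
    return port.current_vlan


def pgv_user_offline(port: Port) -> int:
    """After the user goes offline the port returns to its initial VLAN."""
    port.current_vlan = port.initial_vlan
    return port.current_vlan


def mgv_user_vlan(initial_vlan: int, guest_vlan: int, success: bool,
                  assigned_vlan: Optional[int] = None) -> int:
    """MAC-based guest VLAN: each user is placed individually by its own authentication result."""
    if not success:
        return guest_vlan                 # failed (first or repeated attempt): stays in guest VLAN
    return assigned_vlan if assigned_vlan is not None else initial_vlan
```

Tracing a port through timeout, a failed attempt, a successful attempt with an assigned VLAN and the user going offline shows the sequence initial VLAN, guest VLAN, guest VLAN, assigned VLAN, initial VLAN.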

ACL assignment

ACLs provide a way of controlling access to network resources and defining access rights. When a user logs in through a port, and the RADIUS server is configured with authorization ACLs, the device will
