Network-access guest-vlan – PLANET SGSD-1022 User Manual

User’s Manual of SGSD-1022 / SGSD-1022P

SGSW-2840 / SGSW-2840P

When enabled, the VLAN identifiers returned by the RADIUS server will be applied to the port, providing the VLANs have

already been created on the switch. GVRP is not used to create the VLANs.

The VLAN settings specified by the first authenticated MAC address are implemented for a port. Other authenticated MAC

addresses on the port must have same VLAN configuration, or they are treated as an authentication failure.

If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration, the

authentication is still treated as a success, and the host assigned to the default untagged VLAN.

When the dynamic VLAN assignment status is changed on a port, all authenticated addresses are cleared from the

secure MAC address table.

Example

The following

Example

enables dynamic VLAN assignment on port 1.

Console(config)#interface ethernet 1/1

Console(config-if)#network-access dynamic-vlan

Console(config-if)#

network-access guest-vlan

Use this command to assign all traffic on a port to a guest VLAN when network access (MAC authentication) or 802.1X

authentication is rejected. Use the no form of this command to disable guest VLAN assignment.

Syntax

network-access guest-vlan vlan-id

no network-access guest-vlan

Default Setting

Disabled

Command Mode

Interface Configuration

Command Usage

The VLAN to be used as the guest VLAN must be defined and set as active (see “vlan database” on page 4-225).

When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan” to be effective (see “dot1x

intrusion-action”).

Example

Console(config)#interface ethernet 1/1

Console(config-if)#network-access guest-vlan 25

Console(config-if)#

481