Guest Vlan - HP FlexNetwork 10500 Series Security Configuration Manual


Table 6 VLAN manipulation

| Port access control method | VLAN manipulation |
| --- | --- |
| Port-based | The device assigns the first authenticated user's authorization VLAN to the port as the port VLAN (PVID). All subsequent 802.1X users can access the VLAN without authentication. When the first authenticated user logs off, the previous PVID is restored, and all other online users are logged off. |
| MAC-based | If the port is a hybrid port with MAC-based VLAN enabled, the device maps the MAC address of each user to the authorization VLAN. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed. If the port is an access, trunk, or MAC-based VLAN-disabled hybrid port, the device assigns the first authenticated user's authorization VLAN to the port as the PVID. If a different VLAN is authorized to a subsequent user, the user cannot pass the authentication. To ensure successful authentication of subsequent users, authorize the same VLAN to all 802.1X users on these ports. |

A hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not
reconfigure the port as a tagged member in the VLAN.

On a port with periodic online user reauthentication enabled, the MAC-based VLAN feature does not
take effect on a user who has been online since before this feature was enabled. The access device
creates a MAC-to-VLAN mapping for the user when the following requirements are met:
- The user passes reauthentication.
- The authorization VLAN for the user is changed.

For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN
Switching Configuration Guide.

Guest VLAN

The 802.1X guest VLAN on a port accommodates users who have not performed 802.1X
authentication. Users in the guest VLAN can access a limited set of network resources, such as a
software server, to download antivirus software and system patches. Once a user in the guest VLAN
passes 802.1X authentication, it is removed from the guest VLAN and can access authorized
network resources.

The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control
method.

On a port that performs port-based access control:

| Authentication status | VLAN manipulation |
| --- | --- |
| A user has not passed 802.1X authentication. | The device assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation. |
| A user in the 802.1X guest VLAN fails 802.1X authentication. | If an 802.1X Auth-Fail VLAN (see "Auth-Fail VLAN") is available, the device assigns the Auth-Fail VLAN to the port as the PVID. All users on this port can access only resources in the Auth-Fail VLAN. If no Auth-Fail VLAN is configured, the PVID on the port is still the 802.1X guest VLAN. All users on the port are in the guest VLAN. |
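
The PVID changes described for a port-based port can be traced with a small model, which is useful when checking which VLAN every device behind a port ends up in after a given sequence of events. This is an added example, not code from the manual or the device; the class name, method names, and VLAN IDs are hypothetical, and the two points marked "Assumption" in the comments are modelling choices rather than statements from the manual.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class PortBasedPort:
    """Hypothetical model of one 802.1X port using port-based access control."""
    configured_pvid: int
    guest_vlan: Optional[int] = None       # None: no 802.1X guest VLAN configured
    auth_fail_vlan: Optional[int] = None   # None: no Auth-Fail VLAN configured
    pvid: int = field(init=False)
    first_user: Optional[str] = field(default=None, init=False)
    online: Set[str] = field(default_factory=set, init=False)
    _previous_pvid: int = field(init=False)

    def __post_init__(self) -> None:
        self.pvid = self._previous_pvid = self.configured_pvid

    def user_not_authenticated(self) -> int:
        # Guest VLAN becomes the PVID; with none configured, no VLAN operation.
        # Assumption: skipped once the port is already authorized.
        if self.guest_vlan is not None and self.first_user is None:
            self.pvid = self.guest_vlan
        return self.pvid

    def guest_user_fails_auth(self) -> int:
        # Only a user in the guest VLAN is covered by this row of the table.
        if self.pvid == self.guest_vlan and self.auth_fail_vlan is not None:
            self.pvid = self.auth_fail_vlan
        return self.pvid

    def user_online(self, user: str, authorization_vlan: int) -> int:
        if self.first_user is None:
            # First authenticated user: authorization VLAN becomes the PVID.
            # Assumption: "previous PVID" is the PVID in effect just before.
            self._previous_pvid, self.pvid = self.pvid, authorization_vlan
            self.first_user = user
        # Later users reach the same VLAN without authenticating themselves.
        self.online.add(user)
        return self.pvid

    def logoff(self, user: str) -> int:
        if user == self.first_user:
            # Previous PVID restored; all other online users are logged off.
            self.pvid, self.first_user = self._previous_pvid, None
            self.online.clear()
        else:
            self.online.discard(user)
        return self.pvid
```
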
