Netgear M5300-28G-POE+ (GSM7228PSv1h2) - 12-Port Managed Gigabit Switch Administrator's Guide
Security Management
370
Managed Switches
Create a Guest VLAN
The guest VLAN feature lets the switch provide a separate, restricted service to clients that do not speak 802.1X (dot1x-unaware clients). It is not a fallback for users who attempt 802.1X authentication and fail. The feature gives visitors and contractors network access to reach an external network, such as the Internet, with no ability to reach the internal LAN. Because a port or client lands in the guest VLAN simply because no 802.1X response arrives, the guest VLAN provides no authentication and must be kept isolated from internal resources by VLAN design.
[Figure 36 topology: a RADIUS server, the switch, a host, and two guests (Guest 1, Guest 2); switch ports shown are 1/0/1, 1/0/24, 1/0/12 and 1/0/6.]
Figure 36. Guest VLAN
If a port is in port-based mode with 802.1X enabled and a client that does not support 802.1X is connected, the client does not answer the 802.1X requests sent by the switch. The port remains in the unauthorized state and the client is not granted access to the network. If a guest VLAN is configured for that port, then after the guest VLAN period expires the port is placed in the configured guest VLAN and moved to the authorized state, which gives the client access to the guest VLAN only. The delay also matters for 802.1X-aware clients: an attached supplicant has the whole guest VLAN period in which to respond to the switch's 802.1X requests and authenticate normally, so the period should not be set so short that a slow supplicant is dropped into the guest VLAN.
For a port in MAC-based mode, if a guest VLAN has been configured on the port and traffic from an unauthenticated client is detected on the port, the guest VLAN timer is started for that client (the timer is per client, not per port). If the client is 802.1X-unaware and does not respond to any 802.1X requests before the guest VLAN timer expires, the client is authorized without credentials and associated with the guest VLAN. From then on, traffic from that client's MAC address is accepted and switched through the guest VLAN.
In this example, dot1x is enabled on all ports, so every host that authenticates successfully is assigned to VLAN 1. On ports 1/0/1 and 1/0/24 the guest VLAN is additionally enabled. Guests connecting to either of those ports are assigned to VLAN 2000, so they cannot reach the internal VLAN but can reach each other within the guest VLAN.
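The following CLI session is an added example of the configuration described in this section; it is not taken from the Netgear guide. The command syntax is assumed from the Netgear managed switch CLI family that this model belongs to (vlan database, dot1x system-auth-control, dot1x port-control, dot1x guest-vlan, dot1x timeout guest-vlan-period) and should be checked against this model's CLI reference before use. The RADIUS server address 192.0.2.10, the shared secret, and the VLAN name "Guest" are placeholders; VLAN 1 for authorized hosts, VLAN 2000 for guests, and the ports 1/0/1 and 1/0/24 are taken from the example above.

```text
! Added example, not from the Netgear guide. Syntax assumed from the
! Netgear managed-switch CLI family; verify against the CLI reference.

! 1. Create the guest VLAN (name is a placeholder)
(switch) #vlan database
(switch) (Vlan)#vlan 2000
(switch) (Vlan)#vlan name 2000 Guest
(switch) (Vlan)#exit

(switch) #configure

! 2. RADIUS server used for 802.1X (address and secret are placeholders)
(switch) (Config)#radius server host auth 192.0.2.10
(switch) (Config)#radius server key auth 192.0.2.10
Enter secret (64 characters max):********
Re-enter secret:********
(switch) (Config)#aaa authentication dot1x default radius

! 3. Enable 802.1X globally
(switch) (Config)#dot1x system-auth-control

! 4. Ports with guest VLAN: 802.1X in port-based mode; a port that gets
!    no EAPOL response within the guest VLAN period (90 s here) is moved
!    to VLAN 2000 and authorized. A client that responds and then fails
!    RADIUS authentication is NOT placed in the guest VLAN.
(switch) (Config)#interface 1/0/1
(switch) (Interface 1/0/1)#dot1x port-control auto
(switch) (Interface 1/0/1)#dot1x guest-vlan 2000
(switch) (Interface 1/0/1)#dot1x timeout guest-vlan-period 90
(switch) (Interface 1/0/1)#exit

(switch) (Config)#interface 1/0/24
(switch) (Interface 1/0/24)#dot1x port-control auto
(switch) (Interface 1/0/24)#dot1x guest-vlan 2000
(switch) (Interface 1/0/24)#dot1x timeout guest-vlan-period 90
(switch) (Interface 1/0/24)#exit

! 5. Every other port: 802.1X without a guest VLAN, so an 802.1X-unaware
!    device stays unauthorized and gets no access at all. Shown for one
!    port; repeat for the remaining access ports.
(switch) (Config)#interface 1/0/12
(switch) (Interface 1/0/12)#dot1x port-control auto
(switch) (Interface 1/0/12)#exit

! 6. Variant: MAC-based mode on a shared port. The guest VLAN timer then
!    runs per client MAC, so a printer and a laptop behind the same port
!    are handled independently.
(switch) (Config)#interface 1/0/6
(switch) (Interface 1/0/6)#dot1x port-control mac-based
(switch) (Interface 1/0/6)#dot1x guest-vlan 2000
(switch) (Interface 1/0/6)#exit
(switch) (Config)#exit

! 7. Verify: the port state should read Authorized with VLAN 2000 for a
!    silent client, and the authorized hosts should remain in VLAN 1.
(switch) #show dot1x detail 1/0/24
(switch) #show dot1x clients 1/0/6
(switch) #show vlan 2000
```

Two checks are worth doing after applying this. First, confirm that VLAN 2000 has no Layer 3 path to the internal subnets (no routing interface on the switch or upstream router that joins the two), since the guide's isolation claim only holds at Layer 2 and a device that simply never sends EAPOL is placed in VLAN 2000 after the timer expires. Second, confirm with a test supplicant that a wrong RADIUS password leaves the port unauthorized rather than in the guest VLAN; that is the behaviour the section describes, and it is the difference between a guest VLAN and an accidental bypass of 802.1X.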