Alcatel Carrier Internetworking Solutions 6600 User Manual

show 802.1x non-supp
User Documentation Addendum
page 1-14
Release 5.1.6.R02 User Guide Supplement
June 2005
Guest VLANs for Non-802.1x Supplicants
For supplicants that are not 802.1x devices (they do not send or receive EAP frames), an optional guest VLAN feature is available to allow traffic from these devices on an 802.1x port. If the user-defined guest VLAN is not available, then traffic from a non-802.1x device is dropped.
The switch determines whether or not a device is an 802.1x supplicant by sending EAP-Request/Identity 
frames on the 802.1x port every 0.5 seconds for a configurable number of times. If no EAP frames are 
received from a device after the specified number of attempts, the device is determined to be a non-802.1x 
supplicant and is learned on the guest VLAN configured for that port. If no guest VLAN is available, then 
the non-802.1x supplicant is blocked from accessing the 802.1x port and no further attempts are made to 
solicit EAP frames from the device.
Note the following when using guest VLANs:
• 802.1x supplicants that fail authentication are not eligible for guest VLAN access. This type of VLAN 
access is only for those devices identified as non-802.1x supplicants that have not made any attempt to 
authenticate.
• Once a non-802.1x supplicant is learned on a guest VLAN, it is no longer eligible for Group Mobility 
classification and assignment. 
• If a non-802.1x supplicant device becomes 802.1x capable when it is a member of a guest VLAN, upon authentication the device is automatically moved from the guest VLAN to the appropriate 802.1x specified VLAN. Disconnecting the device from the 802.1x port is not required in this scenario.
• If an authenticated 802.1x supplicant becomes non-802.1x capable, the device is moved to an existing 
guest VLAN after the device is rebooted.
By default a guest VLAN is not configured on an 802.1x port. For information about how to configure a 
guest VLAN, see 
. For information about how to set the 
number of times an unknown device is polled for identification, see 
New Section, page 22-11
The following section should be added to page 22-11:
Configuring a Guest VLAN
To configure a guest VLAN for an 802.1x port, use the 802.1x guest-vlan command with the relevant slot/port number and specify an existing VLAN ID. For example:
-> 802.1x 3/1 guest-vlan 5
This command associates guest VLAN 5 with 802.1x port 3/1. When a non-802.1x supplicant is identified 
on this port, the source MAC address of the supplicant is learned in VLAN 5. This MAC address is then 
aged according to the aging timer value for VLAN 5.
To remove a guest VLAN from an 802.1x port, use the disable option with the 802.1x guest-vlan 
command. Note that it is not necessary to specify the guest VLAN ID with this command. For example:
-> 802.1x 3/1 guest-vlan disable
Note the following when configuring a guest VLAN:
• The guest VLAN option is only available for 802.1x ports operating in the auto mode.