Cisco 3560x-24p 参考指南
2-168
Catalyst 3750-X and 3560-X Switch Command Reference
OL-21522-02
Chapter 2 Catalyst 3750-X and 3560-X Switch Cisco IOS Commands
dot1x guest-vlan
dot1x guest-vlan
Use the dot1x guest-vlan interface configuration command on the switch stack or on a standalone switch
to specify an active VLAN as an IEEE 802.1x guest VLAN. Use the no form of this command to return
to the default setting.
to specify an active VLAN as an IEEE 802.1x guest VLAN. Use the no form of this command to return
to the default setting.
dot1x guest-vlan vlan-id
no dot1x guest-vlan
Syntax Description
Defaults
No guest VLAN is configured.
Command Modes
Interface configuration
Command History
Usage Guidelines
You can configure a guest VLAN on one of these switch ports:
•
A static-access port that belongs to a nonprivate VLAN.
•
A private-VLAN port that belongs to a secondary private VLAN. All the hosts connected to the
switch port are assigned to private VLANs, whether or not the posture validation was successful.
The switch determines the primary private VLAN by using the primary- and
secondary-private-VLAN associations on the switch.
switch port are assigned to private VLANs, whether or not the posture validation was successful.
The switch determines the primary private VLAN by using the primary- and
secondary-private-VLAN associations on the switch.
For each IEEE 802.1x port on the switch, you can configure a guest VLAN to provide limited services
to clients (a device or workstation connected to the switch) not running IEEE 802.1x authentication.
These users might be upgrading their systems for IEEE 802.1x authentication, and some hosts, such as
Windows 98 systems, might not be IEEE 802.1x-capable.
to clients (a device or workstation connected to the switch) not running IEEE 802.1x authentication.
These users might be upgrading their systems for IEEE 802.1x authentication, and some hosts, such as
Windows 98 systems, might not be IEEE 802.1x-capable.
When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN
when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL)
request/identity frame or when EAPOL packets are not sent by the client.
when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL)
request/identity frame or when EAPOL packets are not sent by the client.
The switch maintains the EAPOL packet history. If another EAPOL packet is detected on the interface
during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest
VLAN state, the port returns to the unauthorized state, and authentication restarts. The EAPOL history
is reset upon loss of link.
during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest
VLAN state, the port returns to the unauthorized state, and authentication restarts. The EAPOL history
is reset upon loss of link.
To allow clients that failed authentication access to the network, you can use a restricted VLAN by
entering the dot1x auth-fail vlan vlan-id interface configuration command.
entering the dot1x auth-fail vlan vlan-id interface configuration command.
vlan-id
Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1
to 4094.
to 4094.
Release
Modification
12.2(53)SE2
This command was introduced.