3Com 4210 PWR Configuration Manual page 274

9/18/26 port and pwr 9/18/26 port 4210 series switch

272 CHAPTER 22: MAC AUTHENTICATION CONFIGURATION

Configuring a Guest VLAN

NOTE:
Unlike the Guest VLANs described in the 802.1x and System-Guard chapters,
the Guest VLANs described in this section are dedicated to MAC address
authentication.
After you complete the configuration tasks in "Configuring Basic MAC
Authentication Functions" on page 270, the switch can authenticate access users
by their MAC addresses or by fixed user names and passwords. The switch does
not learn the MAC addresses of clients that fail authentication into its local
MAC address table, which prevents unauthorized users from accessing the
network.
In some cases, clients that fail authentication still need to access certain
restricted resources in the network (such as the virus library update server).
You can use a Guest VLAN for this purpose.
You can configure a Guest VLAN for each port of the switch. When a client
connected to a port fails MAC address authentication, the port is added to the
Guest VLAN automatically. The MAC address of the client is also learned into
the MAC address table of the Guest VLAN, so the user can access the network
resources of the Guest VLAN.
After a port is added to a Guest VLAN, the switch periodically re-authenticates
the first access user of this port (namely, the first user whose unicast MAC
address is learned by the switch). If this user passes the re-authentication,
the port exits the Guest VLAN and the user can access the network normally.
CAUTION:
- Guest VLANs are implemented by adding a port to a VLAN. For example, when
  multiple users are connected to a port and the first user fails
  authentication, the other users can access only the contents of the Guest
  VLAN. The switch re-authenticates only the first user accessing this port,
  and the other users cannot be authenticated again. Thus, if more than one
  client is connected to a port, you cannot configure a Guest VLAN for this
  port.
- After users connected to a port fail authentication, the switch adds the
  port to the Guest VLAN. The Guest VLAN can therefore separate
  unauthenticated users on an access port. On a trunk port or a hybrid port,
  however, if a packet carries a VLAN tag and that VLAN is one the port allows
  to pass, the packet is forwarded normally and is not affected by the Guest
  VLAN. That is, packets can be forwarded to VLANs other than the Guest VLAN
  through a trunk port or a hybrid port even if the users fail authentication.
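
The two cautions above can be checked against a port inventory before a Guest VLAN is enabled. The following Python model is an added example, not code from the manual or from 3Com; the `Port` fields, the function names, the drop behaviour for non-permitted tags and the sample ports are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:                       # hypothetical model, not a switch API
    name: str
    link_type: str                # "access", "trunk" or "hybrid"
    pvid: int                     # VLAN for untagged frames
    allowed: set = field(default_factory=set)  # VLANs the port lets pass
    guest_vlan: Optional[int] = None
    clients: int = 1              # attached devices, from your inventory
    in_guest: bool = False
    first_mac: Optional[str] = None

def auth_event(port, mac, passed):
    """Apply one MAC (re-)authentication result to the port."""
    if port.first_mac is None:
        port.first_mac = mac      # only this user is re-authenticated later
    if not passed and port.guest_vlan is not None:
        port.in_guest = True      # the whole port moves, not just this MAC
    elif passed and port.in_guest and mac == port.first_mac:
        port.in_guest = False     # first user passed: port leaves the Guest VLAN

def vlan_for_frame(port, tag=None):
    """VLAN the port places a frame in; None means dropped (model assumption)."""
    if tag is not None:
        if port.link_type in ("trunk", "hybrid") and tag in port.allowed:
            return tag            # tagged and permitted: Guest VLAN has no effect
        return None
    return port.guest_vlan if port.in_guest else port.pvid

def audit(ports):
    """Flag ports where a Guest VLAN does not isolate as intended."""
    findings = []
    for p in ports:
        if p.guest_vlan is not None and p.link_type != "access":
            findings.append((p.name, "tagged frames bypass Guest VLAN"))
        if p.guest_vlan is not None and p.clients > 1:
            findings.append((p.name, "more than one client on port"))
    return findings

if __name__ == "__main__":
    # Constructed sample inventory (port names and VLAN IDs are made up).
    ports = [Port("Eth1/0/1", "access", 10, guest_vlan=100),
             Port("Eth1/0/2", "trunk", 1, {10, 20}, guest_vlan=100),
             Port("Eth1/0/3", "access", 10, guest_vlan=100, clients=3)]
    for finding in audit(ports):
        print(finding)
```
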
Table 206 Configure a Guest VLAN

Operation                 Command                                    Description
Enter system view         system-view                                -
Enter Ethernet port view  interface interface-type interface-number  -
