Guest Vlans; Limitations Using The Guest Vlan; Guest Vlan Configuration - D-Link xStack DES-3800 Series User Manual

Guest VLANs

On 802.1x security enabled networks, there is a need for non
802.1x supported devices to gain limited access to the network,
due to lack of the proper 802.1x software or incompatible
devices, such as computers running Windows 98 or lower
operating systems, or the need for guests to gain access to the
network without full authorization. To supplement these
circumstances, this switch now implements Guest 802.1x
VLANs. These VLANs should have limited access rights and
features separate from other VLANs on the network.
To implement Guest 802.1x VLANs, the user must first create a
VLAN on the network with limited rights and then enable it as an
802.1x guest VLAN. Then the administrator must configure the
guest accounts accessing the Switch to be placed in a Guest
VLAN when trying to access the Switch. Upon initial entry to the
Switch, the client wishing services on the Switch will need to be
authenticated by a remote RADIUS Server or local authentication
on the Switch to be placed in a fully operational VLAN. If
authenticated and the authenticator posseses the VLAN
placement information, that client will be accepted into the fully
operational target VLAN and normal switch functions will be
open to the client. If the authenticator does not have target VLAN
placement information, the client will be returned to its
originating VLAN. Yet, if the client is denied authentication by
the authenticator, it will be placed in the Guest VLAN where it
has limited rights and access. The adjacent figure should give the
user a better understanding of the Guest VLAN process.

Limitations Using the Guest VLAN

1. Guest VLANs are only supported for port-based VLANs. MAC-based VLANs cannot undergo this procedure.
2. Ports supporting Guest VLANs cannot be GVRP enabled and vice versa.
3. A port cannot be a member of a Guest VLAN and a static VLAN simultaneously.
4. Once a client has been accepted into the target VLAN, it can no longer access the Guest VLAN.
5. If a port is a member of multiple VLANs, it cannot become a member of the Guest VLAN.

Guest VLAN Configuration

In the Security menu, open the 802.1X folder and click
Guest VLAN, which will display the following window for
the user to configure. Remember, to set a guest 802.1x
VLAN, the user must first configure a normal VLAN which
can be enabled here for Guest VLAN status. Guest VLANs
cannot be configured unless 802.1x is first globally enabled.
The following fields may be modified to enable the guest 802.1x VLAN:
Parameter Description
VLAN Name Enter the pre-configured VLAN name to create as a guest 802.1x VLAN.
Operation Allows the user to enable or disable ports for the 802.1x VLAN, using the Port List stated below.
Port List Set the port list of ports to be enabled for the guest 802.1x VLAN using the pull down menus.
Click Apply to implement the guest 802.1x VLAN. Once properly configured, the Guest VLAN Name and associated ports will
be listed in the lower part of the window, as seen in the example above.
xStack DES-3800 Series Layer 3 Stackable Fast Ethernet Managed Switch
Figure 11- 18. Guest VLAN Authentication Process
Figure 11- 19. Guest VLAN Configuration window
216