show 802.1x non-supp

User Documentation Addendum

 

 

 

 

Guest VLANs for Non-802.1x Supplicants

For devices that are not 802.1x supplicants (devices that do not send or receive EAP frames), an optional guest VLAN feature is available to allow traffic from these devices on an 802.1x port. If the user-defined guest VLAN is not available, then traffic from a non-802.1x device is dropped.

The switch determines whether or not a device is an 802.1x supplicant by sending EAP-Request/Identity frames on the 802.1x port every 0.5 seconds for a configurable number of times. If no EAP frames are received from a device after the specified number of attempts, the device is determined to be a non-802.1x supplicant and is learned on the guest VLAN configured for that port. If no guest VLAN is available, then the non-802.1x supplicant is blocked from accessing the 802.1x port and no further attempts are made to solicit EAP frames from the device.

Note the following when using guest VLANs:

802.1x supplicants that fail authentication are not eligible for guest VLAN access. This type of VLAN access is only for those devices identified as non-802.1x supplicants that have not made any attempt to authenticate.

Once a non-802.1x supplicant is learned on a guest VLAN, it is no longer eligible for Group Mobility classification and assignment.

If a non-802.1x supplicant device becomes 802.1x capable when it is a member of a guest VLAN, upon authentication the device is automatically moved from the guest VLAN to the appropriate 802.1x specified VLAN. Disconnecting the device from the 802.1x port is not required in this scenario.

If an authenticated 802.1x supplicant becomes non-802.1x capable, the device is moved to an existing guest VLAN after the device is rebooted.

By default a guest VLAN is not configured on an 802.1x port. For information about how to configure a guest VLAN, see “Configuring a Guest VLAN” on page 1-14. For information about how to set the number of times an unknown device is polled for identification, see “Configuring the Supplicant Polling Retry Count” on page 1-15.

New Section, page 22-11

The following section should be added to page 22-11:

Configuring a Guest VLAN

To configure a guest VLAN for an 802.1x port, use the 802.1x guest-vlan command with the relevant slot/port number and specify an existing VLAN ID. For example:

-> 802.1x 3/1 guest-vlan 5

This command associates guest VLAN 5 with 802.1x port 3/1. When a non-802.1x supplicant is identified on this port, the source MAC address of the supplicant is learned in VLAN 5. This MAC address is then aged according to the aging timer value for VLAN 5.

To remove a guest VLAN from an 802.1x port, use the disable option with the 802.1x guest-vlan command. Note that it is not necessary to specify the guest VLAN ID with this command. For example:

-> 802.1x 3/1 guest-vlan disable

Note the following when configuring a guest VLAN:

The guest VLAN option is only available for 802.1x ports operating in the auto mode.
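
Because a guest VLAN admits devices that never authenticate, it helps to know which ports have one and which VLAN it is. The following Python audit is an added example, not part of the Alcatel manual: it replays 802.1x guest-vlan commands in the two forms shown above and reports the effective guest VLAN per port. The sample command list, the function names and the approved-VLAN set are assumptions constructed for illustration.

```python
import re

# The two command forms shown on this page (the "->" prompt is optional):
#   802.1x <slot>/<port> guest-vlan <vlan-id>
#   802.1x <slot>/<port> guest-vlan disable
GUEST_VLAN_RE = re.compile(
    r"^\s*(?:->\s*)?802\.1x\s+(\d+)/(\d+)\s+guest-vlan\s+(\d+|disable)\s*$"
)

def effective_guest_vlans(lines):
    """Replay commands in order; return {(slot, port): vlan_id} for every
    port that still has a guest VLAN after the last command."""
    state = {}
    for line in lines:
        m = GUEST_VLAN_RE.match(line)
        if not m:
            continue  # not a guest-vlan command; ignore
        key = (int(m.group(1)), int(m.group(2)))
        if m.group(3) == "disable":
            state.pop(key, None)      # "disable" removes the association
        else:
            state[key] = int(m.group(3))  # a later command overrides an earlier one
    return state

def audit(lines, approved_guest_vlans):
    """List ports whose guest VLAN is outside the approved set (an assumed
    site policy: only isolated VLANs may receive unauthenticated devices)."""
    findings = []
    for (slot, port), vlan in sorted(effective_guest_vlans(lines).items()):
        if vlan not in approved_guest_vlans:
            findings.append(
                f"{slot}/{port}: guest VLAN {vlan} is not an approved guest VLAN"
            )
    return findings

# Constructed sample input, not taken from a real switch.
SAMPLE = """\
-> 802.1x 3/1 guest-vlan 5
-> 802.1x 3/2 guest-vlan 10
-> 802.1x 3/3 guest-vlan 5
-> 802.1x 3/3 guest-vlan disable
""".splitlines()

if __name__ == "__main__":
    for (slot, port), vlan in sorted(effective_guest_vlans(SAMPLE).items()):
        print(f"port {slot}/{port}: non-802.1x devices are learned on VLAN {vlan}")
    for finding in audit(SAMPLE, approved_guest_vlans={5}):
        print("FINDING", finding)
```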

page 1-14

Release 5.1.6.R02 User Guide Supplement June 2005

Alcatel Carrier Internetworking Solutions 6600 manual Guest VLANs for Non-802.1x Supplicants, Configuring a Guest Vlan