Clients connect to a switch port through a hub.
The initial VLANs are the VLANs on which the ports reside after a switch reboot.
EAP is enabled.
The port is a member of initial VLANs. The clients cannot access the VLANs since the VLANs are not authenticated. The port default VLAN ID corresponds to one of the initial VLAN IDs.
Guest VLAN support is not activated.
Note
The clients cannot access the network as they are not authenticated and Guest VLAN is not configured.
Guest VLAN support is activated.
The MHMV port is in the initial VLAN stage but gets added to the Guest VLAN ID. The default VLAN ID is updated to correspond to the Guest VLAN ID.
All clients behind the port can access the Guest VLAN.
Note
All clients have Guest VLAN access.
A client behind the MHMV port gets authenticated. For this usage scenario let us consider PC1 as the authenticated client.
The port default VLAN ID is equal to the Guest VLAN ID and remains unchanged.
The port is copied into the RADIUS assigned VLAN (if any).
The untagged traffic that originates from PC1 (identified by MAC address) can access only the RADIUS assigned VLAN or the initial port default VLAN ID, if the RADIUS VLAN attribute is missing.
The remaining clients that send untagged traffic are unauthenticated devices. The unauthenticated devices can access only the Guest VLAN because the port VLAN ID is equal to the Guest VLAN ID.
Authenticated devices that are missing RADIUS VLAN attributes.
Authenticated devices that send corresponding tagged packets.
When another client gets authenticated, the authenticated client undergoes the same process as PC1.
Note
PC1 is authenticated with RADIUS VLAN 1. The remaining clients have Guest VLAN access.
The MAC VLAN rule is removed from the switch.
If the RADIUS VLAN attribute was used when the client was authenticated and no other clients are authenticated on that RADIUS VLAN, then the port is removed from the VLAN. If other clients are authenticated on that RADIUS VLAN, then only the VLAN MAC rule is deleted.
If the RADIUS VLAN attribute was not used when the client was authenticated, then only the VLAN MAC rule is deleted.
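The port behaviour described above can be checked against a small state model. The following is an added example, not switch or vendor code: the class and method names are hypothetical, the VLAN IDs and client names are constructed, and keeping VLANs the port held before authentication is an assumption of the model.

```python
class MhmvPort:
    """Toy model of one MHMV port as this page describes it (not switch code)."""

    def __init__(self, initial_vlans, default_vlan, guest_vlan=None):
        self.initial_vlans = set(initial_vlans)
        self.initial_pvid = default_vlan      # one of the initial VLAN IDs
        self.vlans = set(initial_vlans)       # current port VLAN membership
        self.pvid = default_vlan              # port default VLAN ID
        self.guest_vlan = guest_vlan
        self.mac_rules = {}                   # MAC -> VLAN for untagged frames
        self.radius_vlans = {}                # MAC -> RADIUS VLAN, or None
        if guest_vlan is not None:            # Guest VLAN support activated
            self.vlans.add(guest_vlan)
            self.pvid = guest_vlan

    def authenticate(self, mac, radius_vlan=None):
        """EAP success: PVID is unchanged, only a per-MAC rule is added."""
        self.radius_vlans[mac] = radius_vlan
        if radius_vlan is not None:
            self.vlans.add(radius_vlan)       # port copied into the RADIUS VLAN
        # Missing RADIUS VLAN attribute: fall back to the initial default VLAN.
        self.mac_rules[mac] = radius_vlan if radius_vlan is not None else self.initial_pvid

    def logoff(self, mac):
        """Delete the MAC VLAN rule; drop the RADIUS VLAN if nobody else uses it."""
        vlan = self.radius_vlans.pop(mac)
        del self.mac_rules[mac]
        still_used = vlan in self.radius_vlans.values()
        # Assumption of this model: never remove a VLAN the port held before EAP.
        keep = vlan in self.initial_vlans or vlan == self.guest_vlan
        if vlan is not None and not still_used and not keep:
            self.vlans.discard(vlan)

    def untagged_vlan(self, mac):
        """VLAN an untagged frame from this MAC lands in, or None for no access."""
        if mac in self.mac_rules:
            return self.mac_rules[mac]
        return self.guest_vlan                # None when Guest VLAN is not configured


if __name__ == "__main__":
    # Constructed sample: initial VLANs 10 and 20, Guest VLAN 99, RADIUS VLAN 30.
    port = MhmvPort({10, 20}, default_vlan=10, guest_vlan=99)
    port.authenticate("pc1", radius_vlan=30)
    port.authenticate("pc2")                  # no RADIUS VLAN attribute
    for mac in ("pc1", "pc2", "pc3"):
        print(mac, "->", port.untagged_vlan(mac))
    port.logoff("pc1")
    print("after pc1 logoff:", sorted(port.vlans), "pc1 ->", port.untagged_vlan("pc1"))
```

A model like this is useful when reviewing a deployment: any MAC that is not authenticated should resolve to the Guest VLAN or to no access, never to a RADIUS assigned VLAN.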