Network Login over LAG

When NetLogin is enabled on a sharing group, user credentials for the LAG (Link Aggregation Group) are forwarded to AAA server for authentication. Once authenticated, the LAG is moved to the VLAN configured as the destination VLAN for NetLogin, and the learned MAC address is installed over the LAG in the FDB (forwarding database) on the NetLogin‘s destination VLAN.

All NetLogin configurations should be done on the LAG master port. For example:

enable sharing 24 grouping 24, 25, 26

enable netlogin ports 24 mac

For MAC-based authentication (see MAC-Based Authentication), when NetLogin is enabled on a sharing group, software-based learning is enabled for each member port of the sharing group. Similarly, when member ports are removed from the sharing group, software-based learning is disabled on that member port.



  • When a LAG is removed, all the NetLogin configurations related to that LAG are removed. Before deleting a sharing group, disable NetLogin on the LAG port.
  • The master port cannot be removed from the LAG.
  • The maximum number of authenticated users per LAG group is 1,024.
  • If OnePolicy is enabled, NetLogin global protocol configurations and NetLogin VLAN configurations are lost, and then the LAG port is authenticated using OnePolicy by enabling NetLogin protocols globally.


NetLogin over Multi-switch Link Aggregation Groups (MLAGs) is not supported.