Why users can access the guest VLAN through an interface that is not in the guest VLAN

When an 802.1X-enabled device has the guest VLAN configured:
If users connect to an access interface, they are allowed to access the guest VLAN before they are authenticated.
When you run the display this command on the interface, you will find that the interface is not in the guest VLAN. However, the device still adds the guest VLAN tag to the packets from these users. Therefore, these users are allowed to access the guest VLAN.

If users connect to a trunk interface, the device changes the VLAN tag in user packets to the guest VLAN tag only when the VLAN tag in user packets is the same as the interface PVID. Then the device allows these users to access the guest VLAN.
