Can Layer 3 functions be enabled in the dynamic VLAN and guest VLAN used in 802.1x authentication


In versions earlier than V100R006, Layer 3 functions cannot be enabled in the dynamic VLAN and guest VLAN used in 802.1x authentication. In V100R006 and later versions, Layer 3 functions can be enabled in the dynamic VLAN and guest VLAN.

Other related questions:
Do S series switches support dynamic VLAN delivery through the RADIUS server
Dynamic VLAN delivery through the RADIUS server means that the RADIUS server delivers VLAN attributes to the switch to dynamically authorize online users. For S series switches (except the S1700), the S2700SI and S2710SI running V100R006 do not support this function. Other switch models running V100R006, and all switch models running versions later than V100R006, support this function.
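As an added example (not Huawei's code and not any S series implementation), the following Python encodes the three RFC 3580 tunnel attributes a RADIUS server places in Access-Accept to deliver a VLAN, and validates them the way an authenticator must before applying a dynamic VLAN: all three present under one tag, Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802, and a VLAN ID in the 802.1Q range. Attribute numbers and values come from RFC 2868/3580; the sample packets are constructed.

```python
# Added example: RFC 2868/3580 tunnel attributes used for dynamic VLAN delivery.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def _avp(atype, value):
    # RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value
    return bytes([atype, 2 + len(value)]) + value


def build_vlan_attrs(vlan_id, tag=1):
    """Build the three attributes a RADIUS server sends to authorize vlan_id."""
    # Tunnel-Type and Tunnel-Medium-Type: tag byte followed by a 3-byte integer
    tt = _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    tm = _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
    # Tunnel-Private-Group-ID: tag byte followed by the VLAN ID as a decimal string
    tp = _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    return tt + tm + tp


def parse_attrs(data):
    """Split a RADIUS attribute list into (type, value) pairs; reject bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def authorized_vlan(data):
    """Return the VLAN ID an Access-Accept delivers, or None if the tunnel
    attributes are missing, inconsistent, or outside the 802.1Q range."""
    groups = {}  # tag -> {attribute type: value without the tag byte}
    for atype, val in parse_attrs(data):
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not val:
            continue
        # RFC 2868: a leading byte of 0x00..0x1F is a tag; for the string attribute
        # a larger first byte is simply part of the string (treated as tag 0)
        if atype == TUNNEL_PRIVATE_GROUP_ID and val[0] > 0x1F:
            tag, body = 0, val
        else:
            tag, body = val[0], val[1:]
        groups.setdefault(tag, {})[atype] = body
    for group in groups.values():  # a VLAN is only valid if all three agree
        if len(group) != 3:
            continue
        if int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        gid = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if gid.isdigit() and 1 <= int(gid) <= 4094:
            return int(gid)
    return None
```

A server that omits Tunnel-Medium-Type, or sends an out-of-range VLAN ID, yields None, which is the case an authenticator should treat as "no dynamic VLAN" rather than guessing.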

When does the 802.1x dynamic VLAN take effect
Dynamic VLAN takes effect in port-based authentication, and only on access interfaces or on hybrid interfaces whose PVID is configured as untagged.

Can Layer 2 multicast be configured in dynamic VLANs on an S series switch
Layer 2 multicast cannot be configured in dynamic VLANs on an S series switch.

Why can users access the guest VLAN through an interface that is not in the guest VLAN
When the guest VLAN is configured on an 802.1x-enabled device: If users connect to an access interface, they are allowed to access the guest VLAN before being authenticated. When you run the display this command on the interface, you will find that the interface is not in the guest VLAN. However, the device still adds the guest VLAN tag to the packets from these users, so these users can access the guest VLAN. If users connect to a trunk interface, the device changes the VLAN tag in user packets to the guest VLAN tag only when the VLAN tag in user packets is the same as the interface PVID; these users are then allowed to access the guest VLAN.

How to connect an IP phone to an 802.1x authentication-enabled interface of an S series switch
You can connect an IP phone to an 802.1x authentication-enabled interface of an S series switch (a non-S1700 switch). 802.1x authentication is not mandatory for IP phone access. For details about how to implement 802.1x authentication for IP phone access, see Example for Connecting IP Phones to Switches Through the PVID of the Voice VLAN ID. The following describes IP phone access without 802.1x authentication in NAC common mode. For switches running V200R009C00, the configuration model of NAC unified mode changes. Query the appropriate product manual based on the switch model and version.

- Bind an IP phone's MAC address to the access interface. If a device's MAC address is statically bound to an 802.1x authentication-enabled interface, the device's traffic is directly passed. You can statically bind an IP phone's MAC address to an 802.1x authentication-enabled interface, so that the IP phone can access the network without 802.1x authentication. However, this solution requires that you statically bind the MAC address of each IP phone to the interface, causing a heavy configuration workload and inconvenient maintenance.

[HUAWEI] vlan batch 10 20 //Create the data service VLAN 10 and the voice service VLAN 20.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[HUAWEI-GigabitEthernet1/0/1] port hybrid tagged vlan 20 //Configure the interface to allow tagged packets from IP phones in VLAN 20 to pass through.
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] mac-address static 0003-0003-0003 gigabitethernet 1/0/1 vlan 20 //Bind the IP phone's MAC address to the 802.1x authentication-enabled interface.

- Use MAC address bypass authentication.

[HUAWEI] vlan batch 10 20 //Create the data service VLAN 10 and the voice service VLAN 20.
[HUAWEI] dot1x enable
[HUAWEI] voice-vlan mac-address 0003-0000-0000 mask ffff-0000-0000 description phone1 //Configure the device to automatically identify the MAC address range of the IP phone.
[HUAWEI] mac-authen domain noauth_phone mac-address 0003-0000-0000 mask ffff-0000-0000 //Configure the authentication domain noauth_phone for the IP phone's MAC address range.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme noauth
[HUAWEI-aaa-authen-noauth] authentication-mode none
[HUAWEI-aaa-authen-noauth] quit
[HUAWEI-aaa] domain noauth_phone //Configure the authentication domain noauth_phone and set the authentication scheme of this domain to none authentication.
[HUAWEI-aaa-domain-noauth_phone] authentication-scheme noauth
[HUAWEI-aaa-domain-noauth_phone] quit
[HUAWEI-aaa] quit
[HUAWEI] interface gigabitethernet1/0/1 //Enter the view of the interface to which the IP phone connects.
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[HUAWEI-GigabitEthernet1/0/1] port hybrid tagged vlan 20 //Configure the interface to allow tagged packets from IP phones in VLAN 20 to pass through.
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[HUAWEI-GigabitEthernet1/0/1] voice-vlan 20 enable
[HUAWEI-GigabitEthernet1/0/1] voice-vlan legacy enable
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] dot1x mac-bypass //Configure the switch to perform MAC address bypass authentication for the IP phone if it fails 802.1x authentication.
