Why users can access the guest VLAN through an interface that is not in the guest VLAN


When an 802.1x-enabled device has the guest VLAN configured:
If users connect to an access interface, they are allowed to access the guest VLAN before they are authenticated.
When you run the display this command on the interface, you will find that the interface is not in the guest VLAN. However, the device still adds the guest VLAN tag to the packets from these users. Therefore, these users are allowed to access the guest VLAN.

If users connect to a trunk interface, the device changes the VLAN tag in user packets to the guest VLAN tag only when the VLAN tag in user packets is the same as the interface PVID. Then the device allows these users to access the guest VLAN.

Other related questions:
How to configure a guest VLAN on an S series switch
You can configure the guest VLAN function to enable users to access some network resources without authentication. For example, the users can download client software, upgrade the client, and update the antivirus database.

For example, configure the guest VLAN function on GE1/0/1 and GE1/0/5 so that users on the two interfaces can update the antivirus database in real time. Assume that the antivirus database server is in VLAN 10. The configuration is as follows:

- Configure multiple interfaces in a batch in the system view.
    [HUAWEI] dot1x enable
    [HUAWEI] dot1x enable interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
    [HUAWEI] authentication guest-vlan 10 interface gigabitethernet 1/0/1 gigabitethernet 1/0/5

- Configure each interface in the interface view.
    [HUAWEI] dot1x enable
    [HUAWEI] interface gigabitethernet 1/0/1
    [HUAWEI-GigabitEthernet1/0/1] dot1x enable
    [HUAWEI-GigabitEthernet1/0/1] authentication guest-vlan 10
    [HUAWEI-GigabitEthernet1/0/1] quit
    [HUAWEI] interface gigabitethernet 1/0/5
    [HUAWEI-GigabitEthernet1/0/5] dot1x enable
    [HUAWEI-GigabitEthernet1/0/5] authentication guest-vlan 10

Note:
1. In V200R005C00 and later versions, the guest VLAN function can be configured only in NAC common mode.
2. A super VLAN cannot be configured as a guest VLAN.
3. The guest VLAN function takes effect only for hybrid interfaces added to the guest VLAN in untagged mode or access interfaces, and does not take effect for other types of interfaces.
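
Because the interface's own VLAN membership does not show the guest VLAN, a review of which ports are reachable before authentication has to read the guest-vlan commands themselves. The Python sketch below is an added example, not Huawei code: it reads configuration text in both forms shown above and classifies each port by Note 3 and by the trunk behaviour described in the answer. The sample text, the status names, and the assumption that `port link-type` and `port hybrid untagged vlan` lines appear in the saved configuration are not from the original page.

```python
import re
# Constructed sample in the style of this page's commands (not a real device dump).
SAMPLE = """\
authentication guest-vlan 10 interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
interface GigabitEthernet1/0/1
 port link-type access
interface GigabitEthernet1/0/5
 port link-type trunk
interface GigabitEthernet1/0/7
 port link-type hybrid
 port hybrid untagged vlan 10
 authentication guest-vlan 10
interface GigabitEthernet1/0/9
 authentication guest-vlan 20
"""

def audit(config):
    """Return {interface: (guest_vlan, status)} for every port with a guest VLAN."""
    ports, cur = {}, None
    def port(name):
        key = re.sub(r"\s+", "", name).lower()  # 'gigabitethernet 1/0/1' == 'GigabitEthernet1/0/1'
        return ports.setdefault(key, {"type": None, "guest": None, "untag": set()})
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"authentication guest-vlan (\d+) interface (.+)", line, re.I):
            # Batch form (system view): one guest VLAN applied to several interfaces.
            for ifname in re.findall(r"[a-z-]+ ?\d+(?:/\d+)*", m[2], re.I):
                port(ifname)["guest"] = int(m[1])
        elif m := re.match(r"interface (\S+)$", line, re.I):
            cur = port(m[1])
        elif cur and (m := re.match(r"port link-type (\w+)", line)):
            cur["type"] = m[1]
        elif cur and (m := re.match(r"port hybrid untagged vlan (.+)", line)):
            cur["untag"] |= {int(v) for v in m[1].split() if v.isdigit()}  # ranges not expanded
        elif cur and (m := re.match(r"authentication guest-vlan (\d+)$", line)):
            cur["guest"] = int(m[1])
    report = {}
    for name, p in ports.items():
        if p["type"] == "access" or (p["type"] == "hybrid" and p["guest"] in p["untag"]):
            status = "effective"         # Note 3: access, or hybrid untagged in guest VLAN
        elif p["type"] == "trunk":
            status = "pvid-tagged-only"  # tag rewritten only when it equals the PVID
        else:
            status = "unknown" if p["type"] is None else "not-effective"
        if p["guest"] is not None:
            report[name] = (p["guest"], status)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Ports reported as "unknown" have no link type in the text supplied, so their behaviour has to be confirmed on the device.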

Can Layer 3 functions be enabled in the dynamic VLAN and guest VLAN used in 802.1x authentication
In versions earlier than V100R006, Layer 3 functions cannot be enabled in the dynamic VLAN and guest VLAN used in 802.1x authentication. In V100R006 and later versions, Layer 3 functions can be enabled in the dynamic VLAN and guest VLAN.
