Open as PDF
Configuring and Managing VLANs 89
You assign a user to a VLAN by setting one of the following attributes on
the RADIUS servers or in the local user database:
Tunnel-Private-Group-ID — This attribute is described in RFC 2868,
RADIUS Attributes for Tunnel Protocol Support.
VLAN-Name — This attribute is a 3Com vendor-specific attribute
You cannot configure the Tunnel-Private-Group-ID attribute in the local
Specify the VLAN name, not the VLAN number. The examples in this
chapter assume the VLAN is assigned on a RADIUS server with either of
the valid attributes. (For more information, see Chapter 21, “Configuring
AAA for Network Users,” on page 433.)
To create a VLAN, you must assign a name to it. VLAN names must be
globally unique across a Mobility Domain to ensure the intended user
connectivity as determined through authentication and authorization.
Every VLAN on a WX switch has both a VLAN name, used for
authorization purposes, and a VLAN number. VLAN numbers can vary
uniquely for each WX switch and are not related to 802.1Q tag values.
You cannot use a number as the first character in a VLAN name.
Roaming and VLANs
WX switches in a Mobility Domain contain a user’s traffic within the VLAN
that the user is assigned to. For example, if you assign a user to VLAN red,
the WX switches in the Mobility Domain contain the user’s traffic within
VLAN red configured on the switches.
The WX switch through which a user is authenticated is not required to
be a member of the VLAN the user is assigned to. You are not required to
configure the VLAN on all WX switches in the Mobility Domain. When a
user roams to a switch that is not a member of the VLAN the user is
assigned to, the switch can tunnel traffic for the user through another
switch that is a member of the VLAN. The traffic can be of any protocol
type. (For more information about Mobility Domains, see Chapter 8,
“Configuring and Managing Mobility Domain Roaming,” on page 153.)