Alcatel-Lucent 6600 Switch User Manual


 
Configuring Authenticated VLANs
OmniSwitch 6600 Family Network Configuration Guide April 2006 page 21-27
Configuring Authentication IP Addresses
Authentication clients connect to an IP address on the switch for authentication. (Web browser clients may
enter a DNS name rather than the IP address; see “Setting Up a DNS Path” on page 21-29). When the
router port is set up for an authenticated VLAN (through the ip interface command), the switch automatically
sets up an authentication address for that authenticated VLAN based on the router port address. The
authentication address uses the same mask as the router port address and includes .253 at the end of the
address.
For example, if the router port address for authenticated VLAN 3 is 10.10.2.20, the authentication address
will be 10.10.2.253. This address is modifiable through the avlan auth-ip command; the address,
however, must use the same mask as the router port address. For example:
-> avlan auth-ip 3 10.10.2.80
This changes the authentication address for VLAN 3 to 10.10.2.80. The authentication IP address is also
used for the DNS address (see “Setting Up a DNS Path” on page 21-29).
To display authentication addresses, use the show aaa avlan auth-ip command.
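The following is an added example, not part of the manual or of Alcatel-Lucent's software: a pre-change check that computes the default authentication address for each authenticated VLAN and flags planned avlan auth-ip values that do not fit the router port's subnet. The function names and the sample plan are constructed for illustration, and reading "same mask" as "same subnet as the router port" is an assumption.

```python
import ipaddress

def default_auth_ip(router_ip):
    """Default described in the text: router port address with .253 at the end."""
    return ipaddress.IPv4Address(".".join(router_ip.split(".")[:3] + ["253"]))

def check_auth_ip(router_ip, mask, configured=None):
    """Return (effective authentication address, findings) for one authenticated VLAN."""
    iface = ipaddress.IPv4Interface(f"{router_ip}/{mask}")
    net = iface.network
    auth = ipaddress.IPv4Address(configured) if configured else default_auth_ip(router_ip)
    findings = []
    # Assumption: "same mask as the router port address" is read as "same subnet".
    if auth not in net:
        findings.append(f"outside router port subnet {net}")
    elif auth in (net.network_address, net.broadcast_address):
        findings.append("is the subnet's network or broadcast address")
    if auth == iface.ip:
        findings.append("collides with the router port address")
    return str(auth), findings

# Constructed sample plan: (VLAN, router port address, mask, avlan auth-ip override or None)
PLAN = [
    (3, "10.10.2.20", "255.255.255.0", None),           # default from the manual's example
    (3, "10.10.2.20", "255.255.255.0", "10.10.2.80"),   # override from the manual's example
    (4, "10.10.3.20", "255.255.255.128", None),         # default .253 under a /25 mask
    (5, "10.10.4.1", "255.255.255.0", "10.10.5.80"),    # override typed into the wrong subnet
]

def audit(plan):
    """Run check_auth_ip over every row and return (vlan, address, findings) tuples."""
    return [(vlan, *check_auth_ip(ip, mask, override)) for vlan, ip, mask, override in plan]

if __name__ == "__main__":
    for vlan, auth, findings in audit(PLAN):
        print(f"VLAN {vlan}: auth-ip {auth}: {'; '.join(findings) or 'ok'}")
```

Rows the check flags are candidates for review against show aaa avlan auth-ip on the switch; the check does not predict how the switch itself handles them.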
Setting Up the Default VLAN for Authentication Clients
By default, authentication users cannot send traffic in the default VLAN prior to authentication; however, the
switch may be configured to enable the default VLAN so that users may send traffic in the default VLAN prior
to authentication.
The default VLAN is the default VLAN for the authentication port, the physical port through which
authentication clients are connected to the switch. The authentication port is specified through the vlan
port authenticate command. See “Configuring Authenticated Ports” on page 21-28.
Use the avlan default-traffic command to enable the default VLAN for authentication traffic.
-> avlan default-traffic enable
When this command is enabled, any authentication client initially belongs to the default VLAN of the
authentication port through which the client is connected. After authentication, if a client is removed from
an authenticated VLAN through the aaa avlan no command, the client is moved to the default VLAN.
To disable any default VLAN for authentication traffic, use the disable keyword with the command:
-> avlan default-traffic disable
WARNING: Traffic on default vlan is DISABLED.
Existing users on default vlan are not flushed.
Users now do not belong to the default VLAN and cannot send traffic in it prior to authentication. Note that any
existing users in the default VLAN are not flushed.