Dell FCX624-E Laptop User Manual


1232 PowerConnect B-Series FCX Configuration Guide
53-1002266-01
Configuring 802.1X port security
34
To specify an untagged VLAN, use the following.
"U:10" or "U:marketing"
When the RADIUS server specifies an untagged VLAN ID, the port default VLAN ID (or PVID) is
changed from the system DEFAULT-VLAN (VLAN 1) to the specified VLAN ID. The port transmits only
untagged traffic on its PVID. In this example, the port PVID is changed from VLAN 1 (the
DEFAULT-VLAN) to VLAN 10 or the VLAN named "marketing".
The PVID for a port can be changed only once through RADIUS authentication. For example, if
RADIUS authentication for a Client causes a port PVID to be changed from 1 to 10, and then
RADIUS authentication for another Client on the same port specifies that the port PVID be moved
to 20, then the second PVID assignment from the RADIUS server is ignored.
If the link goes down, or the dot1x-mac-session for the Client that caused the initial PVID
assignment ages out, then the port reverts to its original (non-RADIUS-specified) PVID, and
subsequent RADIUS authentication can change the PVID assignment for the port.
If a port PVID is assigned through the multi-device port authentication feature, and 802.1X
authentication subsequently specifies a different PVID, then the PVID specified through 802.1X
authentication overrides the PVID specified through multi-device port authentication.
To specify tagged VLANs, use the following.
"T:12;T:20" or "T:12;T:marketing"
In this example, the port is added to VLANs 12 and 20 or VLANs 12 and the VLAN named
"marketing". When a tagged packet is authenticated, and a list of VLANs is specified on the
RADIUS server for the MAC address, then the packet tag must match one of the VLANs in the list in
order for the Client to be successfully authenticated. If authentication is successful, then the port
is added to all of the VLANs specified in the list.
Unlike with a RADIUS-specified untagged VLAN, if the dot1x-mac-session for the Client ages out, the
port membership in RADIUS-specified tagged VLANs is not changed. In addition, if multi-device
port authentication specifies a different list of tagged VLANs, then the port is added to the
specified list of VLANs. Membership in the VLANs specified through 802.1X authentication is not
changed.
To specify an untagged VLAN and multiple tagged VLANs, use the following.
"U:10;T:12;T:marketing"
When the RADIUS server returns a value specifying both untagged and tagged VLAN IDs, the port
becomes a dual-mode port, accepting and transmitting both tagged traffic and untagged traffic at
the same time. A dual-mode port transmits only untagged traffic on its default VLAN (PVID) and
only tagged traffic on all other VLANs.
In this example, the port VLAN configuration is changed so that it transmits untagged traffic on
VLAN 10, and transmits tagged traffic on VLAN 12 and the VLAN named "marketing".
For a configuration example, refer to “802.1X Authentication with dynamic VLAN assignment” on
page 1261.
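The following Python sketch is an added example, not code from the Dell guide or the device firmware. It parses the VLAN string format shown above and models two documented rules: the PVID is changed only once per port, and a session age-out reverts the PVID but leaves tagged membership unchanged. The Port class, the client labels and the sample strings are hypothetical, and rejecting a second U: entry is an assumption.

```python
from dataclasses import dataclass, field

def parse_vlan_string(value):
    """Split a string such as 'U:10;T:12;T:marketing' into (untagged, tagged)."""
    untagged, tagged = None, []
    for item in value.strip().strip('"').split(";"):
        kind, sep, vlan = item.strip().partition(":")
        if not sep or kind not in ("U", "T") or not vlan:
            raise ValueError(f"malformed VLAN entry: {item!r}")
        vlan = int(vlan) if vlan.isdigit() else vlan  # numeric ID or VLAN name
        if kind == "T":
            tagged.append(vlan)
        elif untagged is not None:
            # Assumption: the guide only shows one U: entry per string.
            raise ValueError("more than one untagged VLAN specified")
        else:
            untagged = vlan
    return untagged, tagged

@dataclass
class Port:
    original_pvid: int = 1        # system DEFAULT-VLAN (VLAN 1)
    pvid: object = 1              # current PVID: VLAN ID or VLAN name
    pvid_owner: object = None     # Client whose session set the PVID
    tagged: set = field(default_factory=set)

    def authenticate(self, client, vlan_string):
        """Apply a RADIUS-returned VLAN string; return True if the PVID changed."""
        untagged, tagged = parse_vlan_string(vlan_string)
        pvid_applied = False
        if untagged is not None and self.pvid_owner is None:
            self.pvid, self.pvid_owner = untagged, client
            pvid_applied = True   # any later PVID assignment is ignored
        self.tagged.update(tagged)
        return pvid_applied

    def session_aged_out(self, client):
        # Only the PVID reverts; tagged VLAN membership is not changed.
        if client == self.pvid_owner:
            self.pvid, self.pvid_owner = self.original_pvid, None

if __name__ == "__main__":
    port = Port()  # constructed walk-through with two Clients on one port
    print(port.authenticate("client-A", "U:10;T:12;T:marketing"), port)
    print(port.authenticate("client-B", "U:20"), port)  # PVID stays 10
    port.session_aged_out("client-A")
    print(port)  # PVID back to 1, tagged VLANs kept
```

The second Client's result is the case to watch when auditing RADIUS policy: its traffic stays on the first Client's untagged VLAN until the port reverts.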
Saving dynamic VLAN assignments to the running-config file
You can configure the Dell PowerConnect device to save the RADIUS-specified VLAN assignments
to the device's running-config file. Enter commands such as the following.
PowerConnect(config)#dot1x-enable
PowerConnect(config-dot1x)#save-dynamicvlan-to-config