D-Link 18 Switch User Manual


 
xStack
®
DES-3200-10/18/28/28F Layer 2 Ethernet Managed Switch User Manual
Guest VLAN Configuration
On 802.1X security enabled networks, there is a need for
non 802.1X supported devices to gain limited access to the
network, due to lack of the proper 802.1X software or
incompatible devices, such as computers running Windows
98 or lower operating systems, or the need for guests to
gain access to the network without full authorization. To
supplement these circumstances, this switch now
implements 802.1X Guest VLANs. These VLANs should
have limited access rights and features separate from other
VLANs on the network.
To implement 802.1X Guest VLANs, the user must first
create a VLAN on the network with limited rights and then
enable it as an 802.1X guest VLAN. Then the administrator
must configure the guest accounts accessing the Switch to
be placed in a Guest VLAN when trying to access the
Switch. Upon initial entry to the Switch, the client wishing
services on the Switch will need to be authenticated by a
remote RADIUS Server or local authentication on the
Switch to be placed in a fully operational VLAN. If
authenticated and the authenticator posseses the VLAN
placement information, that client will be accepted into the
fully operational target VLAN and normal switch functions
will be open to the client. If the authenticator does not have
target VLAN placement information, the client will be
returned to its originating VLAN. Yet, if the client is denied
authentication by the authenticator, it will be placed in the
Guest VLAN where it has limited rights and access. The
adjacent figure should give the user a better understanding
of the Guest VLAN process.
Figure 5 - 22. Guest VLAN Authentication Process
Limitations Using the Guest VLAN
1. Ports supporting Guest VLANs cannot be GVRP enabled and vice versa.
2. A port cannot be a member of a Guest VLAN and a static VLAN simultaneously.
3. Once a client has been accepted into the target VLAN, it can no longer access the Guest VLAN.
4. If a port is a member of multiple VLANs, it cannot become a member of the Guest VLAN.
130