NETGEAR M4100 Switch User Manual

286 | Chapter 15. Security Management
ProSafe M4100 and M7100 Managed Switches
Create a Guest VLAN
The guest VLAN feature allows the switch to provide a distinct level of service to 802.1X-unaware
clients, that is, devices with no supplicant that never answer the EAP requests the switch sends. It
is not intended for users who attempt 802.1X and fail authentication; those remain unauthorized.
The feature gives visitors and contractors network access to an external network (such as the
Internet) with no ability to reach the internal LAN.
Note that the switch cannot tell a device without a supplicant from one that deliberately stays
silent, so the guest VLAN must be treated as untrusted and kept away from internal VLANs by
routing restrictions or firewall rules at the guest VLAN's gateway.
Figure 30. Guest VLAN (diagram: RADIUS server, switch, Host, Guest 1 and Guest 2 attached to
ports 1/0/1, 1/0/24, 1/0/12 and 1/0/6)
In port-based mode, a client that does not support 802.1X and is connected to an unauthorized
port with 802.1X enabled cannot respond to the 802.1X requests from the switch. The port stays in
the unauthorized state and the client is not granted access to the network. If a guest VLAN is
configured on that port, the switch waits for the guest VLAN period; if the client still has not
responded when the timer expires, the port is placed in the configured guest VLAN and moved to
the authorized state, and the client is given access through that VLAN. A client that is
802.1X-aware responds to the 802.1X requests during this period and is authenticated normally
instead of being placed in the guest VLAN.
In MAC-based mode, when traffic from an unauthenticated client is noticed on a port that has a
guest VLAN configured, the guest VLAN timer is started for that client rather than for the whole
port. If the client is 802.1X-unaware and does not respond to any 802.1X requests before the timer
expires, the client is authenticated and associated with the guest VLAN, so its traffic is accepted
and switched through the guest VLAN. Other clients on the same port keep their own timers and
their own authentication state.
In this example, 802.1X is enabled on all ports, so every host that authenticates successfully is
assigned to VLAN 1. A guest VLAN is enabled on ports 1/0/1 and 1/0/24 only. Guests connecting to
those ports are placed in VLAN 2000, so they cannot reach the internal VLAN but can reach each
other within the guest VLAN. A client that stays silent on any other port (1/0/6 or 1/0/12, for
example) remains unauthorized and gets no access at all.
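The port-based and MAC-based behaviour described above, and the example topology, as an added simulation written for this page. It is not NETGEAR code and not the switch CLI; it models the guest VLAN decision logic so the timing and the failure cases can be checked. The port names and VLAN numbers 1 and 2000 come from the example; the 90 second guest VLAN period, the client names and the Switch, Port and Entry classes are assumptions made for the illustration. It also shows a case the text does not spell out: a supplicant that deliberately never answers EAP is indistinguishable from an 802.1X-unaware device and lands in the guest VLAN as well, which is why the guest VLAN must be treated as untrusted.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

AUTH_VLAN = 1        # VLAN for hosts that pass 802.1X (from the example)
GUEST_VLAN = 2000    # guest VLAN configured on ports 1/0/1 and 1/0/24 (from the example)
GUEST_PERIOD = 90    # guest VLAN period in seconds (assumed value, not from the manual)


@dataclass
class Entry:
    """802.1X state for one port (port-based mode) or one client MAC (MAC-based mode)."""
    first_seen: int              # time unauthenticated traffic was first noticed
    aware: bool = False          # True once the client has answered an EAP request
    vlan: Optional[int] = None   # None = unauthorized, no network access


@dataclass
class Port:
    name: str
    mode: str = "port"                  # "port" (port-based) or "mac" (MAC-based)
    guest_vlan: Optional[int] = None    # None = no guest VLAN on this port
    entries: Dict[str, Entry] = field(default_factory=dict)

    def key(self, mac: str) -> str:
        # port-based mode keeps a single state for the whole port;
        # MAC-based mode tracks every client separately
        return "*" if self.mode == "port" else mac


class Switch:
    def __init__(self, guest_period: int = GUEST_PERIOD) -> None:
        self.guest_period = guest_period
        self.ports: Dict[str, Port] = {}

    def add_port(self, name: str, mode: str = "port", guest_vlan: Optional[int] = None) -> None:
        self.ports[name] = Port(name, mode, guest_vlan)

    def traffic(self, port: str, mac: str, t: int) -> None:
        """Unauthenticated traffic seen from mac: start its guest VLAN timer if not running."""
        p = self.ports[port]
        p.entries.setdefault(p.key(mac), Entry(first_seen=t))

    def eap_response(self, port: str, mac: str, t: int, accepted: bool) -> None:
        """Client answered EAP. RADIUS Accept -> VLAN 1; Reject -> stays unauthorized.

        A client that talks 802.1X is never placed in the guest VLAN, so a failed
        authentication does not fall through to guest access."""
        p = self.ports[port]
        e = p.entries.setdefault(p.key(mac), Entry(first_seen=t))
        e.aware = True
        e.vlan = AUTH_VLAN if accepted else None

    def tick(self, now: int) -> None:
        """Expire guest VLAN timers: silent, 802.1X-unaware clients get the guest VLAN."""
        for p in self.ports.values():
            if p.guest_vlan is None:
                continue                      # no guest VLAN: port stays unauthorized
            for e in p.entries.values():
                if not e.aware and e.vlan is None and now - e.first_seen >= self.guest_period:
                    e.vlan = p.guest_vlan

    def vlan_for(self, port: str, mac: str) -> Optional[int]:
        p = self.ports[port]
        e = p.entries.get(p.key(mac))
        return e.vlan if e else None


def build_example_switch() -> Switch:
    """24 ports in port-based mode; guest VLAN 2000 only on 1/0/1 and 1/0/24."""
    sw = Switch()
    for n in range(1, 25):
        name = f"1/0/{n}"
        sw.add_port(name, guest_vlan=GUEST_VLAN if name in ("1/0/1", "1/0/24") else None)
    return sw


def port_based_scenario() -> Tuple[Dict[str, Optional[int]], Dict[str, Optional[int]]]:
    """Returns (VLANs just before the guest period expires, VLANs just after)."""
    sw = build_example_switch()
    sw.traffic("1/0/1", "guest-1", 0)                        # 802.1X-unaware guest
    sw.traffic("1/0/12", "silent", 0)                        # silent client, no guest VLAN here
    sw.eap_response("1/0/6", "host", 0, accepted=True)       # corporate host passes RADIUS
    sw.eap_response("1/0/24", "failed", 0, accepted=False)   # fails auth on a guest-VLAN port
    clients = [("1/0/1", "guest-1"), ("1/0/12", "silent"), ("1/0/6", "host"), ("1/0/24", "failed")]
    sw.tick(GUEST_PERIOD - 1)
    before = {mac: sw.vlan_for(port, mac) for port, mac in clients}
    sw.tick(GUEST_PERIOD)
    after = {mac: sw.vlan_for(port, mac) for port, mac in clients}
    return before, after


def mac_based_scenario() -> Dict[str, Optional[int]]:
    """MAC-based mode on 1/0/24: each client gets its own timer and its own VLAN."""
    sw = Switch()
    sw.add_port("1/0/24", mode="mac", guest_vlan=GUEST_VLAN)
    sw.traffic("1/0/24", "printer", 0)                       # no supplicant at all
    sw.eap_response("1/0/24", "laptop", 5, accepted=True)    # supplicant, passes RADIUS
    sw.traffic("1/0/24", "quiet-attacker", 10)               # supplicant deliberately muted
    sw.tick(GUEST_PERIOD + 10)
    return {mac: sw.vlan_for("1/0/24", mac) for mac in ("printer", "laptop", "quiet-attacker")}


if __name__ == "__main__":
    print(port_based_scenario())
    print(mac_based_scenario())
```

The two scenarios make the security point concrete: the host that fails RADIUS on a guest-VLAN port never gets guest access, the silent client on a port without a guest VLAN gets nothing, and the muted supplicant on the MAC-based port ends up in VLAN 2000 alongside the printer. Whatever sits in the guest VLAN therefore needs the same egress controls as any other untrusted segment.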