72
{
VLAN ID with suffix.
The suffix can be
t
or
u
, which indicates whether the ports assigned to the VLAN are tagged
members. For example,
2u
indicates that the ports assigned to VLAN 2 are untagged
members.
NOTE:
The access device converts VLAN names and VLAN group name into VLAN IDs before VLAN
assignment.
Unsupported VLAN types
Do not specify the following types of VLANs for VLAN authorization. The access device does not assign
these VLANs to 802.1X users.
•
VLANs that have not been created.
•
Dynamically-learned VLANs.
•
Reserved VLANs.
•
Private VLANs.
VLAN selection and assignment
If the server assigns a group of VLANs, the access device selects and assigns a VLAN according to the
VLAN ID format.
describes the VLAN selection and assignment rules for a group of authorization
VLANs.
Table 5
VLAN selection and assignment for a group of authorization VLANs
Types of authorized VLANs
VLAN selection and assignment rules
•
VLANs by IDs
•
VLANs by names
•
VLAN group name
The device selects a VLAN as the authorization VLAN for a user,
depending on whether the port has other online users:
•
If the port does not have other online users, the device selects the VLAN
with the lowest ID from the group of VLANs.
•
If the port has other online users, the device selects the VLAN by using
the following process:
a.
The device selects the VLAN that has the fewest number of online
users.
b.
If two VLANs have the same number of online 802.1X users, the
device selects the VLAN with the lower ID.
The device follows the rules in
to handle VLAN assignment.
VLAN IDs with suffixes
4.
The device selects the leftmost VLAN ID without a suffix, or the leftmost
VLAN ID suffixed by
u
as an untagged VLAN, whichever is more
leftmost.
5.
The device assigns the untagged VLAN to the port as the PVID, and it
assigns the remaining as tagged VLANs. If no untagged VLAN is
assigned, the PVID of the port does not change. The port permits traffic
from these tagged and untagged VLANs to pass through.
For example, the authentication server sends the string
1u 2t 3
to the access
device for a user. The device assigns VLAN 1 as an untagged VLAN and
other VLANs as tagged VLANs. VLAN 1 becomes the PVID.
NOTE:
Assign VLAN IDs with suffixes only to hybrid or trunk ports that perform port-based access control.