When a second host (H2) is connected and gets assigned to VLAN ( V2), the port will have two operational
VLANs (V1 and V2). If H1 and H2 sends untagged ingress traffic, H1 traffic is mapped to VLAN (V1) and
H2 traffic to VLAN (V2), all egress traffic going out of the port on VLAN (V1) and VLAN (V2) are untagged.
If both the hosts, H1 and H2 are logged out or the sessions are removed due to some reason then VLAN (V1)
and VLAN (V2) are removed from the port, and the configured VLAN (V0) is restored on the port.
Scenario two
When a hub is connected to an access port, and the port is configured with an access VLAN (V0). The host
(H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed to V1.
When a second host (H2) is connected and gets authorized without explicit vlan policy, H2 is expected to use
the configured VLAN (V0) that is restored on the port. A ll egress traffic going out of two operational VLANs,
VLAN (V0) and VLAN (V1) are untagged.
If host (H2 ) is logged out or the session is removed due to some reason then the configured VLAN (V0) is
removed from the port, and VLAN (V1) becomes the only operational VLAN on the port.
Scenario three
When a hub is connected to an access port in open mode, and the port is configured with an access VLAN
(V0) .
The host (H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed to
V1. When a second host (H2) is connected and remains unauthorized, it still has access to operational VLAN
(V1) due to open mode.
If host H1 is logged out or the session is removed due to some reason, VLAN (V1) is removed from the port
and host (H2) gets assigned to VLAN (V0).
The combination of Open mode and VLAN assignment has an adverse affect on host (H2) because it has
an IP address in the subnet that corresponds to VLAN (V1).
Note
Limitation in Multi-auth Per User VLAN assignment
In the Multi-auth Per User VLAN assignment feature, egress traffic from multiple vlans are untagged on a
port where the hosts receive traffic that is not meant for them. This can be a problem with broadcast and
multicast traffic.
•
IPv4 ARPs
: Hosts receive ARP packets from other subnets. This is a problem if two subnets in different
Virtual Routing and Forwarding (VRF) tables with overlapping IP address range are active on the port.
The host ARP cache may get invalid entries.
•
I
Pv6 control packets
: In IPv6 deployments, Router Advertisements (RA) are processed by hosts that
are not supposed to receive them. When a host from one VLAN receives RA from a different VLAN,
the host assign incorrect IPv6 address to itself. Such a host is unable to get access to the network.
The workaround is to enable the IPv6 first hop security so that the broadcast ICMPv6 packets are
converted to unicast and sent out from multi-auth enabled ports.. The packet is replicated for each client
in multi-auth port belonging to the VLAN and the destination MAC is set to an individual client. Ports
having one VLAN, ICMPv6 packets broadcast normally.
•
IP multicast
: Multicast traffic destined to a multicast group gets replicated for different VLANs if the
hosts on those VLANs join the multicast group. When two hosts in different VLANs join a multicast
group (on the same mutli-auth port), two copies of each multicast packet are sent out from that port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1330
Information About 802.1x Port-Based Authentication
Содержание Catalyst 2960 Series
Страница 78: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches lxxviii Contents ...
Страница 96: ......
Страница 184: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 102 Additional References ...
Страница 195: ...P A R T II IP Multicast Routing Configuring IGMP Snooping and Multicast VLAN Registration page 115 ...
Страница 196: ......
Страница 250: ......
Страница 292: ......
Страница 488: ......
Страница 589: ...P A R T VI Cisco Flexible NetFlow Configuring NetFlow Lite page 509 ...
Страница 590: ......
Страница 619: ...P A R T VII QoS Configuring QoS page 539 Configuring Auto QoS page 645 ...
Страница 620: ......
Страница 749: ...P A R T VIII Routing Configuring IP Unicast Routing page 669 Configuring IPv6 First Hop Security page 677 ...
Страница 750: ......
Страница 796: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 714 Additional References ...
Страница 856: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 774 Additional References ...
Страница 1400: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1318 Additional References ...
Страница 1546: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1464 Auto Identity ...
Страница 1596: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1514 Additional References ...
Страница 1604: ......
Страница 1740: ......
Страница 1764: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1682 Additional References ...
Страница 1942: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1860 cli_write ...
Страница 1950: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1868 context_save ...
Страница 2058: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1976 event_register_wdsysmon ...
Страница 2076: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1994 smtp_subst ...
Страница 2090: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2008 sys_reqinfo_syslog_history ...
Страница 2104: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2022 unregister_counter ...
Страница 2105: ...P A R T XII Configuring Cisco IOS IP SLAs Configuring Cisco IP SLAs page 2025 ...
Страница 2106: ......
Страница 2118: ......
Страница 2164: ......