Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7, OL-8978-04, page 40-41
Chapter 40 Configuring 802.1X Authentication
Configuring 802.1X Authentication on the Switch
Configuring 802.1X Authentication with Private VLANs
Note: For more information on private VLANs, see the “Configuring Private VLANs on the Switch” section on page 11-19.
These sections describe how to configure 802.1X authentication with private VLANs:
• Overview, page 40-41
• Port VLANs and 802.1X VLANs, page 40-41
• Configuration Guidelines, page 40-42
• Configuring 802.1X Authentication with Private VLANs, page 40-42
Overview
Private VLANs provide a subnet conservation mechanism that allows a port to be conditionally
operational in a VLAN pair without trunking. A private VLAN is composed of an associated primary
VLAN and a secondary VLAN. A primary VLAN can participate in multiple private VLANs, with each
primary VLAN having a different secondary VLAN associated with it. A secondary VLAN must belong
to only one private VLAN. The secondary VLAN must be associated with only one primary VLAN.
Secondary VLAN types are community, isolated, and two-way.
Before software release 8.6(1), an 802.1X port could not be configured in a private VLAN and a private
VLAN port could not participate in 802.1X. With software release 8.6(1) and later releases, you can
enable isolated private VLANs for 802.1X ports that are assigned to a guest VLAN through 802.1X
authentication.
With guest VLANs, ports belonging to different customers can end up in the same guest VLAN whenever
a supplicant is identified as incapable of 802.1X before it becomes 802.1X capable. In that situation,
traffic from one customer might be accessible to every other customer in the guest VLAN. To avoid this,
you can assign a different guest VLAN to each port; however, that approach consumes multiple VLANs.
With the isolated private VLAN approach, you can configure multiple ports in a single VLAN pair and
suppress the traffic interchange between ports in the same secondary VLAN.
Port VLANs and 802.1X VLANs
With 802.1X, a port can be in a preauthenticated or post-authenticated state. In both states, the port is
associated with a VLAN. The VLANs are referred to as the port VLAN and the 802.1X VLAN. The port
VLAN is the VLAN of the port before a new VLAN has been assigned by 802.1X. The 802.1X VLAN
of the port is the VLAN that is assigned to the port by 802.1X. The port operates in its port VLAN if it
has not been enabled for 802.1X. Once the port is enabled for 802.1X, the port continues to be associated
with its port VLAN although it stops forwarding traffic on the port VLAN. Once 802.1X assigns a new
VLAN to the port, the port becomes operationally associated with the new VLAN (the 802.1X VLAN).
If no VLAN is supplied by the RADIUS server, the port becomes operational in its port VLAN. A
summary of port VLAN and 802.1X VLAN behavior follows:
• The port VLAN behavior is as follows:
  – Used by ports before 802.1X is enabled
  – Used as a nonoperational port VLAN after 802.1X is enabled