2-91
Catalyst 3550 Multilayer Switch Command Reference
OL-8566-02
Chapter 2 Catalyst 3550 Switch Cisco IOS Commands
dot1x guest-vlan
dot1x guest-vlan
Use the dot1x guest-vlan interface configuration command to specify an active VLAN as an
IEEE
802.1x guest VLAN. Use the no form of this command to return to the default setting.
dot1x guest-vlan vlan-id
no dot1x guest-vlan
Syntax Description
Defaults No guest VLAN is configured.
Command Modes Interface configuration
Command History
Usage Guidelines For each IEEE 802.1x port on the switch, you can configure a guest VLAN to provide limited services
to clients (a device or workstation connected to the switch) not currently running IEEE 802.1x
authentication. These users might be upgrading their system for IEEE 802.1x authentication, and some
hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN
when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL)
request/identity frame or when EAPOL packets are not sent by the client.
With Cisco IOS Release 12.2(25)SE and later, the switch maintains the EAPOL packet history. If
another EAPOL packet is detected on the interface during the lifetime of the link, the guest VLAN
feature is disabled. If the port is already in the guest VLAN state, the port returns to the unauthorized
state, and authentication restarts. The EAPOL history is reset upon loss of link.
Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the EAPOL packet history and
allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL
packets had been detected on the interface. In Cisco IOS Release 12.2(25)SE, you can use the dot1x
guest-vlan supplicant global configuration command to enable this behavior.
However, in Cisco IOS Release 12.2(25)SEE, the dot1x guest-vlan supplicant global configuration
command is no longer supported. You can use a restricted VLAN to allow clients that failed
authentication access to the network by entering the dot1x auth-fail vlan vlan-id interface configuration
command.
vlan-id Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to
4094.
Release Modification
12.1(14)EA1 This command was introduced.
12.2(25)SE The default behavior of this command changed.
To Next Page
Loading...
