Access Security Guide K/KA/KB.15.15

Example 15
Suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN
22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged
on port A2:
Figure 253 An active VLAN configuration
In Figure 253 (page 355), if RADIUS authorizes an 802.1X client on port A2 with the requirement
that the client use VLAN 22, then:
• VLAN 22 becomes available as Untagged on port A2 for the duration of the session.
• VLAN 33 becomes unavailable to port A2 for the duration of the session (because there can
  be only one untagged VLAN on any port).
To view the temporary VLAN assignment as a change in the active configuration, use the show
vlan <vlan-id> command as shown in Figure 254 (page 355) where <vlan-id> is the (static or
dynamic) VLAN used in the authenticated client session.
Figure 254 The active configuration for VLAN 22 temporarily changes for the 802.1X session
However, as shown in Figure 253 (page 355), because VLAN 33 is configured as untagged on
port A2 and because a port can be untagged on only one VLAN, port A2 loses access to VLAN
33 for the duration of the 802.1X session on VLAN 22.
You can verify the temporary loss of access to VLAN 33 by entering the show vlan 33 command
as shown in Figure 255 (page 355).
Figure 255 The active configuration for VLAN 33 temporarily drops port 22 for the 802.1X session
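The override rule in this example can be modelled to predict what show vlan will report while a session is open. The sketch below is an added illustration, not code from this guide or from the switch software. The mode strings, the function names, and the assumption that tagged memberships on other VLANs are left unchanged are this example's own.

```python
# Constructed sample matching the example above: on port A2 the saved
# configuration has VLAN 22 set to no access and VLAN 33 set to untagged.
STATIC = {"A2": {22: "no", 33: "untagged"}}


def active_view(static_port, radius_vlan=None):
    """Return the active VLAN modes for one port.

    static_port: {vlan_id: "untagged" | "tagged" | "no"} from the saved config.
    radius_vlan: VLAN that RADIUS requires for the 802.1X session (static or
                 dynamic), or None when no authenticated session is open.
    """
    active = dict(static_port)
    if radius_vlan is None:
        return active  # no session: the active view equals the saved config
    # A port can be untagged on only one VLAN, so a statically untagged
    # VLAN is displaced for as long as the session lasts.
    for vid, mode in static_port.items():
        if mode == "untagged" and vid != radius_vlan:
            active[vid] = "no"
    # The RADIUS-required VLAN becomes the port's untagged VLAN.
    # Assumption of this sketch: other tagged memberships are not touched.
    active[radius_vlan] = "untagged"
    return active


def session_diff(static_port, radius_vlan):
    """List (vlan_id, static_mode, active_mode) for every temporary change."""
    active = active_view(static_port, radius_vlan)
    return sorted(
        (vid, static_port.get(vid, "no"), mode)
        for vid, mode in active.items()
        if static_port.get(vid, "no") != mode
    )


if __name__ == "__main__":
    for vid, before, during in session_diff(STATIC["A2"], 22):
        print(f"port A2 VLAN {vid}: {before} -> {during} (session only)")
```

Comparing session_diff against the VLANs a port is expected to reach shows, before deployment, which statically untagged VLAN an authenticated client will displace.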