Specifications

Alcatel-Lucent
OS-LS6200 Series Page 21
Solution: The administrator can define VLANs for which authorization is not required.
Those VLANs are always available to users, even if the port is unauthorized. These VLANs
are defined as “Unauthenticated” VLANs.
802.1x – Multiple Sessions support
What it is
802.1x now supports Multiple Sessions in addition to Single-host and Multiple-hosts
o Single-host: grants access only to ONE host that has been authorized
o Multiple-hosts: multiple hosts that are attached to a single 802.1x-enabled port
will ALL be granted network access as long as one of the attached hosts is
authorized
o Multiple Sessions: enables a number of specific hosts that have been authorized to
get network access (and denies others…). All authenticated users are classified
in the same VLAN on the port
Multiple Sessions Filtering is based on the source MAC address
How to use it
The dot1x port-control mode must be set to “auto”
The system is set to dot1x single-host mode by default
Use the “dot1x multiple-hosts authentication” command to enable this feature
Note: the command “dot1x multiple-hosts” without “authentication” enables Multiple
Hosts only, which grants all hosts network access once one host is authenticated
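Added example (not part of the Alcatel-Lucent document, and not switch code): a small Python model of the three host modes and of “Unauthenticated” VLANs as described above. Class and function names, the VLAN numbers and the MAC addresses are constructed, and rejecting a second host in single-host mode is an assumption of the model.

```python
from dataclasses import dataclass, field
from enum import Enum


class HostMode(Enum):
    SINGLE_HOST = "single-host"
    MULTIPLE_HOSTS = "multiple-hosts"
    MULTIPLE_SESSIONS = "multiple-hosts authentication"


@dataclass
class Dot1xPort:
    """Toy model of one 802.1x port in port-control "auto" (names are hypothetical)."""
    mode: HostMode = HostMode.SINGLE_HOST          # page: single-host is the default
    unauth_vlans: frozenset = frozenset()          # "Unauthenticated" VLANs
    authorized: set = field(default_factory=set)   # source MACs that passed 802.1x

    def authenticate(self, mac: str) -> bool:
        """Record a successful 802.1x authentication for this source MAC."""
        mac = mac.lower()
        # Assumption: in single-host mode a second host cannot take over the port.
        if self.mode is HostMode.SINGLE_HOST and self.authorized and mac not in self.authorized:
            return False
        self.authorized.add(mac)
        return True

    def permits(self, src_mac: str, vlan: int) -> bool:
        """Would a data frame with this source MAC and VLAN be forwarded?"""
        if vlan in self.unauth_vlans:
            return True                  # open even while the port is unauthorized
        if not self.authorized:
            return False                 # nobody has authenticated yet
        if self.mode is HostMode.MULTIPLE_HOSTS:
            return True                  # one authorized host opens the port for all
        return src_mac.lower() in self.authorized   # filter on source MAC


def replay(mode: HostMode) -> list:
    """Replay a constructed frame sequence and return the forwarding decisions."""
    alice, bob, mallory = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:66"
    port = Dot1xPort(mode=mode, unauth_vlans=frozenset({99}))
    before = port.permits(alice, 10)     # nothing authenticated yet
    guest = port.permits(mallory, 99)    # unauthenticated VLAN
    port.authenticate(alice)
    port.authenticate(bob)               # rejected in single-host mode
    return [before, guest] + [port.permits(m, 10) for m in (alice, bob, mallory)]


if __name__ == "__main__":
    for mode in HostMode:
        print(f"{mode.value:32} {replay(mode)}")
```

The last value in each result is the host that never authenticated: it is forwarded only in multiple-hosts mode, which is the difference the note above draws between “dot1x multiple-hosts” and “dot1x multiple-hosts authentication”.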
Transparent 802.1x BPDU forwarding
What it is
According to the IEEE 802.1 standards, 802.1X BPDUs should never be forwarded. The 802.1X
BPDUs should be handled by the switch if 802.1X is enabled on the port, or should be
discarded by the switch in all other cases.
This feature enables 802.1X BPDU flooding, under user control, so that 802.1X BPDU
packets are bridged as data packets.
How to use it
The feature can be enabled only when 802.1X is globally disabled (by the
no dot1x system-auth-control global configuration command)
If the port is disabled for 802.1X but 802.1X is enabled globally, 802.1X BPDUs would
always be discarded.
802.1X BPDU forwarding description
According to the IEEE 802.1 standards, 802.1X BPDUs should never be forwarded. The 802.1X BPDUs
should be handled by the switch if 802.1X is enabled on the port, or should be discarded by the
switch in all other cases.
This feature allows 802.1X BPDU packets to be bridged as data packets, under user control.
The feature can be enabled only when 802.1X is globally disabled (by the
no dot1x system-auth-control global configuration command).
User Control:
Enable/Disable 802.1X BPDU flooding.
References, Notes and Limitations
The feature can be enabled only when 802.1X is globally disabled (by the
no dot1x system-auth-control global configuration command). If the port is disabled for 802.1X
but 802.1X is enabled globally, 802.1X BPDUs would always be discarded.
DHCP Snooping
What it is
DHCP snooping is a DHCP security feature that provides network security by
o filtering untrusted DHCP messages and
o building and maintaining a DHCP snooping binding database table
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers
DHCP snooping differentiates between untrusted interfaces connected to the end user and
trusted interfaces connected to the DHCP server or another switch
How to use it
The administrator has the following controls for enabling/disabling the feature:
o Global: enable/disable
o Per VLAN: enable/disable
Trusted interfaces are connected to DHCP servers or to switches/hosts for which DHCP packet
filtering is not required
Untrusted interfaces are connected to untrusted hosts
By default, all interfaces are untrusted when DHCP snooping is enabled.
Note: In order to enable DHCP snooping on a VLAN, you must enable DHCP snooping on the switch
Functional Description
DHCP snooping is a DHCP security feature that provides network security by filtering untrusted
DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to
as a DHCP snooping binding table. DHCP snooping acts like a firewall between untrusted hosts and
DHCP servers. DHCP snooping differentiates between untrusted interfaces connected to the end user
and trusted interfaces connected to the DHCP server or another switch.
User Controls
The administrator has the following controls for enabling/disabling the feature:
Global enable/disable of the feature.
Per VLAN enable/disable of the feature.