R0106-HP MSR Router Series Security Configuration Guide(V7)

{ VLAN name.

The VLAN name represents the VLAN description on the access device.

{ Combination of VLAN ID and VLAN name.

In the string, some VLANs are represented by their IDs, and some VLANs are represented by

their names.

{ VLAN group name.

For more information about VLAN groups, see Layer 2—LAN Switching Configuration Guide.

{ VLAN ID with suffix.

The suffix can be t or u, which indicates whether the ports assigned to the VLAN are tagged

members or not. For example, 2u indicates that the ports assigned to VLAN 2 are untagged

members.

NOTE:

The access device converts VLAN names and VLAN group name into VLAN IDs before VLAN

assignment.

Unsupported VLAN types

Do not specify the following types of VLANs for VLAN authorization. The access device does not assign

them to 802.1X users.

• VLANs that have not been created.

• Dynamically-learnt VLANs.

• Reserved VLANs.

VLAN selection and assignment

If the server assigns a group of VLANs, the access device selects and assigns a VLAN according to the

VLAN ID format. Table 5 d

escribes the VLAN selection and assignment rules for a group of authorization

VLANs.

Table 5 VLAN selection and assignment for a group of authorization VLANs

VLAN t

es in a

rou

VLAN selection

and assi

nment

rules

Authorized VLANs specified by

IDs or names

The device selects a VLAN to be the authorization VLAN of a user,

depending on whether the port has other online users:

• If the port does not have other online users, the device selects the VLAN

with the lowest ID from the group of VLANs.

• If the port has other online users, the device selects the VLAN by using

the following process:

a. The device selects the VLAN that has the fewest number of online

802.1X users.

b. If two VLANs have the same number of online 802.1X users, the

device selects the VLAN with the lower ID.

The device follows the rules in Table 6 to handle VLAN assig

nment.