R0106-HP MSR Router Series Security Configuration Guide(V7)

VLAN types in a group | VLAN selection and assignment rules

Authorized VLAN IDs include suffixes:
3. The device selects, as the untagged VLAN, the leftmost VLAN ID that is either unsuffixed or suffixed by u (whichever of the two comes first in the string).
4. The device assigns the untagged VLAN to the port as the PVID and assigns the remaining VLANs as tagged VLANs. If no untagged VLAN is assigned, the PVID of the port does not change. The port permits traffic from these tagged and untagged VLANs to pass through.

For example, the authentication server sends the string 1u 2t 3 to the access device for a user. The device assigns VLAN 1 as an untagged VLAN and the other VLANs as tagged VLANs. VLAN 1 becomes the PVID.
NOTE:
Assign VLAN IDs with suffixes only to hybrid or trunk ports that perform port-based access control.
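The selection in rules 3 and 4 above, together with the port-type restriction from the note, as an added Python example (not code from the guide or from the device software). It assumes the authorization string is whitespace-separated and models only the rules shown on this page; the port-type names and the function names are the example's own.

```python
from dataclasses import dataclass, field
from typing import Optional

# Port types that may receive suffixed VLAN IDs, per the NOTE above.
# Constructed for this example; the guide states the rule, not this identifier.
SUFFIX_CAPABLE_PORT_TYPES = {"hybrid", "trunk"}


@dataclass
class PortVlanState:
    """Resulting VLAN membership of the authenticated port."""
    pvid: int
    untagged: Optional[int] = None
    tagged: list = field(default_factory=list)


def parse_authorized_vlans(auth_string: str):
    """Split 'ID[u|t] ...' into (vlan_id, suffix) pairs; suffix is 'u', 't' or ''."""
    entries = []
    for token in auth_string.split():
        suffix = token[-1] if token[-1] in ("u", "t") else ""
        digits = token[:-1] if suffix else token
        if not digits.isdigit() or not 1 <= int(digits) <= 4094:
            raise ValueError(f"malformed VLAN entry: {token!r}")
        entries.append((int(digits), suffix))
    return entries


def apply_vlan_authorization(auth_string: str, current_pvid: int,
                             port_type: str = "hybrid") -> PortVlanState:
    """Apply rules 3 and 4: pick the untagged VLAN, make it the PVID, tag the rest."""
    entries = parse_authorized_vlans(auth_string)
    # A suffixed list is only valid on a hybrid or trunk port (port-based control).
    if any(s for _, s in entries) and port_type not in SUFFIX_CAPABLE_PORT_TYPES:
        raise ValueError(f"suffixed VLAN IDs are not supported on a {port_type} port")
    # Rule 3: the leftmost entry that is bare or suffixed 'u' becomes the untagged VLAN.
    untagged_idx = next((i for i, (_, s) in enumerate(entries) if s != "t"), None)
    if untagged_idx is None:
        # No untagged VLAN: the PVID does not change; every authorized VLAN is tagged.
        return PortVlanState(pvid=current_pvid, untagged=None,
                             tagged=list(dict.fromkeys(v for v, _ in entries)))
    untagged = entries[untagged_idx][0]
    # Rule 4: the untagged VLAN becomes the PVID; every other entry is a tagged VLAN.
    tagged = list(dict.fromkeys(v for i, (v, _) in enumerate(entries) if i != untagged_idx))
    return PortVlanState(pvid=untagged, untagged=untagged, tagged=tagged)


if __name__ == "__main__":
    # The guide's own example: "1u 2t 3" -> VLAN 1 untagged (PVID), VLANs 2 and 3 tagged.
    print(apply_vlan_authorization("1u 2t 3", current_pvid=1))
```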
Table 6 describes how the access device handles VLANs (except for the VLANs specified with suffixes) on an 802.1X-enabled port.

Table 6 VLAN manipulation

Port access control method: Port-based
VLAN manipulation:
  The device assigns the authorization VLAN to the port as the port VLAN (PVID). The authenticated 802.1X user and all subsequent 802.1X users can access the VLAN without authentication.
  When the user logs off, the previous PVID is restored, and all other online users are logged off.

Port access control method: MAC-based
VLAN manipulation:
  If the port is a hybrid port with MAC-based VLAN enabled, the device maps the MAC address of each user to the authorization VLAN. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.
  If the port is an access, trunk, or MAC-based VLAN-disabled hybrid port, the device assigns the first authenticated user's authorization VLAN to the port as the PVID. If a different VLAN is authorized to a subsequent user, that user cannot pass authentication. To ensure successful authentication of subsequent users, authorize the same VLAN to all 802.1X users on these ports.
A hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.

On a port with periodic online user reauthentication enabled, the MAC-based VLAN function does not take effect on a user who has been online before this function is enabled. The access device creates a MAC-to-VLAN mapping for the user when the following requirements are met:
• The user passes reauthentication.
• The authorization VLAN for the user is changed.
For more information about VLAN configuration and MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.
Guest VLAN
Only ports that perform port-based access control support the guest VLAN.