From: Eric Leung (eric.lwc@gmail.com)
Date: Wed Oct 17 2007 - 22:17:16 ART
Hi Slevin,
The difference between guest VLAN and restricted VLAN is:
1. If the client does not support 802.1x authentication, the switch can
assign a guest VLAN to that port to allow the client to download the
802.1x software.
2. If the client DOES support 802.1x but the authentication is invalid, then
the switch can also assign a VLAN to that port for just limited services.
HTH,
Eric.
2007/10/17, slevin kremera <slevin.kremera@gmail.com>:
>
> Hi experts,
> I am confused about this.
>
> Firstly, is it supported on both 3550 and 3560? I think yes.
> Secondly, in what kind of situation do I need to use this?
>
> from the doc cd
> Configuring a Restricted VLAN
>
> When you configure a restricted VLAN on a switch, clients that are IEEE
> 802.1x-compliant are moved into the restricted VLAN when the authentication
> server does not receive a valid username and password. The switch supports
> restricted VLANs only in single-host mode.
>
> Beginning in privileged EXEC mode, follow these steps to configure a
> restricted VLAN. This procedure is optional.
> Usage Guidelines
>
> You can configure a restricted VLAN on ports configured as follows:
>
> single-host (default) mode only
>
> auto mode for authorization
>
> You should enable re-authentication. The ports in restricted VLANs do not
> receive re-authentication requests if re-authentication is disabled. To
> start the re-authentication process, the restricted VLAN must receive a
> link down event or an Extensible Authentication Protocol (EAP) logoff event
> from the port. If the host is connected through a hub, the port might never
> receive a link down event and might not detect the new host until the next
> re-authentication attempt occurs. Therefore, re-authentication should be
> enabled.
>
> If the user fails authentication, the port is moved to a restricted VLAN,
> and an EAP success message is sent to the user. Because the user is not
> notified of the authentication failure, there might be confusion as to why
> there is restricted access to the network. An EAP success message is sent
> for these reasons:
>
> If the EAP success message is not sent, the user tries to authenticate
> every 60 seconds (the default) by sending an EAP-start message.
>
> Some hosts (for example, devices running Windows XP) cannot implement DHCP
> until they receive an EAP success message.
>
> A user might cache an incorrect username and password combination after
> receiving an EAP success message from the authenticator and re-use that
> information in every re-authentication. Until the user passes the correct
> username and password combination, the port remains in the restricted
> VLAN.
>
> Internal VLANs that are used for Layer 3 ports cannot be configured as a
> restricted VLAN.
>
> You cannot configure a VLAN to be both a restricted VLAN and a voice VLAN.
> If you do this, a syslog message is generated.
>
> When a restricted VLAN port is moved to an unauthorized state, the
> authentication process is restarted. If the user fails the authentication
> process again, the authenticator waits in the held state. After the user
> has correctly re-authenticated, all IEEE 802.1x ports are reinitialized and
> treated as normal IEEE 802.1x ports.
>
> When you reconfigure a restricted VLAN to a different VLAN, any ports in
> the restricted VLAN are also moved and the ports stay in their current
> authorized state.
>
> When you shut down or remove a restricted VLAN from the VLAN database, any
> ports in the restricted VLAN are immediately moved to an unauthorized
> state and the authentication process is restarted. The authenticator does
> not wait in a held state because the restricted VLAN configuration still
> exists. While the restricted VLAN is inactive, all authentication attempts
> are counted. As soon as the restricted VLAN becomes active, the port is
> placed in the restricted VLAN.
>
> The restricted VLAN is supported only in single-host mode (the default
> port mode).
>
> When a port is placed in a restricted VLAN, the user's MAC address is
> added to the MAC address table. If a new MAC address appears on the port,
> it is treated as a security violation.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
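Added example (not part of the original thread or of the quoted Cisco documentation): a Catalyst 3560 IOS configuration that puts the two cases Eric describes side by side on one access port, with re-authentication enabled as the quoted guidelines require. The VLAN IDs (100, 200, 300), the RADIUS server address and the shared key are constructed placeholders.

```cisco
! Global AAA / RADIUS setup (server address and key are constructed placeholders)
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
dot1x system-auth-control
!
! Constructed VLAN IDs: 100 = production, 200 = guest, 300 = restricted
vlan 200
 name GUEST-NO-SUPPLICANT
vlan 300
 name RESTRICTED-AUTH-FAILED
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 100
 dot1x port-control auto
 ! Restricted VLAN is only supported in single-host mode (the default, made explicit here);
 ! a second MAC address appearing on the port is treated as a security violation.
 dot1x host-mode single-host
 ! Case 1: no 802.1x supplicant on the client -> guest VLAN
 dot1x guest-vlan 200
 ! Case 2: supplicant present but credentials rejected -> restricted VLAN
 dot1x auth-fail vlan 300
 ! Failed attempts tolerated before the port is moved to the restricted VLAN
 dot1x auth-fail max-attempts 3
 ! Without re-authentication a port parked in VLAN 300 never retries unless it
 ! sees a link-down or EAP-logoff event, so enable it and set the period (seconds)
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
```

Check the result with `show dot1x interface FastEthernet0/1 details` (shows the guest and auth-fail VLANs, host mode and the current port status) and `show vlan brief` to confirm which VLAN the port has been placed in.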
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:15 ART