HP 6120G/XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 531
Configuring Port-Based and User-Based Access Control (802.1X)
How RADIUS/802.1X Authentication Affects VLAN Operation

Note

Syntax: aaa port-access gvrp-vlans -Continued-

2. After you enable dynamic VLAN assignment in an authentication session, it is recommended that you use the interface unknown-vlans command on a per-port basis to prevent denial-of-service attacks. The interface unknown-vlans command allows you to:

• Disable the port from sending advertisements of existing GVRP-created VLANs on the switch.
• Drop all GVRP advertisements received on the port.

For more information, refer to the chapter on "GVRP" in the Advanced Traffic Management Guide.

3. If you disable the use of dynamic VLANs in an authentication session using the no aaa port-access gvrp-vlans command, client sessions that were authenticated with a dynamic VLAN continue and are not deauthenticated. (This behavior differs from how static VLAN assignment is handled in an authentication session: if you remove the configuration of the static VLAN used to create a temporary client session, the 802.1X, MAC, or Web authenticated client is deauthenticated.) However, if a RADIUS-configured dynamic VLAN used for an authentication session is deleted from the switch through normal GVRP operation (for example, if no GVRP advertisements for the VLAN are received on any switch port), authenticated clients using this VLAN are deauthenticated.

Any port VLAN-ID changes you make on 802.1X-aware ports during an 802.1X authenticated session do not take effect until the session ends.

With GVRP enabled, a temporary, untagged static VLAN assignment created on a port by 802.1X authentication is advertised as an existing VLAN. If this temporary VLAN assignment causes the switch to disable a configured (untagged) static VLAN assignment on the port, then the disabled VLAN assignment is not advertised. When the 802.1X session ends, the switch:

■ Eliminates and ceases to advertise the temporary VLAN assignment.
■ Re-activates and resumes advertising the temporarily disabled VLAN assignment.

12-75
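The following CLI sequence is an added example, not taken from the HP manual, showing the weak and the hardened state of the procedure above: dynamic (GVRP) VLAN assignment is enabled for 802.1X clients, and the authenticator ports are then stopped from sending or accepting GVRP advertisements with unknown-vlans disable. The port numbers 1-4, the RADIUS server address 192.0.2.10 and the prompt name are assumptions.

```text
; Enable GVRP and allow RADIUS to assign dynamic (GVRP-created) VLANs
; to authenticated clients.
ProCurve(config)# gvrp
ProCurve(config)# radius-server host 192.0.2.10 key <shared-secret>
ProCurve(config)# aaa authentication port-access eap-radius
ProCurve(config)# aaa port-access gvrp-vlans

; Weak state: ports 1-4 run the 802.1X authenticator but keep the
; default unknown-vlans mode (learn), so they still advertise the
; switch's VLANs and act on any GVRP advertisement they receive.
ProCurve(config)# aaa port-access authenticator 1-4
ProCurve(config)# aaa port-access authenticator active

; Hardened state: per-port, stop advertising existing GVRP-created
; VLANs and drop all GVRP advertisements received on these ports.
ProCurve(config)# interface 1-4 unknown-vlans disable

; Verify the per-port "Unknown VLAN" mode before putting clients on the ports.
ProCurve(config)# show gvrp
```

Apply unknown-vlans disable only to client-facing authenticator ports; uplinks that must learn dynamic VLANs from neighbouring switches still need learn (or block, which lets the port advertise but not join VLANs the switch does not already have).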
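As an added check that is not part of the manual, the script below audits a running configuration for the gap the note warns about: 802.1X authenticator ports that have dynamic VLAN assignment (aaa port-access gvrp-vlans) enabled but whose unknown-vlans mode is still learn or block rather than disable. The sample configuration is constructed to resemble ProCurve show running-config output; its port numbers, numeric-only port names and interface-block layout are assumptions, not output captured from a 6120 switch.

```python
"""Audit a ProCurve-style running configuration for 802.1X ports that use
RADIUS-assigned dynamic (GVRP) VLANs without `unknown-vlans disable`.

Added example, not HP's code. The config text is constructed to look like
`show running-config` output; port numbering (numeric only) and the
`interface <port> ... exit` block layout are assumptions."""

import re

# Constructed sample: authenticator on ports 1-4, dynamic VLANs enabled,
# but only ports 1 and 2 have GVRP advertisements disabled. Port 3 uses
# "block" (still advertises) and port 4 keeps the default "learn".
SAMPLE_CONFIG = """\
hostname "blade-sw1"
gvrp
interface 1
   unknown-vlans disable
   exit
interface 2
   unknown-vlans disable
   exit
interface 3
   unknown-vlans block
   exit
aaa port-access gvrp-vlans
aaa port-access authenticator 1-4
aaa port-access authenticator active
"""


def expand_port_list(spec):
    """Expand a port list such as '1-3,7' into ['1', '2', '3', '7'].
    Assumes numeric port names, as on the constructed sample."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(str(n) for n in range(int(lo), int(hi) + 1))
        elif part:
            ports.append(part)
    return ports


def parse_unknown_vlans(config):
    """Map port -> unknown-vlans mode found inside 'interface <port>' blocks.
    Ports with no explicit setting are omitted (the switch default is learn)."""
    modes = {}
    current = None
    for line in config.splitlines():
        stripped = line.strip()
        m = re.match(r"interface (\S+)$", stripped)
        if m:
            current = m.group(1)
            continue
        if stripped == "exit":
            current = None
            continue
        m = re.match(r"unknown-vlans (learn|block|disable)$", stripped)
        if m and current is not None:
            modes[current] = m.group(1)
    return modes


def audit(config):
    """Return authenticator ports that can still send or accept GVRP
    advertisements while dynamic VLAN assignment is enabled."""
    lines = [l.strip() for l in config.splitlines()]
    if "aaa port-access gvrp-vlans" not in lines:
        return []  # dynamic VLANs off: the GVRP exposure does not apply
    auth_ports = []
    for line in lines:
        # Matches the port list, not the separate "authenticator active" line.
        m = re.match(r"aaa port-access authenticator ([\d,\-]+)$", line)
        if m:
            auth_ports.extend(expand_port_list(m.group(1)))
    modes = parse_unknown_vlans(config)
    return [p for p in auth_ports if modes.get(p, "learn") != "disable"]


if __name__ == "__main__":
    for port in audit(SAMPLE_CONFIG):
        print(f"port {port}: 802.1X with dynamic VLANs but unknown-vlans is not disabled")
```

Feed the script the saved output of show running-config; every port it lists is one where the manual's recommendation (interface unknown-vlans disable) has not been applied. Note that block is reported as well, because a blocked port still advertises the switch's GVRP-created VLANs.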