Dot1X Guest-Vlan - Cisco Catalyst 2950 Command Reference Manual

Chapter 2
Catalyst 2950 and 2955 Cisco IOS Commands

dot1x guest-vlan

Use the dot1x guest-vlan interface configuration command to specify an active VLAN as an
IEEE 802.1x guest VLAN for switches running the enhanced software image (EI). Use the no form of
this command to return to the default setting.

dot1x guest-vlan vlan-id
no dot1x guest-vlan

Syntax Description
vlan-id    Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094.

Defaults
No guest VLAN is configured.

Command Modes
Interface configuration

Command History
Release        Modification
12.1(14)EA1    This command was introduced.
12.1(22)EA2    This command was modified to change the default guest VLAN behavior.

Usage Guidelines
You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to
clients (a device or workstation connected to the switch) not currently running IEEE 802.1x
authentication. These users might be upgrading their system for IEEE 802.1x authentication, and some
hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.

When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN
when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL)
request/identity frame or when EAPOL packets are not sent by the client.

Before Cisco IOS Release 12.1(22)EA2, the switch did not maintain the EAPOL packet history and
allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL
packets had been detected on the interface. You can use the dot1x guest-vlan supplicant global
configuration command to enable this behavior.

With Cisco IOS Release 12.1(22)EA2 and later, the switch maintains the EAPOL packet history. If
another EAPOL packet is detected on the interface during the lifetime of the link, the guest VLAN
feature is disabled. If the port is already in the guest VLAN state, the port is returned to the unauthorized
state, and authentication is restarted. The EAPOL history is reset upon loss of link.
Entering the dot1x guest-vlan supplicant global configuration command disables this behavior.

Any number of non-IEEE-802.1x-capable clients are allowed access when the switch port is moved to
the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is
configured, the port is put into the unauthorized state in the user-configured access VLAN, and
authentication is restarted.

Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.

Catalyst 2950 and Catalyst 2955 Switch Command Reference, OL-10102-01
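
A configuration check based on the behavior described in the Usage Guidelines, added here as an example (it is not part of the Cisco command reference). It scans an IOS-style configuration for ports that set dot1x guest-vlan, checks the vlan-id against the 1 to 4094 range, and reports whether the global dot1x guest-vlan supplicant command is present, in which case clients that fail authentication are allowed into the guest VLAN. The sample configuration, its interface names and the function name audit_guest_vlans are constructed for illustration.

```python
import re

# Constructed sample running-config (not from a real switch); the 4095 value
# is deliberately out of range to exercise the range check.
SAMPLE_CONFIG = """\
dot1x guest-vlan supplicant
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 5
!
interface FastEthernet0/2
 dot1x port-control auto
!
interface FastEthernet0/3
 dot1x port-control auto
 dot1x guest-vlan 4095
"""

GUEST_RE = re.compile(r"^dot1x guest-vlan (\d+)$")

def audit_guest_vlans(config_text):
    """Return (supplicant_enabled, findings) for an IOS-style config text."""
    supplicant = False
    current_if = None
    ports = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # Unindented line: a new interface block or a global command.
            current_if = line[len("interface "):] if line.startswith("interface ") else None
            supplicant = supplicant or line == "dot1x guest-vlan supplicant"
            continue
        m = GUEST_RE.match(line)
        if m and current_if:
            ports.append((current_if, int(m.group(1))))
    # The global command affects every guest-VLAN port, wherever it appears.
    # Before 12.1(22)EA2 the same behavior applies even without the command.
    findings = [
        {"interface": name, "guest_vlan": vlan,
         "in_range": 1 <= vlan <= 4094,  # range from the Syntax Description
         "failed_auth_reaches_guest_vlan": supplicant}
        for name, vlan in ports
    ]
    return supplicant, findings

if __name__ == "__main__":
    enabled, results = audit_guest_vlans(SAMPLE_CONFIG)
    print("dot1x guest-vlan supplicant configured:", enabled)
    for r in results:
        print(r)
```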

This manual is also suitable for:

Catalyst 2955