5.2.1 Coexistence of Layer 2 authentication and other functions
The following table describes the specifications for interoperability between Layer 2 authentication and other functionality.

Layer 2 Authentication functionality | Function name | | Interoperability |
---|---|---|---|
IEEE802.1X | Link Aggregation | | Cannot coexist with Link Aggregation Control Protocol (LACP) channel groups. |
IEEE802.1X | MAC address-learning suppression | | VLAN and its VLAN cannot be used at the same time. |
IEEE802.1X | VLAN | Port VLAN | Can be used in port-based authentication and VLAN-based (static) authentication. |
IEEE802.1X | VLAN | Protocol VLAN | Cannot coexist on the same device. |
IEEE802.1X | VLAN | MAC VLAN | Can be used in VLAN-based (dynamic) authentication. |
IEEE802.1X | VLAN | Default VLAN | Can be used in port-based authentication and VLAN-based (static) authentication. Can also be used as the pre-authentication VLAN in VLAN-based (dynamic) authentication. |
IEEE802.1X | Extended VLAN Functionality | VLAN tunneling | Cannot coexist on the same device. |
IEEE802.1X | Extended VLAN Functionality | EAPOL forwarding | Cannot coexist on the same device. |
IEEE802.1X | VXLAN [SL-L3A] | | Do not configure port-based authentication or VLAN-based authentication (static) for VXLAN Network and VXLAN Access ports. |
IEEE802.1X | Spanning Tree Protocols | | Do not configure port-based authentication or VLAN-based (static) authentication for a port subject to a Spanning Tree Protocol. |
IEEE802.1X | Ring Protocol | | Do not configure port-based authentication or VLAN-based (static) authentication for a ring port subject to the Ring Protocol. |
IEEE802.1X | IGMP snooping | | |
IEEE802.1X | GSRP | | Cannot coexist on the same device. |
IEEE802.1X | VRRP | | Can authenticate terminals except those attached to a VLAN configured with VRRP or the ports associated with that VLAN. IEEE 802.1X authentication cannot take place in the following contexts: |
IEEE802.1X | Uplink Redundancy | | Cannot be used for uplink port pairs. |
IEEE802.1X | IEEE 802.3ah/UDLD | | Do not use on a port configured for port-based authentication or VLAN-based (static) authentication. |
IEEE802.1X | CFM | | Cannot be used at the same time on a port for which a CFM has been set. |
IEEE802.1X | OADP and CDP | | The Switch does not forward OADP or CDP traffic. |
IEEE802.1X | PTP | | Cannot coexist on the same device. |
IEEE802.1X | VRFs | | Cannot coexist on the same device. |
Web Authentication | Link Aggregation | | Ports in a channel group cannot be used as an authentication port in fixed VLAN or dynamic VLAN mode. |
Web Authentication | MAC address-learning suppression | | VLAN and its VLAN cannot be used at the same time. |
Web Authentication | VLAN | Port VLAN | Can be used in fixed VLAN mode. |
Web Authentication | VLAN | Protocol VLAN | Cannot coexist on the same device. |
Web Authentication | VLAN | MAC VLAN | Can be used in dynamic VLAN mode and legacy mode. |
Web Authentication | VLAN | Default VLAN | Can be used in fixed VLAN mode. Can also be used as the pre-authentication VLAN in dynamic VLAN mode and legacy mode. |
Web Authentication | Extended VLAN Functionality | VLAN tunneling | Cannot coexist on the same device. |
Web Authentication | Extended VLAN Functionality | EAPOL forwarding | Can be used on the same device. |
Web Authentication | VXLAN [SL-L3A] | | Do not configure fixed VLAN mode or dynamic VLAN mode for VXLAN Network and VXLAN Access ports. |
Web Authentication | Spanning Tree Protocols | | Do not configure fixed VLAN mode or dynamic VLAN mode for a port subject to a Spanning Tree Protocol. |
Web Authentication | Ring Protocol | | Do not configure fixed VLAN mode or dynamic VLAN mode for a ring port subject to the Ring Protocol. |
Web Authentication | IGMP snooping # | | Cannot coexist on the same device. |
Web Authentication | DHCP Snooping | | Cannot be used with a port assigned a VLAN ID with legacy mode specified. |
Web Authentication | VRRP | | Can authenticate terminals except those attached to a VLAN configured with VRRP or the ports associated with that VLAN. Do not configure MAC-based authentication in the following contexts: |
Web Authentication | Uplink Redundancy | | Cannot be used for uplink port pairs. |
Web Authentication | IEEE 802.3ah/UDLD | | Do not use on a port configured in fixed VLAN mode or dynamic VLAN mode. |
Web Authentication | CFM | | Cannot be used at the same time on a port for which a CFM has been set. |
Web Authentication | PTP | | Cannot coexist on the same device. |
Web Authentication | VRFs | | Cannot coexist on the same device. |
MAC-based Authentication | Link Aggregation | | Ports in a channel group cannot be used as an authentication port in fixed VLAN or dynamic VLAN mode. |
MAC-based Authentication | MAC address-learning suppression | | VLAN and its VLAN cannot be used at the same time. |
MAC-based Authentication | VLAN | Port VLAN | Can be used in fixed VLAN mode. |
MAC-based Authentication | VLAN | Protocol VLAN | Cannot coexist on the same device. |
MAC-based Authentication | VLAN | MAC VLAN | Can be used in dynamic VLAN mode. |
MAC-based Authentication | VLAN | Default VLAN | Can be used in fixed VLAN mode. Can also be used as the pre-authentication VLAN in dynamic VLAN mode. |
MAC-based Authentication | Extended VLAN Functionality | VLAN tunneling | Cannot coexist on the same device. |
MAC-based Authentication | Extended VLAN Functionality | EAPOL forwarding | Can be used on the same device. |
MAC-based Authentication | VXLAN [SL-L3A] | | Do not configure MAC authorization for VXLAN Network and VXLAN Access ports. |
MAC-based Authentication | Spanning Tree Protocols | | Do not configure MAC-based authentication for a port subject to a Spanning Tree Protocol. |
MAC-based Authentication | Ring Protocol | | Do not configure MAC-based authentication for a link port subject to the Ring Protocol. |
MAC-based Authentication | IGMP snooping | | Cannot coexist on the same device. |
MAC-based Authentication | VRRP | | Can authenticate terminals except those attached to a VLAN configured with VRRP or the ports associated with that VLAN. Do not configure MAC-based authentication in the following contexts: |
MAC-based Authentication | Uplink Redundancy | | Cannot be used for uplink port pairs. |
MAC-based Authentication | IEEE 802.3ah/UDLD | | Do not use IEEE 802.3ah/UDLD on a port configured for MAC-based authentication. |
MAC-based Authentication | CFM | | Cannot be used at the same time on a port for which a CFM has been set. |
MAC-based Authentication | PTP | | Cannot coexist on the same device. |
MAC-based Authentication | VRFs | | Cannot coexist on the same device. |

#: Web authentication is compatible with IGMP snooping in legacy mode.