5.3.7 Operation when dot1q is set to MAC
If you use the switchport mac dot1q vlan configuration command to configure dot1q at a MAC port, tagged frames entering that port are authenticated according to fixed VLAN mode.
Untagged frames are authenticated according to dynamic VLAN mode. Note that untagged frames are associated with the native VLAN prior to authentication and with the designated VLAN ID after successful authentication.
The following figure describes the operation of the MAC port with dot1q configured:
|
|
![[Figure Data]](./GRAPHICS/ZU250080.GIF)
If the mac-authentication dot1q-vlan force-authorized configuration command is applied to the MAC port, the switch will forward tagged frames from that port without requiring it to undergo MAC-based authentication.
Because a terminal thus exempted from authentication is treated as an authenticated MAC terminal, keep the following in mind:
-
Authentication-exempted terminals (MAC addresses) count against the maximum number of authenticated users allowed on a port.
-
After you cancel terminal's authentication-exempted status, a logout message appears in the operation log. Because authentication-exempted status is canceled when a terminal is moved to another port, the same message will appear in the operation log after you move an authentication-exempted terminal between ports.
-
The following triggers cancel the authentication-exempted status of a terminal:
-
An operation command is used to cancel authentication-exempted status.
The authentication-exempted status of a terminal will be canceled if you specify its MAC address in the clear mac-authentication auth-state operation command.
It also cancels its exempted status if you specify the option of the clear mac-authentication auth-state operation command that cancels the authentication status for all MAC-authenticated terminals.
-
The port to which an authentication-exempted terminal is connected is in link-down status.
When the switch detects that a port is in link-down status, the terminals attached to the port will lose their authentication-exempted status.
-
An authentication-exempted terminal is aged out from the MAC address table.
If there is no communication from an authentication-exempted terminal for a period of approximately 10 minutes after the aging time of the MAC address table has elapsed, the authentication-exempted status is canceled.
-
The VLAN configuration changes.
The authentication-exempted status of a terminal will be canceled if you use a configuration command to change the configuration of the VLAN to which the terminal belongs.
The following configuration changes trigger a logout:
Deletion of the VLAN
Suspension of the VLAN
-
The authentication mode changes.
The authentication-exempted status of a terminal will be canceled if the copy command is used to change authentication modes.
-
MAC-based authentication is deleted.
The authentication-exempted status of a terminal will be canceled if the no mac-authentication system-auth-control configuration command is used to delete MAC-based authentication.
-
The following table describes the operation of Layer 2 authentication with dot1q configured at a MAC port:
|
Frame type |
IEEE802.1X |
Web Authentication |
MAC-based Authentication |
|---|---|---|---|
|
Untagged frame |
Subject to VLAN-based authentication (dynamic) |
Subject to authentication in dynamic VLAN mode |
Subject to authentication in dynamic VLAN mode |
|
Tagged frame |
Subject to VLAN-based authentication (static) |
Cannot be authenticated |
Subject to authentication in fixed VLAN mode |