H3C Technologies H3C S3600 Series Switches User Manual
• For a VLAN ID with suffix t or T, the authentication port sends the frames of the VLAN tagged.
• For the first VLAN ID with suffix u or U, or with no suffix in the VLAN list, the authentication port
sends the frames of the VLAN untagged and configures the VLAN as its default VLAN; for the other
VLAN IDs with suffix u or U, or with no suffix, the authentication port still sends the frames of the
corresponding VLANs tagged.
That is, except for the VLAN corresponding to the first VLAN ID with suffix u or U, or with no suffix, in the
VLAN list, the authentication port sends the frames of all the VLANs specified in the VLAN list tagged.
Suppose the RADIUS server issues a VLAN list "1u 2t 3" to a switch. After the switch resolves the list, it
assigns the authentication port to VLAN 1, VLAN 2, and VLAN 3, configures VLAN 1 as the default
VLAN of the authentication port, and configures the authentication port to send frames of VLAN 1
untagged and send frames of VLAN 2 and VLAN 3 tagged.
According to the way a switch resolves a VLAN list, the resolution results of VLAN lists "1u 2u 3u", "1 2
3", "1 2t 3t", "2t 1u 3", "2t 1 3t", and "2t 1 3u" are all the same as that of "1u 2t 3".
• Because the switch needs to assign a port to multiple VLANs specified in a VLAN list, only hybrid
and trunk ports support the Auto VLAN feature.
• For a trunk port, the issued VLAN list must include a default VLAN ID, that is, the VLAN IDs in the
VLAN list cannot be all followed by suffix t or T.
• A VLAN list issued by the RADIUS server can contain up to 64 VLAN IDs; otherwise, the
authentication fails. In addition, a RADIUS attribute string can contain up to 253 characters. For a
VLAN list of more than 253 characters, even though the VLAN list contains no more than 64 VLAN
IDs, the authentication switch will not accept this VLAN list, which will also cause the authentication
to fail.
• If a VLAN ID appears in a VLAN list more than once, the tag processing mode for the VLAN
depends on the suffix of the VLAN ID appearing the last time. According to this rule, if VLAN list "1u
2u 1t" or "1u 2u 1" is issued to a port, the port joins VLAN 1 and VLAN 2, sending frames of VLAN
1 and VLAN 2 tagged; this VLAN list is the same as "2t 1t".
• The VLAN IDs in the VLAN list must be within the valid VLAN ID range; however, they are not
required to be sorted in ascending or descending order.
• A VLAN ID starting with 0 is considered illegal.
• A Tunnel-Private-Group-ID string cannot include characters other than numbers, U, u, T, and t. For
example, 3.0 and -3 are illegal.
• The number of spaces preceding and following a VLAN ID and its suffix is not restricted, but there
should be no space between a VLAN ID and its suffix. For example, the resolution results of VLAN
lists " 1u 2t 3", "1u 2t 3 ", "1u 2t 3", and "1u2t3" are all the same as that of "1u 2t 3", while VLAN
lists "1uu2t 3", "1 u 2t 3", and "u" are all illegal.
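The resolution rules above, written out as a validator that can be run over a Tunnel-Private-Group-ID value before the RADIUS server issues it. This is an added example, not H3C code: the function name, the 1 to 4094 VLAN range, counting every listed ID toward the limit of 64, and the reading of the duplicate-ID rule (each entry is classified in list order, then the last entry for an ID wins) are assumptions chosen to agree with the examples in the text.

```python
import re

# One list entry: a VLAN ID with an optional u/U/t/T suffix and no space in
# between. Matching one entry at a time keeps the scan linear in the input.
_ENTRY = re.compile(r" *(\d+)([uUtT]?) *")

MAX_ATTR_CHARS = 253          # RADIUS attribute string limit stated in the manual
MAX_VLAN_IDS = 64             # VLAN list limit stated in the manual
VLAN_RANGE = range(1, 4095)   # assumption: 802.1Q range; the page gives no numbers


def resolve_vlan_list(attr, port_type="hybrid"):
    """Return (default_vlan_or_None, sorted_tagged_vlans) or raise ValueError."""
    if len(attr) > MAX_ATTR_CHARS:
        raise ValueError("attribute longer than 253 characters")
    entries, pos = [], 0
    while pos < len(attr):
        m = _ENTRY.match(attr, pos)
        if m is None:  # e.g. "3.0", "-3", "1uu", "1 u", "u"
            raise ValueError(f"illegal character or stray suffix at offset {pos}")
        entries.append((m.group(1), m.group(2).lower()))
        pos = m.end()
    if not entries:
        raise ValueError("empty VLAN list")
    if len(entries) > MAX_VLAN_IDS:  # assumption: every listed ID counts
        raise ValueError("more than 64 VLAN IDs")
    if port_type == "trunk" and all(sfx == "t" for _, sfx in entries):
        raise ValueError("trunk port needs a default VLAN ID in the list")

    modes, default_seen = {}, False
    for digits, sfx in entries:
        if digits.startswith("0") or int(digits) not in VLAN_RANGE:
            raise ValueError(f"illegal VLAN ID {digits!r}")
        # Only the first u/U/no-suffix entry is untagged; all others are tagged.
        untagged = sfx != "t" and not default_seen
        default_seen = default_seen or untagged
        modes[int(digits)] = "untagged" if untagged else "tagged"  # last entry wins

    default = next((v for v, m in modes.items() if m == "untagged"), None)
    tagged = sorted(v for v, m in modes.items() if m == "tagged")
    return default, tagged
```

A default of `None` means the list leaves the port with no VLAN sent untagged, as in the "1u 2u 1t" case described above.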
In actual applications, to use this feature together with Guest VLAN, you are advised to set port control to
port-based mode. For more information, refer to Basic 802.1x Configuration of 802.1x and System
Guard Operation.
Follow these steps to configure dynamic VLAN assignment: