DES-7200 Configuration Guide Chapter 4 802.1x Configuration
will be discarded. The ACL can only work on the basis of the MAC address.
For example, if the authenticated MAC address is 00d0.f800.0001, then all packets with
the source MAC address 00d0.f800.0001 can be switched. If the port is associated with an
ACL, the ACL further filters the packets that can be switched, for example by rejecting
ICMP packets from the source MAC address 00d0.f800.0001.
2. Restrictions that apply while users on the interface are being authenticated or have
been authenticated:
   - The port mode cannot be modified; for example, the command switchport mode trunk
     cannot be used.
   - The port Access VLAN cannot be modified in ACCESS mode.
   - The port Allowed VLAN and Native VLAN cannot be modified in TRUNK mode.
   - The port cannot be removed from or added to an AP port.
3. Restrictions that apply while users in the VLAN are being authenticated or have been
authenticated:
   - The VLAN cannot be deleted.
   - The VLAN type cannot be modified; for example, the command private-vlan primary
     cannot be used.
4. Restrictions when multiple users authenticate under the same auth-port:
   - If the first user is not assigned a VLAN, the default VLAN is used.
   - Subsequent authenticated users that are not assigned a VLAN use the VLAN assigned
     to the first user.
   - A VLAN assigned to a subsequent user must be consistent with the one assigned to
     the first user; otherwise the authentication fails.
   - The VLAN assigned when the 1st user re-authenticates must be the same as the one
     that passed the last authentication; otherwise the authentication fails.
5. GVRP cannot be co-used with the dynamic VLAN auto-switching function.
6. The VLAN-switching function moves the whole port to another VLAN for
communication after the 802.1x authentication, so the most suitable network topology
is a single user connected to an ACCESS port. On a TRUNK port, although the function
is configurable, the actual authentication fails. For this reason, the VLAN
switching function cannot be configured on the TRUNK port.
7. The 802.1x function can be used together with other access control functions, such as
port security, IP+MAC binding, etc. When these access control functions are used
together, packets can enter the switch only if they satisfy all of the access
controls.
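
The multi-user rule in restriction 4 can be checked against a planned VLAN-assignment policy before deployment. The following Python model is an added example, not code from the guide or the switch firmware; the class and function names are hypothetical, and it assumes that a re-authentication returning no VLAN keeps the VLAN already in use and that a failed attempt leaves existing sessions untouched.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthPort:
    """Illustrative model of one 802.1x auth-port with dynamic VLAN assignment."""
    default_vlan: int
    pinned_vlan: Optional[int] = None            # VLAN fixed by the first user
    users: Dict[str, int] = field(default_factory=dict)  # MAC -> VLAN in use

    def authenticate(self, mac: str, assigned_vlan: Optional[int]) -> bool:
        """Apply restriction 4 to one successful credential check.

        assigned_vlan is the VLAN returned by the authentication server,
        or None when the server assigned none. Returns False when the
        VLAN rule makes the authentication fail.
        """
        if self.pinned_vlan is None:
            # First user on the port: no assignment means the default VLAN.
            self.pinned_vlan = (assigned_vlan if assigned_vlan is not None
                                else self.default_vlan)
        elif assigned_vlan is not None and assigned_vlan != self.pinned_vlan:
            # Later user, or re-auth of the first user, with a different VLAN.
            return False
        # No assignment on a later auth inherits the first user's VLAN.
        self.users[mac] = self.pinned_vlan
        return True


def replay(default_vlan: int,
           events: List[Tuple[str, Optional[int]]]) -> Tuple[List[bool], AuthPort]:
    """Replay (mac, assigned_vlan) events in order; return per-event results."""
    port = AuthPort(default_vlan)
    return [port.authenticate(mac, vlan) for mac, vlan in events], port


# Constructed sample policy: MAC addresses and VLAN IDs are made up.
SAMPLE_EVENTS = [
    ("00d0.f800.0001", 20),    # first user, assigned VLAN 20
    ("00d0.f800.0002", None),  # no VLAN assigned: inherits VLAN 20
    ("00d0.f800.0003", 30),    # conflicts with the first user's VLAN
    ("00d0.f800.0001", 20),    # first user re-auth, same VLAN
    ("00d0.f800.0001", 30),    # first user re-auth, different VLAN
]

if __name__ == "__main__":
    results, port = replay(default_vlan=1, events=SAMPLE_EVENTS)
    for (mac, vlan), ok in zip(SAMPLE_EVENTS, results):
        print(f"{mac} assigned={vlan} -> {'pass' if ok else 'FAIL'}")
```

A FAIL line in the replay points to a server-side policy that would lock users out on a shared port, which is the case to correct before enabling dynamic VLAN assignment there.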