Specifications

Configuring and Managing VLANs

RoamAbout Mobility System Software Configuration Guide 4-15

Users and VLANs

Whenausersuccessfullyauthenticatestothenetwork,theuserisassignedtoaspecificVLAN.A

userremainsassociatedwiththesameVLANthroughouttheuser’ssessiononthenetwork, even

whenroamingfromoneRoamAboutSwitchtoanotherwithintheMobilityDomain.

YouassignausertoaVLAN

bysettingoneofthefol lowing attributesontheRADIUSserversor

inthelocaluserdatabase:

•Tunnel‐Private‐Group‐ID—ThisattributeisdescribedinRFC2868,RADIUSAttributesfor

TunnelProtocolSupport.

•VLAN‐Name—ThisattributeisanEnterasysvendor‐specificattribute(VSA).

SpecifytheVLANname,nottheVLANnumber.

TheexamplesinthischapterassumetheVLAN

isassignedonaRADIUSserverwitheitherofthevalidattributes.(Formoreinformation,see

Chapter 17,”ConfiguringAAAforNetworkUsers”.)

VLAN Names

TocreateaVLAN,youmustassignanametoit.VLANnamesmustbegloballyuniqueacrossa

MobilityDomaintoensuretheintendeduserconnectivityasdeterminedthroughauthentication

andauthorization.

EveryVLANonaRoamAbou tSwitchhasbothaVLANname,usedforauthorizationpurposes,

andaVLAN

number.VLANnumberscanvaryuniquelyforeachRoamAboutSwitchandarenot

relatedto802.1Qtagvalues.

YoucannotuseanumberasthefirstcharacterinaVLANname.

Roaming and VLANs

RoamAboutswitchesinaMobilityDomaincontainauser’strafficwithintheVLANthattheuser

isassignedto.Forexample,ifyouassignausertoVLANred,theRoamAboutswitchesinthe

MobilityDomaincontaintheuser’strafficwithinVLANredconfiguredontheswitches.

TheRoamAboutSwitchthrough

whichauserisauthenticatedisnotrequiredtobeamemberof

theVLANtheuserisassignedto.YouarenotrequiredtoconfiguretheVLANonallRoamAbout

switchesintheMobilityDomain.Whenauserroamstoaswitchthatisnotamemberofthe

VLANtheuserisassignedto,theswitchcantunneltrafficfortheuserthroughanotherswitch

thatisamemberoftheVLAN.Thetrafficcanbeofanyprotocoltype.

(Formoreinformation

aboutMobilityDomains,seeChapter 7,”ConfiguringandManagingMobilityDomain

Roaming”.)

Note: You cannot configure the Tunnel-Private-Group-ID attribute in the local user database.

Note: Because the default VLAN (VLAN 1) might not be in the same subnet on each switch,

Enterasys Networks recommends that you do not rename the default VLAN or use it for user traffic.

Instead, configure other VLANs for user traffic.