Port access role
Every device that connects to a port is associated with a role. Roles are associated with all clients, both authenticated and unauthenticated, and applied to each user session. By default, roles are enabled on a switch.
The following are a few examples of user role names and the access privileges that can be configured:
- Employee—Provide complete access to network resources.
- Contractor—Provide limited access to network resources.
- Guest—Provide only Internet browsing access.
Each user role determines the client network privileges, frequency of reauthentication, applicable bandwidth contracts, and other permissions.
Active user roles applied to clients are created only if Ternary Content-Addressable Memory (TCAM) resources are available on the switch.
A user role consists of the following optional parameters:
- Ingress user policy: L3 (IPv4 and/or IPv6) ordered list of classes with actions.
- captive-portal-profile: Assigns a captive portal profile for this role.
- inactivity-timeout: The inactivity timeout period in seconds with a range of 300 to 4294967295 for the authenticated client for an implicit logoff.
- reauth-period: Sets the reauthentication period in seconds or 0 to disable.
- vlan access: Sets the untagged VLAN ID.
- vlan trunk: Sets the tagged VLAN ID.
- auth-mode: Configures the authentication mode for the clients that are associated with the current role. Available modes are: client-mode, device-mode, or multi-domain.
- poe-priority: Specifies the PoE priority for the interface.
- mtu: Configures the MTU support for the client.
- vlan trunk allowed: Specifies the list of tagged VLANs configured for the interface.
- trust-mode: Configures the QoS trust mode for the client.
- private-vlan: Configures PVLAN port type for a user role. The following are the attributes:
  - promiscuous: Configures the port type as promiscuous.
  - secondary: Configures the port type as secondary.