Port access VLAN groups

VLAN grouping distributes users across the VLANs in a VLAN group to reduce the size of broadcast domains. It also provides dynamic load balancing of users across VLANs: each new user is onboarded on the least populated VLAN in the group.

A VLAN group is a configuration construct that contains the VLANs allocated to that group. VLAN groups reuse the existing standard RADIUS attribute Tunnel-Private-Group-ID (81): the attribute value is interpreted as a VLAN group name when no VLAN with that name exists on the switch. VLAN groups are supported only through RADIUS attributes; there is no support through local roles or downloadable user roles.

VLAN grouping limitations

The following limitations apply to VLAN grouping:

  • VLANs must exist before they can be allocated. Any VLAN that does not exist on the switch is skipped during allocation.
  • When a VLAN is allocated from a VLAN group and is subsequently removed from that group, the client is not changed until it expires or a role change is performed. Re-authentication has no effect.
  • Deleting a VLAN group after one of its VLANs has been allocated to a client does not affect that client.
  • Using reserved VLANs in the pool is not recommended. A VLAN reserved for another purpose, such as UBT, is still allocated but then fails authorization.
  • When a VLAN group and a VLAN are configured with the same name on the switch, the VLAN name takes precedence on authentication and clients are placed in that VLAN.
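The following is an added model, not the switch's own code, of how a received Tunnel-Private-Group-ID value is resolved under the rules above: an exact VLAN name wins over a group of the same name, nonexistent group members are skipped, the least populated member is chosen, and removing a VLAN from a group leaves existing clients where they are. Class and method names are this example's own, and the tie-break on equal load (lowest VLAN ID) is an assumption the page does not state.

```python
from collections import Counter


class VlanAllocator:
    """Constructed model of VLAN-group allocation; not vendor code."""

    def __init__(self, vlans, groups):
        # vlans:  {vlan_id: vlan_name} for VLANs that exist on the switch
        # groups: {group_name: [vlan_id, ...]} VLAN group membership
        self.vlans = dict(vlans)
        self.groups = {g: list(ids) for g, ids in groups.items()}
        self.clients = {}  # client_id -> assigned vlan_id

    def resolve(self, client_id, attr_value):
        """Apply a Tunnel-Private-Group-ID value; return the VLAN ID or None."""
        # 1. A VLAN whose name matches takes precedence over a group of that name.
        for vid, name in self.vlans.items():
            if name == attr_value:
                self.clients[client_id] = vid
                return vid
        # 2. Otherwise the value is interpreted as a VLAN group name.
        if attr_value not in self.groups:
            return None  # neither a VLAN name nor a group name
        # 3. Only VLANs that actually exist on the switch are candidates.
        candidates = [v for v in self.groups[attr_value] if v in self.vlans]
        if not candidates:
            return None
        # 4. Load balance: least populated candidate (assumed tie-break: lowest ID).
        load = Counter(self.clients.values())
        vid = min(candidates, key=lambda v: (load[v], v))
        self.clients[client_id] = vid
        return vid

    def remove_from_group(self, group_name, vlan_id):
        """Removing a VLAN from a group does not move clients already on it."""
        self.groups[group_name].remove(vlan_id)
        # Clients already placed on vlan_id keep it until they expire or change role.


# Constructed sample switch state: VLAN 99 is referenced by the group but does
# not exist, and "guest" is both a VLAN name and a group name.
SAMPLE_VLANS = {10: "eng-a", 20: "eng-b", 30: "guest", 40: "eng-c"}
SAMPLE_GROUPS = {"eng": [10, 20, 40, 99], "guest": [10]}
```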