ACL Assignment Configuration Example
[Sysname-GigabitEthernet1/0/1] dot1x port-control auto
[Sysname-GigabitEthernet1/0/1] quit
# Create VLAN 10.
[Sysname] vlan 10
[Sysname-vlan10] quit
# Specify port GigabitEthernet 1/0/1 to use VLAN 10 as its guest VLAN.
[Sysname] dot1x guest-vlan 10 interface GigabitEthernet 1/0/1
You can use the display current-configuration or display interface
GigabitEthernet 1/0/1 command to view your configuration. You can also use
the display vlan 10 command in the following cases to verify whether the
configured guest VLAN functions:
■ When no users log in.
■ When a user fails the authentication.
■ When a user goes offline.
Network requirements
As shown in Figure 223, a host is connected to port GigabitEthernet1/0/1 of the
device and must pass 802.1x authentication to access the Internet.
■ Configure the RADIUS server to assign ACL 3000.
■ Enable 802.1x authentication on GigabitEthernet1/0/1 of the device, and configure ACL 3000.
After the host passes 802.1x authentication, the RADIUS server assigns ACL 3000
to GigabitEthernet1/0/1. As a result, the host can access the Internet but cannot
access the FTP server, whose IP address is 10.0.0.1.
Network diagram
Figure 223 Network diagram for ACL assignment
[Diagram labels: Host 192.168.1.10; GE 1/0/1 192.168.1.1/24; Switch; GE 1/0/2 192.168.1.2/24; Authentication servers (RADIUS server cluster) 10.1.1.1, 10.1.1.2; Internet; FTP server 10.0.0.1]
Configuration procedure
# Configure the IP addresses of the interfaces. (Omitted)
# Configure the RADIUS scheme.