• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged member. For more information about the MAC-based VLAN function, see the Layer 2 LAN Switching Configuration Guide.
Configuration procedure
Follow these steps to configure an 802.1X guest VLAN:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Configure an 802.1X guest VLAN for one or more ports | In system view: dot1x guest-vlan guest-vlan-id [ interface interface-list ]. In Layer 2 Ethernet interface view: interface interface-type interface-number, then dot1x guest-vlan guest-vlan-id | Required. Use either approach. By default, no 802.1X guest VLAN is configured on any port. |

Configuring an Auth-Fail VLAN
Configuration guidelines
Follow these guidelines when configuring an 802.1X Auth-Fail VLAN:
• Assign different IDs for the voice VLAN, default VLAN, and 802.1X guest VLAN on a port, so the port can correctly process VLAN tagged incoming traffic.
• You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on different ports can be different.
• Use Table 9 when configuring multiple security features on a port.

Table 9 Relationships of the 802.1X Auth-Fail VLAN with other features

| Feature | Relationship description | Reference |
|---|---|---|
| MAC authentication guest VLAN on a port that performs MAC-based access control | The 802.1X Auth-Fail VLAN has a high priority. | The chapter "MAC authentication configuration" |
| Port intrusion protection on a port that performs MAC-based access control | The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature. | The chapter "Port Security configuration" |

Configuration prerequisites
• Create the VLAN to be specified as the 802.1X Auth-Fail VLAN
• If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger.
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged
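
An added example, not part of the original guide: a small Python audit that checks a saved configuration against the guest VLAN rules stated in this section (distinct voice, default and guest VLAN IDs on a port; hybrid port, MAC-based VLAN and untagged guest VLAN membership on ports that perform MAC-based access control). The sample configuration is constructed, and every command form other than dot1x guest-vlan is an assumption about the device syntax.

```python
import re

# Constructed sample; only "dot1x guest-vlan" is from the page, other command forms are assumed.
SAMPLE = """\
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 1 10 untagged
 mac-vlan enable
 dot1x port-method macbased
 dot1x guest-vlan 10
interface GigabitEthernet1/0/2
 port hybrid pvid vlan 20
 voice vlan 20 enable
 dot1x port-method macbased
 dot1x guest-vlan 20
"""

def first_vlan(body, pattern):
    hits = [re.fullmatch(pattern, line) for line in body]
    return next((int(m.group(1)) for m in hits if m), None)

def audit(config):
    ports, body, findings = {}, None, []
    for line in config.splitlines():  # group indented lines under their interface
        if line.startswith("interface "):
            body = ports.setdefault(line.split()[1], [])
        elif body is not None and line.strip():
            body.append(line.strip())
    for port, body in ports.items():
        guest = first_vlan(body, r"dot1x guest-vlan (\d+)")
        if guest is None:
            continue  # no guest VLAN on this port, nothing to check
        pvid = first_vlan(body, r"port hybrid pvid vlan (\d+)") or 1  # assume VLAN 1 if unset
        voice = first_vlan(body, r"voice vlan (\d+) enable")
        ids = [v for v in (guest, pvid, voice) if v is not None]
        if len(set(ids)) != len(ids):
            findings.append((port, "voice, default and guest VLAN IDs overlap"))
        if "dot1x port-method macbased" not in body:
            continue  # remaining checks apply to MAC-based access control only
        if "port link-type hybrid" not in body:
            findings.append((port, "not a hybrid port"))
        if "mac-vlan enable" not in body:
            findings.append((port, "MAC-based VLAN not enabled"))
        untagged = {int(v) for line in body  # plain ID lists only, "to" ranges not expanded
                    if (m := re.fullmatch(r"port hybrid vlan ([\d ]+) untagged", line))
                    for v in m.group(1).split()}
        if guest not in untagged:
            findings.append((port, "not an untagged member of the guest VLAN"))
    return findings
```

Calling audit(SAMPLE) returns four findings, all for GigabitEthernet1/0/2, and none for the correctly configured GigabitEthernet1/0/1.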