Dot1X Critical Vlan - HPE FlexNetwork HSR6800 Security Command Reference

You can configure both an Auth-Fail VLAN and a guest VLAN for a port.
Examples
# Configure VLAN 3 as the Auth-Fail VLAN for port GigabitEthernet 3/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-GigabitEthernet3/0/1] dot1x auth-fail vlan 3
Related commands
•
dot1x
•
dot1x port-method

dot1x critical vlan

Use dot1x critical vlan to configure an 802.1X critical VLAN on a port for users that fail 802.1X
authentication because all the RADIUS servers in their ISP domains have been unreachable.
Use undo dot1x critical vlan to restore the default.
Syntax
dot1x critical vlan vlan-id
undo dot1x critical vlan
Default
No critical VLAN is configured on any port.
Views
Layer 2 Ethernet interface view
Default command level
2: System level
Parameters
vlan-id: Specifies a VLAN ID in the range of 1 to 4094. Make sure that the VLAN has been created
and is not a super VLAN. For more information about super VLANs, see Layer 2
Configuration Guide.
Usage guidelines
You can configure only one critical VLAN on a port. The MAC authentication critical VLANs on
different ports can be different.
When you change the access control method from MAC-based to port-based on the port, the
mappings between MAC addresses and the 802.1X critical VLAN are removed. You can use the
display mac-vlan command to display MAC-to-VLAN mappings.
When you change the access control method from port-based to MAC-based on a port that is in a
critical VLAN, the port is removed from the critical VLAN.
To delete a VLAN that has been configured as an 802.1X critical VLAN, you must perform the undo
dot1x critical vlan command first.
Examples
# Specify VLAN 3 as the 802.1X critical VLAN on port GigabitEthernet 3/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 3/0/1
[Sysname-gigabitethernet3/0/1] dot1x critical vlan 3
113
—
LAN Switching