H3C S5100-SI Operation Manual page 327

After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port
(namely, the first user whose unicast MAC address is learned by the switch) periodically. If this user
passes the re-authentication, this port will exit the Guest VLAN, and thus the user can access the
network normally.
Guest VLANs are implemented in the mode of adding a port to a VLAN. For example, when
multiple users are connected to a port, if the first user fails in the authentication, the other users can
access only the contents of the Guest VLAN. The switch will re-authenticate only the first user
accessing this port, and the other users cannot be authenticated again. Thus, if more than one
client is connected to a port, you cannot configure a Guest VLAN for this port.
After users that are connected to an existing port failed to pass authentication, the switch adds the
port to the Guest VLAN. Therefore, the Guest VLAN can separate unauthenticated users on an
access port. When it comes to a trunk port or a hybrid port, if a packet itself has a VLAN tag and be
in the VLAN that the port allows to pass, the packet will be forwarded perfectly without the influence
of the Guest VLAN. That is, packets can be forwarded to the VLANs other than the Guest VLAN
through the trunk port and the hybrid port, even users fail to pass authentication.
Follow these steps to configure a Guest VLAN:
To do...
Enter system view
Enter Ethernet port view
Configure the Guest VLAN for
the current port
Return to system view
Configure the interval at which
the switch re-authenticates
users in Guest VLANs
Use the command...
system-view
interface interface-type
interface-number
mac-authentication
guest-vlan vlan-id
quit
mac-authentication timer
guest-vlan-reauth interval
1-5
Remarks
—
—
Required
By default, no Guest VLAN is
configured for a port by default.
—
Optional
By default, the switch
re-authenticates the users in
Guest VLANs at the interval of
30 seconds by default.