H3C S5600 Series Operation Manual page 604


Unlike the Guest VLANs described in the 802.1x and System-Guard manual, the Guest
VLANs mentioned in this section are Guest VLANs dedicated to MAC address
authentication.
After you complete the configuration tasks in Configuring Basic MAC Address Authentication
Functions for a switch, the switch can authenticate access users according to their MAC
addresses or according to fixed user names and passwords. The switch does not learn the MAC
addresses of clients that fail authentication into its local MAC address table, which
prevents illegal users from accessing the network.
In some cases, clients that fail authentication still need to access some restricted
resources in the network (such as the virus library update server). You can use the
Guest VLAN for this purpose.
You can configure a Guest VLAN for each port of the switch. When a client connected to a
port fails MAC address authentication, the port is added to the Guest VLAN
automatically. The MAC address of this client is also learned into the MAC address
table of the Guest VLAN, so the user can access the network resources of the Guest
VLAN.
After a port is added to a Guest VLAN, the switch periodically re-authenticates the first
access user of this port (namely, the first user whose unicast MAC address is learned by
the switch). If this user passes the re-authentication, the port exits the Guest VLAN,
and the user can access the network normally.
Guest VLANs are implemented by adding a port to a VLAN. For example, when multiple
users are connected to a port and the first user fails authentication, the other users
can access only the contents of the Guest VLAN. The switch re-authenticates only the
first user accessing this port, and the other users cannot be authenticated again. Thus,
if more than one client is connected to a port, you cannot configure a Guest VLAN for
this port.
After users connected to an existing port fail to pass authentication, the switch adds
the port to the Guest VLAN. Therefore, the Guest VLAN can separate unauthenticated users
on an access port. On a trunk port or a hybrid port, however, if a packet itself carries
a VLAN tag and that VLAN is one the port allows to pass, the packet is forwarded
normally, without being affected by the Guest VLAN. That is, packets can be forwarded to
VLANs other than the Guest VLAN through a trunk port or a hybrid port even if users fail
to pass authentication.
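The port-level behaviour described in the paragraphs above, modelled as an added Python example (not part of the H3C manual and not switch configuration). The port names, MAC addresses and VLAN IDs are constructed sample values, and treating other tagged frames as dropped is a simplifying assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Port:
    name: str
    link_type: str                           # "access", "trunk" or "hybrid"
    pvid: int                                # VLAN of untagged frames outside the Guest VLAN
    guest_vlan: Optional[int] = None
    allowed_tagged: frozenset = frozenset()  # tagged VLANs the port lets pass
    clients: tuple = ()                      # MACs in order learned; clients[0] is the first user
    in_guest: bool = False

def on_auth_result(port, mac, passed):
    """Apply one MAC (re-)authentication result; the state is per port, not per MAC."""
    if port.guest_vlan is not None and not passed:
        port.in_guest = True                 # the whole port joins the Guest VLAN
    elif passed and port.clients[:1] == (mac,):
        port.in_guest = False                # only the first user's success releases the port

def forwarding_vlan(port, tag=None):
    """VLAN a frame entering the port is forwarded in (None = dropped in this model)."""
    if tag is not None:                      # tagged frames ignore the Guest VLAN state
        ok = port.link_type in ("trunk", "hybrid") and tag in port.allowed_tagged
        return tag if ok else None
    return port.guest_vlan if port.in_guest else port.pvid

def audit(ports):
    """Map port name -> findings for the Guest VLAN setups the notes above warn about."""
    findings = {}
    for p in ports:
        if p.guest_vlan is None:
            continue
        notes = []
        if len(p.clients) > 1:
            notes.append("multiple clients: only the first user is re-authenticated")
        bypass = sorted(p.allowed_tagged - {p.guest_vlan})
        if p.link_type in ("trunk", "hybrid") and bypass:
            notes.append(f"tagged VLANs {bypass} are forwarded outside the Guest VLAN")
        if notes:
            findings[p.name] = notes
    return findings

# Constructed inventory: port names, MAC addresses and VLAN IDs are sample values.
PORTS = [
    Port("Ethernet1/0/1", "access", 10, 100, clients=("00e0-fc00-0001",)),
    Port("Ethernet1/0/2", "access", 10, 100, clients=("00e0-fc00-0002", "00e0-fc00-0003")),
    Port("Ethernet1/0/3", "trunk", 1, 100, frozenset({20, 30}), ("00e0-fc00-0004",)),
]
```

Calling `audit(PORTS)` reports the second and third ports: one has two clients behind it, the other permits tagged VLANs that are not confined by the Guest VLAN.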
Follow these steps to configure a Guest VLAN: