Configuring an Auth-Fail VLAN
Configuration guidelines
Follow these guidelines when configuring an 802.1X Auth-Fail VLAN:
•
Assign different IDs for the voice VLAN, the default VLAN, and the 802.1X Auth-Fail VLAN on a port,
so the port can correctly process VLAN tagged incoming traffic.
You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on
•
different ports can be different.
Use
Table 7
•
Table 7 Relationships of the 802.1X Auth-Fail VLAN with other features
Feature
Super VLAN
MAC authentication guest VLAN
on a port that performs
MAC-based access control
Port intrusion protection on a port
that performs MAC-based access
control
Configuration prerequisites
Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
•
If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger.
•
If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port,
•
enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged
member. For more information about the MAC-based VLAN function, see Layer 2
Configuration Guide.
Follow these steps to configure an Auth-Fail VLAN:
To do...
Enter system view
Enter Ethernet interface view
Configure the Auth-Fail VLAN on
the port
when configuring multiple security features on a port.
Relationship description
You cannot specify a VLAN as both a super
VLAN and an 802.1X Auth-Fail VLAN.
The 802.1X Auth-Fail VLAN has a high
priority.
The 802.1X Auth-Fail VLAN function has
higher priority than the block MAC action
but lower priority than the shut down port
action of the port intrusion protection
feature.
Use the command...
system-view
interface interface-type
interface-number
dot1x auth-fail vlan authfail-vlan-id
97
Reference
See the chapter "Super
VLAN configuration" in
Layer 2
LAN Switching
—
Configuration Guide
See the chapter "MAC
authentication
configuration"
See the chapter "Port
security configuration"
LAN Switching
—
Remarks
—
—
Required
By default, no Auth-Fail VLAN is
configured.