Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure an 802.1X guest VLAN for one or more ports. | (Approach 1) In system view: dot1x guest-vlan guest-vlan-id [ interface interface-list ]. (Approach 2) In Ethernet interface view: a. interface interface-type interface-number; b. dot1x guest-vlan guest-vlan-id | Use either approach. By default, no 802.1X guest VLAN is configured on any port.

Configuring an 802.1X Auth-Fail VLAN

Configuration guidelines

Follow these guidelines when configuring an 802.1X Auth-Fail VLAN:
• Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X Auth-Fail VLAN on a port, so the port can correctly process VLAN tagged incoming traffic.
• You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on different ports can be different.
• When the port moves between VLANs (for example, leaves the 802.1X guest VLAN and joins the Auth-Fail VLAN), ask 802.1X users to manually update their IP address so that they can access specific resources.
• Use Table 7 when configuring multiple security features on a port.

Table 7 Relationships of the 802.1X Auth-Fail VLAN with other features

Feature | Relationship description | Reference
Port intrusion protection on a port that performs MAC-based access control | The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature. | See "Configuring port security"

Configuration prerequisites

• Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
• If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger (dot1x multicast-trigger).
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged member. For more information about the MAC-based VLAN function, see Layer 2—LAN Switching Configuration Guide.

Configuration procedure

To configure an Auth-Fail VLAN:
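
The guidelines and prerequisites for the 802.1X Auth-Fail VLAN listed above can be checked against a planned port configuration before the change is made. The Python check below is an added example, not part of the original guide or the switch software; the PortConfig model, its field names, and the sample port are assumptions constructed for illustration.

```python
# Added example: pre-change lint for the 802.1X Auth-Fail VLAN guidelines.
# PortConfig and its field names are hypothetical, not a switch API.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class PortConfig:
    name: str
    access_control: str               # "port-based" or "mac-based"
    link_type: str                    # "access", "trunk" or "hybrid"
    port_vlan: int                    # the port VLAN named in the guidelines
    auth_fail_vlan: int
    voice_vlan: Optional[int] = None
    multicast_trigger: bool = True
    mac_vlan_enabled: bool = False
    untagged_vlans: Set[int] = field(default_factory=set)


def check_auth_fail_vlan(port: PortConfig, existing_vlans: Set[int]) -> List[str]:
    """Return one finding per guideline or prerequisite the port violates."""
    findings = []
    afv = port.auth_fail_vlan
    if afv not in existing_vlans:
        findings.append("Auth-Fail VLAN %d has not been created" % afv)
    # Voice VLAN, port VLAN and Auth-Fail VLAN must all use different IDs.
    ids = [("port VLAN", port.port_vlan), ("Auth-Fail VLAN", afv)]
    if port.voice_vlan is not None:
        ids.append(("voice VLAN", port.voice_vlan))
    for i, (name_a, id_a) in enumerate(ids):
        for name_b, id_b in ids[i + 1:]:
            if id_a == id_b:
                findings.append("%s and %s share ID %d" % (name_a, name_b, id_a))
    if port.access_control == "port-based":
        if not port.multicast_trigger:
            findings.append("port-based control needs dot1x multicast-trigger")
    elif port.access_control == "mac-based":
        if port.link_type != "hybrid":
            findings.append("MAC-based control needs a hybrid port")
        if not port.mac_vlan_enabled:
            findings.append("MAC-based control needs MAC-based VLAN enabled")
        if afv not in port.untagged_vlans:
            findings.append("port is not an untagged member of the Auth-Fail VLAN")
    else:
        findings.append("unknown access control method %r" % port.access_control)
    return findings

# Constructed sample: a MAC-based access port that reuses its port VLAN ID.
SAMPLE = PortConfig("GE1/0/1", "mac-based", "access", port_vlan=10, auth_fail_vlan=10)
```

An empty list from check_auth_fail_vlan means the port meets every guideline and prerequisite the check covers; the relationship with port intrusion protection in Table 7 is not modelled.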