To do… | Use the command… | Remarks
dot1x guest-vlan vlan-id
• Different ports can be configured with different guest VLANs, but a port can be configured with only one guest VLAN.
• If you configure both 802.1X authentication and MAC authentication on a port and specify an MGV for each authentication method, the MGV for the 802.1X authentication method will take effect. For information about MGV for MAC authentication, refer to MAC Authentication Configuration in the Security Volume.
• If you configure both an MAFV for 802.1X authentication and an MGV for MAC authentication on a port, the newly generated MAFV entry for a user will overwrite the MGV entry for the user, if any, while the newly generated MGV entry for a user will not overwrite the MAFV entry for the user, if any.
• The generated MGV entry for a MAC address will overwrite the existing blocked-MAC entry for the MAC address. However, if the port is disabled by the intrusion protection function, the MGV cannot take effect. For a description of how the intrusion protection function disables a port, refer to Port Security Configuration in the Security Volume.
Configuring an Auth-Fail VLAN
• The Auth-Fail VLAN function and the free IP function in EAD fast deployment are mutually exclusive on a port.
• If the traffic from a user-side device carries VLAN tags and the 802.1X authentication and guest VLAN functions are configured on the access port, it is recommended that you configure different VLAN IDs for the voice VLAN, the default VLAN of the port, and the 802.1X guest VLAN. This ensures that the functions work normally.
Configuration prerequisites
• Create the VLAN to be specified as the Auth-Fail VLAN.
• To configure a port-based Auth-Fail VLAN, make sure that the port access control method is portbased, and the 802.1X multicast trigger function is enabled.
• To configure a MAC-based Auth-Fail VLAN, make sure that the port access control method is macbased and the MAC VLAN function is enabled on the port. For the MAC VLAN configuration, refer to VLAN Configuration in the Access Volume.
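The prerequisites above can be checked mechanically before an Auth-Fail VLAN is rolled out. The following is an added example, not part of the manual: a small checker that reads a configuration listing and reports ports that do not meet them. Only dot1x guest-vlan appears on this page; the other command spellings, the macbased default, and the multicast trigger being on unless undone are assumptions, and the sample configuration is constructed.

```python
import re
# Constructed sample. Only "dot1x guest-vlan" is on this page; every other
# command spelling and the stated defaults are assumptions for this example.
SAMPLE = """\
vlan 10
vlan 20
interface GigabitEthernet1/0/1
 dot1x port-method portbased
 undo dot1x multicast-trigger
 dot1x auth-fail vlan 20
interface GigabitEthernet1/0/2
 dot1x port-method macbased
 dot1x auth-fail vlan 30
interface GigabitEthernet1/0/3
 mac-vlan enable
 dot1x auth-fail vlan 20
"""

def parse(config):
    """Return (created VLAN ids, {port name: [port-level commands]})."""
    vlans, ports, current = set(), {}, None
    for line in config.splitlines():
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlans.add(int(m.group(1)))
            current = None
        elif m := re.fullmatch(r"interface (\S+)", line):
            current = ports.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
    return vlans, ports

def check_auth_fail_prereqs(config):
    """List (port, problem) pairs for unmet Auth-Fail VLAN prerequisites."""
    vlans, ports = parse(config)
    findings = []
    for port, cmds in ports.items():
        def arg(prefix):  # argument of the first command starting with prefix
            return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix)), None)
        afv = arg("dot1x auth-fail vlan")
        if afv is None:
            continue  # no Auth-Fail VLAN on this port, nothing to check
        method = arg("dot1x port-method") or "macbased"  # assumed default
        if int(afv) not in vlans:
            findings.append((port, f"Auth-Fail VLAN {afv} has not been created"))
        if method == "portbased" and "undo dot1x multicast-trigger" in cmds:
            findings.append((port, "portbased needs the 802.1X multicast trigger enabled"))
        if method == "macbased" and "mac-vlan enable" not in cmds:
            findings.append((port, "macbased needs the MAC VLAN function enabled"))
    return findings
```

On the constructed sample, check_auth_fail_prereqs(SAMPLE) reports one problem for GigabitEthernet1/0/1, two for GigabitEthernet1/0/2, and none for GigabitEthernet1/0/3.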
Configuration procedure
Follow these steps to configure an Auth-Fail VLAN: