87
Step Command Remarks
2. Create a VLAN group and
enter its view.
vlan-group group-name By default, no VLAN group exists.
3. Add VLANs to the group.
vlan-list vlan-list
By default, a VLAN group does not
contain VLANs.
You can repeat this step to add VLANs.
Do not add a super VLAN to a VLAN
group. The device does not assign
super VLANs to 802.1X users.
Configuring an 802.1X guest VLAN
Configuration guidelines
Follow these guidelines when you configure an 802.1X guest VLAN:
• You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different
ports can be different.
• Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X guest VLAN on a port, so
the port can correctly process incoming VLAN tagged traffic.
• With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member.
After the assignment, do not reconfigure the port as a tagged member in the VLAN.
• If 802.1X clients in your network cannot trigger an immediate DHCP-assigned IP address renewal
in response to a VLAN change, the 802.1X users cannot access authorized network resources
immediately after an 802.1X authentication is complete. As a solution, remind the 802.1X users to
release their IP addresses or repair their network connections for a DHCP reassignment after
802.1X authentication is complete. The HP iNode client does not have this problem.
• Use Table 8 w
hen configuring multiple security features on a port.
Table 8 Relationships of the 802.1X guest VLAN and other security features
Feature Relationship description Reference
Super VLAN
You cannot specify a VLAN as both a super
VLAN and an 802.1X guest VLAN.
See Layer 2
—
LAN
Switching Configuration
Guide
MAC authentication guest VLAN
on a port that performs
MAC-based access control
Only the 802.1X guest VLAN take effect. A
user that fails MAC authentication will not
be assigned to the MAC authentication
guest VLAN.
See "Configuring MAC
authentication"
802.1X Auth-Fail VLAN on a port
that performs MAC-based access
control
The 802.1X Auth-Fail VLAN has a higher
priority
See "Using 802.1X
authentication with other
features"
Port intrusion protection on a port
that performs MAC-based access
control
The 802.1X guest VLAN function has
higher priority than the block MAC action
but lower priority than the shut down port
action of the port intrusion protection
feature.
See "Configuring port
security"
To Next Page
Loading...
Need help?
General
