97
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter Layer 2 Ethernet
interface view.
interface
interface-type
interface-number
N/A
3. Enable 802.1X guest
VLAN assignment delay
on the port.
dot1x guest-vlan-delay
{
eapol
|
new-mac
}
By default, 802.1X guest VLAN
assignment delay is disabled on a port.
Configuring an 802.1X Auth-Fail VLAN
Configuration guidelines
When you configure an 802.1X Auth-Fail VLAN, follow these restrictions and guidelines:
• Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X Auth-Fail VLAN on a port.
The assignment makes sure the port can correctly process VLAN-tagged incoming traffic.
• You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on
different ports can be different.
• When you configure multiple security features on a port, follow the guidelines in Table 9.
Table 9
Relationships of the 802.1X Auth-Fail VLAN with other features
Feature Relationship description Reference
Super VLAN
You cannot specify a VLAN as
both a super VLAN and an
802.1X Auth-Fail VLAN.
See Layer 2—LAN Switching
Configuration Guide.
MAC authentication guest VLAN
on a port that performs
MAC-based access control
The 802.1X Auth-Fail VLAN has
a high priority.
See "Configuring MAC
authentication."
Port intrusion protection actions
on a port that performs
MAC-based access control
The 802.1X Auth-Fail VLAN
feature has higher priority than
the block MAC action.
The 802.1X Auth-Fail VLAN
feature has lower priority than
the shutdown port action of the
port intrusion protection feature.
See "Configuring port security."
Configuration prerequisites
Before you configure an 802.1X Auth-Fail VLAN, complete the following tasks:
• Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
• If the 802.1X-enabled port performs MAC-based access control, perform the following
operations for the port:
{ Configure the port as a hybrid port.
{ Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see
Layer 2—LAN Switching Configuration Guide.
{ Assign the port to the Auth-Fail VLAN as an untagged member.
To Next Page
Loading...
Need help?
General