Configuring a MAC authentication guest VLAN
You must configure the MAC authentication guest VLAN on a hybrid port. Before you configure the MAC authentication guest VLAN on a hybrid port, complete the following tasks:
Enable MAC authentication globally and on the port.
Enable MAC-based VLAN on the port.
Create the VLAN to be specified as the MAC authentication guest VLAN.
Configure the VLAN as an untagged member on the port.
When you configure the MAC authentication guest VLAN on a port, follow the guidelines in Table 12.
Table 13: Relationships of the MAC authentication guest VLAN with other security features
Feature | Relationship description | Reference |
|---|---|---|
Quiet feature of MAC authentication | The MAC authentication guest VLAN feature has higher priority. When a user fails MAC authentication, the user can access the resources in the guest VLAN. The user's MAC address is not marked as a silent MAC address. | |
Super VLAN | You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN. | See Layer 2—LAN Switching Configuration Guide. |
Port intrusion protection | The guest VLAN feature has higher priority than the block MAC action but lower priority than the shutdown port action of the port intrusion protection feature. | See "Configuring port security." |
To configure the MAC authentication guest VLAN on a port:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
3. Specify the MAC authentication guest VLAN on the port. | mac-authentication guest-vlan guest-vlan-id | By default, no MAC authentication guest VLAN is specified on a port. You can configure only one MAC authentication guest VLAN on a port. |
4. (Optional.) Set the authentication interval for users in the MAC authentication guest VLAN. | mac-authentication guest-vlan auth-period period-value | The default setting is 30 seconds. This command is available in Release 1121 and later. |