Configuration guidelines
Follow these guidelines when you configure an 802.1X guest VLAN:
You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.
Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X guest VLAN on a port, so the port can correctly process incoming VLAN tagged traffic.
If 802.1X clients in your network cannot trigger an immediate DHCP-assigned IP address renewal in response to a VLAN change, the 802.1X users cannot access authorized network resources immediately after an 802.1X authentication is complete. As a solution, remind the 802.1X users to release their IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The HPE iNode client does not have this problem.
Use Table 6 when configuring multiple security features on a port.
Table 6: Relationships of the 802.1X guest VLAN and other security features
Feature | Relationship description | Reference |
---|---|---|
Super VLAN | You cannot specify a VLAN as both a super VLAN and an 802.1X guest VLAN. | See Layer 2—LAN Switching Configuration Guide. |
MAC authentication guest VLAN on a port that performs MAC-based access control | Only the 802.1X guest VLAN take effect. A user who fails MAC authentication will not be assigned to the MAC authentication guest VLAN. | |
802.1X Auth-Fail VLAN on a port that performs MAC-based access control | The 802.1X Auth-Fail VLAN has a higher priority. | |
Port intrusion protection on a port that performs MAC-based access control | The 802.1X guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature. | See "Configuring port security." |