Configuring a MAC authentication guest VLAN

Follow the guidelines in Table 8 when configuring a MAC authentication guest VLAN on a port.

Table 8: Relationships of the MAC authentication guest VLAN with other security features

Feature

Relationship description

Reference

Quiet function of MAC authentication

The MAC authentication guest VLAN function has higher priority. A user can access any resources in the guest VLAN.

See "MAC authentication timers."

Super VLAN

You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN.

See Layer 2—LAN Switching Configuration Guide.

Port intrusion protection

The MAC authentication guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.

See "Configuring port security."

802.1X guest VLAN on a port that performs MAC-based access control

The MAC authentication guest VLAN has a lower priority.

See "Configuring 802.1X."

If MAC authentication clients in your network cannot trigger an immediate DHCP-assigned IP address renewal in response to a VLAN change, the MAC authentication users cannot access authorized network resources immediately after a MAC authentication is complete. As a solution, remind the MAC authentication users to release their IP addresses or repair their network connections for a DHCP reassignment after MAC authentication is complete.

Before you configure a MAC authentication guest VLAN on a port, complete the following tasks:

To configure a MAC authentication guest VLAN:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter Layer 2 Ethernet interface view.

interface interface-type interface-number

N/A

3. Specify a MAC authentication guest VLAN.

mac-authentication guest-vlan guest-vlan-id

By default, no MAC authentication guest VLAN is configured.

You can configure only one MAC authentication guest VLAN on a port.