Configuring a MAC authentication critical VLAN

Follow the guidelines in Table 9 when you configure a MAC authentication critical VLAN on a port.

Table 9: Relationships of the MAC authentication critical VLAN with other security features

| Feature | Relationship description | Reference |
|---|---|---|
| Quiet function of MAC authentication | The MAC authentication critical VLAN function has higher priority. When a user fails MAC authentication because no RADIUS authentication server is reachable, the user can access the resources in the critical VLAN, and the user’s MAC address is not marked as a silent MAC address. | See "MAC authentication timers." |
| Super VLAN | You cannot specify a VLAN as both a super VLAN and a MAC authentication critical VLAN. | See Layer 2—LAN Switching Configuration Guide. |
| Port intrusion protection | The MAC authentication critical VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature. | See "Configuring port security." |

If MAC authentication clients in your network cannot trigger an immediate DHCP-assigned IP address renewal in response to a VLAN change, the MAC authentication users cannot access authorized network resources immediately after a MAC authentication is complete. As a solution, remind the MAC authentication users to release their IP addresses or repair their network connections for a DHCP reassignment after MAC authentication is complete.

Before you configure a MAC authentication critical VLAN on a port, complete the following tasks:

To configure a MAC authentication critical VLAN:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
| 3. Specify a MAC authentication critical VLAN. | mac-authentication critical vlan critical-vlan-id | By default, no MAC authentication critical VLAN is configured. You can configure only one MAC authentication critical VLAN on a port. |
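
The following check is an added example, not part of the original guide or any vendor tooling: a Python script that audits an intended configuration against two rules stated above (only one critical VLAN per port, and no VLAN used as both a super VLAN and a critical VLAN). The "#"-separated stanza layout, the supervlan keyword in VLAN view, and the interface and VLAN numbers in the constructed sample are assumptions.

```python
import re

CRITICAL_RE = re.compile(r"mac-authentication critical vlan (\d+)")

# Constructed sample in the layout of a Comware running configuration.
# Assumed, not from the page: "#" separates stanzas; "supervlan" marks a super VLAN.
SAMPLE_CONFIG = """\
#
vlan 10
 supervlan
#
interface GigabitEthernet1/0/1
 mac-authentication critical vlan 10
#
interface GigabitEthernet1/0/2
 mac-authentication critical vlan 20
#
interface GigabitEthernet1/0/3
 mac-authentication critical vlan 20
 mac-authentication critical vlan 30
#
"""

def parse_stanzas(text):
    """Map each unindented header line to its indented body lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None
        elif not raw[0].isspace():
            current = stanzas.setdefault(raw.strip(), [])
        elif current is not None:
            current.append(raw.strip())
    return stanzas

def audit_critical_vlans(text):
    """Return (port, issue, vlan_ids) for each violated constraint."""
    stanzas = parse_stanzas(text)
    super_vlans = {int(h.split()[1]) for h, body in stanzas.items()
                   if re.fullmatch(r"vlan \d+", h) and "supervlan" in body}
    ports = {h.split(None, 1)[1]: b for h, b in stanzas.items() if h.startswith("interface ")}
    findings = []
    for port, body in ports.items():
        crit = {int(m.group(1)) for m in map(CRITICAL_RE.fullmatch, body) if m}
        if len(crit) > 1:  # only one critical VLAN is allowed per port
            findings.append((port, "multiple critical VLANs", sorted(crit)))
        if clash := sorted(crit & super_vlans):  # Table 9: super VLAN is excluded
            findings.append((port, "super VLAN conflict", clash))
    return findings
```

Calling audit_critical_vlans(SAMPLE_CONFIG) reports the first and third ports of the sample; the second port passes both checks.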