Configuring a MAC authentication guest VLAN
Restrictions and guidelines
When you configure the MAC authentication guest VLAN on a port, follow the guidelines in Table 18.
Table 18: Relationships of the MAC authentication guest VLAN with other security features
Feature | Relationship description | Reference |
---|---|---|
Quiet feature of MAC authentication | The MAC authentication guest VLAN feature has higher priority. When a user fails MAC authentication, the user can access the resources in the guest VLAN. The user's MAC address is not marked as a silent MAC address. | |
Super VLAN | You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN. | See Layer 2—LAN Switching Configuration Guide. |
Port intrusion protection | The guest VLAN feature has higher priority than the block MAC action but lower priority than the shutdown port action of the port intrusion protection feature. | See "Configuring port security." |
Prerequisites
Before you configure the MAC authentication guest VLAN on a port, complete the following tasks:
- Create the VLAN to be specified as the MAC authentication guest VLAN.
- Configure the port as a hybrid port, and configure the VLAN as an untagged member on the port.
- Enable MAC-based VLAN on the port.
For information about VLAN configuration, see Layer 2—LAN Switching Configuration Guide.
Procedure
1. Enter system view.

   `system-view`

2. Enter interface view.

   `interface interface-type interface-number`

3. Specify the MAC authentication guest VLAN on the port.

   `mac-authentication guest-vlan guest-vlan-id`

   By default, no MAC authentication guest VLAN is specified on a port.

   You can configure only one MAC authentication guest VLAN on a port. The MAC authentication guest VLANs on different ports can be different.

4. (Optional.) Set the authentication interval for users in the MAC authentication guest VLAN.

   `mac-authentication guest-vlan auth-period period-value`

   The default setting is 30 seconds.
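The prerequisites and the super VLAN restriction above can be checked offline against a saved configuration. The following is an added example, not code from the original guide: it audits every port that carries `mac-authentication guest-vlan`. The sample configuration is constructed, and the `#`-separated section layout and the command forms `supervlan`, `port link-type hybrid`, `port hybrid vlan ... untagged` and `mac-vlan enable` are assumptions about how the device displays these settings.

```python
import re

# Constructed sample in the style of a saved switch configuration (not from a real device).
SAMPLE_CONFIG = """\
vlan 10
#
vlan 20
 supervlan
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 1 10 untagged
 mac-vlan enable
 mac-authentication guest-vlan 10
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid vlan 1 untagged
 mac-authentication guest-vlan 20
"""

def audit_guest_vlans(config):
    """Return {interface: [problems]} for each port with a guest VLAN."""
    # Split on '#' separator lines; the first line of a block names the section.
    blocks = [[l.strip() for l in b.splitlines() if l.strip()]
              for b in re.split(r"^#[ \t]*$", config, flags=re.M)]
    sections = {b[0]: b[1:] for b in blocks if b}
    report = {}
    for head, body in sections.items():
        text = "\n".join(body)
        # Matches only the VLAN-ID form, not the 'auth-period' form.
        m = re.search(r"^mac-authentication guest-vlan (\d+)$", text, re.M)
        if not head.startswith("interface ") or not m:
            continue
        guest, untagged = int(m.group(1)), set()
        for spec in re.findall(r"^port hybrid vlan (.+) untagged$", text, re.M):
            for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec):  # '5 to 12' ranges
                untagged.update(range(int(lo), int(hi or lo) + 1))
        vlan = sections.get(f"vlan {guest}")
        checks = [
            (vlan is None, "guest VLAN not created"),
            (vlan is not None and "supervlan" in vlan, "guest VLAN is a super VLAN"),
            ("port link-type hybrid" not in body, "port is not a hybrid port"),
            (guest not in untagged, "guest VLAN is not an untagged member"),
            ("mac-vlan enable" not in body, "MAC-based VLAN is not enabled"),
        ]
        report[head.split()[1]] = [msg for failed, msg in checks if failed]
    return report

print(audit_guest_vlans(SAMPLE_CONFIG))
```

An empty problem list means the port meets all three prerequisites and its guest VLAN is not a super VLAN.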