Configuring a MAC authentication guest VLAN

Restrictions and guidelines

When you configure the MAC authentication guest VLAN on a port, follow the guidelines in Table 18.

Table 18: Relationships of the MAC authentication guest VLAN with other security features

Feature

Relationship description

Reference

Quiet feature of MAC authentication

The MAC authentication guest VLAN feature has higher priority.

When a user fails MAC authentication, the user can access the resources in the guest VLAN. The user's MAC address is not marked as a silent MAC address.

See "Configuring MAC authentication timers."

Super VLAN

You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN.

See Layer 2—LAN Switching Configuration Guide.

Port intrusion protection

The guest VLAN feature has higher priority than the block MAC action but lower priority than the shutdown port action of the port intrusion protection feature.

See "Configuring port security."

Prerequisites

Before you configure the MAC authentication guest VLAN on a port, complete the following tasks:

For information about VLAN configuration, see Layer 2—LAN Switching Configuration Guide.

Procedure

  1. Enter system view.

    system-view

  2. Enter interface view.

    interface interface-type interface-number

  3. Specify the MAC authentication guest VLAN on the port.

    mac-authentication guest-vlan guest-vlan-id

    By default, no MAC authentication guest VLAN is specified on a port.

    You can configure only one MAC authentication guest VLAN on a port. The MAC authentication guest VLANs on different ports can be different.

  4. (Optional.) Set the authentication interval for users in the MAC authentication guest VLAN.

    mac-authentication guest-vlan auth-period period-value

    The default setting is 30 seconds.