Configuring a MAC authentication critical VLAN
Restrictions and guidelines
When you configure the MAC authentication critical VLAN on a port, follow the guidelines in Table 19.
Table 19: Relationships of the MAC authentication critical VLAN with other security features
Feature | Relationship description | Reference |
---|---|---|
Quiet feature of MAC authentication | The MAC authentication critical VLAN feature has higher priority. When a user fails MAC authentication because no RADIUS authentication server is reachable, the user can access the resources in the critical VLAN. The user's MAC address is not marked as a silent MAC address. | |
Super VLAN | You cannot specify a VLAN as both a super VLAN and a MAC authentication critical VLAN. | See Layer 2—LAN Switching Configuration Guide. |
Port intrusion protection | The critical VLAN feature has higher priority than the block MAC action but lower priority than the shutdown port action of the port intrusion protection feature. | See "Configuring port security." |
Prerequisites
Before you configure the MAC authentication critical VLAN on a port, complete the following tasks:
- Create the VLAN to be specified as the MAC authentication critical VLAN.
- Configure the port as a hybrid port, and configure the VLAN as an untagged member on the port.
- Enable MAC-based VLAN on the port.
For information about VLAN configuration, see Layer 2—LAN Switching Configuration Guide.
Procedure
1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Specify the MAC authentication critical VLAN on the port.
   mac-authentication critical vlan critical-vlan-id
   By default, no MAC authentication critical VLAN is specified on a port.
You can configure only one MAC authentication critical VLAN on a port. The MAC authentication critical VLANs on different ports can be different.
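The following Python check is an added example, not part of the original guide: it reads a saved configuration and reports, for each port that sets a MAC authentication critical VLAN, which of the prerequisites above and the super VLAN restriction from Table 19 are unmet. The configuration text is constructed, and its layout (sections separated by `#` lines, and the `supervlan`, `port link-type hybrid`, `port hybrid vlan ... untagged` and `mac-vlan enable` lines) is an assumption about how the device renders these settings.

```python
import re

# Constructed sample, laid out like "display current-configuration" output
# (assumption: sections are separated by lines that hold only "#").
SAMPLE_CONFIG = """\
vlan 100
#
vlan 200
 supervlan
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 1 100 untagged
 mac-vlan enable
 mac-authentication critical vlan 100
#
interface GigabitEthernet1/0/2
 port link-type access
 mac-authentication critical vlan 200
"""

def audit_critical_vlans(config):
    """Return {port: [unmet requirements]} for ports with a critical VLAN."""
    sections = [s.strip().splitlines()
                for s in re.split(r"(?m)^#[ \t]*$", config) if s.strip()]
    # VLAN ID -> True when that VLAN is configured as a super VLAN
    vlans = {int(s[0].split()[1]): any(l.strip() == "supervlan" for l in s)
             for s in sections if re.fullmatch(r"vlan \d+", s[0])}
    findings = {}
    for head, *body in sections:
        lines = [l.strip() for l in body]
        crit = [l for l in lines if l.startswith("mac-authentication critical vlan ")]
        if not head.startswith("interface ") or not crit:
            continue
        vid, untagged = int(crit[0].split()[-1]), set()
        for l in lines:  # collect untagged hybrid memberships, expanding "a to b"
            if l.startswith("port hybrid vlan ") and l.endswith(" untagged"):
                for a, b in re.findall(r"(\d+)(?: to (\d+))?", l):
                    untagged.update(range(int(a), int(b or a) + 1))
        checks = {
            "critical VLAN has not been created": vid in vlans,
            "critical VLAN is also a super VLAN": not vlans.get(vid, False),
            "port is not a hybrid port": "port link-type hybrid" in lines,
            "critical VLAN is not an untagged member on the port": vid in untagged,
            "MAC-based VLAN is not enabled on the port": "mac-vlan enable" in lines,
        }
        findings[head.split()[1]] = [msg for msg, ok in checks.items() if not ok]
    return findings
```

An empty list for a port means every checked requirement is met; ports without a critical VLAN are not reported.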