Configuring the escape critical VSI feature
About the escape critical VSI feature
Use this feature in a VXLAN network where the following conditions exist:
The device uses remote RADIUS servers for the authentication and authorization of 802.1X or MAC authentication users.
802.1X or MAC authentication users fail authentication or authorization because the remote RADIUS server that the device selects for them functions incorrectly.
The escape critical VSI feature logs off online MAC authentication users that have been assigned authorization URLs.
When 802.1X or MAC authentication for a user is triggered on a port, the escape critical VSI feature enables the device to perform the following operations:
Dynamically creates an Ethernet service instance that matches the user's access VLAN and MAC address on the user's access port.
Maps the Ethernet service instance to the 802.1X or MAC authentication critical VSI on the port.
The user is assigned to the corresponding critical VSI. The user can come online without performing authentication and access resources in the VXLAN associated with the critical VSI.
Restrictions and guidelines
The escape critical VSI feature does not affect 802.1X or MAC authentication users that are already online before this feature is enabled.
For the escape critical VSI feature to function correctly on a port, make sure the port does not have the following settings:
Web authentication.
802.1X guest VLAN, 802.1X Auth-Fail VLAN, and 802.1X critical VLAN.
MAC authentication guest VLAN and MAC authentication critical VLAN.
The escape critical VSI feature does not take effect on a new 802.1X or MAC authentication user if any of the following conditions exists:
The 802.1X client and the device use different EAP message handling methods.
802.1X MAC address binding is enabled on the user's access port, but the MAC address of the 802.1X user is not bound to the port.
The user's MAC address is an all-zero, all-F, or multicast MAC address.
This feature can be enabled globally or on a port. The global escape critical VSI feature takes effect on all ports, and the port-specific escape critical VSI feature takes effect only on the specified port.
When you disable the escape critical VSI feature both globally and on a port, the device logs off the users in the 802.1X critical VSI and the MAC authentication critical VSI on the port. Users must perform authentication to come online again on the port.
Prerequisites
Before you enable the escape critical VSI feature, configure the 802.1X critical VSI and the MAC authentication critical VSI on the access port of each 802.1X or MAC authentication user.
Procedure
1. Enter system view.
   system-view
2. Enable the escape critical VSI feature. Perform one or both of the following tasks:
   Enable the global escape critical VSI feature:
     port-security global escape critical-vsi
   Enable the escape critical VSI feature on a port by executing the following commands in sequence:
     interface interface-type interface-number
     port-security escape critical-vsi
   By default, the escape critical VSI feature is disabled.
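The following is an added example, not part of the H3C guide: a small pre-deployment checker that encodes the prerequisites and restrictions listed above, so an operator can tell in advance whether a new 802.1X or MAC authentication user on a given port would be placed in the critical VSI. The Port data model, the field names and the sample MAC addresses are assumptions made for this example; it accepts both H3C-style (xxxx-xxxx-xxxx) and colon-separated MAC formats.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """Hypothetical model of the port settings relevant to the escape critical VSI feature."""
    name: str
    escape_enabled: bool = False        # port-security escape critical-vsi configured
    dot1x_critical_vsi: str = ""        # prerequisite: 802.1X critical VSI name
    mac_auth_critical_vsi: str = ""     # prerequisite: MAC authentication critical VSI name
    web_auth: bool = False              # conflicting setting
    dot1x_vlans: tuple = ()             # 802.1X guest/Auth-Fail/critical VLANs (conflicting)
    mac_auth_vlans: tuple = ()          # MAC authentication guest/critical VLANs (conflicting)
    dot1x_mac_binding: bool = False     # 802.1X MAC address binding enabled on the port
    bound_macs: frozenset = field(default_factory=frozenset)

def norm_mac(mac: str) -> bytes:
    """Parse 'xxxx-xxxx-xxxx' or 'xx:xx:xx:xx:xx:xx' into 6 raw bytes."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return bytes.fromhex(digits)

def mac_problem(mac: str) -> str:
    """Return why this MAC is ineligible for the critical VSI, or '' if it is eligible."""
    b = norm_mac(mac)
    if b == bytes(6):
        return "all-zero MAC"
    if b == b"\xff" * 6:
        return "all-F MAC"
    if b[0] & 1:                        # I/G bit set in the first octet -> group address
        return "multicast MAC"
    return ""

def port_problems(port: Port) -> list:
    """Missing prerequisites and conflicting settings on the port."""
    p = []
    if not port.dot1x_critical_vsi: p.append("no 802.1X critical VSI")
    if not port.mac_auth_critical_vsi: p.append("no MAC authentication critical VSI")
    if port.web_auth: p.append("web authentication configured")
    if port.dot1x_vlans: p.append("802.1X guest/Auth-Fail/critical VLAN configured")
    if port.mac_auth_vlans: p.append("MAC authentication guest/critical VLAN configured")
    return p

def escape_applies(port: Port, global_enabled: bool, mac: str,
                   auth: str = "dot1x", eap_match: bool = True) -> list:
    """Return [] if a new user with this MAC would get the critical VSI, else the reasons it would not."""
    reasons = port_problems(port)
    if not (global_enabled or port.escape_enabled):
        reasons.append("feature disabled globally and on port")
    if auth == "dot1x" and not eap_match:
        reasons.append("EAP message handling method mismatch")
    if auth == "dot1x" and port.dot1x_mac_binding and \
            norm_mac(mac) not in {norm_mac(m) for m in port.bound_macs}:
        reasons.append("MAC not bound to port")
    why = mac_problem(mac)
    if why: reasons.append(why)
    return reasons
```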