Configuring the escape critical VSI feature

About the escape critical VSI feature

Use this feature in a VXLAN network where the following conditions exist:

The escape critical VSI feature logs off online MAC authentication users that have been assigned authorization URLs.

When 802.1X or MAC authentication for a user is triggered on a port, the escape critical VSI feature enables the device to perform the following operations:

  1. Dynamically create an Ethernet service instance that matches the user's access VLAN and MAC address on the user's access port.

  2. Map the Ethernet service instance to the 802.1X or MAC authentication critical VSI on the port.

The user is assigned to the corresponding critical VSI. The user can come online without performing authentication and access resources in the VXLAN associated with the critical VSI.

Restrictions and guidelines

The escape critical VSI feature does not affect 802.1X or MAC authentication users that are already online before this feature is enabled.

For the escape critical VSI feature to function correctly on a port, make sure the port does not have the following settings:

The escape critical VSI feature does not take effect on a new 802.1X or MAC authentication user if any of the following conditions exists:

This feature can be enabled globally or on a port. The global escape critical VSI feature takes effect on all ports, and the port-specific escape critical VSI feature takes effect only on the specified port.

When you disable the escape critical VSI feature both globally and on a port, the device logs off the users in the 802.1X critical VSI and the MAC authentication critical VSI on the port. Users must perform authentication to come online again on the port.

Prerequisites

Before you enable the escape critical VSI feature, configure the 802.1X critical VSI and the MAC authentication VSI on the access port of each 802.1X or MAC authentication user.

Procedure

  1. Enter system view.

    system-view

  2. Enable the escape critical VSI feature.

    • Enable the global escape critical VSI feature.

      port-security global escape critical-vsi

    • Execute the following commands in sequence to enable the escape critical VSI feature on a port:

      interface interface-type interface-number

      port-security escape critical-vsi

    By default, the escape critical VSI feature is disabled.
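
Because the feature lets users come online without authenticating, it is worth auditing where it is in effect. The following is an added example, not part of the original procedure or the vendor's tooling: a Python check that reads a saved configuration and reports, per interface, whether the escape critical VSI feature applies through the global command, the port command, or both. The configuration layout (section headers at column 0, sub-commands indented, "#" separators), the function name, and the sample text are assumptions made for illustration.

```python
import re

# Constructed sample in the style of a saved configuration (assumed layout:
# section headers at column 0, their sub-commands indented, "#" separators).
SAMPLE_CONFIG = """\
#
 port-security global escape critical-vsi
#
interface GigabitEthernet1/0/1
 port-security escape critical-vsi
#
interface GigabitEthernet1/0/2
 description uplink
#
"""

GLOBAL_CMD = "port-security global escape critical-vsi"
PORT_CMD = "port-security escape critical-vsi"


def audit_escape_critical_vsi(config_text):
    """Return (global_enabled, {interface: 'port+global'|'port'|'global'|'disabled'})."""
    global_enabled, current, port_enabled = False, None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # Column-0 line starts a new section; only interface sections are tracked.
            m = re.match(r"interface\s+(\S+)$", line)
            current = m.group(1) if m else None
            if current is not None:
                port_enabled.setdefault(current, False)
        if line == GLOBAL_CMD:
            global_enabled = True
        elif line == PORT_CMD and current is not None:
            port_enabled[current] = True
    result = {}
    for ifname, on_port in port_enabled.items():
        if on_port:
            result[ifname] = "port+global" if global_enabled else "port"
        else:
            result[ifname] = "global" if global_enabled else "disabled"
    return global_enabled, result


if __name__ == "__main__":
    for ifname, state in audit_escape_critical_vsi(SAMPLE_CONFIG)[1].items():
        print(ifname, state)
```

An interface reported as port+global stays covered by the feature if only one of the two commands is removed, which matters because users in the critical VSIs are logged off only when the feature is disabled both globally and on the port.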