
authentication critical-vlan

Function

The authentication critical-vlan command configures a critical VLAN on an interface.

The undo authentication critical-vlan command deletes a critical VLAN from an interface.

By default, no critical VLAN is configured on an interface.

Format

In the system view:

authentication critical-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo authentication critical-vlan [ vlan-id ] interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

authentication critical-vlan vlan-id

undo authentication critical-vlan [ vlan-id ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vlan-id | Specifies the VLAN ID of a critical VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface { interface-type interface-number1 [ to interface-number2 ] } | Specifies the interface type and number. interface-type specifies the interface type; interface-number1 specifies the number of the first interface; interface-number2 specifies the number of the last interface. | - |

Views

System view, Ethernet interface view, GE interface view, MultiGE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A critical VLAN is authorized for users when the authentication server does not respond.

When the access device cannot communicate with the RADIUS server or the RADIUS server fails, the authentication process on the network is interrupted and users cannot be authenticated. After the critical VLAN function of the device is enabled, the device sets the state flag of the authentication server to Down and adds the users to the critical VLAN. The users can then access resources in the critical VLAN without being authenticated.

Precautions

  • This command is only valid for 802.1X authentication and MAC address authentication.
  • If the free-ip function is configured, the critical VLAN function becomes invalid immediately.
  • To make the VLAN authorization function take effect, the link type and access control mode of the authentication interface must meet the following requirements:
    • When the link type is hybrid in untagged mode, the access control mode can be based on the MAC address or interface.
    • When the link type is access or trunk, the access control mode can only be based on the interface.
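
The checks from the Parameters table and the Precautions above, applied to a configuration snippet before it is deployed. This is an added example, not Huawei's code: the sample configuration is constructed, and the `dot1x free-ip` line, the interface-view `dot1x port-method` form, and the helper names `stanzas`, `first` and `audit` are assumptions.

```python
import re

# Constructed sample (not from a real device). The "free-ip" line and the
# interface-view "dot1x port-method" form are assumptions about the syntax.
SAMPLE = """\
dot1x free-ip 192.0.2.0 24
interface GigabitEthernet0/0/1
 port link-type hybrid
 dot1x port-method mac
 authentication critical-vlan 20
interface GigabitEthernet0/0/2
 port link-type trunk
 dot1x port-method mac
 authentication critical-vlan 20
interface GigabitEthernet0/0/3
 port link-type access
 dot1x port-method port
 authentication critical-vlan 4095
"""

def stanzas(config):
    """Map each 'interface X' header to its indented sub-commands."""
    blocks = re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M)
    return {name: [c.strip() for c in body.splitlines()] for name, body in blocks}

def first(cmds, pattern):
    """Group 1 of the first command that fully matches pattern, else None."""
    hits = [m.group(1) for m in (re.fullmatch(pattern, c) for c in cmds) if m]
    return hits[0] if hits else None

def audit(config):
    """Return (interface, finding) pairs for critical-VLAN settings."""
    findings = []
    if re.search(r"^\s*(?!undo\b)\S.*\bfree-ip\b", config, re.M):
        findings.append(("global", "free-ip configured: critical VLAN is invalid"))
    for name, cmds in stanzas(config).items():
        vlan = first(cmds, r"authentication critical-vlan (\S+)")
        if vlan is None:
            continue
        if not (vlan.isdigit() and 1 <= int(vlan) <= 4094):
            findings.append((name, f"critical VLAN {vlan} outside 1-4094"))
        link, method = first(cmds, r"port link-type (\S+)"), first(cmds, r"dot1x port-method (\S+)")
        # An unset mode is flagged too: this script does not assume the device default.
        if link in ("access", "trunk") and method != "port":
            findings.append((name, f"{link} link needs interface-based access control"))
    return findings

if __name__ == "__main__":
    for where, finding in audit(SAMPLE):
        print(f"{where}: {finding}")
```

The hybrid "untagged mode" condition is not checked here, because it depends on VLAN membership commands that the page does not show.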

Example

# In the system view, configure 802.1X authentication with the port-based access method on GE0/0/1 and set the critical VLAN to VLAN 20.

<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] dot1x enable interface gigabitethernet 0/0/1
[HUAWEI] dot1x port-method port interface gigabitethernet 0/0/1
[HUAWEI] authentication critical-vlan 20 interface gigabitethernet 0/0/1

# In the interface view, enable MAC address authentication on GE0/0/1 and set the critical VLAN to VLAN 20.

<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] mac-authen
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] mac-authen
[HUAWEI-GigabitEthernet0/0/1] authentication critical-vlan 20
Copyright © Huawei Technologies Co., Ltd.