
authentication guest-vlan

Function

The authentication guest-vlan command configures a guest VLAN on an interface.

The undo authentication guest-vlan command deletes a guest VLAN from an interface.

By default, no guest VLAN is configured on an interface.

Format

In the system view:

authentication guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo authentication guest-vlan [ vlan-id ] interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

authentication guest-vlan vlan-id

undo authentication guest-vlan [ vlan-id ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vlan-id | Specifies the ID of a guest VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface { interface-type interface-number1 [ to interface-number2 ] } | Specifies the interface type and number. interface-type specifies the interface type; interface-number1 specifies the number of the first interface; interface-number2 specifies the number of the last interface. | - |

Views

System view, Ethernet interface view, GE interface view, MultiGE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

During 802.1X authentication and MAC address authentication, a guest VLAN allows users to access limited resources without authentication. The device supports the guest VLAN function.

Users in the guest VLAN can access resources in the guest VLAN without authentication but must be authenticated when they access external resources.

  • The restrict VLAN is for the users who fail the authentication, while the guest VLAN is for the users who are not authenticated.

  • If only a guest VLAN is configured but no restrict VLAN is configured, the users who fail the authentication are added to the guest VLAN.

Prerequisites

The VLAN to be configured as the guest VLAN must have been created.

802.1X authentication has been enabled globally and on the interface using the dot1x enable command, or MAC address authentication has been enabled globally and on the interface using the mac-authen command.
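
The prerequisites above, together with the vlan-id range, can be checked offline against a configuration file before it is deployed. The Python script below is an added example, not Huawei code. The configuration layout, the sample text and the names audit_guest_vlans, SAMPLE_CONFIG and AUTH_CMDS are assumptions made for illustration.

```python
# Constructed sample. Assumed layout: interface-view commands are indented
# under an "interface <name>" line; system-view commands are not indented.
SAMPLE_CONFIG = """\
vlan batch 20 30
dot1x enable
interface GigabitEthernet0/0/1
 dot1x enable
 authentication guest-vlan 20
interface GigabitEthernet0/0/2
 mac-authen
 authentication guest-vlan 40
interface GigabitEthernet0/0/3
 authentication guest-vlan 30
"""
AUTH_CMDS = ("dot1x enable", "mac-authen")

def audit_guest_vlans(config):
    """Return {interface: [findings]} for each interface with a guest VLAN."""
    created, global_auth, stanzas, current = set(), set(), {}, None
    for line in config.splitlines():
        words, cmd = line.split(), " ".join(line.split())
        if line.startswith(" "):                # interface-view command
            if current is not None:
                current.append(cmd)
            continue
        current = None                          # back in the system view
        if words[:2] == ["vlan", "batch"]:      # "to" ranges are not expanded
            created.update(int(w) for w in words[2:] if w.isdigit())
        elif cmd in AUTH_CMDS:                  # method enabled globally
            global_auth.add(cmd)
        elif words[:1] == ["interface"] and len(words) == 2:
            current = stanzas.setdefault(words[1], [])
    report = {}
    for name, cmds in stanzas.items():
        ids = [int(c.split()[-1]) for c in cmds
               if c.startswith("authentication guest-vlan ")]
        if not ids:
            continue
        vid, findings = ids[0], []
        if not 1 <= vid <= 4094:
            findings.append(f"vlan-id {vid} is outside 1-4094")
        elif vid not in created:
            findings.append(f"VLAN {vid} has not been created")
        on_port = {c for c in cmds if c in AUTH_CMDS}
        if not on_port:
            findings.append("no 802.1X or MAC address authentication on the interface")
        elif not on_port & global_auth:         # same method must be on globally
            findings.append(f"{', '.join(sorted(on_port))} is not enabled globally")
        report[name] = findings
    return report
```

An empty list for an interface means both prerequisites are met for its guest VLAN. The link-type and access-control-mode precautions are not checked.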

Precautions

  • The guest VLAN function can take effect only in 802.1X and MAC address authentication.
  • A super VLAN cannot be configured as a guest VLAN.
  • When free IP subnets are configured, the guest VLAN function becomes invalid immediately.
  • If the authentication function of the built-in Portal server is enabled, the guest VLAN cannot be configured on interfaces.
  • The guest VLAN function takes effect only when a user sends untagged packets to the device.
  • Different interfaces can be configured with different guest VLANs. After a guest VLAN is configured on an interface, the guest VLAN cannot be deleted.
  • To make the VLAN authorization function take effect, the link type and access control mode of the authentication interface must meet the following requirements:
    • When the link type is hybrid in untagged mode, the access control mode can be based on the MAC address or interface.
    • When the link type is access or trunk, the access control mode can only be based on the interface.

Example

# In the system view, configure 802.1X authentication with the port-based access method on GE0/0/1 and set the guest VLAN to VLAN 20.
<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] dot1x enable interface gigabitethernet 0/0/1
[HUAWEI] dot1x port-method port interface gigabitethernet 0/0/1
[HUAWEI] authentication guest-vlan 20 interface gigabitethernet 0/0/1

# In the interface view, enable MAC address authentication on GE0/0/1 and set the guest VLAN to VLAN 20.

<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] mac-authen
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] mac-authen
[HUAWEI-GigabitEthernet0/0/1] authentication guest-vlan 20
Copyright © Huawei Technologies Co., Ltd.