authentication restrict-vlan

Function

The authentication restrict-vlan command configures a restrict VLAN on an interface.

The undo authentication restrict-vlan command deletes the restrict VLAN from an interface.

By default, no restrict VLAN is configured on an interface.

Format

In the system view:

authentication restrict-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo authentication restrict-vlan [ vlan-id ] interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

authentication restrict-vlan vlan-id

undo authentication restrict-vlan [ vlan-id ]

Parameters

Parameter: vlan-id
Description: Specifies the ID of a restrict VLAN.
Value: The value is an integer that ranges from 1 to 4094.

Parameter: interface { interface-type interface-number1 [ to interface-number2 ] }
Description: Specifies the interface type and number.
  • interface-type specifies the interface type.
  • interface-number1 specifies the number of the first interface.
  • interface-number2 specifies the number of the last interface.
Value: -

Views

System view, Ethernet interface view, GE interface view, MultiGE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can configure a restrict VLAN on a device interface so that users who fail authentication can still access some network resources (for example, to update the virus library). Users who fail authentication are added to the restrict VLAN and can access only the resources in that VLAN. Here, "fail authentication" means that the authentication server rejects the user for some reason (for example, the user entered an incorrect password); it does not cover cases where authentication times out or the network is disconnected.

  • The restrict VLAN is for the users who fail the authentication, while the guest VLAN is for the users who are not authenticated.

  • If only a guest VLAN is configured but no restrict VLAN is configured, the users who fail the authentication are added to the guest VLAN.

Prerequisites

The VLAN to be configured as the restrict VLAN must have been created.

Precautions

  • A super VLAN cannot be configured as a restrict VLAN.
  • When free IP subnets are configured, the restrict VLAN function becomes invalid immediately.
  • If the authentication function of the built-in Portal server is enabled, the restrict VLAN cannot be configured on interfaces.
  • The restrict VLAN function takes effect only when a user sends untagged packets to the device.
  • To make the VLAN authorization function take effect, the link type and access control mode of the authentication interface must meet the following requirements:
    • When the link type is hybrid in untagged mode, the access control mode can be based on the MAC address or interface.
    • When the link type is access or trunk, the access control mode can only be based on the interface.

Example

# In the system view, configure 802.1X authentication in port-based access control mode on GE0/0/1 and set the restrict VLAN to VLAN 20.

<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] dot1x enable interface gigabitethernet 0/0/1
[HUAWEI] dot1x port-method port interface gigabitethernet 0/0/1
[HUAWEI] authentication restrict-vlan 20 interface gigabitethernet 0/0/1
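The prerequisites and precautions above are easy to violate silently: the command is accepted, but the restrict VLAN never takes effect. The following Python script is an added example (not Huawei's code or tooling) that lints a Huawei-style configuration text for the conditions this page states: the restrict VLAN must exist, must not be a super VLAN, and the interface's link type and access control mode must match (access or trunk requires interface-based control; hybrid allows MAC- or interface-based control). It understands both the interface-view and the system-view forms of authentication restrict-vlan. Assumptions: the sample configuration is constructed for this example; the super VLAN keyword aggregate-vlan in the VLAN view and MAC-based control as the default dot1x port-method are assumed platform behaviour, not stated on this page.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample configuration (not the page's example verbatim). GE0/0/1 is
# correct; the other interfaces each violate one of the page's precautions.
SAMPLE_CONFIG = """\
#
vlan batch 20 30
#
vlan 30
 aggregate-vlan
#
dot1x enable
authentication restrict-vlan 20 interface gigabitethernet 0/0/4
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 dot1x enable
 dot1x port-method port
 authentication restrict-vlan 20
#
interface GigabitEthernet0/0/2
 port link-type trunk
 dot1x enable
 dot1x port-method mac
 authentication restrict-vlan 30
#
interface GigabitEthernet0/0/3
 port link-type access
 dot1x enable
 authentication restrict-vlan 40
#
"""


def norm(name: str) -> str:
    """Normalise 'gigabitethernet 0/0/1' and 'GigabitEthernet0/0/1' to one key."""
    return re.sub(r"\s+", "", name).lower()


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand 'vlan batch' arguments such as '20 30 to 35' into a set of IDs."""
    out: Set[int] = set()
    tokens = spec.split()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            out.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            out.add(int(tokens[i]))
            i += 1
    return out


def parse_config(text: str) -> Tuple[Set[int], Set[int], Dict[str, Dict[str, object]]]:
    """Collect created VLANs, super VLANs and per-interface 802.1X settings."""
    vlans: Set[int] = set()
    super_vlans: Set[int] = set()
    interfaces: Dict[str, Dict[str, object]] = {}
    current: Optional[Tuple[str, object]] = None  # ("vlan", id) or ("iface", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":      # '#' separates configuration blocks
            current = None
            continue
        m = re.match(r"vlan batch (.+)$", line)
        if m:
            vlans.update(expand_vlan_list(m.group(1)))
            continue
        m = re.match(r"vlan (\d+)$", line)
        if m:
            vid = int(m.group(1))
            vlans.add(vid)
            current = ("vlan", vid)
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            name = norm(m.group(1))
            interfaces.setdefault(name, {})
            current = ("iface", name)
            continue
        # System-view form: authentication restrict-vlan <id> interface <type> <number>
        m = re.match(r"authentication restrict-vlan (\d+) interface (\S+) (\S+)$", line)
        if m:
            name = norm(m.group(2) + m.group(3))
            interfaces.setdefault(name, {})["restrict_vlan"] = int(m.group(1))
            continue
        if current and current[0] == "vlan" and line == "aggregate-vlan":
            super_vlans.add(current[1])      # assumed super VLAN keyword
        elif current and current[0] == "iface":
            iface = interfaces[current[1]]
            for key, pattern in (("link_type", r"port link-type (\w+)$"),
                                 ("port_method", r"dot1x port-method (\w+)$")):
                m = re.match(pattern, line)
                if m:
                    iface[key] = m.group(1)
            m = re.match(r"authentication restrict-vlan (\d+)$", line)  # interface-view form
            if m:
                iface["restrict_vlan"] = int(m.group(1))
    return vlans, super_vlans, interfaces


def check_restrict_vlans(text: str) -> Dict[str, List[str]]:
    """Return, per interface with a restrict VLAN, the precautions it violates."""
    vlans, super_vlans, interfaces = parse_config(text)
    findings: Dict[str, List[str]] = {}
    for name, cfg in interfaces.items():
        vid = cfg.get("restrict_vlan")
        if vid is None:
            continue
        problems: List[str] = []
        if vid not in vlans:
            problems.append(f"restrict VLAN {vid} is not created (prerequisite)")
        if vid in super_vlans:
            problems.append(f"restrict VLAN {vid} is a super VLAN (not allowed)")
        link = cfg.get("link_type")
        method = cfg.get("port_method", "mac")   # assumed default: MAC-based control
        if link is None:
            problems.append("port link-type not configured; verify hybrid (untagged), access or trunk")
        elif link in ("access", "trunk") and method != "port":
            problems.append(f"link-type {link} requires interface-based control, found {method}-based")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for iface, problems in check_restrict_vlans(SAMPLE_CONFIG).items():
        print(iface, "OK" if not problems else "; ".join(problems))
```

Run it against a saved `display current-configuration` output instead of the sample to audit a real device; any interface that reports a problem is one where users failing authentication will not land in the restrict VLAN as intended. The script does not check the free IP subnet and built-in Portal server conditions, which are not visible from these commands alone.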
Copyright © Huawei Technologies Co., Ltd.