3com 5500-ei pwr Installation Instruction

The users of the port can initiate 802.1x authentication. If a user passes authentication, the port leaves the guest VLAN and is added to the original VLAN (that is, the one the port belonged to before it was added to the guest VLAN). The port then does not handle other users' authentication requests.
MAC address authentication is also allowed. However, MAC authentication in this case cannot be triggered by user requests; the switch will use the first MAC address learned in the guest VLAN to initiate MAC address authentication at a certain interval. If the authentication succeeds, the port leaves the guest VLAN.
Follow these steps to configure a guest VLAN for a port in macAddressOrUserLoginSecure mode: 

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Set the interval at which the switch triggers MAC address authentication after a port is added to the guest VLAN | port-security timer guest-vlan-reauth interval | Optional |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Set the security mode to macAddressOrUserLoginSecure | port-security port-mode userlogin-secure-or-mac | Required |
| Specify a VLAN as the guest VLAN of the port | port-security guest-vlan vlan-id | Required |

Note that:
- Only an existing VLAN can be specified as a guest VLAN. Make sure the guest VLAN of a port contains the resources that the users need.
- If one user of the port has passed or is undergoing authentication, you cannot specify a guest VLAN for it.
- When a user using a port with a guest VLAN specified fails the authentication, the port is added to the guest VLAN and users of the port can access only the resources in the guest VLAN.
- Multiple users may connect to one port in the macAddressOrUserLoginSecure mode for authentication; however, after a guest VLAN is specified for the port, only one user can pass the security authentication. In this case, the authentication client software of the other 802.1x users displays messages about the failure; MAC address authentication does not have any client software and therefore no such messages will be displayed.
- To change the security mode of a port that is assigned to a guest VLAN from macAddressOrUserLoginSecure to another mode, first execute the undo port-security guest-vlan command to remove the guest VLAN configuration.
- For a port configured with both the port-security guest-vlan and port-security intrusion-mode disableport commands, when authentication of a user fails, only the intrusion detection feature is triggered. The port is not added to the specified guest VLAN.
- It is not recommended to configure the port-security guest-vlan and port-security intrusion-mode blockmac commands simultaneously for a port, because when the authentication of a user fails, the MAC address blocking feature is triggered and packets of the user are dropped, making the user unable to access the guest VLAN.
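
The notes above can be checked mechanically against a saved configuration. The following is an added example, not part of the 3Com manual: a small Python audit that flags guest VLAN ports whose other settings stop the guest VLAN from working as described. The sample configuration is constructed, and its interface names, VLAN IDs and stanza layout (indented commands under "interface ...", VLANs declared as "vlan N") are assumptions.

```python
import re

# Constructed sample in the style of a saved switch configuration; the
# interface names, VLAN IDs and stanza layout are assumptions for illustration.
SAMPLE_CONFIG = """\
vlan 10
#
interface Ethernet1/0/1
 port-security port-mode userlogin-secure-or-mac
 port-security guest-vlan 10
#
interface Ethernet1/0/2
 port-security port-mode userlogin-secure-or-mac
 port-security guest-vlan 10
 port-security intrusion-mode disableport
#
interface Ethernet1/0/3
 port-security port-mode userlogin-secure-or-mac
 port-security guest-vlan 20
 port-security intrusion-mode blockmac
"""

def audit_guest_vlan(config):
    """Return {interface: [findings]} for ports that set port-security guest-vlan."""
    vlans = set(re.findall(r"^vlan (\d+)\s*$", config, re.M))
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ports[current] = []
        elif current and line.startswith(" "):
            ports[current].append(line.strip())
        else:
            current = None  # "#" or a global command ends the stanza
    findings = {}
    for port, cmds in ports.items():
        guest = [c.split()[-1] for c in cmds if c.startswith("port-security guest-vlan ")]
        if not guest:
            continue
        issues = []
        if "port-security port-mode userlogin-secure-or-mac" not in cmds:
            issues.append("guest VLAN set without macAddressOrUserLoginSecure mode")
        if guest[0] not in vlans:
            issues.append(f"guest VLAN {guest[0]} is not defined on the switch")
        if "port-security intrusion-mode disableport" in cmds:
            issues.append("disableport: failed users never reach the guest VLAN")
        if "port-security intrusion-mode blockmac" in cmds:
            issues.append("blockmac: failed user's packets are dropped")
        findings[port] = issues
    return findings
```

An empty findings list for a port means its guest VLAN settings are consistent with the notes above.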