Configuration restrictions and guidelines
When you configure an 802.1X guest VLAN, follow these restrictions and guidelines:
The following matrix shows the location restrictions for the interface configured with 802.1X guest VLAN and the interface connected to the external network on an eIRF system:
Location of the interface configured with 802.1X guest VLAN
Location restrictions of the interface connected to the external network
A PEX
The interface cannot be on an interface module of the parent fabric or on other PEXs.
An interface module on the parent fabric
The interface cannot be on PEXs.
For more information about eIRF, see Virtual Technologies Configuration Guide.
You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.
Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X guest VLAN on a port. The assignment makes sure the port can correctly process incoming VLAN-tagged traffic.
When you configure multiple security features on a port, follow the guidelines in Table 8.
Table 8: Relationships of the 802.1X guest VLAN and other security features
Feature
Relationship description
Reference
MAC-based VLAN
The MAC-based VLAN has higher priority than the 802.1X guest VLAN on a port that performs port-based access control.
See Layer 2—LAN Switching Configuration Guide.
Super VLAN
You cannot specify a VLAN as both a super VLAN and an 802.1X guest VLAN.
See Layer 2—LAN Switching Configuration Guide.
802.1X Auth-Fail VLAN on a port that performs MAC-based access control
The 802.1X Auth-Fail VLAN has higher priority than the 802.1X guest VLAN.
See "802.1X VLAN manipulation."
Port intrusion protection actions on a port that performs MAC-based access control
The 802.1X guest VLAN feature has higher priority than the block MAC action.
The 802.1X guest VLAN feature has lower priority than the shutdown port action of the port intrusion protection feature.
See "Configuring port security."