Configuring a MAC authentication critical VLAN
You must configure the MAC authentication critical VLAN on a hybrid port. Before you configure the MAC authentication critical VLAN on a hybrid port, complete the following tasks:
Enable MAC authentication globally and on the port.
Enable MAC-based VLAN on the port.
Create the VLAN to be specified as the MAC authentication critical VLAN.
Configure the VLAN as an untagged member on the port.
When you configure the MAC authentication critical VLAN on a port, follow the guidelines in Table 13.
Table 13: Relationships of the MAC authentication critical VLAN with other security features
Feature | Relationship description | Reference |
|---|---|---|
Quiet feature of MAC authentication | The MAC authentication critical VLAN feature has higher priority. When a user fails MAC authentication because no RADIUS authentication server is reachable, the user can access the resources in the critical VLAN. The user's MAC address is not marked as a silent MAC address. | |
Super VLAN | You cannot specify a VLAN as both a super VLAN and a MAC authentication critical VLAN. | See Layer 2—LAN Switching Configuration Guide. |
Port intrusion protection | The critical VLAN feature has higher priority than the block MAC action but lower priority than the shutdown port action of the port intrusion protection feature. | See "Configuring port security." |
To configure the MAC authentication critical VLAN on a port:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Ethernet interface view. | interface interface-type interface-number | N/A |
3. Specify the MAC authentication critical VLAN on the port. | mac-authentication critical vlan critical-vlan-id | By default, no MAC authentication critical VLAN exists. You can configure only one MAC authentication critical VLAN on a port. |