R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

101

102

103

104

105

106

107

108

109

110

Feature Relationshi

descri

tion

Reference

Port intrusion protection on

a port that performs

MAC-based access control

The 802.1X Auth-Fail VLAN function has

higher priority than the block MAC action

but lower priority than the shut down port

action of the port intrusion protection

feature.

See "Configuring port security."

Before configuring an 802.1X Auth-Fail VLAN, complete the following tasks:

• Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.

• If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger.

• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port,

enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged

member. For more information about the MAC-based VLAN function, see Layer 2—LAN Switching

Configuration Guide.

To configure an Auth-Fail VLAN:

Ste

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter Ethernet interface

view.

interface interface-type

interface-number

N/A

3. Configure the Auth-Fail

VLAN on the port.

dot1x auth-fail vlan

authfail-vlan-id

By default, no Auth-Fail VLAN is configured.

Configuring an 802.1X critical VLAN

Follow these guidelines when configuring an 802.1X critical VLAN:

• Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X critical VLAN on a port, so

the port can correctly process VLAN tagged incoming traffic.

• You can configure only one 802.1X critical VLAN on a port. The 802.1X critical VLANs on different

ports can be different.

• You cannot specify a VLAN as both a super VLAN and an 802.1X critical VLAN. For information

about super VLANs, see Layer 2—LAN Switching Configuration Guide.

Before configuring an 802.1X critical VLAN, complete the following tasks:

• Create the VLAN to be specified as a critical VLAN.

• If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger

(dot1x multicast-trigger).

• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port,

enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged

member. For more information about the MAC-based VLAN function, see Layer 2—LAN Switching

Configuration Guide.

To configure an 802.1X critical VLAN: