R2511-HP MSR Router Series Security Command Reference(V5)

ManualsBrandsHP ManualsNetwork HardwareHP MSR1003-8 AC Router

141

142

143

144

145

146

147

148

149

150

129

Default command level

2: System level

Parameters

guest-vlan-id: Specifies the ID of the VLAN to be specified as the 802.1X guest VLAN. The value range

for the VLAN ID is 1 to 4094. Make sure the VLAN has been created and is not a super VLAN. For more

information about super VLANs, see Layer 2—LAN Switching Configuration Guide.

interface interface-list: Specifies a port list. The interface-list argument is in the format of interface-list =

{ interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type

represents the port type, interface-number represents the port number, and & <1-10> means that you can

provide up to 10 ports or port ranges. The start port number must be smaller than the end number and

the two ports must be of the same type. If no interface is specified, you configure an 802.1X guest VLAN

for all Layer 2 Ethernet ports.

Usage guidelines

You must enable 802.1X for an 802.1X guest VLAN to take effect.

To have the 802.1X guest VLAN take effect, complete the following tasks:

• Enable 802.1X both globally and on the interface.

• If the port performs port-based access control, enable the 802.1X multicast trigger function.

When you change the access control method from port-based to MAC-based on a port that is in a guest

VLAN, the port is removed from the guest VLAN. The device does not support guest VLAN on a port that

implements MAC-based access control.

To delete a VLAN that has been configured as a guest VLAN, you must remove the guest VLAN

configuration first.

You can configure both an Auth-Fail VLAN and an 802.1X guest VLAN on a port.

Examples

# Specify VLAN 999 as the 802.1X guest VLAN for port Ethernet 1/1

<Sysname> system-view

[Sysname] dot1x guest-vlan 999 interface ethernet 1/1

# Specify VLAN 10 as the 802.1X guest VLAN for ports Ethernet 1/2 to Ethernet 1/5.

<Sysname> system-view

[Sysname] dot1x guest-vlan 10 interface ethernet 1/2 to ethernet 1/5

# Specify VLAN 7 as the 802.1X guest VLAN for all ports.

<Sysname> system-view

[Sysname] dot1x guest-vlan 7

# Specify VLAN 3 as the 802.1X guest VLAN for port Ethernet 1/7.

<Sysname> system-view

[Sysname] interface ethernet 1/7

[Sysname-Ethernet1/7] dot1x guest-vlan 3

Related commands

• dot1x

• dot1x port-method

• dot1x multicast-trigger