H3C Technologies H3C WX3000 Series Unified Switches User Manual

29-5

z

Guest VLANs are implemented in the mode of adding a port to a VLAN. For example, when
multiple users are connected to a port, if the first user fails in the authentication, the other users can
access only the contents of the Guest VLAN. The device will re-authenticate only the first user
accessing this port, and the other users cannot be authenticated again. Thus, if more than one
client is connected to a port, you cannot configure a Guest VLAN for this port.

z

After users that are connected to an existing port failed to pass authentication, the device adds the
port to the Guest VLAN. Therefore, the Guest VLAN can separate unauthenticated users on an
access port. When it comes to a trunk port or a hybrid port, if a packet itself has a VLAN tag and be
in the VLAN that the port allows to pass, the packet will be forwarded perfectly without the influence
of the Guest VLAN. That is, packets can be forwarded to the VLANs other than the Guest VLAN
through the trunk port and the hybrid port, even users fail to pass authentication.

Follow these steps to configure a Guest VLAN:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enter Ethernet port view

interface interface-type
interface-number

—

Configure the Guest VLAN for the
current port

mac-authentication
guest-vlan vlan-id

Required
By default, no Guest VLAN is
configured for a port by default.

Return to system view

quit

—

Configure the interval at which the
device re-authenticates users in
Guest VLANs

mac-authentication timer
guest-vlan-reauth interval

Optional
By default, the device re-authenticates
the users in Guest VLANs at the
interval of 30 seconds by default.

z

If more than one client is connected to a port, you cannot configure a Guest VLAN for this port.

z

When a Guest VLAN is configured for a port, only one MAC address authentication user can
access the port. Even if you set the limit on the number of MAC address authentication users to
more than one, the configuration does not take effect.

z

The undo vlan command cannot be used to remove the VLAN configured as a Guest VLAN. If you
want to remove this VLAN, you must remove the Guest VLAN configuration for it. Refer to VLAN in

H3C WX3000 Series Unified Switches Switching Engine Configuration Guide

for the description on

the undo vlan command.

z

Only one Guest VLAN can be configured for a port, and the VLAN configured as the Guest VLAN
must be an existing VLAN. Otherwise, the Guest VLAN configuration does not take effect. If you
want to change the Guest VLAN for a port, you must remove the current Guest VLAN and then
configure a new Guest VLAN for this port.