H3C Technologies H3C S3100 Series Switches User Manual

In PGV or PAFV mode, when a user fails MAC authentication on a port, the device adds the port to the
guest VLAN or Auth-Fail VLAN. Therefore, on an access port the guest VLAN can separate
unauthenticated users. On a trunk port or a hybrid port, however, if a packet already carries a VLAN tag
and that VLAN is allowed on the port, the port forwards the packet according to the VLAN tag, regardless
of the guest VLAN or Auth-Fail VLAN. That is, packets can be forwarded to VLANs other than the
guest VLAN or Auth-Fail VLAN through the trunk or hybrid port, even if the user fails to pass
authentication.
Table 1-3 Configure a guest VLAN or Auth-Fail VLAN

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Configure the guest VLAN for MAC authentication | mac-authentication guest-vlan vlan-id | Required. Not configured by default. |
| Configure the Auth-Fail VLAN for MAC authentication | mac-authentication auth-fail vlan authfail-vlan-id | Optional. Not configured by default. |
| Return to system view | quit | — |
| Configure the interval at which the switch re-authenticates users in guest VLANs | mac-authentication timer guest-vlan-reauth interval | Optional. By default, the switch re-authenticates the users in guest VLANs at an interval of 30 seconds. |
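
The following audit script is an added example, not part of the manual: it scans a saved configuration for trunk or hybrid ports that use a guest VLAN or Auth-Fail VLAN and lists the other VLANs those ports still allow, which is the case the paragraph above warns about. The sample configuration is constructed, and the `port link-type`, `port trunk permit vlan` and `port hybrid vlan` line layout is assumed rather than taken from this page.

```python
import re

# Constructed sample configuration (not taken from the manual).
SAMPLE = """\
interface Ethernet1/0/1
 port access vlan 10
 mac-authentication guest-vlan 100
#
interface Ethernet1/0/2
 port link-type trunk
 port trunk permit vlan 1 20 to 22
 mac-authentication guest-vlan 100
#
interface Ethernet1/0/3
 port link-type hybrid
 port hybrid vlan 40 tagged
 port hybrid vlan 100 untagged
 mac-authentication auth-fail vlan 200
"""

def expand(vlan_list):
    """Expand '1 20 to 22' into {1, 20, 21, 22}; 'all' means VLANs 1-4094."""
    if vlan_list.strip() == "all":
        return set(range(1, 4095))
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", vlan_list):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Map each trunk/hybrid port with a fallback VLAN to the other VLANs it allows."""
    findings = {}
    for block in re.split(r"(?m)^(?=interface )", config):
        name = re.match(r"interface (\S+)", block)
        link = re.search(r"(?m)^ port link-type (trunk|hybrid)", block)
        fallback = re.findall(r"(?m)^ mac-authentication (?:guest-vlan|auth-fail vlan) (\d+)", block)
        if not (name and link and fallback):
            continue  # access port or no fallback VLAN: nothing to report
        pat = (r"(?m)^ port trunk permit vlan (.+)$" if link.group(1) == "trunk"
               else r"(?m)^ port hybrid vlan (.+) (?:tagged|untagged)$")
        allowed = set()
        for vlan_list in re.findall(pat, block):
            allowed |= expand(vlan_list)
        exposed = allowed - {int(v) for v in fallback}
        if exposed:
            findings[name.group(1)] = sorted(exposed)
    return findings
```

Each reported port is one where tagged packets for the listed VLANs are forwarded even when the user has failed MAC authentication, so those VLANs should be reviewed or removed from the port.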