How to configure Layer 2 transparent transmission of 802.1x authentication packets on an S series switch

An extensible authentication protocol (EAP) packet in 802.1x authentication is a bridge protocol data unit (BPDU). By default, S series switches do not perform Layer 2 forwarding for BPDUs. If a Layer 2 switch exists between an 802.1x authentication-enabled device and a user, Layer 2 transparent transmission must be configured on the switch. Otherwise, EAP packets sent by the user cannot reach the authentication device and the user cannot pass authentication
The following describes different methods of configuring Layer 2 transparent transmission of 802.1x authentication packets on a fixed switch and a modular switch:
- Assume that the Layer 2 fixed switch connects to the upstream device through GE0/0/1, and connects to users through GE0/0/2.
[HUAWEI] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
[HUAWEI-GigabitEthernet0/0/1] bpdu enable
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
[HUAWEI-GigabitEthernet0/0/2] bpdu enable
[HUAWEI-GigabitEthernet0/0/2] quit
- Assume that the Layer 2 modular switch connects to the upstream device through GE1/0/1, and connects to users through GE1/0/2.
[HUAWEI] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
[HUAWEI-GigabitEthernet1/0/1] bpdu bridge enable
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
[HUAWEI-GigabitEthernet1/0/2] bpdu bridge enable
[HUAWEI-GigabitEthernet1/0/2] quit
Note that you cannot set the group-mac parameter to the following addresses:
- Reserved multicast MAC addresses: 0180-C200-0000 to 0180-C200-002F
- Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
- Destination MAC address of Smart Link packets: 010F-E200-0004
- Multicast MAC addresses used on the switch.

Other related questions:
S series switches' support for Layer 2 transparent transmission of 802.1x authentication packets
If you have more questions, you can seek help from following ways:
To iKnow To Live Chat To Google
Scroll to top