How to configure the critical VLAN function on S series switches


During 802.1x authentication, when a fault occurs on the network between the access device and the authentication server, or the authentication server itself fails, the authentication process cannot complete. As a result, a user fails authentication and cannot access network resources. You can configure the critical VLAN function to solve this problem. When a fault occurs on the network between the access device and the authentication server or the authentication server fails, an 802.1x authentication user is added to the critical VLAN and can then access the resources available in the critical VLAN.
Configure a critical VLAN on S series switches (except the S1700) as follows:
- Perform the following operations in the system view:
[HUAWEI] vlan batch 20
[HUAWEI] undo authentication unified-mode //Skip this step on switches running versions earlier than V200R005C00.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 20 //The critical VLAN takes effect only for hybrid or access interfaces added to the critical VLAN in untagged mode.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1
[HUAWEI] dot1x port-method port interface gigabitethernet 1/0/1
[HUAWEI] authentication critical-vlan 20 interface gigabitethernet 1/0/1
- Perform the following operations in the interface view:
[HUAWEI] vlan batch 20
[HUAWEI] undo authentication unified-mode //Skip this step on switches running versions earlier than V200R005C00.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 20 //The critical VLAN takes effect only for hybrid or access interfaces added to the critical VLAN in untagged mode.
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] dot1x port-method port
[HUAWEI-GigabitEthernet1/0/1] authentication critical-vlan 20

Other related questions:
How to configure the restrict VLAN function on S series switches
You can configure a restrict VLAN on an interface of a switch so that a user can still access some network resources (for example, to update the virus library) after failing authentication. The user who fails authentication is added to the restrict VLAN and can access resources in the restrict VLAN. Note that this applies when a user fails authentication because the authentication server rejects the user for some reason (for example, the user enters an incorrect password), not when the authentication times out or the network is disconnected.
Configure a restrict VLAN on S series switches (except the S1700) as follows:
- Perform the following operations in the system view:
[HUAWEI] vlan batch 20
[HUAWEI] undo authentication unified-mode //Skip this step on switches running versions earlier than V200R005C00.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 20 //The restrict VLAN takes effect only for hybrid or access interfaces added to the restrict VLAN in untagged mode.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1
[HUAWEI] dot1x port-method port interface gigabitethernet 1/0/1
[HUAWEI] authentication restrict-vlan 20 interface gigabitethernet 1/0/1
- Perform the following operations in the interface view:
[HUAWEI] vlan batch 20
[HUAWEI] undo authentication unified-mode //Skip this step on switches running versions earlier than V200R005C00.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] port hybrid untagged vlan 20 //The restrict VLAN takes effect only for hybrid or access interfaces added to the restrict VLAN in untagged mode.
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] dot1x port-method port
[HUAWEI-GigabitEthernet1/0/1] authentication restrict-vlan 20
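Both the critical VLAN procedure and the restrict VLAN procedure above share the same precondition: the fallback VLAN only takes effect on a hybrid or access interface that carries that VLAN untagged, with dot1x enabled on the interface. As an added illustration (not Huawei code and not part of the original article), the Python checker below parses an interface-view configuration in this style and reports any interface whose critical-vlan or restrict-vlan would silently never take effect. The sample configuration, the function names and the VRP-style line patterns it matches are assumptions constructed for this example.

```python
import re
# Constructed sample (not from the article): 1/0/1 mirrors the interface-view steps; 1/0/2 carries VLAN 20 tagged and lacks dot1x.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid untagged vlan 20 30
 dot1x enable
 authentication critical-vlan 20
 authentication restrict-vlan 30
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid tagged vlan 20
 authentication critical-vlan 20
"""

def expand_vlans(spec):
    """Expand a VRP-style VLAN list such as '10 20 to 22' into {10, 20, 21, 22}."""
    return {v for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec)
            for v in range(int(lo), int(hi or lo) + 1)}

def interface_stanzas(config):
    """Map each 'interface <name>' stanza to its comment-stripped config lines (hypothetical parser)."""
    stanzas, name = {}, None
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()   # drop trailing //comments like those in the article
        if m := re.match(r"interface (\S+)", line):
            name = m.group(1); stanzas[name] = []
        elif name and line:
            stanzas[name].append(line)
    return stanzas

def audit_fallback_vlans(config):
    """Return {interface: [problems]} for critical/restrict VLANs that cannot take effect."""
    findings = {}
    for name, lines in interface_stanzas(config).items():
        link, untagged, dot1x = None, set(), "dot1x enable" in lines
        for line in lines:
            if m := re.match(r"port link-type (\S+)", line): link = m.group(1)
            elif m := re.match(r"port hybrid untagged vlan (.+)", line): untagged |= expand_vlans(m.group(1))
            elif m := re.match(r"port default vlan (\d+)", line): untagged.add(int(m.group(1)))  # access-port PVID
        for m in filter(None, map(re.compile(r"authentication (critical|restrict)-vlan (\d+)").match, lines)):
            kind, vid, problems = m.group(1), int(m.group(2)), findings.setdefault(name, [])
            if link not in ("hybrid", "access"):
                problems.append(f"{kind}-vlan {vid}: link-type {link} is not hybrid/access")
            elif vid not in untagged:
                problems.append(f"{kind}-vlan {vid}: VLAN {vid} is not untagged on this port")
            if not dot1x:
                problems.append(f"{kind}-vlan {vid}: dot1x is not enabled on this interface")
    return {k: v for k, v in findings.items() if v}
```

Run it over the output of the switch's running configuration to catch the tagged-VLAN mistake before an authentication-server outage reveals it; only the interface-view form is parsed, not the system-view form with a trailing interface argument.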

Subnet-based VLAN assignment on S series switch
Example of configuring IP subnet-based VLAN assignment for S series switches (except S1700 switches):
1. Configuration roadmap
1) Create VLANs, and add an interface to the VLANs so that the interface allows packets of the IP subnet-based VLANs to pass through.
2) Enable IP subnet-based VLAN assignment on the interface, and associate IP subnets with the VLANs, so that the switch can determine the VLAN to which a received packet belongs according to the packet's source IP address or the specified subnet.
2. Configuration procedure
1) Create VLANs.
[HUAWEI] vlan batch 100 200 //Create VLAN 100 and VLAN 200.
2) Configure an interface.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid //Set the interface type to hybrid.
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 100 200 //Add the interface to VLAN 100 and VLAN 200 in untagged mode.
[HUAWEI-GigabitEthernet0/0/1] ip-subnet-vlan enable //Enable IP subnet-based VLAN assignment on the interface.
[HUAWEI-GigabitEthernet0/0/1] quit
3) Associate IP subnets with VLANs.
[HUAWEI] vlan 100
[HUAWEI-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2 //Associate IP subnet 192.168.1.2/24 with VLAN 100 and set the 802.1p priority of VLAN 100 to 2.
[HUAWEI-vlan100] quit
[HUAWEI] vlan 200
[HUAWEI-vlan200] ip-subnet-vlan 1 ip 192.168.2.2 24 priority 3
[HUAWEI-vlan200] quit

How to configure the BFD echo function for S series switches
You can configure BFD echo on S series switches (except S1700 switches) to achieve rapid detection of link failures. The networking is shown as follows:
SwitchA(10.1.1.5/24)---(10.1.1.6/24)SwitchB
Switch A and Switch B are directly connected through a link. SwitchA supports BFD, while SwitchB does not. Perform the following configuration:
[SwitchA] bfd //Enable BFD.
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip 10.1.1.6 interface vlanif13 source-ip 10.1.1.5 one-arm-echo //Create a BFD echo session.
[SwitchA-bfd-session-atob] discriminator local 1 //Configure the BFD echo session identifier.
[SwitchA-bfd-session-atob] commit
