How to configure a guest VLAN on an S series switch


You can configure the guest VLAN function to enable users to access some network resources without authentication. For example, the users can download client software, upgrade the client, and update the antivirus database.

For example, configure the guest VLAN function on GE1/0/1 and GE1/0/5 so that users on the two interfaces can update the antivirus database in real time. Assume that the antivirus database server is in VLAN 10. The configuration is as follows:
- Configure multiple interfaces in a batch in the system view.
[HUAWEI] dot1x enable
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
[HUAWEI] authentication guest-vlan 10 interface gigabitethernet 1/0/1 gigabitethernet 1/0/5

- Configure each interface in the interface view.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] authentication guest-vlan 10
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] dot1x enable
[HUAWEI-GigabitEthernet1/0/5] authentication guest-vlan 10

Note:
1. In V200R005C00 and later versions, the guest VLAN function can be configured only in NAC common mode.
2. A super VLAN cannot be configured as a guest VLAN.
3. The guest VLAN function takes effect only for hybrid interfaces added to the guest VLAN in untagged mode or access interfaces, and does not take effect for other types of interfaces.
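Notes 2 and 3 can be checked offline against a saved configuration before a port is put into service. The following Python check is an added example, not Huawei tooling or part of the original page; it assumes a configuration layout in which sections are separated by `#` lines and a super VLAN is marked by `aggregate-vlan` in its VLAN section, and the sample configuration is constructed.

```python
import re
# Constructed sample; assumed layout: '#' separates sections, 'aggregate-vlan' marks a super VLAN.
SAMPLE_CONFIG = """\
vlan 20
 aggregate-vlan
#
interface GigabitEthernet1/0/1
 port link-type access
 authentication guest-vlan 10
#
interface GigabitEthernet1/0/5
 port link-type hybrid
 port hybrid untagged vlan 100 200
 authentication guest-vlan 10
#
interface GigabitEthernet1/0/7
 port link-type trunk
 authentication guest-vlan 20
"""

def untagged_vlans(body):
    """VLAN IDs from 'port hybrid untagged vlan 10 20 to 22' lines, as a set of ints."""
    vlans = set()
    for spec in re.findall(r"^ *port hybrid untagged vlan (.+)$", body, re.M):
        for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec):
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check_guest_vlans(config):
    """Return (interface, problem) pairs for violations of notes 2 and 3."""
    # One section per '#'-separated block: first line is the header, the rest its body.
    sections = dict(b.strip().partition("\n")[::2]
                    for b in re.split(r"^#.*$", config, flags=re.M))
    super_vlans = {int(n.split()[1]) for n, body in sections.items()
                   if re.fullmatch(r"vlan \d+", n) and "aggregate-vlan" in body}
    findings = []
    for name, body in sections.items():
        guest = re.findall(r"^ *authentication guest-vlan (\d+) *$", body, re.M)
        if not name.startswith("interface ") or not guest:
            continue
        vid = int(guest[-1])
        link = (re.findall(r"^ *port link-type (\S+)", body, re.M) or ["unset"])[-1]
        if vid in super_vlans:
            findings.append((name, f"guest VLAN {vid} is a super VLAN"))
        if link == "hybrid" and vid not in untagged_vlans(body):
            findings.append((name, f"hybrid port is not untagged in VLAN {vid}"))
        elif link not in ("access", "hybrid"):
            findings.append((name, f"link type is {link}, not access or hybrid"))
    return findings
```

An interface with no explicit `port link-type` line is reported as `unset`, because the example does not assume a default link type.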

Other related questions:
Subnet-based VLAN assignment on S series switch
Example of configuring IP subnet-based VLAN assignment for S series switches (except S1700 switches):

1. Configuration roadmap
1) Create VLANs, and add an interface to the VLANs so that the interface allows packets of IP subnet-based VLANs to pass through.
2) Enable IP subnet-based VLAN assignment on the interface, and associate IP subnets with the VLANs, so that the switch can determine the VLANs to which received packets belong according to the source IP addresses or specified subnets in the packets.

2. Configuration procedure
1) Create VLANs.
[HUAWEI] vlan batch 100 200 //Create VLAN 100 and VLAN 200.
2) Configure an interface.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid //Set the interface type to hybrid.
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 100 200 //Add the interface to VLAN 100 and VLAN 200 in untagged mode.
[HUAWEI-GigabitEthernet0/0/1] ip-subnet-vlan enable //Enable IP subnet-based VLAN assignment on the interface.
[HUAWEI-GigabitEthernet0/0/1] quit
3) Associate IP subnets with VLANs.
[HUAWEI] vlan 100
[HUAWEI-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2 //Associate IP subnet 192.168.1.2/24 with VLAN 100 and set the 802.1p priority of VLAN 100 to 2.
[HUAWEI-vlan100] quit
[HUAWEI] vlan 200
[HUAWEI-vlan200] ip-subnet-vlan 1 ip 192.168.2.2 24 priority 3
[HUAWEI-vlan200] quit

Why users can access the guest VLAN through an interface that is not in the guest VLAN
When an 802.1x-enabled device has the guest VLAN configured:
- If users connect to an access interface, they are allowed to access the guest VLAN before they are authenticated. When you run the display this command on the interface, you will find that the interface is not in the guest VLAN. However, the device still adds the guest VLAN tag to the packets from these users. Therefore, these users are allowed to access the guest VLAN.
- If users connect to a trunk interface, the device changes the VLAN tag in user packets to the guest VLAN tag only when the VLAN tag in user packets is the same as the interface PVID. Then the device allows these users to access the guest VLAN.
