
Configuring trapping, Refer to – H3C Technologies H3C S3600 Series Switches User Manual


Configuring trapping

Follow these steps to configure port security trapping:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable sending traps for the specified type of event | port-security trap { addresslearned \| dot1xlogfailure \| dot1xlogoff \| dot1xlogon \| intrusion \| ralmlogfailure \| ralmlogoff \| ralmlogon } | Required. By default, no trap is sent. |

Configuring Guest VLAN for a Port in macAddressOrUserLoginSecure mode

Users who fail authentication can access a specified VLAN. This VLAN is called the guest VLAN. For details about guest VLAN, refer to the sections covering 802.1x and System-Guard.

A port in macAddressOrUserLoginSecure mode supports guest VLAN configurations. The port can connect multiple users, but services only one user at a time.

1) When the first user of the port initiates 802.1X or MAC authentication:

- If the user fails the authentication, the port is added to the guest VLAN, and all the other users of the port are authorized to access the guest VLAN.
- If the user passes the authentication, authentication requests from other users are not handled because only one user is allowed to pass authentication using the port. The other users will fail the authentication, but the port will not be added to the guest VLAN.

2) After the port is added to the guest VLAN:

- The users of the port can initiate 802.1X authentication. If a user passes authentication, the port leaves the guest VLAN and is added to the original VLAN (that is, the one the port belonged to before it was added to the guest VLAN). The port then does not handle other users' authentication requests.
- MAC authentication is also allowed. However, MAC authentication in this case cannot be triggered by user requests; the switch will use the first MAC address learned in the guest VLAN to initiate MAC authentication at a certain interval. If the authentication succeeds, the port leaves the guest VLAN.
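The rules above, as a small Python state model of one port. This is an added example built from this section's description, not H3C code; the class and method names, VLAN ids 1 and 10, and the MAC strings are assumptions made for illustration. It also assumes that the MAC of the user whose failure moved the port is the first one learned in the guest VLAN:

```python
# Model of the guest-VLAN rules for one port in macAddressOrUserLoginSecure
# mode, derived from the manual's prose only (not H3C firmware logic).
class Port:
    def __init__(self, original_vlan, guest_vlan):
        self.original_vlan, self.guest_vlan = original_vlan, guest_vlan
        self.vlan = original_vlan   # VLAN the port is currently in
        self.online = None          # MAC of the single authenticated user
        self.guest_macs = []        # MACs seen in the guest VLAN, in order

    def in_guest_vlan(self):
        return self.vlan == self.guest_vlan

    def _accept(self, mac):
        self.online, self.vlan, self.guest_macs = mac, self.original_vlan, []
        return "online"

    def user_auth(self, mac, method, ok):
        """A user starts 'dot1x' or 'mac' authentication; ok is the verdict."""
        if self.online is not None:
            return "not-handled"        # only one user may pass on the port
        if self.in_guest_vlan():
            if mac not in self.guest_macs:
                self.guest_macs.append(mac)
            if method == "mac":
                return "not-handled"    # MAC auth is timer-driven in guest VLAN
            return self._accept(mac) if ok else "guest"
        if ok:
            return self._accept(mac)
        # First user failed: the port, and every user behind it, goes guest.
        # Assumption: this user's MAC is the first one learned in the guest VLAN.
        self.vlan = self.guest_vlan
        self.guest_macs.append(mac)
        return "guest"

    def guest_reauth_tick(self, allowed_macs):
        """guest-vlan-reauth timer expiry: the switch retries MAC auth itself."""
        if not self.in_guest_vlan() or not self.guest_macs:
            return "idle"
        first = self.guest_macs[0]
        return self._accept(first) if first in allowed_macs else "guest"

def demo():
    a, b = "00-00-00-00-00-0a", "00-00-00-00-00-0b"   # constructed MACs
    p = Port(original_vlan=1, guest_vlan=10)          # constructed VLAN ids
    trace = [p.user_auth(a, "dot1x", ok=False),  # port moves to guest VLAN
             p.user_auth(b, "mac", ok=True),     # user-triggered MAC auth ignored
             p.guest_reauth_tick({b}),           # timer tries first MAC (a): stays
             p.user_auth(b, "dot1x", ok=True),   # port returns to original VLAN
             p.user_auth(a, "dot1x", ok=True)]   # second user is not handled
    return trace, p.vlan, p.online
```

The trace makes the access-control consequence visible: one failed attempt places every user behind the port in the guest VLAN, and a single later success returns the port to its original VLAN.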

Follow these steps to configure a guest VLAN for a port in macAddressOrUserLoginSecure mode:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Set the interval at which the switch triggers MAC authentication after a port is added to the guest VLAN | port-security timer guest-vlan-reauth interval | Optional |
| Enter Ethernet port view | interface interface-type interface-number | |
| Set the security mode to macAddressOrUserLoginSecure | port-security port-mode userlogin-secure-or-mac | Required |
| Specify a VLAN as the guest VLAN of the port | port-security guest-vlan vlan-id | Required |

Note that:

- Only an existing VLAN can be specified as a guest VLAN. Make sure the guest VLAN of a port contains the resources that the users need.
