No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
(Optional) Configuring the Restrict VLAN Function

(Optional) Configuring the Restrict VLAN Function


You can configure the restrict VLAN function on the device interface to enable users who fail authentication to access some network resources (for example, to update the virus library). The users are added to the restrict VLAN when failing authentication and can access resources in the restrict VLAN. The user fails authentication in this instance because the authentication server rejects the user for some reasons (for example, the user enters an incorrect password) not because the authentication times out or the network is disconnected.

Similar to the guest VLAN, the restrict VLAN allows users to access limited network resources before passing 802.1X authentication. Generally, fewer network resources are deployed in the restrict VLAN than in the guest VLAN; therefore, the restrict VLAN limits access to network resources from unauthenticated users more strictly.


  1. Run system-view

    The system view is displayed.

  2. Configure the restrict VLAN function in the system or interface view.

    • In the system view:

    1. Run authentication restrict-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

      A restrict VLAN where the interface is added is configured.

    • In the interface view:

    1. Run interface interface-type interface-number

      The interface view is displayed.

    2. Run authentication restrict-vlan vlan-id

      A restrict VLAN where the interface is added is configured.

    By default, an interface is not added to the restrict VLAN.

    • A super VLAN cannot be configured as a restrict VLAN.
    • When free IP subnets are configured, the restrict VLAN function becomes invalid immediately.
    • The restrict VLAN function takes effect only when a user sends untagged packets to the device.
    • To make the VLAN authorization function take effect, the link type and access control mode of the authentication interface must meet the following requirements:
      • When the link type is hybrid in untagged mode, the access control mode can be based on the MAC address or interface.
      • When the link type is access or trunk, the access control mode can only be based on the interface.

Updated: 2019-10-21

Document ID: EDOC1000178117

Views: 123979

Downloads: 59

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next