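After recently enabling 802.1x authentication on a Huawei S5300 switch, I also wanted to add a static MAC address binding, because the terminals attached to the access ports are fixed, but found that the configuration failed.
Case 1
If a terminal on the access port has already passed 802.1x authentication, configuring a static MAC address binding reports an error and the configuration is not applied. At this point the access port has already learned the MAC address, and the entry's type is authen, so the static MAC address binding command returns "Error: The MAC address entry of another type already exists.", because an entry of a different type is already present for that MAC address.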
[S5352]disp dot1x interface GigabitEthernet 0/0/39
GigabitEthernet0/0/39 status: UP 802.1x protocol is Enabled
Port control type is Auto
Authentication method is MAC-based
Reauthentication is disabled
Maximum users: 256
Current users: 1
Guest VLAN is disabled
Critical VLAN is disabled
Restrict VLAN is disabled
Authentication Success: 1 Failure: 0
EAPOL Packets: TX : 9 RX : 9
Sent EAPOL Request/Identity Packets : 1
EAPOL Request/Challenge Packets : 7
Multicast Trigger Packets : 0
EAPOL Success Packets : 1
EAPOL Failure Packets : 0
Received EAPOL Start Packets : 1
EAPOL Logoff Packets : 0
EAPOL Response/Identity Packets : 1
EAPOL Response/Challenge Packets: 7
Online user(s) info:
UserId MAC/VLAN AccessTime UserName
------------------------------------------------------------------------------
988 000f-4103-211f/500 2018/04/23 15:33:46 Alice
------------------------------------------------------------------------------
Total 1,1 printed
[S5352]
[S5352]mac-address static 000f-4103-211f GigabitEthernet 0/0/39 vlan 500
Error: The MAC address entry of another type already exists.
[S5352]
[S5352]
[S5352]disp mac-address GigabitEthernet 0/0/39
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
000f-4103-211f 500/- GE0/0/39 authen
-------------------------------------------------------------------------------
Total items displayed = 1
[S5352]
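Case 2
If no terminal on the access port has passed 802.1x authentication yet, the static MAC address binding command executes successfully. However, 802.1x access control is then no longer effective: terminals attached to the access port need no authentication and can all connect to the network directly.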
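Confirmation from Huawei R&D
I consulted the Huawei 400 hotline, and R&D confirmed that on the Huawei S5300 switch I am using (software version: Version 5.110 (S5300 V200R001C00SPC300)) the 802.1x and static MAC binding features conflict, and only one of the two can be used.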
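An audit check for the Case 2 condition, as an added example that is not part of the original post: it parses saved output in the format of the two display commands above and reports ports where 802.1x is enabled but a static MAC entry is present. The sample text is constructed, port GE0/0/40 and the extra MAC addresses are made up for contrast, and the value "static" in the Type column is an assumption (the page only shows "authen").

```python
import re

# Constructed sample output in the format shown on this page (not from a real device).
# Assumption: a static entry shows "static" in the Type column; GE0/0/40 is added for contrast.
DOT1X_OUTPUT = """\
GigabitEthernet0/0/39 status: UP 802.1x protocol is Enabled
Port control type is Auto
Current users: 0
GigabitEthernet0/0/40 status: UP 802.1x protocol is Enabled
Port control type is Auto
Current users: 1
"""
MAC_OUTPUT = """\
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
000f-4103-211f 500/- GE0/0/39 static
000f-4103-2120 500/- GE0/0/40 authen
000f-4103-2121 500/- GE0/0/41 static
-------------------------------------------------------------------------------
Total items displayed = 3
"""

DOT1X_RE = re.compile(r"^(\S+)\s+status:\s+\S+\s+802\.1x protocol is Enabled", re.M)
MAC_RE = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})[ \t]+(\S+)[ \t]+(\S+)[ \t]+(\S+)[ \t]*$",
    re.M | re.I)

def short_name(ifname):
    """Map 'GigabitEthernet0/0/39' to the 'GE0/0/39' form used in the MAC table."""
    return re.sub(r"^GigabitEthernet\s*", "GE", ifname)

def dot1x_ports(text):
    """Return the set of ports on which 802.1x is reported as enabled."""
    return {short_name(m.group(1)) for m in DOT1X_RE.finditer(text)}

def mac_entries(text):
    """Yield (mac, vlan, port, type) for each row of the MAC table."""
    for m in MAC_RE.finditer(text):
        yield m.group(1).lower(), m.group(2), m.group(3), m.group(4).lower()

def find_conflicts(dot1x_text, mac_text):
    """Ports with 802.1x enabled that also carry a static MAC entry (Case 2)."""
    enabled = dot1x_ports(dot1x_text)
    return [(port, mac, vlan) for mac, vlan, port, mtype in mac_entries(mac_text)
            if port in enabled and mtype == "static"]

if __name__ == "__main__":
    for port, mac, vlan in find_conflicts(DOT1X_OUTPUT, MAC_OUTPUT):
        print(f"{port}: static entry {mac} (VLAN {vlan}) on an 802.1x port; "
              "authentication is not being enforced here")
```

GE0/0/41 is not reported because it does not appear as an 802.1x port, and GE0/0/40 is not reported because its entry is of type authen.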