Mac address-based vlan overview, Egress ports – Allied Telesis AT-S63 User Manual

Page 688


Chapter 29: MAC Address-based VLANs


Section VI: Virtual LANs

MAC Address-based VLAN Overview

Note

MAC address-based VLANs are only supported on the
AT-9424Ti/SP switch.

As explained in “VLAN Overview” on page 600, VLANs are a means for
creating independent LAN segments within a network and are typically
employed to improve network performance and security.

The AT-S63 management software offers several different types of
VLANs, including port-based, tagged, and protected ports. Membership in
these VLANs is determined either by the port VLAN identifier (PVID)
assigned to a port on a switch or, in the case of tagged traffic, by the VLAN
identifier within the packets themselves.

This chapter describes VLANs that are based on the source MAC
addresses of the end nodes that are connected to the switch. With a MAC
address-based VLAN, only those nodes whose source MAC addresses
have been entered as members of the VLAN can share and access the
VLAN resources. This is in contrast to a port-based or tagged VLAN where
any node that has access to a switch port can join a VLAN as a member.

One of the principal advantages of this type of VLAN is that it can make it
easier to manage network users that roam. These are users who access
the network from different points at different times. The challenge for a
network administrator is providing these users with the same resources
regardless of the point at which they access the network. If you employed
port-based or tagged VLANs for roaming users, you might have to
reconfigure the VLANs, moving ports to and from different virtual LANs, so
that the users always have access to the same network resources.

But with a MAC address-based VLAN, the switch can assign a network
user to the same VLAN and network resources regardless of the port from
which the user accesses the network.

Egress Ports

Implementing a MAC address-based VLAN involves more than entering
the MAC addresses of the end nodes that are members of the VLAN. You
must also designate the egress ports on the switch for the packets from
the nodes. The egress ports define the limits of flooding of packets when a
port receives a unicast packet with an unknown destination address (that
is, an address that has not been learned by the MAC address table).
Without knowing the egress ports, the switch would be forced to flood the
packets on all ports, and that could result in a security violation where end
nodes receive packets from other nodes that are in different VLANs.
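
The following model is an added example, not AT-S63 code or configuration. It shows how egress ports bound the flooding of an unknown-destination unicast frame, and how a roaming node keeps its VLAN when it changes ports. The class names, MAC addresses, port numbers, and the handling of non-member and known-destination frames are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class MacVlan:
    name: str
    members: frozenset        # source MACs entered as members of the VLAN
    egress_ports: frozenset   # ports designated as egress ports for the VLAN

@dataclass
class Switch:
    ports: frozenset
    vlans: list
    mac_table: dict = field(default_factory=dict)  # learned MAC -> port

    def vlan_for(self, src_mac):
        # Membership is decided by source MAC, not by the ingress port.
        return next((v for v in self.vlans if src_mac in v.members), None)

    def forward(self, in_port, src_mac, dst_mac):
        """Ports a unicast frame leaves on, with flooding bounded by egress ports."""
        vlan = self.vlan_for(src_mac)
        if vlan is None:
            return frozenset()  # model assumption: non-member frames are out of scope
        self.mac_table[src_mac] = in_port  # learn the source address
        allowed = vlan.egress_ports - {in_port}
        learned = self.mac_table.get(dst_mac)
        if learned is not None:
            # Model assumption: known destinations are also kept inside the VLAN.
            return frozenset({learned}) & allowed
        return allowed  # unknown destination: flood only the VLAN's egress ports

    def flood_all_ports(self, in_port):
        """What flooding would reach if the switch had no egress port list."""
        return self.ports - {in_port}

# Constructed sample: an 8-port switch with two MAC address-based VLANs.
NODE_A, NODE_B, NODE_C = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:11"
UNKNOWN = "02:00:00:00:00:ff"
SALES = MacVlan("Sales", frozenset({NODE_A, NODE_B}), frozenset({1, 2, 3}))
ENG = MacVlan("Engineering", frozenset({NODE_C}), frozenset({5, 6}))

def make_switch():
    return Switch(frozenset(range(1, 9)), [SALES, ENG])

if __name__ == "__main__":
    sw = make_switch()
    print("bounded flood:", sorted(sw.forward(1, NODE_A, UNKNOWN)))
    print("after roaming to port 3:", sorted(sw.forward(3, NODE_A, UNKNOWN)))
    print("flood without egress ports:", sorted(sw.flood_all_ports(1)))
```
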
