Static mac-based vlan assignment, Dynamic mac-based vlan, Configuration procedure – H3C Technologies H3C S12500 Series Switches User Manual


Static MAC-based VLAN assignment

Static MAC-based VLAN assignment applies to networks containing a small number of VLAN users. In such a network, you can create a MAC address-to-VLAN map containing multiple MAC address-to-VLAN entries on a port, enable the MAC-based VLAN feature on the port, and assign the port to MAC-based VLANs.

With static MAC-based VLAN assignment configured on a port, the device processes received frames by using the following guidelines:

• When the port receives an untagged frame, the device looks up the MAC address-to-VLAN map based on the source MAC address of the frame for a match.

  ○ The device first performs a fuzzy match. In the fuzzy match, the device searches the MAC address-to-VLAN entries whose masks are not all-Fs and performs a logical AND operation on the source MAC address and each mask. If the result of an AND operation matches the corresponding MAC address, the device tags the frame with the corresponding VLAN ID.

  ○ If the fuzzy match fails, the device performs an exact match. In the exact match, the device searches the MAC address-to-VLAN entries whose masks are all-Fs. If the MAC address of a MAC address-to-VLAN entry matches the source MAC address of the untagged frame, the device tags the frame with the corresponding VLAN ID.

  ○ If no match is found, the device assigns a VLAN to the frame by using other criteria, such as IP subnet or protocol, and forwards the frame.

  ○ If no VLAN is available, the device tags the frame with the PVID of the receiving port and forwards the frame.

• When the port receives a tagged frame, the port forwards the frame if the VLAN ID of the frame is permitted by the port, or otherwise drops the frame.
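The lookup order described above, modeled as an added example (not code from the manual or from the device). The names `Entry`, `parse_mac`, `classify_untagged`, `classify_tagged` and the sample table are hypothetical, and taking the first matching entry in table order when several fuzzy entries match is an assumption the manual does not state.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

ALL_FS = 0xFFFFFFFFFFFF  # 48-bit mask with every bit set


def parse_mac(text: str) -> int:
    """Parse 'xxxx-xxxx-xxxx' or 'xx:xx:xx:xx:xx:xx' into a 48-bit integer."""
    return int(text.replace("-", "").replace(":", ""), 16)


@dataclass(frozen=True)
class Entry:  # one MAC address-to-VLAN entry (hypothetical model)
    mac: int
    mask: int
    vlan: int


def classify_untagged(src: int, table: Iterable[Entry],
                      other_vlan: Optional[int], pvid: int) -> Tuple[int, str]:
    """Return (VLAN ID, rule that decided it) for an untagged frame."""
    entries = list(table)
    # 1. Fuzzy match: only entries whose mask is not all-Fs.
    for e in entries:
        if e.mask != ALL_FS and (src & e.mask) == e.mac:
            return e.vlan, "fuzzy"  # assumption: first match in table order
    # 2. Exact match: only entries whose mask is all-Fs.
    for e in entries:
        if e.mask == ALL_FS and e.mac == src:
            return e.vlan, "exact"
    # 3. Other criteria (IP subnet, protocol), passed in already resolved.
    if other_vlan is not None:
        return other_vlan, "other"
    # 4. Nothing else applies: PVID of the receiving port.
    return pvid, "pvid"


def classify_tagged(vlan_id: int, permitted: Set[int]) -> Optional[int]:
    """Tagged frame: keep its VLAN if the port permits it, else drop (None)."""
    return vlan_id if vlan_id in permitted else None


# Constructed sample table, not taken from the manual.
TABLE = [
    Entry(parse_mac("0011-2200-0000"), parse_mac("ffff-ff00-0000"), 100),
    Entry(parse_mac("0011-2233-4455"), ALL_FS, 200),
    Entry(parse_mac("00aa-bbcc-ddee"), ALL_FS, 300),
]
```

In the sample table, source 0011-2233-4455 lands in VLAN 100 rather than 200, because the fuzzy pass runs first and the masked entry shadows the exact one. The lookup keys only on the frame's source MAC address, which the sender sets.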

Dynamic MAC-based VLAN

You can use dynamic MAC-based VLAN with access authentication (such as 802.1X authentication based on MAC addresses) to implement secure, flexible terminal access. After configuring dynamic MAC-based VLAN on the device, you must configure the username-to-VLAN entries on the access authentication server.

When a user passes authentication of the access authentication server, the device obtains VLAN information from the server, generates a MAC address-to-VLAN entry by using the source MAC address of the user packet and the VLAN information, and assigns the port to the MAC-based VLAN. When the user goes offline, the device automatically deletes the MAC address-to-VLAN entry, and removes the port from the MAC-based VLAN.

For more information about 802.1X, MAC, and portal authentication, see Security Configuration Guide.

Configuration procedure

IMPORTANT:

• MAC-based VLANs are available only on hybrid ports.

• Because MAC-based dynamic port assignment is mainly configured on the downlink ports of the user access devices, do not enable this function together with link aggregation.

To configure static MAC-based VLAN assignment:
