Configuring Access Guardian Access Guardian Overview
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-17
1 UNP classification rules are examined to determine if any of the rules match the device traffic. If so,
the device is assigned to the profile associated with the matching rule.
2 If there are no matching UNP classification rules, the UNP port-level configuration is used to
determine a profile assignment for the device. For example, is there a default UNP profile assigned to the
port. If so, the device is assigned to that profile.
UNP Profile Mapping
The mapping of a VLAN ID or service-based parameters determines whether a VLAN-port association
(VPA) or a service virtual port association is dynamically created for UNP port traffic that is assigned to
the profile. UNP profiles that are mapped to a VLAN ID are referred to as VLAN profiles; UNP profiles
that are mapped to service-based parameters are referred to as service profiles.
• VLAN profile mapping. This type of profile mapping dynamically creates a VLAN-port association
(VPA) for device traffic that is classified into the profile. The VPA represents an association between
the UNP bridge port on which the device traffic is received and the VLAN ID mapped to the profile.
Once classified into a specific VLAN profile, device traffic is tagged to forward on the UNP VLAN.
• Service profile mapping. This type of profile mapping specifies service-based parameter values that
are used to dynamically create a Service Access Point (SAP). The SAP becomes a virtual port that is
associated with the profile. Once classified into a specific service profile, device traffic is mapped to
the SAP and forwarded on the service associated with the SAP. There are two types of service-
mappings supported: Shortest Path Bridging (SPB) and Virtual eXtensible LAN (VXLAN).
The OmniSwitch supports two separate traffic domains: VLAN and service. The availability of two types
of profile mapping (VLAN and service) provides an efficient method for network access control and
dynamic assignment of device traffic into one of these domains.
• An administrator can use VLAN profiles to implement the same UNP name across the entire network
infrastructure. Each UNP name can have a different VLAN ID mapping on each switch, as the VLAN
mapping configuration applies only to the local switch. For example, the administrator can deploy a
UNP named “Engineering” in one building using VLAN 10, while the same UNP deployed in another
building can use VLAN 20. The same UNP access controls are applied to all profile devices in each
building even though the devices belong to different VLANs.
• A service profile is particularly useful in the OmniSwitch Data Center solution to facilitate virtual
machine (VM) discovery and movement. UNP service profiles used for such purposes are also referred
to as Virtual Network Profiles (vNPs).
UNP VLANs
When a VLAN is mapped to a UNP profile, specifying a VLAN ID is required. Traffic that is classified
with the UNP is assigned to the associated VLAN. There are two methods for creating this type of VLAN:
• Using standard VLAN management commands, create the VLAN then assign the VLAN to the UNP at
the time the profile mapping is configured.
• Enabling the UNP dynamic VLAN configuration option to automatically create the VLAN, if it does
not exist, at the time the UNP profile mapping is configured.
VLANs that are automatically created at the time the profile mapping is configured are referred to as UNP
dynamic VLANs. These VLANs carry many of the same attributes as standard VLANs, such as:
• The VLAN status (enabled or disabled) is configurable.
• Additional ports (tagged and untagged) can be assigned to dynamic VLANs.
To Next Page
Loading...
