Configuring Access Guardian Configuring Port-Based Network Access Control
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-40
Consider the following guidelines when configuring UNP port parameters:
• Any configuration change to a UNP-enabled port will flush all MAC addresses learned on that port.
This applies only to CLI commands used to configure UNP port parameters.
• The UNP name specified with the unp default-profile, unp 802.1x-authentication pass-alternate,
and unp mac-authentication pass-alternate commands must already exist in the switch
configuration. See “UNP Profiles” on page 28-16 for more information.
• The default UNP for a port is a “last resort” UNP for traffic that was not successfully
classified through other methods. If all other methods fail and a default UNP is not configured for the
port, device traffic is blocked on that port.
• Parameter values defined in a custom UNP port template override the existing UNP port configuration.
Explicitly configuring a UNP port parameter on a port that is associated with a custom template is
not allowed. See “Using UNP Port Templates” on page 28-41 for more information.
• Enabling both 802.1X and MAC authentication is allowed on the same port, but 802.1X authentication
is attempted first unless 802.1X authentication bypass is also enabled for the port. See “Configuring
802.1X Authentication Bypass” on page 28-44 for more information.
• There are two methods for configuring and applying port bandwidth parameter values to UNP ports
that are assigned to a profile: QoS policy list rules and UNP profile bandwidth parameters. See
“Configuring UNP Port Bandwidth” on page 28-46 for more information.
• If there is no authentication type enabled for the UNP port, then the source MAC address of a device
connected to the port is not sent to the designated RADIUS server for identification and authentication.
Instead, other classification parameters configured for the port are applied to the device.
Use the show unp port config command to display the UNP port configuration. For example:
-> show unp port 1/1/10 config
Port 1/1/10
Port-Type = BRIDGE,
Redirect Port Bounce = Disabled,
802.1x authentication = Enabled,
802.1x Pass Alternate Profile = -,
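
The following is an added example, not part of the OmniSwitch guide: a Python check that parses output in the "Key = Value," layout of the excerpt above and reports, per port, the conditions the guidelines call out (no authentication type enabled, and whether a default UNP is set). The sample text is constructed, and the "Mac authentication" and "Default Profile" field names are assumptions, since the excerpt shows only the first four fields.

```python
import re

# Constructed sample in the "Key = Value," layout of the excerpt above.
# Assumption: field names other than the four shown on the page are hypothetical.
SAMPLE = """\
Port 1/1/10
  Port-Type = BRIDGE,
  Redirect Port Bounce = Disabled,
  802.1x authentication = Enabled,
  802.1x Pass Alternate Profile = -,
  Mac authentication = Enabled,
  Default Profile = guest
Port 1/1/11
  Port-Type = BRIDGE,
  802.1x authentication = Disabled,
  Mac authentication = Disabled,
  Default Profile = -
"""

def parse_ports(text):
    """Return {port: {lower-cased field: value}} from 'Port x/y/z' blocks."""
    ports, current = {}, None
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        m = re.fullmatch(r"Port (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return ports

def audit(ports):
    """Map each port to findings derived from the guidelines above."""
    report = {}
    for port, cfg in ports.items():
        def on(k): return cfg.get(k, "").lower() == "enabled"
        default = cfg.get("default profile", "-")
        notes = []
        if not (on("802.1x authentication") or on("mac authentication")):
            notes.append("no authentication type: MAC not sent to RADIUS")
        notes.append("no default UNP: unclassified traffic is blocked" if default == "-"
                     else f"default UNP '{default}' receives unclassified traffic")
        report[port] = notes
    return report

if __name__ == "__main__":
    for port, notes in audit(parse_ports(SAMPLE)).items():
        print(port, "->", "; ".join(notes))
```
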

unp admin-state
    Configures the administrative status of the UNP configuration for the port. By default, the
    status is enabled. When disabled, the UNP configuration is retained but not active for port
    traffic.

unp dynamic-service
    Configures whether the System Default service profile dynamically creates an SPB Service
    Access Point (SAP) or a VXLAN SAP based on the traffic received on the UNP access port. This
    command applies only to UNP access ports. See “System Default Profiles” on page 28-19.

unp l2-profile
    Assigns the name of an existing Layer 2 profile to a UNP access port. This profile determines
    how Layer 2 protocol frames received on the access port are processed. By default, the Layer 2
    profile “unp-def-access-profile” is assigned when a port is configured as a UNP access port.
    See “Configuring Layer 2 Profiles for UNP Access Ports” on page 28-49.

unp vlan
    Configures an untagged VLAN-port association between the specified UNP bridge port and VLAN
    ID. This command applies only to UNP bridge ports.