Configuring Access Guardian Configuring Port-Based Network Access Control
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-49
• When traffic is received from devices connected to ports 1/15-20, the switch determines if there are
any classification rules associated with domain 2 and applies that rule to the traffic. Because UNP ports
1/15-20 belong to domain 2, the MAC address range rule is applied to traffic received on those ports.
• The source MAC address of device traffic received on ports 1/15-20 is examined to see if it falls within
the range of addresses defined in the MAC address range rule. If the source MAC address of the device
does fall within the specified range, the device is then assigned to the “CustA” profile.
• Network access control attributes configured for the “CustA” profile are then applied to device traffic
assigned to that profile.
Configuring Layer 2 Profiles for UNP Access Ports
A Layer 2 profile determines how control frames received on a UNP access port are processed. When a
port is configured as a UNP access port, a default Layer 2 profile (unp-def-access-profile) is applied to
the port with the following default values for processing control frames:
Protocol   Default
STP        tunnel
802.1x     peer
802.3ad    peer
802.1ab    drop
GVRP       tunnel
MVRP       tunnel
AMAP       drop

If the default profile values are not sufficient, use the service l2profile command with the tunnel, drop,
and peer options to create a new profile. For example, the following command creates a profile named
“DropL2”:
-> service l2profile DropL2 stp drop gvrp drop 802.1ab drop
Consider the following when configuring Layer 2 profiles:
• Not all of the control protocols are currently supported with the peer, tunnel, and drop parameters.
Use the following table to determine the parameter combinations that are supported:

Protocol   Reserved MAC        peer   discard   tunnel
STP        01-80-C2-00-00-00   no     yes       yes
802.1x     01-80-C2-00-00-03   yes    yes       yes
802.1ab    01-80-C2-00-00-0E   yes    yes       yes
802.3ad    01-80-C2-00-00-02   yes    no        no
GVRP       01-80-C2-00-00-21   no     yes       yes
MVRP       01-80-C2-00-00-21   no     yes       yes
AMAP       00-20-DA-00-70-04   yes    yes       no

• When a profile is created, the new profile inherits the default profile settings for processing control
frames. The default settings are applied with the new profile unless they are explicitly changed. For
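The following Python sketch is an added example, not part of the guide. It checks a service l2profile command against the default and supported-combination tables above and returns the effective settings after inheritance, so protocols that are still peered or tunneled stand out. Assumptions: the drop keyword corresponds to the table's "discard" column, the keywords for 802.1x, 802.3ad, mvrp and amap are the lowercase table names, and the function names are hypothetical.

```python
# Added example: tables transcribed from this page. Assumption: "drop" is the
# CLI keyword for the support table's "discard" column.
DEFAULTS = {"stp": "tunnel", "802.1x": "peer", "802.3ad": "peer",
            "802.1ab": "drop", "gvrp": "tunnel", "mvrp": "tunnel", "amap": "drop"}
SUPPORTED = {  # protocol -> actions marked "yes" in the support table
    "stp": {"drop", "tunnel"},
    "802.1x": {"peer", "drop", "tunnel"},
    "802.1ab": {"peer", "drop", "tunnel"},
    "802.3ad": {"peer"},
    "gvrp": {"drop", "tunnel"},
    "mvrp": {"drop", "tunnel"},
    "amap": {"peer", "drop"},
}

def effective_profile(command):
    """Parse 'service l2profile <name> <proto> <action> ...' and return
    (name, effective settings, list of unsupported combinations)."""
    tokens = command.replace("->", "", 1).split()
    if tokens[:2] != ["service", "l2profile"] or len(tokens) < 3:
        raise ValueError("not a 'service l2profile' command")
    name, pairs = tokens[2], tokens[3:]
    if len(pairs) % 2:
        raise ValueError("protocol without an action: " + pairs[-1])
    settings, errors = dict(DEFAULTS), []  # a new profile inherits the defaults
    for proto, action in zip(pairs[::2], pairs[1::2]):
        proto, action = proto.lower(), action.lower()
        if proto not in SUPPORTED:
            errors.append(f"unknown protocol {proto!r}")
        elif action not in SUPPORTED[proto]:
            errors.append(f"{proto} does not support {action}")
        else:
            settings[proto] = action
    return name, settings, errors

def still_forwarded(settings):
    """Protocols whose control frames are peered or tunneled, not dropped."""
    return sorted(p for p, a in settings.items() if a != "drop")

if __name__ == "__main__":
    name, settings, errors = effective_profile(
        "-> service l2profile DropL2 stp drop gvrp drop 802.1ab drop")
    print(name, settings, errors)
    print("not dropped:", still_forwarded(settings))
```

For the “DropL2” command shown on this page, the result shows that MVRP frames are still tunneled and 802.1x and 802.3ad frames are still peered, because those settings are inherited from the default profile.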