Configuring Access Guardian Configuring Port-Based Network Access Control
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-66
-> unp classification vlan-tag 10 profile1 serverA
• Combine the VLAN ID tag rule with other rules to include the tag as a required parameter to match for
the rule. For example, to include the VLAN tag with a MAC address rule, use the unp classification
mac-address rule command with the vlan-tag option:
-> unp classification mac-address 00:00:2a:33:44:01 vlan-tag 10 profile1 serverA
In this example, a device is classified into the UNP “serverA” profile if the source MAC address of the
device is “00:00:2a:33:44:01” and the device packets are tagged with VLAN 10.
When a VLAN tag rule is combined with another rule, the combined rule takes precedence over the rule
that does not specify a VLAN tag. For example, a rule that specifies a MAC address and a VLAN tag
takes precedence over a rule that specifies only a MAC address.
Configuring the Domain Classification Rule
An optional UNP domain ID is assigned to UNP ports to form a logical group of ports to which
classification rules are applied. There are two methods for configuring classification rules to apply to
traffic received on ports in a specific domain ID:
• Use the unp classification domain command to configure a domain ID rule that is applied only to
ports that belong to the specified domain ID. For example, the following command configures a
domain rule that will classify device traffic into the “serverB” profile if the device is connected to a
UNP port that is assigned to domain 2:
-> unp classification domain 2 profile1 serverB
• Combine the domain classification rule with other rules to include the domain ID as a required
parameter to match for the rule. For example, to include the domain ID with a MAC address rule, use
the unp classification mac-address rule command with the domain option:
-> unp classification mac-address 00:00:2a:33:44:01 domain 2 profile1 serverB
In this example, device traffic is classified into the “serverB” profile if the source MAC address of the
device is “00:00:2a:33:44:01” and the device is connected to a UNP port that is assigned to UNP
domain 2.
The domain ID specified in a classification rule must already exist in the switch configuration. See
“Configuring UNP Port Domains” on page 28-47 for more information.
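The matching behaviour described in the VLAN tag and domain rule passages above, modelled as an added Python sketch (not part of the OmniSwitch guide and not switch output): every parameter in a rule is required, and a MAC rule with a VLAN tag wins over a MAC-only rule. The "quarantine" profile, the sample configuration, and the fallback to configured order for other ties are assumptions of this example.

```python
import re

# Constructed sample config: the rule forms shown in this section, plus a
# MAC-only rule pointing at a hypothetical "quarantine" profile.
CONFIG = """\
-> unp classification mac-address 00:00:2a:33:44:01 profile1 quarantine
-> unp classification mac-address 00:00:2a:33:44:01 vlan-tag 10 profile1 serverA
-> unp classification domain 2 profile1 serverB
"""

RULE = re.compile(
    r"^(?:->\s*)?unp classification"
    r"(?: mac-address (?P<mac>[0-9a-f:]{17}))?"
    r"(?: vlan-tag (?P<vlan>\d+))?"
    r"(?: domain (?P<domain>\d+))?"
    r" profile1 (?P<profile>\S+)$", re.I)

def parse(config):
    """Return one entry per rule: its required conditions and its profile."""
    rules = []
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue
        conds = {k: v.lower() for k, v in m.groupdict().items()
                 if v and k != "profile"}
        if conds:
            rules.append({"conds": conds, "profile": m["profile"]})
    return rules

def classify(rules, mac, vlan=None, domain=None):
    """Return the profile a device is classified into, or None.

    Every condition in a rule must match. Among matching rules, one that
    specifies a VLAN tag wins over one that does not, as this section states;
    any other tie falls back to configured order (assumption of this sketch).
    """
    device = {"mac": mac.lower(),
              "vlan": None if vlan is None else str(vlan),
              "domain": None if domain is None else str(domain)}
    hits = [r for r in rules
            if all(device[k] == v for k, v in r["conds"].items())]
    hits.sort(key=lambda r: "vlan" not in r["conds"])  # stable: tagged first
    return hits[0]["profile"] if hits else None

if __name__ == "__main__":
    rules = parse(CONFIG)
    print(classify(rules, "00:00:2a:33:44:01", vlan=10))  # tagged frame
    print(classify(rules, "00:00:2a:33:44:01"))           # same MAC, no tag
```

The second call shows what the combined rule buys: a device presenting the same MAC address without VLAN tag 10 is not classified into “serverA”.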
Configuring the LLDP MED Endpoint Classification Rule
There are two types of configurable LLDP MED Endpoint rules: one for detecting IP phone traffic and
one for detecting OmniAccess Stellar access point (AP) traffic.
• Use the unp classification lldp med-endpoint command with the ip-phone option to configure a rule
that will detect LLDP TLVs from IP phones and then classify the traffic from the phones into the
profile associated with the rule. For example:
-> unp classification lldp med-endpoint ip-phone profile1 unp1-vlan
• Use the unp classification lldp med-endpoint command with the access-point option to configure a
rule that will detect LLDP TLVs from Stellar APs and then classify the traffic from the APs into the
profile associated with the rule. For example: