5
Figure 2 Flowchart for processing a frame in dynamic MAC-based VLAN assignment
Server-assigned MAC-based VLAN
Use this feature with access authentication, such as MAC-based 802.1X authentication, to
implement secure and flexible terminal access.
To implement server-assigned MAC-based VLAN, perform the following tasks:
1. Configure the server-assigned MAC-based VLAN feature on the access device.
2. Configure username-to-VLAN entries on the access authentication server.
When a user passes authentication of the access authentication server, the server assigns the
authorization VLAN information for the user to the device. The device then performs the following
operations:
1. Generates a MAC-to-VLAN entry by using the source MAC address of the user packet and the
authorization VLAN information. The authorization VLAN is a MAC-based VLAN.
The generated MAC-to-VLAN entry cannot conflict with the existing static MAC-to-VLAN entries.
If a confliction exists, the dynamic MAC-to-VLAN entry cannot be generated.
2. Assigns the port that connects the user to the MAC-based VLAN.
When the user goes offline, the device automatically deletes the MAC-to-VLAN entry and removes
the port from the MAC-based VLAN. For more information about 802.1X and MAC authentication,
see Security Configuration Guide.
IP subnet-based VLANs
The IP subnet-based VLAN feature assigns untagged packets to VLANs based on their source IP
addresses and subnet masks.
Use this feature when untagged packets from an IP subnet or IP address must be transmitted in a
VLAN.
No
Yes
No
Yes
No
No
Yes
Yes
No
Yes
Yes
No
Uses source MAC to
match the MAC in MAC-
to-VLAN entries
MAC addresses
match?
VLAN IDs
match?
Drops the frame
Joins the VLAN
Forwards the frame in
the VLAN
The port receives a
frame
Drops the frame
VLAN ID match the
port PVID?
PVID allowed?
Tagged frame ?
Selects a VLAN for the
frame
Gets the source MAC
Is the VLAN ID the primary VLAN ID and the
port PVID a secondary VLAN ID?
To Next Page
Loading...
Need help?
General