MAC-Based VLAN, Introduction to MAC-Based VLAN, MAC-Based VLAN Implementation – H3C Technologies H3C S3100 Series Switches User Manual

MAC-Based VLAN

The contents of this section are only applicable to the S3100-EI series among S3100 series switches.

Introduction to MAC-Based VLAN

The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature is mostly used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices.

MAC-based VLAN implementation

With MAC-based VLAN configured, the device processes received packets as follows:

- When receiving an untagged frame, the device looks for a match in the list of MAC-to-VLAN mappings based on the source MAC address of the frame. The device searches the MAC-to-VLAN mappings whose masks are all-Fs. If the MAC address in a MAC-to-VLAN mapping matches the source MAC address of the untagged frame exactly, the device ends the search and adds a VLAN tag containing the corresponding VLAN ID to the packet. If no match is found, the system looks up other types of VLANs to make the forwarding decision.

- When receiving a tagged frame, the receiving port forwards the frame if it is assigned to the corresponding VLAN or drops the frame if it is not. In this case, port-based VLAN applies.
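
The decision procedure described above, modelled as an added Python example (not code from the manual or from H3C). The `Port` class, the function names, the sample MAC addresses and VLAN IDs are constructed for illustration, and the fallback to the port's default VLAN when no mapping matches is an assumption standing in for "other types of VLANs".

```python
import re

def normalize_mac(mac):
    """Accept H-H-H, colon, dash or dotted notation; return 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class Port:
    def __init__(self, pvid, allowed_vlans):
        self.pvid = pvid                         # default VLAN for untagged frames
        self.allowed_vlans = set(allowed_vlans)  # VLANs the port is assigned to

def classify(frame, port, mac_vlan):
    """Return the VLAN the frame is handled in, or None if it is dropped."""
    tag = frame.get("vlan_tag")
    if tag is not None:
        # Tagged frame: port-based VLAN applies, the MAC table is not consulted.
        return tag if tag in port.allowed_vlans else None
    # Untagged frame: exact match on the source MAC (all-Fs mask).
    vlan = mac_vlan.get(normalize_mac(frame["src_mac"]))
    if vlan is not None:
        return vlan
    # No mapping: the manual says other VLAN types decide; assumed here to be the PVID.
    return port.pvid

# Constructed sample data (documentation-range MACs, made-up VLAN IDs).
MAC_VLAN = {normalize_mac("0000-5e00-5301"): 100,
            normalize_mac("0000-5e00-5302"): 200}
PORT = Port(pvid=1, allowed_vlans={1, 100})

def demo():
    frames = [
        {"src_mac": "00:00:5e:00:53:01"},                # mapped, untagged
        {"src_mac": "0000-5e00-53ff"},                   # unmapped, untagged
        {"src_mac": "0000-5e00-5302", "vlan_tag": 100},  # tagged, port in VLAN 100
        {"src_mac": "0000-5e00-5301", "vlan_tag": 200},  # tagged, port not in VLAN 200
    ]
    return [classify(f, PORT, MAC_VLAN) for f in frames]

if __name__ == "__main__":
    print(demo())
```

In the untagged branch the source MAC address, a field set by the sending host, is the only lookup key, which is why the feature is normally paired with an authentication mechanism such as 802.1X.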

Approaches to creating MAC address-to-VLAN mappings

In addition to creating MAC address-to-VLAN mappings at the CLI, you can use an authentication server to automatically issue MAC address-to-VLAN mappings.

- Manual static configuration (through CLI)

  You can associate MAC addresses with VLANs by using corresponding commands.

- Automatic configuration through the authentication server (that is, VLAN issuing)

  The device associates MAC addresses with VLANs dynamically based on the information provided by the authentication server. If a user goes offline, the corresponding MAC address-to-VLAN association is removed automatically. Automatic configuration requires that MAC address-to-VLAN mappings be configured on the authentication server. For detailed information, refer to 802.1X Configuration in the Security Volume.

The two configuration approaches can be used at the same time, that is, you can configure a MAC address-to-VLAN entry on both the local device and the authentication server at the same time. Note that the MAC address-to-VLAN entry configuration takes effect only when the configuration on the local device is consistent with that on the authentication server. Otherwise, the previous configuration takes effect.