Configuring mac-based vlan, Introduction to mac-based vlan, Static mac-based vlan assignment – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Configuring MAC-based VLAN
Introduction to MAC-based VLAN
The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature is
usually used in conjunction with security technologies such as 802.1X to provide secure, flexible network
access for terminal devices.
Static MAC-based VLAN assignment
Static MAC-based VLAN assignment applies to networks containing a small number of VLAN users. In
such a network, you can create a MAC address-to-VLAN map containing multiple MAC
address-to-VLAN entries on a port, enable the MAC-based VLAN feature on the port, and assign the port
to MAC-based VLANs.
With static MAC-based VLAN assignment configured on a port, the device processes received frames by
using the following guidelines:
• When the port receives an untagged frame, the device looks up the MAC address-to-VLAN map
based on the source MAC address of the frame. The device first performs a fuzzy match:
it searches the MAC address-to-VLAN entries whose masks are not all-Fs and performs a
logical AND operation on the source MAC address and each mask. If the result of an AND
operation matches the corresponding MAC address, the device tags the frame with the
corresponding VLAN ID. If the fuzzy match fails, the device performs an exact match:
it searches the MAC address-to-VLAN entries whose masks are all-Fs. If the MAC address
of a MAC address-to-VLAN entry matches the source MAC address of the untagged frame,
the device tags the frame with the corresponding VLAN ID. The device forwards such frames
according to the 802.1p priority of the VLANs mapped to the MAC addresses. If neither the
fuzzy match nor the exact match succeeds, the device assigns a VLAN to the frame by using
other criteria, such as IP address or protocol. If those criteria also produce no match,
the device tags the frame with the PVID of the receiving port and forwards the frame.
• When the port receives a tagged frame, the port forwards the frame if the VLAN ID of the
frame is permitted by the port; otherwise, it drops the frame.
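The lookup order above, as an added Python example (not H3C code): it models fuzzy-then-exact matching for untagged frames and flags exact entries that a fuzzy entry would override under that order. The map entries, PVID, and function names are constructed for illustration; the order among multiple fuzzy entries is assumed to be list order, and the IP address and protocol criteria are not modelled.

```python
ALL_FS = 0xFFFFFFFFFFFF  # mask that marks an exact-match entry

def mac_to_int(mac):
    """Parse a 48-bit MAC such as '0011-2233-4455' or '00:11:22:33:44:55'."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def classify_untagged(src_mac, mac_vlan_map, pvid):
    """Return (vlan_id, reason) for an untagged frame with this source MAC."""
    src = mac_to_int(src_mac)
    entries = [(mac_to_int(m), mac_to_int(k), v) for m, k, v in mac_vlan_map]
    # Fuzzy match first: only entries whose mask is not all-Fs.
    for mac, mask, vlan in entries:
        if mask != ALL_FS and (src & mask) == mac:
            return vlan, "fuzzy"
    # Exact match second: only entries whose mask is all-Fs.
    for mac, mask, vlan in entries:
        if mask == ALL_FS and src == mac:
            return vlan, "exact"
    # Other criteria (IP address, protocol) are not modelled; fall back to PVID.
    return pvid, "pvid"

def shadowed_exact_entries(mac_vlan_map, pvid):
    """List exact entries that never apply because a fuzzy entry matches first.

    Returns (mac, configured_vlan, effective_vlan) tuples.
    """
    findings = []
    for mac, mask, vlan in mac_vlan_map:
        if mac_to_int(mask) != ALL_FS:
            continue
        effective, reason = classify_untagged(mac, mac_vlan_map, pvid)
        if reason == "fuzzy" and effective != vlan:
            findings.append((mac, vlan, effective))
    return findings

# Constructed sample map: (MAC address, mask, VLAN ID)
MAP = [
    ("0011-2200-0000", "ffff-ff00-0000", 100),  # fuzzy entry covering a prefix
    ("0011-2233-4455", "ffff-ffff-ffff", 200),  # exact entry inside that prefix
    ("00aa-bbcc-ddee", "ffff-ffff-ffff", 300),  # exact entry outside it
]
PVID = 1

if __name__ == "__main__":
    for mac in ("0011-2233-4455", "00aa-bbcc-ddee", "0200-0000-0001"):
        print(mac, classify_untagged(mac, MAP, PVID))
    print("shadowed:", shadowed_exact_entries(MAP, PVID))
```

Running the audit helper over a port's map before deployment shows where a host with a dedicated exact entry would instead land in the VLAN of a broader masked entry.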
Dynamic MAC-based VLAN
You can use dynamic MAC-based VLAN with access authentication (such as 802.1X authentication
based on MAC addresses) to implement secure, flexible terminal access. After configuring dynamic
MAC-based VLAN on the device, you must configure the username-to-VLAN entries on the access
authentication server.
When a user passes authentication of the access authentication server, the device obtains VLAN
information from the server, generates a MAC address-to-VLAN entry by using the source MAC address
of the user packet and the VLAN information, and assigns the port to the MAC-based VLAN. When the
user goes offline, the device automatically deletes the MAC address-to-VLAN entry, and removes the port
from the MAC-based VLAN.
NOTE:
For more information about 802.1X, MAC, and portal authentication, see Security Configuration Guide.
Configuring a MAC-based VLAN
To configure static MAC-based VLAN assignment: