Enabling MAC authentication multi-VLAN mode
By default, a MAC authentication-enabled port forwards packets for an authenticated user only in the VLAN where the user is authenticated. If the user sends packets in a different VLAN, the port must re-authenticate the user. After the user passes re-authentication, the port updates the MAC-VLAN mapping of the user. For a user that sends various types of traffic (for example, data, video, and audio) in multiple VLANs, frequent MAC re-authentication can degrade system performance and affect data transmission quality.
The MAC authentication multi-VLAN mode enables a MAC authentication-enabled port to forward packets for an authenticated user in up to five VLANs without re-authentication. When the port receives a packet sourced from the user in a VLAN not matching the existing MAC-VLAN mapping, the device performs the following tasks:
- Forwards the packet.
- Creates a new MAC-VLAN mapping for the user.
Hewlett Packard Enterprise recommends that you configure this feature on hybrid or trunk ports.
For example, an IP phone, which can send tagged and untagged frames, is connected to a MAC authentication-enabled port. The port receives tagged frames in VLAN 2 and untagged frames in VLAN 1. Before you enable the multi-VLAN mode on the port, the port must re-authenticate the IP phone repeatedly, because it sends tagged frames and untagged frames alternately in different VLANs. After you enable the multi-VLAN mode, the port can receive tagged and untagged frames alternately from the IP phone without triggering a MAC re-authentication. The multi-VLAN mode improves the transmission quality of data that is vulnerable to delay and interference.
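The IP phone case above as a small model, added here as an illustration; it is not HPE code or device output. The class `MacAuthPort`, the status strings, the MAC address and the frame trace are constructed, initial authentication is assumed to succeed, and because the page does not describe what happens beyond five VLANs the model only flags that case.

```python
from dataclasses import dataclass, field

MAX_VLANS = 5  # from the page: up to five VLANs without re-authentication
PHONE = "0011-2233-4455"  # constructed MAC address

@dataclass
class MacAuthPort:
    """Hypothetical model of one MAC authentication-enabled port."""
    multi_vlan: bool = False
    mappings: dict = field(default_factory=dict)  # MAC -> list of VLAN IDs
    reauths: int = 0

    def receive(self, mac, vlan):
        vlans = self.mappings.get(mac)
        if vlans is None:
            # Assumption: the initial MAC authentication succeeds.
            self.mappings[mac] = [vlan]
            return "authenticated"
        if vlan in vlans:
            return "forwarded"
        if not self.multi_vlan:
            # Default mode: re-authenticate, then update the MAC-VLAN mapping.
            self.reauths += 1
            self.mappings[mac] = [vlan]
            return "reauthenticated"
        if len(vlans) < MAX_VLANS:
            # Multi-VLAN mode: forward and create a new MAC-VLAN mapping.
            vlans.append(vlan)
            return "forwarded, mapping created"
        # The page does not describe the sixth-VLAN case; flag it, change nothing.
        return "vlan limit reached"

def replay(multi_vlan, frames, mac=PHONE):
    """Feed frames (VLAN IDs) from one MAC to a fresh port; return port and results."""
    port = MacAuthPort(multi_vlan=multi_vlan)
    return port, [port.receive(mac, vlan) for vlan in frames]

# Constructed trace: untagged frames in VLAN 1 alternating with tagged frames in VLAN 2.
PHONE_TRACE = [1, 2, 1, 2, 1, 2]

if __name__ == "__main__":
    for mode in (False, True):
        port, results = replay(mode, PHONE_TRACE)
        print("multi-vlan" if mode else "default", port.reauths, port.mappings, results)
```

In the model, the final `mappings` entry lists every VLAN in which the authenticated MAC was forwarded without a further authentication, which is the set to compare against the VLANs the port is expected to carry for that device.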
To enable MAC authentication multi-VLAN mode on a port:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
3. Enable MAC authentication multi-VLAN mode. | mac-authentication host-mode multi-vlan | By default, a MAC-authenticated user can forward packets only in the VLAN where it was authenticated. |