VLAN-based IGMP snooping access policy configuration example
Network configuration
As shown in Figure 18:
The switch runs IGMPv2 snooping.
The switch performs 802.1X authentication for Host A and Host B.
Configure an IGMP snooping access group policy on the switch so that Host A can join or leave only multicast group 224.1.1.1.
Figure 18: Network diagram
Configuring the switch
Configure IGMP snooping.
# Enable the IGMP snooping feature.
<Switch> system-view
[Switch] igmp-snooping
[Switch-igmp-snooping] quit
# Create VLAN 100 and assign Ten-GigabitEthernet 1/0/1 through Ten-GigabitEthernet 1/0/3 to the VLAN.
[Switch] vlan 100
[Switch-vlan100] port ten-gigabitethernet 1/0/1 to ten-gigabitethernet 1/0/3
# Enable IGMP snooping for VLAN 100.
[Switch-vlan100] igmp-snooping enable
[Switch-vlan100] quit
# Configure an IGMP snooping access policy.
[Switch] acl basic 2001
[Switch-acl-ipv4-basic-2001] rule permit source 224.1.1.1 0
[Switch-acl-ipv4-basic-2001] quit
[Switch] user-profile profile2
[Switch-user-profile-profile2] igmp-snooping access-policy 2001
[Switch-user-profile-profile2] quit
Configure a RADIUS scheme.
# Create a RADIUS scheme named scheme2.
[Switch] radius scheme scheme2
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch-radius-scheme2] primary authentication 3.1.1.1
[Switch-radius-scheme2] key authentication 321123
[Switch-radius-scheme2] primary accounting 3.1.1.1
[Switch-radius-scheme2] key accounting 321123
# Exclude the ISP domain name from the username sent to the RADIUS server.
[Switch-radius-scheme2] user-name-format without-domain
[Switch-radius-scheme2] quit
Configure an ISP domain.
# Create an ISP domain named domain2.
[Switch] domain domain2
# Configure AAA methods for the ISP domain.
[Switch-isp-domain2] authentication lan-access radius-scheme scheme2
[Switch-isp-domain2] authorization lan-access radius-scheme scheme2
[Switch-isp-domain2] accounting lan-access radius-scheme scheme2
[Switch-isp-domain2] quit
# Configure domain domain2 as the default ISP domain.
[Switch] domain default enable domain2
Configure 802.1X authentication.
# Enable 802.1X authentication on Ten-GigabitEthernet 1/0/2.
[Switch] interface ten-gigabitethernet 1/0/2
[Switch-Ten-GigabitEthernet1/0/2] dot1x
[Switch-Ten-GigabitEthernet1/0/2] quit
# Enable 802.1X authentication on Ten-GigabitEthernet 1/0/3.
[Switch] interface ten-gigabitethernet 1/0/3
[Switch-Ten-GigabitEthernet1/0/3] dot1x
[Switch-Ten-GigabitEthernet1/0/3] quit
# Enable 802.1X authentication globally.
[Switch] dot1x
Configuring the RADIUS server
# Configure the RADIUS server properly to provide authentication and accounting functions. (Details not shown.)
Verifying the configuration
# Display dynamic IGMP snooping group entries for VLAN 100.
[Switch] display igmp-snooping group vlan 100
Total 1 entries.
VLAN 100: Total 1 entries.
  (0.0.0.0, 224.1.1.1)
    Host ports (1 in total):
      XGE1/0/3 (00:03:05)
The output shows that Ten-GigabitEthernet 1/0/3 is the only member port of multicast group 224.1.1.1.
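The verification step above can be automated. The following is an added example, not part of the original configuration guide: it parses saved `display igmp-snooping group` output and reports any 802.1X port that is a member of a group other than the one ACL 2001 permits. The function names, the assumption that profile2 applies to every user on both 802.1X ports, and the second entry in the sample output are constructed for illustration.

```python
import re

# Group permitted by ACL 2001 on this page.
ALLOWED_GROUPS = {"224.1.1.1"}
# Ports with 802.1X enabled on this page. Assumption: profile2 is
# authorized for every user who authenticates on these ports.
DOT1X_PORTS = {"XGE1/0/2", "XGE1/0/3"}

ENTRY_RE = re.compile(r"^\((\d+(?:\.\d+){3}),\s*(\d+(?:\.\d+){3})\)$")
PORT_RE = re.compile(r"^(\S+)\s+\((\d{2}:\d{2}:\d{2})\)$")


def parse_group_entries(output):
    """Return {(source, group): [port, ...]} from the display output text."""
    entries, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            entries[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            entries[current].append(m.group(1))
    return entries


def find_violations(entries, allowed=ALLOWED_GROUPS, ports=DOT1X_PORTS):
    """List (port, group) pairs where a policed port joined a disallowed group."""
    return sorted(
        (port, group)
        for (_src, group), members in entries.items()
        for port in members
        if port in ports and group not in allowed
    )


# Constructed sample: the page's entry plus one entry the policy should block.
SAMPLE = """\
Total 2 entries.
VLAN 100: Total 2 entries.
  (0.0.0.0, 224.1.1.1)
    Host ports (1 in total):
      XGE1/0/3 (00:03:05)
  (0.0.0.0, 224.1.1.2)
    Host ports (1 in total):
      XGE1/0/2 (00:01:10)
"""

if __name__ == "__main__":
    for port, group in find_violations(parse_group_entries(SAMPLE)):
        print(f"policy violation: {port} is a member of {group}")
```

An empty result for the output shown on this page confirms that the only learned membership is the permitted group.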