Mapping dynamic Ethernet service instances to VSIs
Overview
The 802.1X or MAC authentication feature can use the authorization VSI, the guest VSI, the Auth-Fail VSI, and the critical VSI to control the access of users to network resources. When assigning a user to a VSI, 802.1X or MAC authentication sends the VXLAN feature the VSI information and the user's access information, including access interface, VLAN, and MAC address. Then the VXLAN feature creates a dynamic Ethernet service instance for the user and maps it to the VSI. For more information about 802.1X authentication and MAC authentication, see Security Configuration Guide.
A dynamic Ethernet service instance matches frames by VLAN ID and source MAC address, which is called MAC-based traffic match mode. To use this mode for dynamic Ethernet service instances, you must enable MAC authentication or 802.1X authentication that uses MAC-based access control.
Configuration restrictions and guidelines
Dynamic Ethernet service instances cannot be created on member ports of a Layer 2 aggregation group.
Configuration procedure
To map dynamic Ethernet service instances to VSIs:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | | N/A |
3. Enable MAC-based traffic match mode for dynamic Ethernet service instances on the interface. | mac-based ac | By default, MAC-based traffic match mode is disabled for dynamic Ethernet service instances. |
4. Enable MAC authentication or 802.1X authentication that uses MAC-based access control. | Configure MAC authentication or 802.1X authentication that uses MAC-based access control and perform one of the following tasks: | After you perform this step, the device will automatically create a dynamic Ethernet service instance for the 802.1X or MAC authentication user and map the Ethernet service instance to a VSI. For more information about configuring 802.1X authentication and MAC authentication, see Security Configuration Guide. |
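
The following configuration audit is an added example, not part of the original guide or the vendor's tooling. It checks each interface that has `mac-based ac` against the restriction and the prerequisite stated above. It assumes a Comware-style saved configuration: apart from `mac-based ac`, the command spellings (`port link-aggregation group`, `mac-authentication`, `dot1x`, `dot1x port-method portbased`) and the rule that 802.1X is MAC-based unless port-based is configured are assumptions, and the sample configuration is constructed.

```python
import re
# Constructed sample; command spellings other than "mac-based ac" are assumed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 mac-based ac
 mac-authentication
#
interface GigabitEthernet1/0/2
 mac-based ac
 port link-aggregation group 1
 dot1x
#
interface GigabitEthernet1/0/3
 mac-based ac
 dot1x
 dot1x port-method portbased
#
interface GigabitEthernet1/0/4
 dot1x
"""

def parse_interfaces(config):
    """Return {interface name: [commands]} for each 'interface X' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif not raw.startswith(" "):   # '#' separator or other top-level line
            current = None
        elif current is not None:
            current.append(line)
    return stanzas

def audit(config):
    """Return {interface: [findings]} for interfaces that enable 'mac-based ac'."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "mac-based ac" not in cmds:
            continue
        issues = []
        # Restriction: no dynamic Ethernet service instances on aggregation member ports.
        if any(c.startswith("port link-aggregation group") for c in cmds):
            issues.append("member port of a Layer 2 aggregation group")
        # Prerequisite: MAC authentication, or 802.1X with MAC-based access control.
        mac_auth = "mac-authentication" in cmds
        dot1x_mac = "dot1x" in cmds and "dot1x port-method portbased" not in cmds
        if not (mac_auth or dot1x_mac):
            issues.append("no MAC authentication or MAC-based 802.1X")
        findings[name] = issues
    return findings
```

An empty findings list means the interface meets both conditions; interfaces without `mac-based ac` are not reported.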