Mapping dynamic Ethernet service instances to VSIs

Overview

The 802.1X or MAC authentication feature can use the authorization VSI, the guest VSI, the Auth-Fail VSI, and the critical VSI to control the access of users to network resources. When assigning a user to a VSI, 802.1X or MAC authentication sends the VXLAN feature the VSI information and the user's access information, including access interface, VLAN, and MAC address. Then the VXLAN feature creates a dynamic Ethernet service instance for the user and maps it to the VSI. For more information about 802.1X authentication and MAC authentication, see Security Configuration Guide.

A dynamic Ethernet service instance matches frames by VLAN ID and source MAC address, which is called MAC-based traffic match mode. To use this mode for dynamic Ethernet service instances, you must enable MAC authentication or 802.1X authentication that uses MAC-based access control.

Configuration restrictions and guidelines

Dynamic Ethernet service instances cannot be created on member ports of a Layer 2 aggregation group.

Configuration procedure

To map dynamic Ethernet service instances to VSIs:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter interface view.
  Command:
  • Enter Layer 2 Ethernet interface view.
    interface interface-type interface-number
  • Enter Layer 2 aggregate interface view.
    interface bridge-aggregation interface-number
  Remarks: N/A

Step 3. Enable MAC-based traffic match mode for dynamic Ethernet service instances on the interface.
  Command: mac-based ac
  Remarks: By default, MAC-based traffic match mode is disabled for dynamic Ethernet service instances.

Step 4. Enable MAC authentication or 802.1X authentication that uses MAC-based access control.
  Command: Configure MAC authentication or 802.1X authentication that uses MAC-based access control and perform one of the following tasks:
  • Configure the guest VSI, Auth-Fail VSI, or critical VSI on the 802.1X- or MAC authentication-enabled interface.
  • Issue an authorization VSI to an 802.1X or MAC authentication user from a remote AAA server.
  Remarks: After you perform this step, the device will automatically create a dynamic Ethernet service instance for the 802.1X or MAC authentication user and map the Ethernet service instance to a VSI.
  For more information about configuring 802.1X authentication and MAC authentication, see Security Configuration Guide.
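
The following Python check is an added example, not part of the original guide: it audits a saved configuration for interfaces where mac-based ac is set but the prerequisites above are not met (an aggregation group member port, or no MAC-based authentication). The sample configuration is constructed; the interface commands other than mac-based ac (port link-aggregation group, mac-authentication, dot1x, dot1x port-method portbased) and the assumption that 802.1X is MAC-based unless port-based is configured do not come from this page, so verify them against the guides for your release.

```python
# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
interface Ten-GigabitEthernet1/0/1
 mac-based ac
 mac-authentication
#
interface Ten-GigabitEthernet1/0/2
 mac-based ac
#
interface Ten-GigabitEthernet1/0/3
 port link-aggregation group 1
 mac-based ac
 mac-authentication
#
interface Ten-GigabitEthernet1/0/4
 mac-based ac
 dot1x
 dot1x port-method portbased
#
"""

def parse_interfaces(config):
    """Return {interface name: set of stripped config lines under it}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = set()
        elif not line.startswith(" "):   # "#" separator or any top-level line
            current = None
        elif current is not None:
            stanzas[current].add(line.strip())
    return stanzas

def audit(config):
    """Return {interface: [findings]} for interfaces with `mac-based ac`."""
    # Assumption: 802.1X is MAC-based unless port-based is explicitly set.
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "mac-based ac" not in lines:
            continue
        issues = []
        if any(l.startswith("port link-aggregation group ") for l in lines):
            issues.append("aggregation member port")
        mac_auth = "mac-authentication" in lines
        dot1x_mac = "dot1x" in lines and "dot1x port-method portbased" not in lines
        if not (mac_auth or dot1x_mac):
            issues.append("no MAC-based authentication")
        findings[name] = issues
    return findings
```

An empty findings list means the interface satisfies both checks; run audit() over the text of a saved configuration file to review all interfaces at once.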