Introduction

This feature is available only on hybrid ports.

The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature is usually used with security technologies such as 802.1X to provide secure and flexible network access for terminal devices.

Static MAC-based VLAN assignment

Use static MAC-based VLAN assignment in networks that have a small number of VLAN users. To configure static MAC-based VLAN assignment on a port, perform the following tasks:

  1. Create MAC-to-VLAN entries.

  2. Enable the MAC-based VLAN feature on the port.

  3. Assign the port to the MAC-based VLAN.

A port configured with static MAC-based VLAN assignment processes a received frame as follows before sending the frame out:

Dynamic MAC-based VLAN assignment

When you cannot determine the target MAC-based VLANs of a port, you can use dynamic MAC-based VLAN assignment on the port. To use dynamic MAC-based VLAN assignment, perform the following tasks:

  1. Create MAC-to-VLAN entries.

  2. Enable the MAC-based VLAN feature on the port.

  3. Enable dynamic MAC-based VLAN assignment on the port.

Dynamic MAC-based VLAN assignment uses the following workflow, as shown in Figure 41:

  1. When a port receives a frame, it first determines whether the frame is tagged.

    • If the frame is tagged, the port reports the source MAC address of the frame.

    • If the frame is untagged, the port selects a VLAN for the frame by using the following matching order:

      • MAC-based VLAN.

      • IP subnet-based VLAN.

      • Protocol-based VLAN.

      • Port-based VLAN.

      After tagging the frame with the selected VLAN, the port reports the source MAC address of the frame.

  2. The port uses the source MAC address and VLAN of the frame to match the MAC-to-VLAN entries.

    • If the source MAC address of the frame exactly matches the MAC address in a MAC-to-VLAN entry, the port checks whether the VLAN ID of the frame matches the VLAN in the entry.

      • If the two VLAN IDs match, the port joins the VLAN and forwards the frame.

      • If the two VLAN IDs do not match, the port drops the frame.

    • If the source MAC address of the frame does not exactly match the MAC address in any MAC-to-VLAN entry, the port checks whether the VLAN ID of the frame is its PVID.

      • If the VLAN ID of the frame is the PVID of the port, the port determines whether it allows the PVID. If the PVID is allowed, the port forwards the frame within the PVID. If the PVID is not allowed, the port drops the frame.

      • If the VLAN ID of the frame is not the PVID of the port, the port matches the VLAN ID of the frame by using other criteria, such as IP subnet or protocol, and forwards the frame. If no VLAN is available, the port drops the frame.

Figure 41: Flowchart for processing a frame in dynamic MAC-based VLAN assignment

When you configure dynamic MAC-based VLAN assignment, follow these guidelines:

Server-assigned MAC-based VLAN

Use the server-assigned MAC-based VLAN feature with access authentication, such as MAC-based 802.1X authentication, to implement secure and flexible terminal access. In addition to configuring the server-assigned MAC-based VLAN feature on the device, you must configure the username-to-VLAN entries on the access authentication server.

When a user passes authentication of the access authentication server, the server issues the VLAN ID for the user to the device. The device then performs the following operations:

  1. Generates a MAC-to-VLAN entry by using the source MAC address of the user packet and the received VLAN ID. The VLAN is a MAC-based VLAN.

  2. Assigns the port that connects the user to the MAC-based VLAN.

When the user goes offline, the device automatically deletes the MAC-to-VLAN entry and removes the port from the MAC-based VLAN. For more information about 802.1X and MAC authentication, see Security Configuration Guide.
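The following Python model is an added example, not configuration or code from the device or the vendor's documentation. It walks through the two procedures described above on one hybrid port: the frame-processing workflow of dynamic MAC-based VLAN assignment (the two steps shown in Figure 41) and the server-assigned MAC-to-VLAN entry lifecycle (entry created when a user passes authentication, deleted when the user goes offline). The MAC addresses, IP subnets, EtherTypes and VLAN IDs are constructed for illustration. Two points are assumptions made to fill in details the text does not state: a frame whose VLAN ID is not the PVID and whose MAC matches no entry is forwarded only if the IP subnet-based or protocol-based criterion yields that same VLAN ID, and on logoff the port leaves the MAC-based VLAN only if no remaining entry still references it.

```python
"""Model of a hybrid port running dynamic and server-assigned MAC-based VLAN assignment.

Constructed example: all addresses and tables below are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Frame:
    src_mac: str
    vlan_id: Optional[int] = None  # None models an untagged frame
    src_ip: str = ""               # used only by the IP subnet-based VLAN check
    ethertype: int = 0x0800        # used only by the protocol-based VLAN check


@dataclass
class HybridPort:
    pvid: int
    allowed_vlans: set                                    # VLANs the port permits
    mac_to_vlan: dict = field(default_factory=dict)       # MAC -> VLAN (static or server-assigned)
    subnet_to_vlan: dict = field(default_factory=dict)    # "CIDR" -> VLAN
    proto_to_vlan: dict = field(default_factory=dict)     # EtherType -> VLAN
    joined_vlans: set = field(default_factory=set)        # VLANs the port joined dynamically

    def _subnet_vlan(self, frame: Frame) -> Optional[int]:
        if not frame.src_ip:
            return None
        ip = ipaddress.ip_address(frame.src_ip)
        for cidr, vlan in self.subnet_to_vlan.items():
            if ip in ipaddress.ip_network(cidr):
                return vlan
        return None

    def _proto_vlan(self, frame: Frame) -> Optional[int]:
        return self.proto_to_vlan.get(frame.ethertype)

    def _select_vlan(self, frame: Frame) -> int:
        """Step 1 for untagged frames: MAC-based, then IP subnet-based, then protocol-based, then PVID."""
        for candidate in (self.mac_to_vlan.get(frame.src_mac.lower()),
                          self._subnet_vlan(frame), self._proto_vlan(frame)):
            if candidate is not None:
                return candidate
        return self.pvid

    def process(self, frame: Frame) -> tuple:
        """Return ("forward", vlan) or ("drop", vlan) following the two-step workflow."""
        mac = frame.src_mac.lower()
        # Step 1: a tagged frame keeps its VLAN; an untagged frame is tagged by the matching order.
        vid = frame.vlan_id if frame.vlan_id is not None else self._select_vlan(frame)
        # Step 2: match source MAC and VLAN against the MAC-to-VLAN entries.
        entry_vlan = self.mac_to_vlan.get(mac)
        if entry_vlan is not None:
            if entry_vlan == vid:
                self.joined_vlans.add(vid)      # port joins the VLAN and forwards
                return ("forward", vid)
            return ("drop", vid)                # known MAC but VLAN mismatch
        if vid == self.pvid:                    # unknown MAC: PVID check
            return ("forward", vid) if self.pvid in self.allowed_vlans else ("drop", vid)
        # Unknown MAC, VLAN is not the PVID: the VLAN must be justified by another
        # criterion (IP subnet or protocol). This interpretation is an assumption.
        if vid in (self._subnet_vlan(frame), self._proto_vlan(frame)):
            return ("forward", vid)
        return ("drop", vid)

    def on_auth_success(self, mac: str, server_vlan: int) -> None:
        """Server issued a VLAN ID: create the MAC-to-VLAN entry and join the VLAN."""
        self.mac_to_vlan[mac.lower()] = server_vlan
        self.joined_vlans.add(server_vlan)

    def on_user_offline(self, mac: str) -> None:
        """User went offline: delete the entry and leave the VLAN if no other entry uses it (assumption)."""
        vlan = self.mac_to_vlan.pop(mac.lower(), None)
        if vlan is not None and vlan not in self.mac_to_vlan.values():
            self.joined_vlans.discard(vlan)


def demo() -> dict:
    """Run constructed frames through a port; keys name the case being exercised."""
    port = HybridPort(pvid=1, allowed_vlans={1, 10, 20, 30},
                      mac_to_vlan={"00:11:22:33:44:55": 10},
                      subnet_to_vlan={"192.168.20.0/24": 20},
                      proto_to_vlan={0x86DD: 30})
    results = {
        "static_untagged": port.process(Frame("00:11:22:33:44:55")),
        "static_wrong_tag": port.process(Frame("00:11:22:33:44:55", vlan_id=20)),
        "subnet_untagged": port.process(Frame("00:de:ad:be:ef:01", src_ip="192.168.20.5")),
        "fallback_pvid": port.process(Frame("00:de:ad:be:ef:02", src_ip="10.0.0.9")),
        "unknown_tagged": port.process(Frame("00:de:ad:be:ef:03", vlan_id=99)),
    }
    port.on_auth_success("aa:bb:cc:dd:ee:ff", 10)          # server-assigned entry
    results["server_assigned"] = port.process(Frame("aa:bb:cc:dd:ee:ff"))
    port.on_user_offline("aa:bb:cc:dd:ee:ff")              # entry deleted on logoff
    results["after_logoff"] = port.process(Frame("aa:bb:cc:dd:ee:ff"))
    strict = HybridPort(pvid=1, allowed_vlans={10})         # PVID not permitted on this port
    results["pvid_not_allowed"] = strict.process(Frame("00:de:ad:be:ef:04"))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} -> {outcome}")
```

The `after_logoff` case is the one worth watching from a defender's view: once the authenticated user's entry is gone, an untagged frame from that MAC no longer lands in the server-assigned VLAN but falls through the matching order to the PVID, so whether the PVID is permitted on the port decides whether such traffic is forwarded or dropped.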