Authorization VSI
An authorization VSI is associated with a VXLAN that has network resources inaccessible to unauthenticated users.
802.1X supports remote VSI authorization. If the VTEP does not receive authorization VSI information for an 802.1X user from the remote server, the user cannot access resources in any VXLAN after passing authentication. If the VTEP receives authorization VSI information for a user from the remote server, it handles the authorization VSIs on an 802.1X-enabled port as shown in Table 8.
Table 8: VSI manipulation
Port access control method | VSI manipulation |
---|---|
Port-based | The VTEP dynamically creates an Ethernet service instance according to the user's access port and VLAN, and it maps the AC to the authorization VSI. Subsequent users in the same VLAN can access resources in the VXLAN associated with the VSI without authentication. |
MAC-based | The VTEP dynamically creates an Ethernet service instance according to the user's access port, VLAN, and MAC address, and it then maps the AC to the authorization VSI. The user can then access resources in the VXLAN associated with the VSI. |
For information about dynamic creation of Ethernet service instances, see VXLAN Configuration Guide.
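
The following Python sketch is an added example, not vendor code. It models the AC match keys from Table 8 to show why port-based access control lets a second, unauthenticated host in the same VLAN reach the authorization VSI, while MAC-based access control does not. The `Vtep` class is a hypothetical simplification, and the port name, VLAN IDs, MAC addresses, and VSI name are constructed sample values.

```python
# Added illustration: a toy model of the Table 8 behaviour, not device code.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Frame:
    port: str
    vlan: int
    src_mac: str

@dataclass
class Vtep:
    method: str  # "port-based" or "mac-based" 802.1X access control on the port
    # AC table: match key -> authorization VSI. Key shape depends on the method.
    acs: dict = field(default_factory=dict)

    def _key(self, port, vlan, mac):
        # Port-based: the service instance matches port + VLAN only.
        # MAC-based: the service instance matches port + VLAN + source MAC.
        return (port, vlan) if self.method == "port-based" else (port, vlan, mac)

    def on_auth_success(self, port, vlan, mac, authz_vsi: Optional[str]):
        """Run after 802.1X succeeds; authz_vsi is what the remote server returned."""
        if authz_vsi is None:
            return None  # no authorization VSI: the user reaches no VXLAN
        key = self._key(port, vlan, mac)
        self.acs[key] = authz_vsi  # dynamically create the AC and map it to the VSI
        return key

    def vsi_for(self, frame: Frame) -> Optional[str]:
        """Return the VSI a frame is mapped to, or None if no AC matches."""
        return self.acs.get(self._key(frame.port, frame.vlan, frame.src_mac))

def demo(method):
    vtep = Vtep(method)
    # Constructed sample values (documentation MAC range, made-up port and VSI).
    vtep.on_auth_success("GE1/0/1", 10, "00:00:5e:00:53:01", "vsi-finance")
    authed = Frame("GE1/0/1", 10, "00:00:5e:00:53:01")
    other = Frame("GE1/0/1", 10, "00:00:5e:00:53:02")       # never authenticated
    other_vlan = Frame("GE1/0/1", 20, "00:00:5e:00:53:02")  # different VLAN
    return vtep.vsi_for(authed), vtep.vsi_for(other), vtep.vsi_for(other_vlan)

if __name__ == "__main__":
    for m in ("port-based", "mac-based"):
        print(m, demo(m))
```

When the port fronts a hub, an unmanaged switch, or an IP phone with a pass-through port, the port-based result is the one to weigh: every host behind it in that VLAN inherits the first user's authorization VSI.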