Authorization VSI

An authorization VSI is associated with a VXLAN that has network resources inaccessible to unauthenticated users.

802.1X supports remote VSI authorization. If the VTEP does not receive authorization VSI information for an 802.1X user from the remote server, the user cannot access resources in any VXLAN after passing authentication. If the VTEP receives authorization VSI information for a user from the remote server, it handles the authorization VSIs on an 802.1X-enabled port as shown in Table 8.

Table 8: VSI manipulation

| Port access control method | VSI manipulation |
|---|---|
| Port-based | The VTEP dynamically creates an Ethernet service instance according to the user's access port and VLAN, and it maps the AC to the authorization VSI. Subsequent users in the same VLAN can access resources in the VXLAN associated with the VSI without authentication. |
| MAC-based | The VTEP dynamically creates an Ethernet service instance according to the user's access port, VLAN, and MAC address, and it then maps the AC to the authorization VSI. The user can then access resources in the VXLAN associated with the VSI. |

For information about dynamic creation of Ethernet service instances, see VXLAN Configuration Guide.
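
The difference between the two access control methods comes down to the match criteria of the dynamically created Ethernet service instance. The following Python sketch is an added conceptual model, not vendor code or device configuration, and shows which frames reach the authorization VSI in each mode. The class and function names, interface name, MAC addresses, and VSI name are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    port: str      # access port the frame arrived on
    vlan: int
    src_mac: str


@dataclass
class VtepModel:
    """Hypothetical model of AC-to-VSI mapping on an 802.1X-enabled port."""
    method: str                                   # "port-based" or "mac-based"
    acs: Dict[Tuple, str] = field(default_factory=dict)

    def __post_init__(self):
        if self.method not in ("port-based", "mac-based"):
            raise ValueError(f"unknown access control method: {self.method}")

    def _match_key(self, f: Frame) -> Tuple:
        # Port-based: service instance matches port + VLAN only.
        # MAC-based: service instance matches port + VLAN + source MAC.
        if self.method == "port-based":
            return (f.port, f.vlan)
        return (f.port, f.vlan, f.src_mac)

    def on_auth_success(self, f: Frame, authorization_vsi: Optional[str]) -> bool:
        # No authorization VSI from the remote server: no AC is created,
        # so the authenticated user reaches no VXLAN.
        if authorization_vsi is None:
            return False
        self.acs[self._match_key(f)] = authorization_vsi
        return True

    def classify(self, f: Frame) -> Optional[str]:
        """Return the VSI a frame is forwarded into, or None if it matches no AC."""
        return self.acs.get(self._match_key(f))


def reachability(method: str, vsi: Optional[str] = "vsi-corp") -> Dict[str, Optional[str]]:
    """Authenticate one user, then classify frames from three constructed senders."""
    vtep = VtepModel(method)
    user = Frame("GE1/0/1", 10, "00:11:22:33:44:55")        # authenticated user
    same_vlan = Frame("GE1/0/1", 10, "66:77:88:99:aa:bb")   # never authenticated
    other_vlan = Frame("GE1/0/1", 20, "66:77:88:99:aa:bb")  # never authenticated
    vtep.on_auth_success(user, vsi)
    return {"user": vtep.classify(user),
            "same_vlan": vtep.classify(same_vlan),
            "other_vlan": vtep.classify(other_vlan)}
```

In the port-based result the unauthenticated sender in VLAN 10 is mapped to the same VSI as the authenticated user, which is the exposure to weigh when choosing port-based access control on a port shared by multiple devices.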