Configuring Policy-based VLAN Assignment
Context
Policy-based VLAN assignment allows plug-and-play of user terminals and provides secure data isolation for terminal users.
The switch provides policy-based VLAN assignment based either on MAC and IP addresses alone or on MAC and IP addresses together with interfaces.
To configure policy-based VLAN assignment, configure MAC and IP addresses or interfaces of terminals on the switch and associate MAC and IP addresses or interfaces with VLANs. Only terminals matching a policy can be added to a specific VLAN. If the IP or MAC address of a terminal added to a VLAN changes, the terminal exits the VLAN.
A switch that has policy-based VLAN assignment enabled processes only untagged frames, and treats tagged frames in the same manner as for VLANs configured based on ports.
When receiving an untagged frame, the switch determines the VLAN according to the policy matching both MAC and IP addresses of the frame, and transmits the frame in the VLAN.
Procedure
- Run:
system-view
The system view is displayed.
- Run:
vlan vlan-id
A VLAN is created and the VLAN view is displayed. If the specified VLAN has been created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. To create VLANs in a batch, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command, and then run the vlan vlan-id command to enter the view of a specified VLAN.
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
The vlan configuration command completes VLAN configurations when the VLAN has not been created.
- Run:
policy-vlan mac-address mac-address ip ip-address [ interface interface-type interface-number ] [ priority priority ]
Policy-based VLAN assignment is configured.
If interface interface-type interface-number is not specified, MAC-IP binding policies are applied to all interfaces in a specified VLAN.
The device supports a maximum of 512 policies.
- Run:
quit
Return to the system view.
- Configure attributes for the Ethernet interface.
Run:
interface interface-type interface-number
The view of the interface that allows the policy-based VLAN is displayed.
Run:
port link-type hybrid
The interface is configured as a hybrid interface.
Run:
port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is configured to allow the policy-based VLAN.
On access and trunk interfaces, policy-based VLAN assignment can be used only when the policy-based VLAN is the same as the PVID. It is recommended that policy-based VLAN assignment be configured on hybrid interfaces.
Policy-based VLAN assignment is invalid for packets with the VLAN ID of 0.
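The complete procedure above as one CLI session, added here as an illustration and not taken from the vendor documentation. The hostname HUAWEI, VLAN 10, the VLAN name, the MAC and IP addresses and the interface GigabitEthernet0/0/1 are constructed sample values; lines starting with # are explanatory comments, not commands.

```text
# Constructed sample values: VLAN 10 named "staff", two terminals,
# interface GigabitEthernet0/0/1, hostname HUAWEI.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] name staff
# Policy without an interface: the MAC-IP binding applies on all
# interfaces in VLAN 10.
[HUAWEI-vlan10] policy-vlan mac-address 00e0-fc12-3456 ip 10.1.1.10
# Policy with an interface: the terminal must present this MAC and IP
# on GigabitEthernet0/0/1 to be placed in VLAN 10.
[HUAWEI-vlan10] policy-vlan mac-address 00e0-fc12-3457 ip 10.1.1.11 interface gigabitethernet 0/0/1
[HUAWEI-vlan10] quit
# Hybrid interface that carries VLAN 10 untagged, as recommended for
# policy-based VLAN assignment.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 10
```

Binding a policy to an interface narrows where a given MAC and IP pair is accepted, which gives tighter isolation than a policy that applies on all interfaces in the VLAN.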