Dividing a LAN into VLANs Based on MAC Addresses
Context
A switch with MAC address-based VLAN assignment enabled cannot process protocol packets sent to the CPU, and using MAC address-based VLAN assignment in Layer 2 transparent transmission scenarios is recommended.
MAC address-based VLAN assignment is used when user locations do not need to be considered. This improves security and flexibility for terminal users.
VLANs configured based on MAC addresses process only untagged frames; tagged frames are treated in the same manner as in VLANs configured based on ports. When a port receives an untagged frame, it looks for a MAC-VLAN mapping that matches the source MAC address of the frame:
- If a mapping is found, the port forwards the frame based on the VLAN ID and priority value in the mapping.
- If no matching mapping is found, the port matches the frame with other matching rules.
Procedure
- Run system-view
The system view is displayed.
- (Optional) Run vlan assign global { vlan-id1 [ to vlan-id2 ] } &<1-5>
VLANs that can be globally assigned are specified.
After VLANs are assigned, the VLANs created using the vlan vlan-id command must be within the assignable VLAN range.
- (Optional) Run vlan reserved vlan-id
A reserved VLAN is configured.
By default, the reserved VLAN ID ranges from 4064 to 4094. After vlan-id is specified, the VLANs from vlan-id to vlan-id plus 30 are configured as reserved VLANs. CE12800E that has the ED-E/EG-E/EGA-E series cards installed does not support this step.
- Run vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094 (excluding reserved VLANs). To create VLANs in batches, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command, and then run the vlan vlan-id command to enter the view of a specified VLAN.
If VLANs are created in a batch, you are advised to create at most 400 VLANs at one time.
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
- Run mac-vlan mac-address mac-address
A MAC address is mapped to the VLAN.
The mac-address value is in H-H-H format. Each H is a hexadecimal number of one to four digits, such as 00e0 and fc01. If an H contains fewer than four digits, it is left-padded with 0s. For example, if you specify an H as e0, it is displayed as 00e0. A MAC address cannot be all 0s, all Fs, or a multicast address.
- Run quit
The system view is displayed.
- Configure attributes for Ethernet interfaces.
  - Run the interface interface-type interface-number command to enter the view of the interface.
  - Run the port link-type hybrid command to set the link type of the interface to hybrid.
    The interface where MAC address-based VLAN assignment is to be enabled is a hybrid interface.
    By default, the link type is access.
  - Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to configure the hybrid interface to allow frames with a specified VLAN ID to pass through.
- Run mac-vlan enable
MAC address-based VLAN assignment is enabled.
By default, MAC address-based VLAN assignment is disabled.
For CE12800E that has the FD-X series cards installed and CE12800, MAC address-based VLAN assignment cannot be used with port security or MAC address limiting on the same interface.
When MAC address-based assignment is configured on the CE-L48XS-FDA, CE-L48XS-FD, CE-L48XS-FG, CE-L16CQ-FD, CE-L08CF-FG1, CE-L48XS-FD1, CE-L24LQ-FD, CE-L36LQ-FD, CE-L12CQ-FD, CE-L36CQ-FG, CE-L36CQ-FD1, CE-L36CQ-SD, and CE-L36CQ-FD, running the mac-vlan enable or undo mac-vlan enable command may cause a few packets to be discarded. Exercise caution when you run this command.
- Run commit
The configuration is committed.
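The following Python script is an added example, not part of the vendor documentation. It turns a MAC-to-VLAN inventory into the command sequence of the procedure above, normalizing each address to the H-H-H format and rejecting all-0s, all-Fs, multicast, and reserved-VLAN entries before anything reaches the switch. The function names, the sample MAC addresses, the interface name 10GE1/0/1, and the one-MAC-one-VLAN policy are assumptions made for illustration.

```python
import re

RESERVED_DEFAULT = range(4064, 4095)  # default reserved VLAN IDs stated on this page


def to_hhh(mac: str) -> str:
    """Normalize a MAC address to the zero-padded H-H-H form and validate it."""
    if re.fullmatch(r"[0-9A-Fa-f]{1,4}(-[0-9A-Fa-f]{1,4}){2}", mac):
        # Already H-H-H: left-pad every group to four digits (e0 -> 00e0).
        digits = "".join(group.zfill(4) for group in mac.split("-"))
    else:
        # Colon-, dot- or hyphen-separated octets: drop the separators.
        digits = re.sub(r"[:.\-]", "", mac)
    digits = digits.lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if digits in ("0" * 12, "f" * 12):
        raise ValueError(f"all-0s or all-Fs MAC is not allowed: {mac!r}")
    if int(digits[:2], 16) & 1:  # I/G bit set means a multicast address
        raise ValueError(f"multicast MAC is not allowed: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def build_config(mapping, interface, reserved=RESERVED_DEFAULT):
    """Turn {vlan_id: [mac, ...]} into the command sequence of the procedure."""
    seen = {}
    lines = ["system-view"]
    for vlan in sorted(mapping):
        if not 1 <= vlan <= 4094 or vlan in reserved:
            raise ValueError(f"VLAN {vlan} is out of range or reserved")
        lines.append(f"vlan {vlan}")
        for mac in mapping[vlan]:
            hhh = to_hhh(mac)
            # Script policy (assumption): one MAC belongs to exactly one VLAN.
            if seen.setdefault(hhh, vlan) != vlan:
                raise ValueError(f"{hhh} listed under VLAN {seen[hhh]} and {vlan}")
            lines.append(f"mac-vlan mac-address {hhh}")
        lines.append("quit")
    lines += [f"interface {interface}", "port link-type hybrid"]
    lines += [f"port hybrid untagged vlan {vlan}" for vlan in sorted(mapping)]
    lines += ["mac-vlan enable", "commit"]
    return lines


# Constructed inventory: MACs and the interface name are sample values.
SAMPLE = {10: ["00:e0:fc:01:02:03", "e0-fc01-204"], 20: ["00e0.fc01.0305"]}

if __name__ == "__main__":
    print("\n".join(build_config(SAMPLE, "10GE1/0/1")))
```

If a non-default reserved range was set with vlan reserved vlan-id, pass it as the reserved argument so the check matches the device.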