Dell FCX624-E Laptop User Manual


528 PowerConnect B-Series FCX Configuration Guide
53-1002266-01
Dynamic MAC-based VLAN
15
Source MAC address authentication
Source MAC address authentication is performed by a central RADIUS server when it receives a
PAP request with a username and password that match the MAC address being authenticated.
When the MAC address is successfully authenticated, the server must return the VLAN identifier,
which is carried in the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes of
the RADIUS packets. If the Tunnel-Type is tagged, the MAC address will be blocked or restricted. If
the identified VLAN does not exist, then the authentication is considered a failure, and action is
taken based on the configured failure options. (The default failure action is to drop the traffic.) The
RADIUS server may also optionally return the QoS attribute for the authenticated MAC address.
Refer to Table 90 on page 533 for more information about attributes.
Policy-based classification and forwarding
Once the authentication stage is complete, incoming traffic is classified based on the response
from the RADIUS server. There are three possible actions:
- Incoming traffic from a specific source MAC is dropped because authentication failed
- Incoming traffic from a specific source MAC is classified as untagged into a specific VLAN
- Incoming traffic from a specific source MAC is classified as untagged into a restricted VLAN
Traffic classification is performed by programming incoming traffic and RADIUS-returned attributes
in the hardware. Incoming traffic attributes include the source MAC address and the port on which
the feature is enabled. The RADIUS-returned attributes are the VLAN into which the traffic is to be
classified, and the QoS priority.
NOTE
This feature drops any incoming tagged traffic on the port, and classifies and forwards untagged
traffic into the appropriate VLANs.
This feature supports up to a maximum of 32 MAC addresses per physical port, with a default of 2.
Once a client MAC address is successfully authenticated and registered, the MAC-to-VLAN
association remains until the port connection is dropped, or the MAC entry expires.
MAC-based VLAN and port up or down events
When the state of a port is changed to down, all authorized and unauthorized MAC addresses are
removed from the MAC-to-VLAN mapping table, and any pending authentication requests are cancelled.
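The following Python model is an added example, not code from the guide or the switch firmware. It walks the authentication result, the untagged-only classification rule and the port-down flush through one MAC-to-VLAN table so a RADIUS policy can be checked against the expected outcome. The class and field names, the boolean `tagged` flag, the "pending" state for unknown MACs and the choice of "restricted" as the only alternative failure action are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RadiusReply:                 # constructed stand-in for the server's answer
    accepted: bool                 # Access-Accept (True) or Access-Reject (False)
    vlan_id: Optional[int] = None  # value carried in Tunnel-Private-Group-ID
    tagged: bool = False           # assumption: reply marks the VLAN as tagged
    qos: Optional[int] = None      # optional QoS priority

@dataclass
class Port:
    existing_vlans: set
    restricted_vlan: int
    failure_action: str = "drop"   # default failure action per the guide
    table: dict = field(default_factory=dict)  # MAC -> (action, vlan, qos)

    def _fail(self, mac):
        # Assumption: the only alternative to "drop" is the restricted VLAN.
        if self.failure_action == "restricted":
            entry = ("restricted", self.restricted_vlan, None)
        else:
            entry = ("drop", None, None)
        self.table[mac] = entry    # unauthorized MACs are tracked too
        return entry

    def on_radius_reply(self, mac, reply):
        # A reject, a tagged Tunnel-Type, or a VLAN that does not exist all fail.
        if (not reply.accepted or reply.tagged
                or reply.vlan_id not in self.existing_vlans):
            return self._fail(mac)
        self.table[mac] = ("forward", reply.vlan_id, reply.qos)
        return self.table[mac]

    def on_frame(self, mac, frame_is_tagged):
        if frame_is_tagged:        # tagged ingress traffic is always dropped
            return ("drop", None, None)
        # Assumption: an unknown source MAC is still awaiting authentication.
        return self.table.get(mac, ("pending", None, None))

    def on_link_down(self):
        self.table.clear()         # authorized and unauthorized entries removed

def demo():
    p = Port(existing_vlans={10, 20}, restricted_vlan=999)
    mac = "0000.5e00.5301"         # constructed sample address
    return [
        p.on_radius_reply(mac, RadiusReply(True, vlan_id=10, qos=3)),
        p.on_frame(mac, frame_is_tagged=False),
        p.on_frame(mac, frame_is_tagged=True),
        p.on_radius_reply(mac, RadiusReply(True, vlan_id=30)),  # VLAN 30 absent
    ]
```
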
Dynamic MAC-based VLAN
When enabled, this feature allows the dynamic addition of mac-vlan-permit ports to the VLAN table
only after successful RADIUS authentication. Ports that fail RADIUS authentication are not added to
the VLAN table.