7/23/2019 MAC-based VLAN HP
Hangzhou H3C Technologies Co., Ltd.
MAC-Based VLAN Technology White Paper
Keywords: MAC-based VLAN, 802.1X, MAC address authentication
Abstract: As a way of grouping VLAN members, MAC address-based VLAN (MAC-based VLAN) decides
the VLAN in which an untagged frame is forwarded from the source MAC address of the frame. This
document describes how MAC-based VLAN works and the technical characteristics of MAC-based
VLAN.
Acronyms:
MAC-based VLAN (MAC address-based VLAN): A MAC address-based VLAN decides the VLAN in which an
untagged frame is forwarded from the source MAC address of the frame.
802.1X (802.1X): A port-based network access control protocol. 802.1X performs port-level
authentication and control of devices connected to 802.1X-enabled LAN ports. With 802.1X
employed, a user-side device can access the LAN only after it passes authentication; devices that
fail authentication are denied access to the LAN.
Table of Contents
Overview
  Background
  Benefits
MAC-Based VLAN Implementation
Application Scenarios
  Static MAC-Based VLAN Configuration Example
    Network Diagram
    Application Scenario
  Dynamic MAC-Based VLAN Configuration Example
    Network Diagram
    Application Scenario
Overview
Background
The most common way of grouping VLAN members is by port, hence the name port-based VLAN.
Typically, the device adds the same VLAN tag to all untagged frames received on a given port, and
those frames are then forwarded within that VLAN. Port-based VLAN is easy to configure and suits
networks where terminal devices stay in fixed locations. As mobile offices and wireless access
become more common, however, the port a terminal uses to reach the network is often not fixed: a
device may connect through Port A today and through Port B tomorrow. If Port A and Port B belong
to different VLANs, the device lands in a different VLAN on its second connection and can no longer
reach the resources in its original VLAN. If, on the other hand, Port A and Port B belong to the same
VLAN, every terminal connecting through Port B gets the same access as those connecting through
Port A, which raises security issues: the VLAN is decided by where a device plugs in, not by which
device it is. MAC-based VLAN was developed to provide user access while preserving data security
at the same time.
MAC-based VLANs group VLAN members by MAC address. With MAC-based VLAN configured, the
device adds a VLAN tag to an untagged frame according to its source MAC address. MAC-based
VLANs are mostly used in conjunction with security technologies such as 802.1X to provide secure,
flexible network access for terminal devices.
Benefits
MAC-based VLAN delivers the following benefits:
Precise access control: By binding each terminal to a VLAN, MAC-based VLAN ensures that traffic
sent by a particular terminal device is forwarded in a particular VLAN.
Flexible access control: With MAC-based VLAN configured, the device assigns a terminal to the
same VLAN whenever it accesses the network, whichever port it uses at the time, and assigns
different VLANs to different terminals that access the network through the same port.
MAC-Based VLAN Implementation
The device groups VLAN members by MAC address as follows: when it receives an untagged frame, it
searches the list of MAC-to-VLAN mappings using the frame's source MAC address as the key. If a
match is found, the frame is forwarded in the corresponding VLAN.
Two methods of creating MAC-to-VLAN mappings are available: static and dynamic.
Static configuration
At the CLI, you associate MAC addresses with VLANs by running a command, and the system
generates the corresponding MAC-to-VLAN mappings. If the command specifies an all-ones mask, the
system associates a single MAC address with the VLAN; if it specifies a mask whose high-order bits
are consecutive 1s and whose low-order bits are 0s, the system associates a group of MAC
addresses with the VLAN. The latter form is typically used to assign all devices of a particular
vendor (that is, all MAC addresses sharing the vendor's OUI) to the same VLAN.
Static configuration of MAC-to-VLAN mappings is easy to implement because it involves only the
access devices. However, every port that a terminal might use to access the network must be
configured to permit that terminal's MAC-based VLAN, so the configuration workload is heavy. Note
also that a static mapping identifies a terminal solely by the source MAC address the terminal itself
presents; it separates traffic but does not authenticate the sender, which is one reason MAC-based
VLAN is normally combined with 802.1X or MAC address authentication, as described next.
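As an added example (not code from the white paper or from H3C), the following Python models the lookup described under "MAC-Based VLAN Implementation" together with the two static mask forms just described: an all-ones mask pins a single MAC address, a high-order prefix mask covers a vendor range. The MAC addresses, the OUI 00:11:22, the frames, the tie-break toward the longer mask when both entry types match, and the fall-back to the port's own VLAN when nothing matches are all constructed assumptions; the paper does not specify the last two.

```python
"""Source-MAC to VLAN classification for untagged frames (added example)."""
from dataclasses import dataclass
from typing import List, Optional

MAC_BITS = 48
MAC_MAX = (1 << MAC_BITS) - 1
ETH_P_8021Q = 0x8100


def parse_mac(text: str) -> int:
    """'00:11:22:33:44:55', '00-11-22-33-44-55' or '0011-2233-4455' -> 48-bit integer."""
    digits = text.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


def prefix_mask(bits: int) -> int:
    """Mask whose high-order `bits` bits are 1: 48 -> single MAC (all ones), 24 -> vendor OUI."""
    if not 0 < bits <= MAC_BITS:
        raise ValueError("mask length must be 1..48")
    return (MAC_MAX >> (MAC_BITS - bits)) << (MAC_BITS - bits)


def is_prefix_mask(mask: int) -> bool:
    """True for consecutive 1s followed by consecutive 0s, the only mask shape the paper allows."""
    inverted = ~mask & MAC_MAX
    return inverted & (inverted + 1) == 0


@dataclass(frozen=True)
class MacVlanEntry:
    mac: int
    mask: int
    vlan: int

    def __post_init__(self) -> None:
        if not is_prefix_mask(self.mask):
            raise ValueError(f"mask {self.mask:012x} is neither all-ones nor a high-order prefix")
        if not 1 <= self.vlan <= 4094:
            raise ValueError(f"invalid VLAN ID {self.vlan}")

    def matches(self, src_mac: int) -> bool:
        return (src_mac & self.mask) == (self.mac & self.mask)


class MacVlanTable:
    """The device's list of MAC-to-VLAN mappings."""

    def __init__(self) -> None:
        self.entries: List[MacVlanEntry] = []

    def add(self, mac: str, mask_bits: int, vlan: int) -> None:
        self.entries.append(MacVlanEntry(parse_mac(mac), prefix_mask(mask_bits), vlan))

    def lookup(self, src_mac: int) -> Optional[int]:
        # Assumption: if a single-MAC entry and a vendor-range entry both match, the longer mask wins.
        best = None
        for e in self.entries:
            if e.matches(src_mac) and (best is None or e.mask > best.mask):
                best = e
        return best.vlan if best else None


def classify_frame(frame: bytes, table: MacVlanTable, port_pvid: int) -> int:
    """VLAN in which the device forwards `frame`, received on a port whose own VLAN is `port_pvid`."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if int.from_bytes(frame[12:14], "big") == ETH_P_8021Q:
        # Already tagged: MAC-based VLAN applies to untagged frames only, so honour the 12-bit VID.
        return int.from_bytes(frame[14:16], "big") & 0x0FFF
    vlan = table.lookup(int.from_bytes(frame[6:12], "big"))
    # Assumption: on a miss the frame falls back to the port's own VLAN (the paper is silent here).
    return vlan if vlan is not None else port_pvid


def build_frame(dst: str, src: str, vlan: Optional[int] = None) -> bytes:
    """Constructed minimal Ethernet frame (IPv4 ethertype, zero payload), optionally 802.1Q tagged."""
    head = parse_mac(dst).to_bytes(6, "big") + parse_mac(src).to_bytes(6, "big")
    if vlan is not None:
        head += ETH_P_8021Q.to_bytes(2, "big") + (vlan & 0x0FFF).to_bytes(2, "big")
    return head + (0x0800).to_bytes(2, "big") + bytes(46)


def demo() -> dict:
    """Constructed table: Host A pinned to VLAN 2, a whole (made-up) vendor OUI to VLAN 3."""
    table = MacVlanTable()
    table.add("00:11:22:33:44:55", 48, 2)  # all-ones mask: exactly one MAC
    table.add("00:11:22:00:00:00", 24, 3)  # 24-bit mask: every device with OUI 00:11:22
    bcast = "ff:ff:ff:ff:ff:ff"
    return {
        "host_a": classify_frame(build_frame(bcast, "00:11:22:33:44:55"), table, 1),
        "vendor": classify_frame(build_frame(bcast, "00:11:22:aa:bb:cc"), table, 1),
        "unknown": classify_frame(build_frame(bcast, "08:00:27:12:34:56"), table, 1),
        "tagged": classify_frame(build_frame(bcast, "00:11:22:33:44:55", vlan=10), table, 1),
    }


if __name__ == "__main__":
    print(demo())
```

Host A matches both entries and lands in VLAN 2 because its all-ones entry is more specific; any other 00:11:22 device lands in VLAN 3; a MAC with no entry falls back to the port VLAN; a frame that already carries an 802.1Q tag is left in its tagged VLAN, since the paper restricts MAC-based classification to untagged frames.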
Dynamic configuration
In this mode, you configure both MAC-based VLANs and MAC-based access authentication (MAC
address authentication or MAC-based 802.1X authentication). When a user comes online, the
authentication server issues VLAN information during the authentication exchange; based on that
information, the device automatically generates a MAC-to-VLAN mapping entry and adds the
MAC-based VLAN to the permitted untagged VLAN list of the access port. When the user goes
offline, the device automatically removes the MAC-to-VLAN mapping entry and removes the
MAC-based VLAN from the untagged VLAN list of the access port.
This mode makes MAC-based VLAN configuration on large networks much easier: the device
identifies MAC addresses, creates MAC-to-VLAN mappings and permits the resulting VLANs on the
access ports without per-port manual configuration. It does, however, depend on remote MAC-based
AAA authentication, so an AAA server that can issue VLAN information must be deployed in the
network.
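The dynamic lifecycle above, as an added example that is not part of the white paper or of H3C's code. It assumes the authentication server conveys the VLAN the way RFC 3580 specifies for 802.1X with RADIUS (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN ID in an Access-Accept); the paper itself says only "VLAN information". The port names, MAC addresses, the handling of an Access-Accept that carries no VLAN, and the per-port user count that keeps a VLAN permitted while another authenticated user on the same port still needs it are likewise assumptions of this example.

```python
"""Dynamic MAC-to-VLAN mappings driven by authentication results (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# RADIUS attributes carrying a VLAN in an Access-Accept (RFC 2868 numbers, RFC 3580 usage).
# Assumption: the paper only says the server "issues VLAN information".
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def tagged_int(value: bytes) -> Optional[int]:
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet followed by a 3-octet integer."""
    return int.from_bytes(value[1:], "big") if len(value) == 4 else None


def tagged_string(value: bytes) -> bytes:
    """Tunnel-Private-Group-ID: the first octet is a tag only if it is 0x00..0x1F (RFC 2868)."""
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_from_access_accept(attrs: Dict[int, bytes]) -> Optional[int]:
    """VLAN ID issued by the server, or None when the Access-Accept carries no usable VLAN."""
    if not {ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID} <= attrs.keys():
        return None
    if tagged_int(attrs[ATTR_TUNNEL_TYPE]) != TUNNEL_TYPE_VLAN:
        return None
    if tagged_int(attrs[ATTR_TUNNEL_MEDIUM_TYPE]) != TUNNEL_MEDIUM_IEEE802:
        return None
    group = tagged_string(attrs[ATTR_TUNNEL_PRIVATE_GROUP_ID]).decode("ascii", "ignore")
    if not group.isdigit():
        return None  # a VLAN name would need a local name-to-ID lookup; not modelled here
    vlan = int(group)
    return vlan if 1 <= vlan <= 4094 else None


@dataclass
class Port:
    name: str
    untagged_vlans: Set[int] = field(default_factory=set)  # "permitted untagged VLAN list"
    # Assumption: users per VLAN, so one logoff does not strip a VLAN another user still needs.
    users_per_vlan: Dict[int, int] = field(default_factory=dict)


@dataclass
class Session:
    mac: str
    port: str
    vlan: int


class DynamicMacVlan:
    """Device-side state: the MAC-to-VLAN table plus each access port's untagged VLAN list."""

    def __init__(self, port_names: Iterable[str]) -> None:
        self.ports = {n: Port(n) for n in port_names}
        self.mac_to_vlan: Dict[str, int] = {}
        self.sessions: Dict[str, Session] = {}

    def on_auth_success(self, mac: str, port: str, accept_attrs: Dict[int, bytes]) -> Optional[int]:
        """User came online on `port`: build the mapping from the server-issued VLAN."""
        if mac in self.sessions:  # re-authentication, e.g. after roaming: drop the old entry first
            self.on_user_offline(mac)
        vlan = vlan_from_access_accept(accept_attrs)
        if vlan is None:
            return None  # authenticated but no VLAN issued: no MAC-to-VLAN entry is generated
        p = self.ports[port]
        self.mac_to_vlan[mac] = vlan
        self.sessions[mac] = Session(mac, port, vlan)
        p.users_per_vlan[vlan] = p.users_per_vlan.get(vlan, 0) + 1
        p.untagged_vlans.add(vlan)
        return vlan

    def on_user_offline(self, mac: str) -> None:
        """User went offline: remove the mapping and, once unused, the VLAN from the port."""
        s = self.sessions.pop(mac, None)
        if s is None:
            return
        del self.mac_to_vlan[mac]
        p = self.ports[s.port]
        p.users_per_vlan[s.vlan] -= 1
        if p.users_per_vlan[s.vlan] == 0:
            del p.users_per_vlan[s.vlan]
            p.untagged_vlans.discard(s.vlan)


def accept_with_vlan(vlan: int) -> Dict[int, bytes]:
    """Constructed Access-Accept attributes carrying `vlan` with tag 0, as RFC 3580 describes."""
    return {
        ATTR_TUNNEL_TYPE: b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"),
        ATTR_TUNNEL_MEDIUM_TYPE: b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"),
        ATTR_TUNNEL_PRIVATE_GROUP_ID: b"\x00" + str(vlan).encode("ascii"),
    }


def demo() -> dict:
    """Walk the paper's scenario with constructed MAC addresses and port names."""
    sw = DynamicMacVlan(["GE1/0/1", "GE1/0/2"])
    host_a, host_d, host_x = "00:11:22:33:44:55", "00:11:22:66:77:88", "00:11:22:99:99:99"
    sw.on_auth_success(host_a, "GE1/0/1", accept_with_vlan(2))  # sales -> VLAN 2
    sw.on_auth_success(host_d, "GE1/0/1", accept_with_vlan(3))  # support -> VLAN 3
    sw.on_auth_success(host_x, "GE1/0/1", accept_with_vlan(2))  # second VLAN 2 user, same port
    sw.on_user_offline(host_a)
    port1_after = sorted(sw.ports["GE1/0/1"].untagged_vlans)  # VLAN 2 must survive for host_x
    sw.on_auth_success(host_a, "GE1/0/2", accept_with_vlan(2))  # Host A roams to another port
    no_vlan = sw.on_auth_success("00:aa:bb:cc:dd:ee", "GE1/0/2", {})  # accepted, no VLAN attributes
    return {
        "port1_after_a_off": port1_after,
        "a_vlan": sw.mac_to_vlan[host_a],
        "port2": sorted(sw.ports["GE1/0/2"].untagged_vlans),
        "no_vlan": no_vlan,
        "mapped": sorted(sw.mac_to_vlan),
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice. First, the tag octet: Tunnel-Type and Tunnel-Medium-Type always carry it, while Tunnel-Private-Group-ID carries it only when the first octet is 0x1F or below, so a server that sends "2" with no tag and one that sends "\x002" must both yield VLAN 2. Second, the paper says the VLAN is removed from the port when the user goes offline; with several users in the same VLAN on one port (a wireless uplink, for instance) that removal has to wait until the last of them has left, which is what the per-port count implements.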
Application Scenarios
Static MAC-Based VLAN Configuration Example
Network Diagram
Figure 1 Network diagram for static MAC-based VLAN configuration
Application Scenario
To ensure communication security and to confine broadcast traffic, a company assigns different
VLANs to different departments. The sales department is in Room 1002 and all its assets belong to
VLAN 2; the technical support department is in Room 1003 and all its assets belong to VLAN 3.
Because some employees move around, the company opens a temporary office in the meeting room,
where employees access the company network wirelessly. Each employee must still be able to reach
only the VLAN assigned to their own department: for example, from the meeting room Host A can
access only VLAN 2 and Host D only VLAN 3.
In Room 1002 and Room 1003, where employees rarely move, port-based VLANs group them. In the
meeting room, where employees are highly mobile and the access ports are not fixed, MAC-based
VLANs associate the employees' MAC addresses with the VLANs assigned to their departments.
Employees are thus placed in their department VLANs automatically every time they access the
network, regardless of the access port, and the network configuration does not need to change.
Dynamic MAC-Based VLAN Configuration Example
Network Diagram
Figure 2 Network diagram for dynamic MAC-based VLAN configuration
Application Scenario
Users access the network through wireless access points AP 1 through AP n. By configuring both
MAC-based VLANs and MAC-based 802.1X authentication, you achieve two things:
User access authentication, which prevents unauthorized users from accessing network resources.
One VLAN per user, which isolates the broadcast traffic of different users from one another and
protects user data.
Copyright 2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
The information in this document is subject to change without notice.