HP MAC-based VLAN


7/23/2019 HP MAC-based VLAN

MAC-Based VLAN Technology White Paper

Hangzhou H3C Technologies Co., Ltd.

Keywords: MAC-based VLAN, 802.1X, MAC address authentication

Abstract: As a way of grouping VLAN members, MAC address-based VLAN (MAC-based VLAN) decides the VLAN for forwarding an untagged frame based on the source MAC address of the frame. This document describes how MAC-based VLAN works and the technical characteristics of MAC-based VLAN.

Acronyms:

Acronym: MAC-based VLAN
Full spelling: MAC address-based VLAN
Description: MAC address-based VLAN decides the VLAN for forwarding an untagged frame based on the source MAC address of the frame.

Acronym: 802.1X
Full spelling: 802.1X
Description: As a port-based network access control protocol, 802.1X is used to perform port-level authentication and control of devices connected to the 802.1X-enabled LAN ports. With the 802.1X protocol employed, a user-side device can access the LAN only after it passes the authentication. Devices that fail to pass the authentication are denied access to the LAN.


Table of Contents

Overview
    Background
    Benefits
    MAC-Based VLAN Implementation
Application Scenarios
    Static MAC-Based VLAN Configuration Example
        Network Diagram
        Application Scenario
    Dynamic MAC-Based VLAN Configuration Example
        Network Diagram
        Application Scenario
References


Overview

Background

The most common way of grouping VLAN members is by port, hence the name port-based VLAN. Typically, the device adds the same VLAN tag to untagged packets that are received through the same port, and these packets are then forwarded in the same VLAN. Port-based VLAN is easy to configure and applies to networks where the locations of terminal devices are relatively fixed. As mobile office and wireless network access gain more popularity, the ports that terminal devices use to access the network are very often non-fixed. A device may access a network through Port A this time, but through Port B the next time. If Port A and Port B belong to different VLANs, the device will be assigned to a different VLAN the next time it accesses the network and, as a result, will not be able to use the resources in the old VLAN. On the other hand, if Port A and Port B belong to the same VLAN, terminal devices that access the network through Port B will have access to the same resources as those accessing the network through Port A, which raises security issues. MAC-based VLAN technology was developed to provide user access while ensuring data security at the same time.

MAC-based VLANs group VLAN members by MAC address. With MAC-based VLAN configured, the device adds a VLAN tag to an untagged frame according to its source MAC address. MAC-based VLANs are mostly used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices.

Benefits

MAC-based VLAN delivers the following benefits:

Precise access control: By bundling terminals with VLANs, MAC-based VLAN enables traffic sent by a particular terminal device to be forwarded in a particular VLAN.

Flexible access control: With MAC-based VLAN configured, the device assigns a terminal to the same VLAN when the terminal accesses the network through different ports at different times, and assigns different VLANs to different terminals that access the network through the same port.

MAC-Based VLAN Implementation

The procedure of grouping VLAN members by MAC address is as follows: when receiving an untagged frame, the device looks up the list of MAC-to-VLAN mappings for a match, using the source MAC address of the frame as the key. If a match is found, the system forwards the frame in the corresponding VLAN.

Two methods of creating MAC-to-VLAN mappings are available: static and dynamic.


Static configuration

At the CLI, you can associate MAC addresses with VLANs by running a certain command, and the system will generate the corresponding MAC-to-VLAN mappings. When manually associating MAC addresses with a VLAN by running a command, if you specify an all-ones mask, the system associates a single MAC address with the VLAN; if you specify a mask whose higher-order bits are consecutive 1s and whose lower-order bits are 0s, the system associates a group of MAC addresses with the VLAN. The latter method is typically used to assign all devices of a particular vendor to the same VLAN.

Static configuration of MAC-to-VLAN mappings is easy to implement, because it involves only the access devices. However, in static configuration mode, you need to configure each individual port that terminals may use to access the network to permit the MAC-based VLANs of those terminals, so the configuration workload is very heavy.

Dynamic configuration

In this mode, you need to configure both MAC-based VLANs and MAC-based access authentication (MAC address authentication or MAC-based 802.1X authentication). When a user goes online, the authentication server issues VLAN information during the authentication packet exchange; based on that VLAN information, the device automatically generates a MAC-to-VLAN mapping entry and adds the MAC-based VLAN to the permitted untagged VLAN list of the accessing port. When the user goes offline, the system automatically removes the corresponding MAC-to-VLAN mapping entry and removes the MAC-based VLAN from the untagged VLAN list of the accessing port.

This mode makes MAC-based VLAN configuration on large-scale networks much easier. It can automatically identify MAC addresses, create MAC-to-VLAN mappings, and instruct accessing ports to permit the configured MAC-based VLANs. However, it requires the cooperation of MAC-based remote AAA authentication: you need to deploy an AAA authentication server that can issue VLAN information in the network.
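As an added illustration (not code from the H3C white paper), the following Python model walks through the lookup described in the implementation, static and dynamic sections above: prefix masks for static entries, entries learned from the AAA server on login and torn down on logoff, and the per-port untagged VLAN check. MAC addresses, masks, port names and VLAN IDs are constructed sample values; when no permitted MAC-based VLAN matches, the model returns None and leaves ordinary port-based handling, which the paper does not describe, out of scope.

```python
# Added example (not the white paper's code). MACs, masks, ports and VLANs are constructed.
MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit address space

def mac_to_int(mac: str) -> int:
    """Parse 'aa-bb-cc-dd-ee-ff', 'aabb-ccdd-eeff' or colon-separated text to an int."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)

def valid_mask(mask: int) -> bool:
    """Static masks must be consecutive high-order 1s followed by 0s (all-ones included)."""
    if not 0 < mask <= MAC_BITS:
        return False
    low_zeros = ~mask & MAC_BITS             # the trailing zero run, as 1s...
    return low_zeros & (low_zeros + 1) == 0  # ...which must be contiguous from bit 0

class MacVlanSwitch:
    def __init__(self):
        self.static = []    # (masked MAC, mask, VLAN) entries configured at the CLI
        self.dynamic = {}   # MAC -> (VLAN, port) entries issued by the AAA server
        self.untagged = {}  # port -> set of VLAN IDs permitted as untagged

    def add_static(self, mac: str, mask: int, vlan: int) -> None:
        if not valid_mask(mask):
            raise ValueError(f"mask {mask:012x} is not a prefix mask")
        self.static.append((mac_to_int(mac) & mask, mask, vlan))

    def permit_untagged(self, port: str, vlan: int) -> None:
        self.untagged.setdefault(port, set()).add(vlan)

    def user_online(self, mac: str, port: str, vlan: int) -> None:
        """Dynamic mode: authentication succeeded and the server issued `vlan`."""
        self.dynamic[mac_to_int(mac)] = (vlan, port)
        self.permit_untagged(port, vlan)

    def user_offline(self, mac: str) -> None:
        """Dynamic mode: remove the mapping and the port's untagged permission."""
        vlan, port = self.dynamic.pop(mac_to_int(mac))
        self.untagged.get(port, set()).discard(vlan)

    def classify(self, port: str, src_mac: str):
        """VLAN for an untagged frame, or None when no permitted MAC-based VLAN matches."""
        key = mac_to_int(src_mac)
        vlan = self.dynamic.get(key, (None, None))[0]
        if vlan is None:  # most specific static entry (longest mask) wins
            for base, mask, v in sorted(self.static, key=lambda e: e[1], reverse=True):
                if key & mask == base:
                    vlan = v
                    break
        # Static mode needs the port to permit the VLAN; dynamic mode added it on login.
        return vlan if vlan in self.untagged.get(port, set()) else None
```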


Application Scenarios

Static MAC-Based VLAN Configuration Example

Network Diagram

Figure 1 Network diagram for static MAC-based VLAN configuration

Application Scenario

To ensure communication security and isolate broadcast packets, a company assigns different VLANs to different departments. The office of the sales department is in Room 1002, and all the assets of the department belong to VLAN 2; the office of the technical support department is in Room 1003, and all the assets of the department belong to VLAN 3. Because some employees move between locations, the company opens a temporary office in the meeting room, where employees can access the company network wirelessly. However, each employee must be able to access only the VLAN assigned to their own department. For example, from the meeting room Host A can access only VLAN 2 and Host D can access only VLAN 3.

In Room 1002 and Room 1003, because the employees rarely move, port-based VLANs are configured to group them. In the meeting room, because the employees are highly mobile and the accessing ports are non-fixed, MAC-based VLANs are configured to associate the employees' MAC addresses with the VLANs assigned to their departments. In this way, the employees are automatically assigned to their department VLANs every time they access the network, regardless of the accessing ports, and the network configuration does not need to be altered.


Dynamic MAC-Based VLAN Configuration Example

Network Diagram

Figure 2 Network diagram for dynamic MAC-based VLAN configuration

Application Scenario

Users access the network via wireless access points AP 1 through AP n. By configuring both MAC-based VLANs and MAC-based 802.1X authentication, you can easily achieve the following purposes:

User access authentication, which prevents illegal users from accessing the network resources.

One VLAN per user, which isolates broadcast packets of different users and protects user information.

References

MAC-Based VLAN Configuration Examples

Copyright 2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.