Configuring Policy-based VLAN Assignment

Context

Policy-based VLAN assignment allows plug-and-play of user terminals and provides secure data isolation for terminal users.

The switch supports two forms of policy-based VLAN assignment: one based on MAC and IP addresses only, and one based on MAC and IP addresses together with the interface.

Policy-based VLAN assignment uses a policy to bind a terminal's MAC address and IP address, and optionally its interface, to a specific VLAN. If the IP address or MAC address of a terminal that has been added to a VLAN changes, the terminal is removed from the VLAN.

A switch that has policy-based VLAN assignment enabled applies the policy only to untagged frames and treats tagged frames in the same manner as in port-based VLAN assignment.

When receiving an untagged frame, the switch determines the VLAN according to the policy matching both MAC and IP addresses of the frame, and then transmits the frame in the VLAN.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run vlan vlan-id

    A VLAN is created and the VLAN view is displayed. If the specified VLAN has been created, the VLAN view is directly displayed.

    The VLAN ID is in the range from 1 to 4094. If VLANs need to be created in a batch, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command. Then run the vlan vlan-id command to enter the view of a specified VLAN.

    The vlan configuration command lets you complete VLAN configurations before the VLAN is created. It only enters the VLAN configuration view; neither the corresponding VLAN nor the configurations in the VLAN take effect. To make the configurations in the VLAN take effect, create the VLAN using the vlan command.

  3. Run policy-vlan mac-address mac-address ip ip-address [ interface interface-type interface-number ] [ priority priority ]

    Policy-based VLAN assignment is configured.

    If interface interface-type interface-number is not specified, MAC-IP binding policies are applied to all interfaces in a specified VLAN.

  4. Run quit

    Return to the system view.

  5. Configure attributes for the Ethernet interface.

    1. Run interface interface-type interface-number

      The view of the interface that allows the policy-based VLAN is displayed.

    2. Run port link-type hybrid

      The interface is configured as a hybrid interface.

    3. Run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

      The hybrid interface is configured to allow the policy-based VLAN.

      On access and trunk interfaces, policy-based VLAN assignment can be used only when the policy-based VLAN is the same as the PVID. It is recommended that policy-based VLAN assignment be configured on hybrid interfaces.

    Policy-based VLAN assignment is invalid for packets with the VLAN ID of 0.

    On the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, and S5720-SI, when the ip error-packet-check disable command is used to disable IP packet check, IP subnet-based VLAN assignment and policy-based VLAN assignment do not take effect.
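
The following Python model is an added example, not Huawei code or switch output. It walks an ingress frame through the rules stated above: only untagged frames are matched, MAC and IP must match together, a policy may be bound to one interface, and the interface must allow the policy-based VLAN. The class and function names, the sample addresses, and the fallback to the PVID for unmatched frames and for frames with VLAN ID 0 are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:                      # one policy-vlan entry in a VLAN view
    vlan: int
    mac: str
    ip: str
    interface: Optional[str] = None  # None: every interface in the VLAN

@dataclass(frozen=True)
class Port:
    name: str
    pvid: int
    untagged: frozenset            # VLANs from "port hybrid untagged vlan"

@dataclass(frozen=True)
class Frame:
    mac: str
    ip: str
    tag: Optional[int] = None      # None: untagged, 0: VLAN ID 0

def norm(mac: str) -> str:
    return mac.lower().replace("-", "").replace(":", "")

def classify(frame: Frame, port: Port, policies: list) -> int:
    """Return the VLAN a frame is placed in on ingress (simplified model)."""
    if frame.tag:                  # tagged, VLAN ID 1-4094: policy not consulted
        return frame.tag
    if frame.tag == 0:             # VLAN ID 0: policy-based assignment is invalid
        return port.pvid           # assumption: handled like the port default
    for p in policies:
        if norm(p.mac) != norm(frame.mac) or p.ip != frame.ip:
            continue               # MAC and IP must match together
        if p.interface not in (None, port.name):
            continue               # policy bound to a different interface
        if p.vlan in port.untagged:
            return p.vlan          # interface allows the policy-based VLAN
    return port.pvid               # assumption: no other assignment method set

# Constructed sample data (not from the page)
POLICIES = [
    Policy(10, "0200-0000-0001", "10.1.1.10"),
    Policy(20, "0200-0000-0002", "10.1.2.20", interface="GE0/0/2"),
]
GE1 = Port("GE0/0/1", pvid=1, untagged=frozenset({1, 10, 20}))
GE2 = Port("GE0/0/2", pvid=1, untagged=frozenset({1, 10, 20}))
GE3 = Port("GE0/0/3", pvid=1, untagged=frozenset({1}))
```

In this model, a terminal whose IP address changes no longer matches its policy and lands in the PVID, and a policy bound to GE0/0/2 has no effect on frames arriving on GE0/0/1.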

Verifying the Configuration

  • Run the display policy-vlan { all | vlan vlan-id } command in any view to check the configuration of policy-based VLAN assignment.
  • Run the display vlan command in any view to check information about VLANs.
Copyright © Huawei Technologies Co., Ltd.