policy-vlan

Function

The policy-vlan command configures policy-based VLAN assignment by associating a MAC address and IP address binding policy to a VLAN and setting the 802.1p priority of the VLAN.

The undo policy-vlan command disassociates a MAC address and IP address binding policy from a VLAN.

By default, a VLAN is not associated with any MAC address and IP address binding policy.

Format

policy-vlan mac-address mac-address ip ip-address [ interface interface-type interface-number ] [ priority priority ]

undo policy-vlan { all | mac-address mac-address ip ip-address [ interface interface-type interface-number ] }

Parameters

Parameter	Description	Value
mac-address mac-address	Specifies the source MAC address associated with a VLAN.	The value is in H-H-H format. H is a hexadecimal number of 4 digits, for example, 00e0 and fc01. If you enter fewer than four digits, 0s are prefixed to the input digits. For example, if you enter e0, the system changes e0 to 00e0. The MAC address cannot be 0000-0000-0000, FFFF-FFFF-FFFF, or a multicast MAC address.
ip ip-address	Specifies the IP address associated with a VLAN.	The value is in dotted decimal notation.
interface interface-type interface-number	Specifies the interface where the MAC address and IP address binding policy is applied. interface-type specifies the type of an interface. interface-number specifies the number of an interface. If this parameter is not specified, the binding policy is applied to all the interfaces in the VLAN. If this parameter is specified, the binding policy is applied to the specified interface.	-
priority priority	Specifies the 802.1p priority of the VLAN associated with the MAC address and IP address.	The value is an integer that ranges from 0 to 7. A larger value indicates a higher priority. The default value is 0.
all	Disassociates all MAC address and IP address binding policies from a VLAN.	-

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Policy-based VLAN assignment is a method to assign VLANs based on source MAC addresses and IP addresses of packets. This method is applicable to networks where high security is required and user devices move frequently.

When receiving an untagged packet, an interface matches the source IP address and source MAC address of the packet with the entries in the policy-based VLAN table.

If a matching entry is found, the interface forwards the packet based on the matching VLAN ID and priority.
If no matching entry is found, the interface uses other matching rules to forward the packet.

Policy-based VLAN assignment takes effect only for untagged packets, whereas tagged packets are forwarded based on port-based VLANs.

Precautions

On the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, and S5720-SI, when the ip error-packet-check disable command is used to disable IP packet check, IP subnet-based VLAN assignment and policy-based VLAN assignment do not take effect.

After a MAC address or IP address is associated with a VLAN, it cannot be associated with other VLANs.

If you run the policy-vlan command multiple times in the same VLAN view, all the specified IP addresses and MAC addresses are associated with the VLAN.

Example

# Bind MAC address 0-1-1 and IP address 10.1.1.1 to VLAN 2, and set the 802.1p priority of the VLAN to 7.

<HUAWEI> system-view
[HUAWEI] vlan 2
[HUAWEI-vlan2] policy-vlan mac-address 0-1-1 ip 10.1.1.1 priority 7