Enable and Disable Identity Management Role-Based VLAN
Enabling this feature in EXOS must be done on a per-port basis. Identity
management (IDM) requires that the port on which role-based VLAN is enabled be an untagged member
of a "default" or "base" VLAN (not necessarily the VLAN named "Default"). This "default" or
"base" VLAN for the port is the VLAN to which untagged packets are classified when no VLAN
configuration is available for the MAC. This default VLAN must exist, and the port must already
have been added to it manually, before the feature is enabled.
Enabling this feature on a port results in a failure if any of the following
conditions are true:
- IDM is not enabled globally.
- IDM is not enabled on the port.
- The port is not an untagged member of any VLAN.
When an identity's MAC address is detected on a port, identity management consults its
configuration database to determine the VLAN configuration for the role under which this identity
is placed. Tagged traffic from the identity is handled as in previous releases; role-based VLAN
for tagged traffic is not supported in this release. If no configuration is present for the
identity's role, IDM assumes that there are no restrictions on traffic classification and the
traffic is classified to the default/base VLAN (the received VLAN). In addition to the VLAN tag,
you can specify the VR with which the dynamically created VLAN is to be associated. The VR
configuration is relevant only if a VLAN tag is configured for the role.
The following table specifies the VR configuration:

Identity Management Role-Based VLAN

| Configured VR on Port | Configured VR for Role | VLAN already exists on the switch | Role-based Dynamic VLAN's VR |
| --- | --- | --- | --- |
| None | None | No | VR-Default |
| None | None | Yes | VLAN's VR if it is VR-Default, else EMS error |
| None | VR-X | No | VR-X |
| None | VR-X | Yes | VLAN's VR if it is VR-X (the role's VR), else EMS error |
| VR-X | None | No | EMS error |
| VR-X | None | Yes | EMS error |
| VR-X | VR-Y | No | EMS error |
| VR-X | VR-Y | Yes | EMS error |
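The enable preconditions, the untagged-traffic classification rule and the VR table above can be expressed as one small decision model. The following Python is an added illustration written for this page; it is not EXOS code and does not reflect IDM's internal data structures. The `Switch` and `Port` classes, their field names, the role store and the sample VLAN names are all assumptions made for the example; the string `"EMS error"` is used verbatim as the table's outcome for inconsistent configurations.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Literal taken from the VR table for the cases the switch reports through EMS.
EMS_ERROR = "EMS error"


@dataclass
class Port:
    """Hypothetical per-port state for the model (not IDM's real port record)."""
    name: str
    idm_enabled: bool = False
    untagged_vlan: Optional[str] = None   # the port's "base" VLAN; None if not an untagged member
    configured_vr: Optional[str] = None   # VR configured on the port; None when none is configured
    role_based_vlan: bool = False


@dataclass
class Switch:
    """Hypothetical switch state: existing VLANs and the per-role VLAN configuration."""
    idm_enabled_globally: bool = False
    # Existing VLANs: VLAN name -> VR the VLAN belongs to (constructed sample state).
    vlan_vr: Dict[str, str] = field(default_factory=dict)
    # Role configuration: role -> (VLAN name, VR or None). Stand-in for IDM's config database.
    role_vlan: Dict[str, Tuple[str, Optional[str]]] = field(default_factory=dict)


def enable_role_based_vlan(sw: Switch, port: Port) -> Optional[str]:
    """Apply the three enable preconditions; return the failure reason, or None on success."""
    if not sw.idm_enabled_globally:
        return "IDM is not enabled globally"
    if not port.idm_enabled:
        return "IDM is not enabled on the port"
    if port.untagged_vlan is None:
        return "port is not an untagged member of any VLAN"
    port.role_based_vlan = True
    return None


def resolve_dynamic_vlan_vr(port_vr: Optional[str], role_vr: Optional[str],
                            existing_vlan_vr: Optional[str]) -> str:
    """VR for the role's dynamic VLAN, following the VR configuration table.

    existing_vlan_vr is None when the VLAN does not yet exist on the switch.
    Returns the VR name, or EMS_ERROR where the table says the switch reports an error.
    """
    if port_vr is not None:
        # Every table row with a VR configured on the port ends in an EMS error.
        return EMS_ERROR
    wanted = role_vr if role_vr is not None else "VR-Default"
    if existing_vlan_vr is None:
        return wanted                      # new VLAN is created in the role's VR (VR-Default if none)
    # Existing VLAN: usable only if it already lives in the VR the role needs.
    return existing_vlan_vr if existing_vlan_vr == wanted else EMS_ERROR


def classify_untagged(sw: Switch, port: Port, role: Optional[str]) -> str:
    """VLAN an untagged frame from an identity in `role` is classified to on `port`."""
    if not port.role_based_vlan or role not in sw.role_vlan:
        return port.untagged_vlan          # no restriction: stay on the base (received) VLAN
    vlan, role_vr = sw.role_vlan[role]
    vr = resolve_dynamic_vlan_vr(port.configured_vr, role_vr, sw.vlan_vr.get(vlan))
    if vr == EMS_ERROR:
        raise ValueError(f"{EMS_ERROR}: VLAN {vlan} cannot be used for role {role}")
    sw.vlan_vr.setdefault(vlan, vr)        # dynamically create the VLAN on first use
    return vlan


if __name__ == "__main__":
    # Constructed sample: one switch, one port that is an untagged member of "Default".
    sw = Switch(idm_enabled_globally=True, vlan_vr={"Default": "VR-Default"})
    port = Port("1:1", idm_enabled=True, untagged_vlan="Default")
    print("enable:", enable_role_based_vlan(sw, port) or "ok")
    sw.role_vlan["staff"] = ("staff-vlan", None)      # role with a VLAN but no VR
    print("unknown role ->", classify_untagged(sw, port, "contractor"))
    print("staff ->", classify_untagged(sw, port, "staff"), "in", sw.vlan_vr["staff-vlan"])
```

Each row of the table maps to one call of `resolve_dynamic_vlan_vr` with the row's first three columns as arguments, so the function can be checked against the table exhaustively; `classify_untagged` then shows how the resolved VR feeds the dynamic VLAN creation and where the base VLAN is used instead.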
When you disable role-based VLAN on a port, identity management does the
following:
- Triggers deletion of the MAC-based entries for that port in the hardware.
- If the port has been added to any VLAN by identity management, identity
management triggers deletion of the MAC-based entries for that port in the hardware.
- If the port has been added to any VLAN by IDM, IDM requests that VLAN Manager
remove the port from the VLAN. (Note: it is up to VLAN Manager to decide whether the port actually
needs to be removed from the VLAN.)
When IDM is disabled on a port, the IDM role-based VLAN feature is also operationally disabled.
However, the IDM role-based VLAN configuration is persistent and takes effect again once IDM is
re-enabled on that port.