Rule Precedence

Static rules (MAC + port) have higher precedence than dynamic rules (Dot1x/Mac/Web VLAN authorization rules).


configure policy rule admin-profile macsource 00-00-00-00-00-01 mask 48 port-string 27 admin-pid 2 

configure policy profile 2 name "filter" pvid-status "enable" pvid 400 egress-vlans 200 untagged-vlans 400 tci-overwrite "enable"

configure policy maptable response both 
configure policy vlanauthorization enable 
enable policy 

In the above configuration, if a dot1x user is authenticated via RADIUS with a Tunnel Private Group Id of "3000" and a filter ID of "filter", the static macsource rule takes precedence: the client's FDB (forwarding database) entry is learned on VLAN SYS_VLAN_0400, the VLAN mentioned in the static rule, rather than on the VLAN from the tunnel ID sent by RADIUS.

(Engineering) X440G2-24fx-G4.74 # sh fd 
Mac                     Vlan      Age  Flags           Port / Virtual Port List
00:00:00:00:00:01 SYS_VLAN_0400(0400) 0010 nd m     v     27
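
The check below is an added example, not part of the original page or of any vendor tooling: it reads the configuration and the FDB row shown above and reports whether a client landed on the static rule's VLAN instead of the VLAN RADIUS assigned. The function names are hypothetical, and the regular expressions assume only the command and output forms that appear on this page.

```python
import re

# Sample input copied from the configuration and "sh fd" output on this page.
CONFIG = '''\
configure policy rule admin-profile macsource 00-00-00-00-00-01 mask 48 port-string 27 admin-pid 2
configure policy profile 2 name "filter" pvid-status "enable" pvid 400 egress-vlans 200 untagged-vlans 400 tci-overwrite "enable"
'''
FDB_ROW = "00:00:00:00:00:01 SYS_VLAN_0400(0400) 0010 nd m     v     27"

# Only full-MAC (mask 48) static rules and PVID-enabled profiles are handled.
RULE_RE = re.compile(
    r"configure policy rule admin-profile macsource (\S+) mask 48 "
    r"port-string (\S+) admin-pid (\d+)")
PROFILE_RE = re.compile(
    r'configure policy profile (\d+) name "[^"]*" pvid-status "enable" pvid (\d+)')
FDB_RE = re.compile(r"^([0-9a-fA-F:]{17})\s+\S+\((\d+)\)\s.*\s(\S+)\s*$")


def norm_mac(mac):
    """Normalise 00-00-... and 00:00:... to one lowercase colon form."""
    return mac.replace("-", ":").lower()


def static_vlans(config):
    """Map (mac, port) to the PVID of the profile a static rule points at."""
    pvid = {m.group(1): int(m.group(2)) for m in PROFILE_RE.finditer(config)}
    return {(norm_mac(m.group(1)), m.group(2)): pvid[m.group(3)]
            for m in RULE_RE.finditer(config) if m.group(3) in pvid}


def parse_fdb(row):
    """Return (mac, vlan_id, port) from one FDB row, or None if it is not one."""
    m = FDB_RE.match(row)
    return (norm_mac(m.group(1)), int(m.group(2)), m.group(3)) if m else None


def classify(config, fdb_row, radius_tunnel_vlan):
    """Say which rule explains the VLAN the client was learned on."""
    entry = parse_fdb(fdb_row)
    if entry is None:
        return "no-fdb-entry"
    mac, learned, port = entry
    static = static_vlans(config).get((mac, port))
    if static is not None and learned == static and learned != radius_tunnel_vlan:
        return "static-override"   # static MAC + port rule beat the RADIUS VLAN
    if learned == radius_tunnel_vlan:
        return "radius"            # dynamic authorization took effect
    return "unexpected"            # neither rule explains the learned VLAN


if __name__ == "__main__":
    print(classify(CONFIG, FDB_ROW, radius_tunnel_vlan=3000))
```

Run against each authenticated client, a "static-override" result identifies ports where a static macsource rule is silently replacing the VLAN that RADIUS returned.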