Enable and Disable Identity Management Role-Based VLAN

Enabling this feature in EXOS must be done on a per-port basis. Identity management (IDM) requires that the port on which role-based VLAN (Virtual LAN) is enabled be part of a “default” or “base” (not necessarily the “Default” VLAN) VLAN as untagged. This “default” or “base” VLAN for the port is the VLAN on which untagged packets are classified to when no VLAN configuration is available for the MAC. This default VLAN should be present before enabling the feature and the port should have already been added to this VLAN by the user manually before enabling the feature.

Enabling this feature on a port results in a failure if any of the following conditions are true:

IDM is not enabled globally.
IDM is not enabled on the port.
The port is not an untagged member of any VLAN.

When an identity's MAC address is detected on a port, identity management consults its configuration database to determine the VLAN configuration for the role to which this identity is placed under. When the identity is sending tagged traffic it will work as in previous releases. Role based VLAN for tagged traffic is not supported in this release. If no configuration is present for the identity‘s role, IDM assumes that there are no restrictions for traffic classification and the traffic is classified to the default/base VLAN (received VLAN). In addition to the VLAN tag, you can specify the VR to which the dynamically created VLAN needs to be associated. The VR configuration is relevant only if a VLAN tag is configured for the role.

Identity Management Role-Based VLAN specifies the VR configuration:

Identity Management Role-Based VLAN

Configured VR on Port	Configured VR for Role	VLAN already exists on the switch	Role-based Dynamic VLAN's VR
None	None	No	VR-Default
None	None	Yes	VLAN's VR if it is Default Else EMS error
None	VR-X	No	VR-X
None	VR-X	Yes	VLAN's VR if it is VR-X (Role's VR) Else EMS error
VR-X	None	No	EMS error
VR-X	None	Yes	EMS error
VR-X	VR-Y	No	EMS error
VR-X	VR-Y	Yes	EMS error

When you disable role based VLAN on a port, identity management does the following:

Triggers deletion of MAC-based entries in that port in the hardware.
If the port has been added to any VLAN by identity management, identity management triggers deletion of MAC-based entries on that port in the hardware.
If the port has been added to any VLAN by IDM, IDM requests VLAN manager to remove the port from the VLAN. (Note: It is up to VLAN Manager to decide if the port actually needs to be removed from the VLAN.)

When IDM is disabled on a port, the IDM based VLAN feature is also operationally disabled. However IDM role based VLAN configuration is persistent and will come into effect once IDM is re-enabled on that port.

Published March 2020prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback