The first step in determining the VLAN configuration for an identity is to learn the
identity’s MAC address. For untagged traffic the port is added as untagged to a “catcher/learning” VLAN
that is used to learn MACs. Identity Management (IDM) role-based VLAN is not supported for tagged
traffic.
Upon receiving the first packet from the identity, the following actions are
completed:
1. FDB Manager learns the identity’s MAC and informs IDM.
2. IDM creates an identity for the newly learned MAC and determines the
role for the identity.
3. IDM checks the role’s configuration to see whether identities in this
role need to be associated with a VLAN.
4. If the role is associated with a VLAN tag, IDM checks
whether a VLAN with the configured tag is already present.
If not, IDM creates VLAN “SYS_VLAN_<Configured-Role-VLAN-Tag>” and
adds the port on which the identity was detected to that VLAN as untagged. If a VLAN with the
configured tag already exists, IDM simply adds the port to the VLAN as untagged.
5. In addition, IDM adds a MAC entry for the identity’s MAC in hardware so that
all untagged traffic from this identity is classified into VLAN
“SYS_VLAN_<Configured-Role-VLAN-Tag>”.
6. IDM does not explicitly add uplink ports to VLAN
“SYS_VLAN_<Configured-Role-VLAN-Tag>”. It is assumed that the user has enabled MVRP on
the uplink ports or has configured the uplink ports statically. Creating the VLAN is
sufficient for MVRP to advertise membership for VLAN
“SYS_VLAN_<Configured-Role-VLAN-Tag>” over those ports.
7. If no VLAN configuration exists for the role, IDM instead adds a MAC entry that
associates the identity’s MAC with the default/base VLAN configured for the port.
Note
All IDM-enabled ports must be members of a default/base VLAN before
IDM role-based VLAN can be enabled on the port.
Tagged Traffic from Identity
Note
This section assumes that the IDM-enabled port and the uplink ports
have already been added to the VLAN as tagged.
1. FDB Manager learns the identity’s MAC and informs IDM.
2. IDM creates an identity for the newly learned MAC and determines the
role for the identity.
3. IDM checks the role’s configuration to see whether identities in this
role need to be associated with a VLAN.
4. If the role is associated with a VLAN tag, IDM checks
whether a VLAN with the configured tag is already present.
5. IDM also checks whether the role’s configured tag matches the incoming VLAN tag
of the identity’s traffic. If it does not, an EMS error is generated.
Untagged Traffic Example (identity on Switch1 port P1, uplink ports P3 and P4)
1. FDB Manager learns the identity’s MAC on Switch1’s port P1 and informs
IDM.
2. IDM creates an identity for this MAC and determines the role for the new
identity. IDM checks the role configuration to see whether identities in this role are associated
with a VLAN.
3. If the role is associated with a VLAN tag (say VLAN ID
100), IDM checks whether a VLAN with tag 100 is already present. (If the VLAN is already present,
the assumption is that the user has already added the uplink ports to the VLAN.)
If not, IDM creates VLAN “SYS_VLAN_100” on Switch1 and adds port P1
to VLAN “SYS_VLAN_100” as untagged. If a VLAN with tag 100 already exists, IDM simply adds the
port to the VLAN as untagged.
4. In addition, IDM adds a MAC entry for the identity’s MAC in hardware so that
all untagged traffic from this identity is classified into VLAN “SYS_VLAN_100”.
5. IDM does not explicitly add the uplink ports (P3 and P4) in this
case to VLAN “SYS_VLAN_100”. It is assumed that the user has enabled MVRP on the uplink
ports or has configured the uplink ports statically. Creating the VLAN is sufficient for
MVRP to advertise membership for VLAN “SYS_VLAN_100” over those ports.
6. If no VLAN configuration exists for the role, IDM instead adds a MAC entry that
associates the identity’s MAC with the default/base VLAN configured for the port.
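The following model ties the untagged procedure, the tagged-traffic checks and the Switch1 walkthrough above together in runnable form. It is an added example written for this page, not ExtremeXOS or IDM code: the Switch class, its lookup tables (mac_role, role_vlan_tag, port_base_vlan), the fallback role name and the sample MACs and ports in demo() are assumptions chosen for illustration. What it reproduces from the text is the decision sequence: learned MAC, identity, role, role VLAN tag; SYS_VLAN_<tag> created only when absent; the ingress port (never an uplink) added untagged; a hardware MAC entry binding the identity to that VLAN; fallback to the port’s base VLAN when the role has no VLAN; and an EMS-style error when a tagged frame’s VLAN ID differs from the role’s tag.

```python
"""Model of IDM role-based VLAN binding. Added illustration, not product code;
class names, tables and sample values are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


class EmsError(Exception):
    """Stands in for the EMS error the text says IDM generates on a tag mismatch."""


@dataclass
class Vlan:
    name: str
    tag: int
    untagged_ports: set = field(default_factory=set)
    tagged_ports: set = field(default_factory=set)


@dataclass
class Switch:
    mac_role: dict            # identity MAC -> role (assumed: result of IDM's role policy)
    role_vlan_tag: dict       # role -> VLAN tag; None means no VLAN configuration for the role
    port_base_vlan: dict      # IDM-enabled port -> default/base VLAN tag (required by the Note)
    vlans: dict = field(default_factory=dict)   # tag -> Vlan; pre-populated entries = user-created
    fdb: dict = field(default_factory=dict)     # MAC -> VLAN tag: the hardware classification entry
    log: list = field(default_factory=list)

    def on_first_packet(self, port: str, mac: str,
                        ingress_tag: Optional[int] = None) -> int:
        """FDB Manager has learned `mac` on `port`; return the VLAN tag the identity is bound to.

        ingress_tag=None models untagged traffic; an int models a tagged frame.
        """
        # Steps 1-3: identity is created from the MAC and its role looked up.
        role = self.mac_role.get(mac, "default")          # "default" is an assumed fallback role
        tag = self.role_vlan_tag.get(role)

        if tag is None:
            # No VLAN configuration for the role: bind the MAC to the port's base VLAN.
            base = self.port_base_vlan[port]
            self.fdb[mac] = base
            self.log.append(f"{mac} role={role}: no role VLAN, bound to base VLAN {base}")
            return base

        if ingress_tag is not None:
            # Tagged traffic: the role's configured tag must match the frame's tag.
            if ingress_tag != tag:
                msg = f"{mac} on {port}: role {role} expects tag {tag}, frame carried {ingress_tag}"
                self.log.append("EMS error: " + msg)
                raise EmsError(msg)
            # Per the Note, port and uplinks are already tagged members of the VLAN;
            # the frame's own tag selects the VLAN, so IDM adds nothing here (assumed).
            return tag

        # Untagged traffic, step 4: create SYS_VLAN_<tag> only if it does not exist.
        vlan = self.vlans.get(tag)
        if vlan is None:
            vlan = Vlan(name=f"SYS_VLAN_{tag}", tag=tag)
            self.vlans[tag] = vlan
            self.log.append(f"created {vlan.name}")
        vlan.untagged_ports.add(port)     # only the ingress port; uplinks are left to MVRP/static config
        self.fdb[mac] = tag               # step 5: hardware MAC entry classifies untagged traffic
        self.log.append(f"{mac} role={role}: {vlan.name} untagged on {port}")
        return tag


def demo() -> Switch:
    """Switch1 walkthrough: identities on P1/P2, uplinks P3/P4 never touched. Sample data is constructed."""
    sw = Switch(
        mac_role={"00:11:22:33:44:55": "engineer",
                  "00:11:22:33:44:66": "engineer",
                  "00:11:22:33:44:77": "guest"},
        role_vlan_tag={"engineer": 100, "guest": None},
        port_base_vlan={"P1": 1, "P2": 1},
    )
    sw.on_first_packet("P1", "00:11:22:33:44:55")   # creates SYS_VLAN_100, P1 untagged
    sw.on_first_packet("P2", "00:11:22:33:44:66")   # VLAN exists: P2 simply added untagged
    sw.on_first_packet("P1", "00:11:22:33:44:77")   # guest has no role VLAN: base VLAN 1
    try:
        sw.on_first_packet("P2", "00:11:22:33:44:66", ingress_tag=200)  # tag 200 != role tag 100
    except EmsError:
        pass
    return sw


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

Two points the walkthrough makes concrete: the SYS_VLAN is created exactly once no matter how many identities map to the role, and the binding is keyed on the learned MAC, so two identities on the same port can land in different VLANs. The uplink ports appear nowhere in the model, matching the text’s statement that IDM relies on MVRP or static configuration for them.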