Enable and Disable Identity Management Role-Based VLAN

Enabling this feature in EXOS must be done on a per-port basis. Identity management (IDM) requires that the port on which role-based VLAN is enabled be an untagged member of a "default" or "base" VLAN (not necessarily the VLAN named "Default"). This "default" or "base" VLAN is the VLAN that untagged packets on the port are classified to when no VLAN configuration is available for the MAC. The VLAN must already exist, and the port must already have been added to it manually, before the feature is enabled.

Enabling this feature on a port results in a failure if any of the following conditions are true:

When an identity's MAC address is detected on a port, identity management consults its configuration database to determine the VLAN configuration for the role in which this identity has been placed. If the identity is sending tagged traffic, it is handled as in previous releases; role-based VLAN for tagged traffic is not supported in this release. If no configuration is present for the identity's role, IDM assumes that there are no restrictions on traffic classification and classifies the traffic to the default/base VLAN (the received VLAN). In addition to the VLAN tag, you can specify the VR with which the dynamically created VLAN is to be associated. The VR configuration is relevant only if a VLAN tag is configured for the role.

Table 1 shows how the VR of the role-based dynamic VLAN is determined from the VR configured on the port, the VR configured for the role, and whether the VLAN already exists on the switch:

Table 1. Identity Management Role-Based VLAN

| Configured VR on Port | Configured VR for Role | VLAN already exists on the switch | Role-based Dynamic VLAN's VR |
|---|---|---|---|
| None | None | No | VR-Default |
| None | None | Yes | VLAN's VR if it is VR-Default; else EMS error |
| None | VR-X | No | VR-X |
| None | VR-X | Yes | VLAN's VR if it is VR-X (the role's VR); else EMS error |
| VR-X | None | No | EMS error |
| VR-X | None | Yes | EMS error |
| VR-X | VR-Y | No | EMS error |
| VR-X | VR-Y | Yes | EMS error |

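The classification path described above and the VR rules of Table 1, written out as an added Python model so that a planned role-to-VLAN/VR mapping can be checked for the EMS error cases before it is deployed. This is not EXOS code; the role names, VR names, and the role_db and existing_vlans structures are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class EmsError(Exception):
    """Stands in for the EMS error the switch logs when the VR check fails."""


@dataclass
class RoleVlanConfig:
    """VLAN settings for a role; the VR only matters when a tag is configured."""
    vlan_tag: Optional[int] = None
    vr: Optional[str] = None


def resolve_dynamic_vlan_vr(port_vr: Optional[str], role_vr: Optional[str],
                            existing_vlan_vr: Optional[str]) -> str:
    """Table 1 as code: the VR in which the role-based dynamic VLAN ends up.
    existing_vlan_vr is None when no VLAN with the role's tag exists yet."""
    if port_vr is not None:
        # Rows 5-8: any VR configured on the port yields an EMS error.
        raise EmsError(f"port is bound to {port_vr}")
    expected = role_vr if role_vr is not None else "VR-Default"
    if existing_vlan_vr is None:
        return expected  # rows 1 and 3: the VLAN is created in the expected VR
    if existing_vlan_vr != expected:
        # Rows 2 and 4: an existing VLAN must already sit in the expected VR.
        raise EmsError(f"VLAN is in {existing_vlan_vr}, role expects {expected}")
    return existing_vlan_vr


def classify_untagged(base_vlan: str, port_vr: Optional[str], role: Optional[str],
                      role_db: Dict[str, RoleVlanConfig],
                      existing_vlans: Dict[int, str]) -> Tuple[str, Optional[str]]:
    """Classify an untagged frame from an identity placed in `role`.
    Returns (VLAN name or tag, VR). No configuration for the role, or a role
    without a VLAN tag (assumed here to mean no restriction), leaves the frame
    in the port's base VLAN, i.e. the VLAN it was received on."""
    cfg = role_db.get(role) if role is not None else None
    if cfg is None or cfg.vlan_tag is None:
        return base_vlan, None
    vr = resolve_dynamic_vlan_vr(port_vr, cfg.vr, existing_vlans.get(cfg.vlan_tag))
    return str(cfg.vlan_tag), vr


# Constructed sample (hypothetical names): role "guest" maps to tag 300 in VR-X,
# and VLAN 300 already exists on the switch in VR-X, so the check passes.
ROLE_DB = {"guest": RoleVlanConfig(vlan_tag=300, vr="VR-X"), "printer": RoleVlanConfig()}
EXISTING_VLANS = {300: "VR-X", 400: "VR-Default"}
```

Running `classify_untagged` over each role in the database with the port's VR and the switch's current VLAN-to-VR map surfaces every Table 1 row that would end in an EMS error.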
When you disable role-based VLAN on a port, identity management does the following:

  1. Triggers deletion of MAC-based entries on that port in the hardware.
  2. If the port has been added to any VLAN by identity management, identity management triggers deletion of MAC-based entries on that port in the hardware.
  3. If the port has been added to any VLAN by IDM, IDM requests the VLAN manager to remove the port from the VLAN. (Note: It is up to the VLAN manager to decide whether the port actually needs to be removed from the VLAN.)

When IDM is disabled on a port, the IDM-based VLAN feature is also operationally disabled. However, the IDM role-based VLAN configuration is persistent and comes into effect again once IDM is re-enabled on that port.