Enable and Disable Identity Management Role-Based VLAN
Enabling this feature in EXOS must be done on a per-port basis. Identity management (IDM) requires that the port on which role-based VLAN is enabled be an untagged member of a "default" or "base" VLAN (not necessarily the VLAN named "Default"). This default/base VLAN is the VLAN to which untagged packets from the port are classified when no VLAN configuration exists for the MAC address. Create this VLAN and add the port to it as an untagged member manually before enabling the feature.
Enabling this feature on a port fails if any of the following conditions is true:
- IDM is not enabled globally.
- IDM is not enabled on the port.
- The port is not an untagged member of any VLAN.
When an identity's MAC address is detected on a port, IDM consults its configuration database to determine the VLAN configuration for the role to which the identity is assigned. Tagged traffic from the identity is handled as in previous releases; role-based VLAN for tagged traffic is not supported in this release. If no VLAN configuration is present for the identity's role, IDM assumes there are no restrictions on traffic classification and the traffic is classified to the default/base VLAN (the VLAN on which it was received). An identity whose role has no VLAN configuration therefore gets whatever reachability the base VLAN provides, so choose the base VLAN with that fallback in mind. In addition to the VLAN tag, you can specify the virtual router (VR) with which the dynamically created VLAN is to be associated. The VR configuration is relevant only if a VLAN tag is configured for the role.
The VR of an identity-management role-based VLAN is determined as follows:

| Configured VR on Port | Configured VR for Role | VLAN already exists on the switch | Role-based dynamic VLAN's VR |
|---|---|---|---|
| None | None | Yes | The VLAN's VR if it is Default; otherwise an EMS error |
| None | VR-X | Yes | The VLAN's VR if it is VR-X (the role's VR); otherwise an EMS error |
Disabling this feature on a port has the following effects:
- IDM triggers deletion of the MAC-based entries for that port in the hardware.
- If the port has been added to any VLAN by IDM, IDM requests that the VLAN manager remove the port from the VLAN. (Note: it is up to the VLAN manager to decide whether the port actually needs to be removed from the VLAN.)
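The following Python model is an added illustration of the rules above (the enable preconditions, the classification of untagged versus tagged traffic, the two rows of the VR table, and the cleanup on disable); it is not EXOS code and not from Extreme Networks. The `Switch`, `Vlan` and `Role` names, the `VR-Default` name, the behaviour when a role's VLAN does not yet exist (not covered by the page's table) and the constructed ports, MAC addresses and roles are all assumptions.

```python
"""Model of the EXOS IDM role-based VLAN rules described on this page.
Added illustration, not EXOS code: class names, VR-Default and the
handling of a not-yet-existing VLAN are assumptions."""

from dataclasses import dataclass, field
from typing import Optional

DEFAULT_VR = "VR-Default"   # assumed name for the "Default" VR in the table


class VrMismatch(Exception):
    """Stands in for the EMS error the VR table lists when VRs disagree."""


@dataclass
class Vlan:
    name: str
    tag: int
    vr: str
    untagged_ports: set = field(default_factory=set)   # added by the user
    idm_added_ports: set = field(default_factory=set)  # added dynamically by IDM


@dataclass
class Role:
    name: str
    vlan_tag: Optional[int] = None   # None: no VLAN restriction for this role
    vr: Optional[str] = None         # only relevant when vlan_tag is set


class Switch:
    def __init__(self):
        self.vlans = {}          # tag -> Vlan
        self.roles = {}          # role name -> Role
        self.idm_global = False
        self.idm_ports = set()   # ports with IDM enabled
        self.rbv_ports = set()   # ports with role-based VLAN enabled
        self.port_vr = {}        # port -> configured VR (absent = "None" column)
        self.mac_entries = {}    # port -> {mac: tag}, the hardware MAC-based entries

    def create_vlan(self, name, tag, vr=DEFAULT_VR):
        self.vlans[tag] = Vlan(name, tag, vr)

    def add_port_untagged(self, tag, port):
        self.vlans[tag].untagged_ports.add(port)

    def base_vlan(self, port):
        """The VLAN the port is an untagged member of (its default/base VLAN)."""
        for vlan in self.vlans.values():
            if port in vlan.untagged_ports:
                return vlan
        return None

    def enable_role_based_vlan(self, port):
        """Returns (ok, reason); the three checks are the page's failure conditions."""
        if not self.idm_global:
            return False, "IDM is not enabled globally"
        if port not in self.idm_ports:
            return False, "IDM is not enabled on the port"
        if self.base_vlan(port) is None:
            return False, "port is not an untagged member of any VLAN"
        self.rbv_ports.add(port)
        return True, "ok"

    def resolve_vr(self, port, role):
        """The two rows of the VR table (port VR = None, VLAN already exists)."""
        if port in self.port_vr:
            raise NotImplementedError("port-level VR rows are not covered by the page")
        vlan = self.vlans[role.vlan_tag]
        wanted = role.vr if role.vr is not None else DEFAULT_VR
        if vlan.vr != wanted:
            raise VrMismatch(f"EMS error: VLAN {vlan.tag} is in {vlan.vr}, role needs {wanted}")
        return vlan.vr

    def classify(self, port, mac, role_name, tagged=False, received_tag=None):
        """Returns the VLAN tag the identity's traffic is classified to."""
        if port not in self.rbv_ports:
            raise ValueError("role-based VLAN is not enabled on this port")
        if tagged:
            return received_tag   # tagged traffic is not role-based in this release
        role = self.roles.get(role_name)
        if role is None or role.vlan_tag is None:
            return self.base_vlan(port).tag   # no restriction: base VLAN
        if role.vlan_tag not in self.vlans:
            # Assumption: a missing VLAN is created in the role's VR (or Default).
            self.create_vlan(f"idm_{role.vlan_tag}", role.vlan_tag,
                             role.vr if role.vr is not None else DEFAULT_VR)
        self.resolve_vr(port, role)   # raises VrMismatch on the table's error rows
        vlan = self.vlans[role.vlan_tag]
        if port not in vlan.untagged_ports:
            vlan.idm_added_ports.add(port)   # dynamic membership, remembered for cleanup
        self.mac_entries.setdefault(port, {})[mac] = vlan.tag
        return vlan.tag

    def disable_role_based_vlan(self, port):
        """Undo what IDM did on the port; static user membership is left alone."""
        self.mac_entries.pop(port, None)            # delete MAC-based entries
        for vlan in self.vlans.values():
            vlan.idm_added_ports.discard(port)      # ask VLAN manager to remove port
        self.rbv_ports.discard(port)
```

Typical use is to build a switch with a base VLAN that contains the port untagged, enable IDM globally and on the port, then enable role-based VLAN; `classify` then returns the role's VLAN tag for untagged traffic, the received tag for tagged traffic, and the base VLAN's tag for a role with no VLAN configuration. `resolve_vr` deliberately raises `NotImplementedError` when a VR is configured on the port, because the page gives no rows for that case.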