Unp Classification Rules - Alcatel-Lucent OmniSwitch 9900 Series Network Configuration Manual


Configuring Access Guardian
The main benefit of UNP port domains is that they provide the ability to group physical UNP ports or link
aggregates into one logical domain. Once a UNP port is assigned to a specific domain ID, only
classification rules associated with the same domain ID are applied to that port.
An example of using port domains would be to group all UNP ports carrying traffic for a specific
customer into the same domain (all Customer A ports assigned to domain 2). Then, assign UNP
classification rules associated with VLAN and/or service profiles tailored for that customer to the same
domain ID (all profile classification rules for Customer A are assigned to domain 2).
For more information about UNP port domains, see "Configuring UNP Port Domains" on page 28-47 and
"Configuring the Domain Classification Rule" on page 28-66.

UNP Classification Rules

Classifying devices with UNP rules allows the administrator to assign users to a profile group based on
port and device attributes, such as source IP address, source MAC address, port, or domain ID. For
example:
• Classification is enabled on UNP port 1/1/10.
• A MAC address range classification rule is associated with a UNP profile named "Engineering". This
  rule defines a MAC address range of "00:11:22:33:44:55 through 00:11:22:33:44:66".
• A device connecting to port 1/1/10 with a source MAC address that falls within the specified MAC
  address range is dynamically assigned to the "Engineering" profile. The device and the port on which
  the device was learned are also dynamically assigned to the VLAN or service that is associated with
  the profile.

Enabling classification and defining classification rules is optional with UNP. When enabled, however,
classification rules are only applied to UNP port traffic when one of the following occurs:
• 802.1X and MAC authentication are disabled on the port.
• 802.1X and/or MAC authentication is enabled but the RADIUS server is not configured.
• 802.1X and/or MAC authentication is enabled but the RADIUS authentication process did not return a
  UNP name or failed.

If classification is disabled on a UNP port, classification rules are not applied to traffic received on that
port. If both authentication and classification are disabled on a UNP port, traffic received on that port is
blocked, unless a default UNP is configured for that port.

UNP Rule Types

A classification rule specifies the criteria that a device must match and the name of a UNP profile that is
applied to the device when the match occurs. The following table lists all the UNP classification rules in
the order of precedence (highest to lowest).

| Precedence Step/Rule | Matching Condition |
|----------------------|--------------------|
| 1. Port + VLAN tag | Packet is learned on a matching port or link aggregate and the packet contains a matching VLAN ID tag. |
| 2. Port | Packet is learned on a matching port or link aggregate. |
| 3. Domain ID + VLAN tag | Packet is learned on a port or link aggregate that is assigned to a matching domain ID and the packet contains a matching VLAN ID tag. |

OmniSwitch AOS Release 8 Network Configuration Guide, December 2017, page 28-23 (Access Guardian Overview)
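The decision flow described above (when classification rules are consulted, port-domain scoping, and the precedence of the three rule types listed in the table) can be modelled as follows. This is an added example, not code from the manual or from AOS. The profile names, the `BLOCKED` marker, and the class and function names are hypothetical. Returning the RADIUS-supplied UNP name when one is returned is inferred from the conditions listed above, and `None` marks cases whose outcome this page does not state.

```python
from dataclasses import dataclass
from typing import Optional

# The three rule types visible in the table, 1 = highest precedence.
PRECEDENCE = {"port+vlan": 1, "port": 2, "domain+vlan": 3}

@dataclass
class Rule:
    kind: str                   # key of PRECEDENCE
    profile: str                # UNP profile applied on a match
    domain: int                 # rule is only applied to ports in this domain
    port: Optional[str] = None
    vlan: Optional[int] = None

@dataclass
class Port:
    name: str
    domain: int
    auth_enabled: bool          # 802.1X and/or MAC authentication
    radius_configured: bool
    classification: bool
    default_unp: Optional[str] = None

def rule_matches(rule: Rule, port: Port, vlan_tag: Optional[int]) -> bool:
    if rule.domain != port.domain:              # port-domain scoping
        return False
    tag_ok = vlan_tag is not None and rule.vlan == vlan_tag
    if rule.kind == "port+vlan":
        return rule.port == port.name and tag_ok
    if rule.kind == "port":
        return rule.port == port.name
    return rule.kind == "domain+vlan" and tag_ok

def classify(port, rules, vlan_tag=None, radius_unp=None):
    """Profile name, "BLOCKED", or None where the page states no outcome."""
    if port.auth_enabled and port.radius_configured and radius_unp:
        return radius_unp                       # RADIUS returned a UNP name
    if not port.classification:
        if not port.auth_enabled:               # both disabled on the port
            return port.default_unp or "BLOCKED"
        return None
    hits = [r for r in rules if rule_matches(r, port, vlan_tag)]
    return min(hits, key=lambda r: PRECEDENCE[r.kind]).profile if hits else None

# Constructed sample rules: Customer A ports are in domain 2.
RULES = [
    Rule("domain+vlan", "CustA-Voice", domain=2, vlan=20),
    Rule("port", "CustA-Data", domain=2, port="1/1/10"),
    Rule("port+vlan", "CustA-Mgmt", domain=2, port="1/1/10", vlan=20),
    Rule("port", "CustB-Data", domain=3, port="1/1/10"),
]
```

Running a port inventory through `classify` with `radius_unp=None` shows which profile each port hands out when RADIUS fails or returns no UNP name, which is the path that bypasses the authenticated assignment.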
