OmniSwitch os6900 Network Configuration Manual page 731

Configuring Universal Network Profiles
Configuring the Trust VLAN Tag Status
The trust VLAN tag option triggers a different function depending on the UNP port type. For example, when this option is enabled on a UNP bridge port, packets received on the port with a VLAN tag that matches an existing VLAN ID on the switch are assigned to the matching VLAN. However, when this option is enabled on a UNP access port, the VLAN tag values of packets received on the port are used to determine the service access point (SAP) to which the packets are mapped.
The trust VLAN tag status determines whether or not the VLAN tag contained within device packets received on UNP ports is used to classify the device. By default this option is disabled on UNP ports. When enabled, device packets with a VLAN tag that matches an existing VLAN ID on the switch are assigned to that VLAN when one of the events listed below occurs.
VLAN tag classification of packets is triggered when trust VLAN tag is enabled for the port and one of the following events occurs:
• MAC authentication passes, but the RADIUS server returns a UNP that does not exist in the switch configuration.
• MAC authentication passes, but the RADIUS server does not return a UNP and an alternate pass UNP is not configured for the port.
• Device traffic received on the port does not match any UNP classification rules.
• On bridge ports only, the UNP VLAN obtained from the matching classification rule does not exist in the switch configuration.
• An authentication server down UNP is configured, but the VLAN associated with that UNP does not exist in the switch configuration. Authentication server down UNP assignment is not supported on UNP access ports.
By default the trust VLAN tag status is disabled on all UNP ports. To enable the trust VLAN tag status, use the unp port trust-tag command with the enable option. For example:
-> unp port 1/10-15 trust-tag enable
To disable the trust VLAN tag status for the UNP port, use the unp port trust-tag command with the disable option. For example:
-> unp port 1/10-15 trust-tag disable
If the trust VLAN tag status is disabled, the switch checks to see if a default UNP is configured for the port. If a default UNP does not exist for the port, device traffic is blocked.
Configuring a Default UNP
A default UNP specifies the profile that is applied to device traffic when all other methods of classification have failed. For example:
• MAC authentication and classification are not enabled for the port.
• MAC authentication fails and device traffic doesn't match any UNP classification rules.
• On bridge ports, the trust VLAN tag option is enabled but device packets do not contain a VLAN tag that matches an existing VLAN ID on the switch.
• On access ports, the trust VLAN tag option is enabled but the SAP does not exist and cannot be dynamically created for whatever reason.
OmniSwitch AOS Release 7 Network Configuration Guide
Configuring UNP Port-Based Access Control
June 2013
page 27-31
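The following Python example is added here and is not part of the manual: it audits configuration text for the unp port trust-tag commands shown above and lists the ports whose final state is enable, that is, the ports where a client-supplied VLAN tag can influence VLAN or SAP assignment. It assumes the configuration is available as text in the command form shown on this page, that 1/10-15 means slot 1, ports 10 through 15, and that a later command overrides an earlier one for the same port; the function names and the sample input are constructed for illustration.

```python
import re

# Matches the command form shown on this page, with or without the "->" prompt.
TRUST_TAG_RE = re.compile(
    r"^\s*(?:->\s*)?unp\s+port\s+(\d+)/(\d+)(?:-(\d+))?\s+trust-tag\s+(enable|disable)\s*$"
)

def expand_ports(slot, first, last):
    """Expand '1/10-15' into ['1/10', ..., '1/15'] (range reading is an assumption)."""
    first = int(first)
    last = int(last) if last is not None else first
    if last < first:
        raise ValueError(f"descending port range {slot}/{first}-{last}")
    return [f"{slot}/{p}" for p in range(first, last + 1)]

def trust_tag_state(config_text):
    """Return {port: 'enable'|'disable'}; later commands override earlier ones (assumption)."""
    state = {}
    for line in config_text.splitlines():
        m = TRUST_TAG_RE.match(line)
        if not m:
            continue  # not a trust-tag command; ignored by this audit
        slot, first, last, action = m.groups()
        for port in expand_ports(slot, first, last):
            state[port] = action
    return state

def ports_trusting_tags(config_text):
    """Ports whose final state is 'enable', sorted by slot, then port number."""
    state = trust_tag_state(config_text)
    enabled = [p for p, s in state.items() if s == "enable"]
    return sorted(enabled, key=lambda p: tuple(int(x) for x in p.split("/")))

# Constructed sample input, not taken from a real switch.
SAMPLE_CONFIG = """\
-> unp port 1/10-15 trust-tag enable
-> unp port 1/12-13 trust-tag disable
unp port 2/1 trust-tag enable
"""

if __name__ == "__main__":
    for port in ports_trusting_tags(SAMPLE_CONFIG):
        print(f"{port}: trust-tag enabled, client-supplied VLAN tag can select the VLAN or SAP")
```

Ports that never appear in a trust-tag command are absent from the result, which matches the default (disabled) state the manual describes.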
