Application Example 1: Classification (Port Mobility) - Alcatel-Lucent OmniSwitch 9900 Series Network Configuration Manual

OmniSwitch AOS Release 8

Configuring Access Guardian

Application Example 1: Classification (Port Mobility)

In this configuration example, network access control for Employee1 is provided through the Access
Guardian classification mechanism; no authentication is necessary. Classification is a function of the UNP
feature and is enabled or disabled on UNP ports. Once enabled, the port and devices connected to the port
are eligible for dynamic assignment to a VLAN that is associated with a UNP profile.

To determine which UNP profile a device is assigned to, the administrator configures UNP classification
rules and assigns those rules to the appropriate profile. When traffic received on a UNP port that has
classification enabled matches the criteria of a specific classification rule, the user device is moved into
the profile associated with the rule and assigned to the VLAN associated with the profile.

This application example uses a MAC address range classification rule to dynamically assign Employee1
into VLAN 20. The following steps provide a brief tutorial for how to configure this example:

1. Create the required VLANs.
-> vlan 10 admin-state disable name vlan10-block
-> vlan 20 admin-state enable name vlan20-corporate

2. Create the required UNP profile and map the profile to VLAN 20.
-> unp profile corporate
-> unp profile corporate map vlan 20

3. Create another UNP profile that will serve as a default profile; map the profile to VLAN 10.
-> unp profile def_unp
-> unp profile def_unp map vlan 10

4. Create a MAC range classification rule and associate the rule to the "corporate" UNP profile.
-> unp classification-rule rule1 mac-address-range 08:00:27:00:98:0A 08:00:27:00:98:FF profile1 corporate

5. Enable UNP on ports that will connect to user devices.
-> unp port 1/1/1 port-type bridge

6. Set the default UNP profile on the port.
-> unp port 1/1/1 default-profile def_unp

7. Enable classification on the UNP port.
-> unp port 1/1/1 classification

How it Works

In this example, traffic received on the UNP port triggers the following classification process:

• Device traffic is examined and matched against all UNP classification rules.
• If the MAC address of a user device is within the range of MAC addresses specified in the MAC
  address range rule, the user is classified into the "corporate" profile and assigned to VLAN 20.
• If the MAC address of a user is not within the MAC address range and does not match any other UNP
  classification rules on the switch, then the user is classified into the "def_unp" profile and assigned to
  VLAN 10.
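
The classification process above can be checked offline before the commands are applied. The following Python model is an added example, not part of the manual or of AOS: it parses the commands from steps 1-7 and reports which profile and VLAN a given MAC address resolves to, and whether that VLAN is administratively enabled. The names parse and classify are hypothetical, and the model assumes inclusive range bounds, first matching rule wins, and fallback to the default profile when classification is not enabled on the port.

```python
import re

# Constructed sample input: the commands from steps 1-7 with the "->" prompt removed.
CONFIG = """\
vlan 10 admin-state disable name vlan10-block
vlan 20 admin-state enable name vlan20-corporate
unp profile corporate
unp profile corporate map vlan 20
unp profile def_unp
unp profile def_unp map vlan 10
unp classification-rule rule1 mac-address-range 08:00:27:00:98:0A 08:00:27:00:98:FF profile1 corporate
unp port 1/1/1 port-type bridge
unp port 1/1/1 default-profile def_unp
unp port 1/1/1 classification
"""
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

def mac_to_int(mac):
    """Convert a colon-separated MAC to an integer so ranges compare numerically."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a colon-separated MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)

def parse(config):
    """Build a small model (VLAN state, profile-to-VLAN map, rules, ports) from CLI lines."""
    model = {"vlans": {}, "profiles": {}, "rules": [], "ports": {}}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["vlan"] and "admin-state" in t:
            model["vlans"][int(t[1])] = t[t.index("admin-state") + 1] == "enable"
        elif t[:2] == ["unp", "profile"] and t[3:5] == ["map", "vlan"]:
            model["profiles"][t[2]] = int(t[5])
        elif t[:2] == ["unp", "classification-rule"] and "mac-address-range" in t:
            i = t.index("mac-address-range")
            rule = (mac_to_int(t[i + 1]), mac_to_int(t[i + 2]), t[t.index("profile1") + 1])
            model["rules"].append(rule)
        elif t[:2] == ["unp", "port"]:
            port = model["ports"].setdefault(t[2], {"classification": False, "default": None})
            if t[3:4] == ["classification"]:
                port["classification"] = True
            elif t[3:4] == ["default-profile"]:
                port["default"] = t[4]
    return model

def classify(model, port, mac):
    """Return (profile, vlan, vlan_enabled) for a device MAC seen on a UNP port."""
    p = model["ports"][port]
    profile = p["default"]  # assumption: used when no rule matches or classification is off
    if p["classification"]:
        addr = mac_to_int(mac)
        profile = next((n for lo, hi, n in model["rules"] if lo <= addr <= hi), profile)
    vlan = model["profiles"][profile]
    return profile, vlan, model["vlans"][vlan]
```

For this configuration, an address outside the rule's range resolves to def_unp on VLAN 10 with the VLAN reported as disabled, which matches the "vlan10-block" intent of step 1.
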
OmniSwitch AOS Release 8 Network Configuration Guide
Access Guardian Application Examples
December 2017
page 28-96
