Mapping A Static Ethernet Service Instance To A Vsi; Mapping Dynamic Ethernet Service Instances To Vsis - H3C S5560X-EI Series Configuration Manual


Mapping a static Ethernet service instance to a VSI

A static Ethernet service instance matches a list of VLANs on a site-facing interface. The VTEP
assigns customer traffic from the VLANs to a VXLAN by mapping the Ethernet service instance to a
VSI.
To map an Ethernet service instance to a VSI:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Create an Ethernet service instance and enter Ethernet service instance view.
   Command: service-instance instance-id
   Remarks: By default, no Ethernet service instances exist.
4. Configure a frame match criterion.
   Command (use one of the following):
   - Match frames that do not match any other service instance on the interface:
     encapsulation default
   - Match any 802.1Q tagged or untagged frames:
     encapsulation { tagged | untagged }
   - Match frames tagged with the specified inner and outer 802.1Q VLAN IDs:
     encapsulation s-vid vlan-id [ c-vid vlan-id-list | only-tagged ]
   Remarks: By default, an Ethernet service instance does not contain a frame match criterion. To match frames from a VLAN correctly, make sure you have created the VLAN and assigned the interface to the VLAN. If the default, tagged, or untagged criterion is used, you must assign the interface to its default VLAN.
5. Map the Ethernet service instance to a VSI.
   Command: xconnect vsi vsi-name [ access-mode vlan ]
   Remarks: By default, an Ethernet service instance is not mapped to any VSI.

Mapping dynamic Ethernet service instances to VSIs

About dynamic Ethernet service instances

The 802.1X or MAC authentication feature can use the authorization VSI, the guest VSI, the
Auth-Fail VSI, and the critical VSI to control the access of users to network resources. When
assigning a user to a VSI, 802.1X or MAC authentication sends the VXLAN feature the VSI
information and the user's access information, including access interface, VLAN, and MAC address.
Then the VXLAN feature creates a dynamic Ethernet service instance for the user and maps it to the
VSI. For more information about 802.1X authentication and MAC authentication, see Security
Configuration Guide.
A dynamic Ethernet service instance supports the following traffic match modes:
- VLAN-based mode—Matches frames by VLAN ID.
- MAC-based mode—Matches frames by VLAN ID and source MAC address.
To use MAC-based traffic match mode for dynamic Ethernet service instances, you must enable
MAC authentication or 802.1X authentication that uses MAC-based access control.

Configuration procedure

The device automatically creates a dynamic Ethernet service instance for an 802.1X or MAC
authentication user and maps the Ethernet service instance to a VSI in the following conditions:
- The user is assigned to the guest VSI, Auth-Fail VSI, or critical VSI configured on the device.
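
The static mapping procedure from "Mapping a static Ethernet service instance to a VSI", written out as a CLI session with the VLAN prerequisite from the step 4 remarks. This is an added example, not taken from the H3C manual: the device name Sysname, VLAN 10, interface GigabitEthernet 1/0/1, service instance ID 1000, and VSI name vpna are constructed values, and VSI vpna is assumed to exist already with its VXLAN.

```text
# Added example with constructed values; VSI vpna is assumed to exist already.

# Create VLAN 10 so that frames from the VLAN can be matched.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] quit

# Assign the site-facing interface to VLAN 10 as a trunk port.
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type trunk
[Sysname-GigabitEthernet1/0/1] port trunk permit vlan 10

# Create Ethernet service instance 1000 and match frames whose outer
# 802.1Q VLAN ID is 10. An explicit s-vid criterion keeps traffic from
# other VLANs on the port out of this VXLAN, unlike "encapsulation default",
# which picks up every frame no other service instance matches.
[Sysname-GigabitEthernet1/0/1] service-instance 1000
[Sysname-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 10

# Map the service instance to VSI vpna. Until this command is entered,
# the service instance is not mapped to any VSI.
[Sysname-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna
[Sysname-GigabitEthernet1/0/1-srv1000] quit
[Sysname-GigabitEthernet1/0/1] quit
```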
