MAC-Based VLAN Configuration
Introduction to MAC-Based VLAN
MAC-based VLANs group VLAN members by MAC address. They are mostly used in conjunction with
security technologies such as 802.1X to provide secure, flexible network access for terminal devices.
MAC-based VLAN implementation
With MAC-based VLAN configured, the device processes received packets as follows:
When receiving an untagged frame, the device looks up the list of MAC-to-VLAN mappings for a
match, using the source MAC address of the frame as the keyword. Two matching modes are
available: exact matching and fuzzy matching. In exact matching mode, the device searches the
MAC-to-VLAN mappings whose masks are all-Fs. If the MAC address in a MAC-to-VLAN mapping
matches the source MAC address of the untagged frame exactly, the device ends the search and
adds a VLAN tag containing the corresponding VLAN ID to the packet. In fuzzy matching mode, the
device searches the MAC-to-VLAN mappings whose masks are not all-Fs and performs a logical AND
operation on the keyword and each mask. If the result of an AND operation matches the
corresponding MAC address exactly, the device ends the search and adds a VLAN tag containing
the corresponding VLAN ID to the packet. If no match is found, the system looks up other types of
VLANs to make the forwarding decision.
When receiving a tagged frame, the receiving port forwards the frame if it is assigned to the
corresponding VLAN or drops the frame if it is not. In this case, port-based VLAN applies.
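The lookup for untagged frames described above can be modeled as follows. This is an added example, not code from the device or its vendor: the function names, the sample table, and the search order (exact entries before fuzzy entries, each in table order) are assumptions made for illustration.

```python
# Model of the MAC-to-VLAN lookup for untagged frames (added illustration).
# Assumptions: exact entries are searched before fuzzy ones, in table order.

ALL_F = 0xFFFFFFFFFFFF  # mask of an exact-match mapping


def parse_mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' or 'aabb-ccdd-eeff' to a 48-bit integer."""
    digits = text.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def build_table(entries):
    """Validate (mac, mask, vlan_id) entries and return them as integers."""
    table = []
    for mac, mask, vlan in entries:
        mac_i, mask_i = parse_mac(mac), parse_mac(mask)
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN ID out of range: {vlan}")
        # An entry with address bits outside its mask can never equal
        # (source MAC AND mask), so reject it instead of storing dead config.
        if mac_i & mask_i != mac_i:
            raise ValueError(f"{mac} has bits set outside mask {mask}")
        table.append((mac_i, mask_i, vlan))
    return table


def lookup_vlan(table, src_mac):
    """Return (vlan_id, mode) for an untagged frame's source MAC address."""
    key = parse_mac(src_mac)
    # Exact matching: only mappings whose mask is all-Fs are considered.
    for mac, mask, vlan in table:
        if mask == ALL_F and mac == key:
            return vlan, "exact"
    # Fuzzy matching: AND the keyword with each non-all-Fs mask and compare.
    for mac, mask, vlan in table:
        if mask != ALL_F and (key & mask) == mac:
            return vlan, "fuzzy"
    # No match: the device falls back to other VLAN types.
    return None, "no-match"


# Constructed sample mappings: one exact host entry and one prefix entry.
SAMPLE_TABLE = build_table([
    ("0011-2233-4455", "ffff-ffff-ffff", 100),
    ("0011-2200-0000", "ffff-ff00-0000", 200),
])
```

In this model the fuzzy entry places every source address that shares the first three bytes into VLAN 200, which is worth keeping in mind when a mask is chosen for a mapping.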
Approaches to Creating MAC Address-to-VLAN Mappings
In addition to creating MAC address-to-VLAN mappings at the CLI, you can use an authentication
server to automatically issue MAC address-to-VLAN mappings.
Manual static configuration (through the CLI)
You can associate MAC addresses with VLANs by using corresponding commands.
Automatic configuration through the authentication server (that is, VLAN issuing)
The device associates MAC addresses with VLANs dynamically based on the information provided by
the authentication server. If a user goes offline, the corresponding MAC address-to-VLAN association is
removed automatically. Automatic configuration requires that MAC address-to-VLAN mappings be
configured on the authentication server. For detailed information, refer to 802.1X Configuration in the
The two configuration approaches can be used at the same time, that is, you can configure a MAC
address-to-VLAN entry on both the local device and the authentication server at the same time. Note
that the MAC address-to-VLAN entry configuration takes effect only when the configuration on the local
device is consistent with that on the authentication server. Otherwise, the previous configuration takes
Configuring a MAC Address-Based VLAN