MAC-Based VLAN Configuration

Introduction to MAC-Based VLAN

MAC-based VLANs group VLAN members by MAC address. They are mostly used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices.

MAC-based VLAN implementation

With MAC-based VLAN configured, the device processes received packets as follows:

- When receiving an untagged frame, the device looks up the list of MAC-to-VLAN mappings based on the source MAC address of the frame for a match. Two matching modes are available: exact matching and fuzzy matching. In exact matching mode, the device searches the MAC-to-VLAN mappings whose masks are all-Fs. If the MAC address in a MAC-to-VLAN mapping matches the source MAC address of the untagged frame exactly, the device ends the search and adds a VLAN tag containing the corresponding VLAN ID to the packet. In fuzzy matching mode, the device searches the MAC-to-VLAN mappings whose masks are not all-Fs and performs a logical AND operation on the keyword (the source MAC address) and each mask. If the result of an AND operation matches the corresponding MAC address exactly, the device ends the search and adds a VLAN tag containing the corresponding VLAN ID to the packet. If no match is found, the system looks up other types of VLANs to make the forwarding decision.
- When receiving a tagged frame, the receiving port forwards the frame if it is assigned to the corresponding VLAN or drops the frame if it is not. In this case, port-based VLAN is applied.

Approaches to Creating MAC Address-to-VLAN Mappings

In addition to creating MAC address-to-VLAN mappings at the CLI, you can use an authentication server to automatically issue MAC address-to-VLAN mappings.

- Manual static configuration (through the CLI)
  You can associate MAC addresses with VLANs by using corresponding commands.
- Automatic configuration through the authentication server (that is, VLAN issuing)
  The device associates MAC addresses with VLANs dynamically based on the information provided by the authentication server. If a user goes offline, the corresponding MAC address-to-VLAN association is removed automatically. Automatic configuration requires that MAC address-to-VLAN mappings be configured on the authentication server. For detailed information, refer to 802.1X Configuration in the Security Volume.

The two configuration approaches can be used at the same time, that is, you can configure a MAC address-to-VLAN entry on both the local device and the authentication server at the same time. Note that the MAC address-to-VLAN entry configuration takes effect only when the configuration on the local device is consistent with that on the authentication server. Otherwise, the previous configuration takes effect.

Configuring a MAC Address-Based VLAN
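The lookup described under "MAC-based VLAN implementation" above, modelled in Python as an added example (not code from the device or its vendor), useful for checking which source addresses a fuzzy mask admits to a VLAN before a mapping is configured. The table entries, function names and the choice to try exact mappings before fuzzy ones are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

ALL_FS = 0xFFFFFFFFFFFF  # mask value that selects exact matching


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff', 'aa-bb-...' or 'aabb-ccdd-eeff' into a 48-bit int."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int.from_bytes(raw, "big")


class Mapping(NamedTuple):
    mac: int
    mask: int
    vlan: int


def entry(mac: str, mask: str, vlan: int) -> Mapping:
    return Mapping(mac_to_int(mac), mac_to_int(mask), vlan)


def classify_untagged(src_mac: str, table: list[Mapping]) -> Optional[int]:
    """VLAN ID to tag an untagged frame with, or None if no mapping matches."""
    src = mac_to_int(src_mac)
    # Exact matching: only mappings whose mask is all-Fs, compared in full.
    for m in table:
        if m.mask == ALL_FS and m.mac == src:
            return m.vlan
    # Fuzzy matching: AND the source MAC with each mask, then compare exactly.
    # (Assumption: exact mappings are consulted before fuzzy ones.)
    for m in table:
        if m.mask != ALL_FS and (src & m.mask) == m.mac:
            return m.vlan
    return None  # caller falls back to other VLAN types


def handle_tagged(vlan_id: int, port_vlans: set[int]) -> bool:
    """Tagged frame: forward only if the receiving port is assigned to that VLAN."""
    return vlan_id in port_vlans


# Constructed sample table: one prefix (fuzzy) mapping and one exact mapping.
TABLE = [
    entry("0011-2200-0000", "ffff-ff00-0000", 200),
    entry("0011-2233-4455", "ffff-ffff-ffff", 100),
]
```

With a 24-bit mask, every source address sharing the 0011-22 prefix is placed in VLAN 200, so a fuzzy mapping should only cover address ranges whose members are all meant to reach that VLAN.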