130• When a port is assigned to the corresponding VLAN in a MAC address-to-VLAN entry, but has notbeen assigned to the VLAN by using the port hybrid vlan command, the port sends packets fromthe VLAN with VLAN tags removed.• If you configure both static and dynamic MAC-based VLAN assignment on the same port, dynamicMAC-based VLAN assignment applies.• A port forwards frames matching MAC-to-VLAN entries according to the 802.1p priorities of theMAC-based VLANs.Dynamic MAC-based VLANYou can use dynamic MAC-based VLAN with access authentication (such as 802.1X authenticationbased on MAC addresses) to implement secure, flexible terminal access. After configuring dynamicMAC-based VLAN on the device, you must configure the username-to-VLAN entries on the accessauthentication server.When a user passes authentication of the access authentication server, the device obtains VLANinformation from the server, generates a MAC address-to-VLAN entry by using the source MAC addressof the user packet and the VLAN information, and assigns the port to the MAC-based VLAN. When theuser goes offline, the device automatically deletes the MAC address-to-VLAN entry, and removes the portfrom the MAC-based VLAN. For more information about 802.1X, MAC, and portal authentication, seeSecurity Configuration Guide.Configuration restrictions and guidelinesWhen you configure a MAC-based VLAN, follow these guidelines:• MAC-based VLANs are available only on hybrid ports.• You cannot configure super VLANs in the MAC address-to-VLAN entries.• With dynamic MAC-based VLAN assignment enabled, packets are delivered to the CPU forprocessing. The packet processing mode has the highest priority and overrides the configuration ofMAC learning limit and disabling of MAC address learning. When dynamic MAC-based VLANassignment is enabled, do not configure the MAC learning limit or disable MAC address learning.• Do not use dynamic MAC-based VLAN assignment together with 802.X and MAC authentication.• In dynamic MAC-based VLAN assignment, the port that receives a packet with an unknown sourceMAC address can be successfully assigned to the matched VLAN only when the matched VLAN isa static VLAN.• The MAC-based VLAN feature is mainly configured on the downlink ports of the user accessdevices. Do not enable this function together with link aggregation.• With MSTP enabled, if a port is blocked in the MST instance (MSTI) of the target MAC-based VLAN,the port drops the received packets, instead of delivering them to the CPU. As a result, the receivingport will not be dynamically assigned to the corresponding VLAN. Do not configure dynamicMAC-based VLAN assignment together with MSTP, because the former is mainly configured on theaccess side.• When PVST is enabled, if the VLAN to which a port is to be assigned is not allowed by the port, theport is blocked. In this case, the port drops received packets instead of delivering them to the CPU,failing to complete dynamic MAC-based VLAN assignment. Do not configure dynamic MAC-basedVLAN assignment together with PVST, because the former is mainly configured on the access side.• When you configure MAC-to-VLAN entries, if you specify the 802.1p priority for the VLAN of aMAC address, you must configure the qos trust dot1p command on the corresponding port, so that