xStack® DGS-3400 Series Layer 2 Gigabit Managed Switch CLI Manual
config mac_based_access_control ports
Purpose
Used to configure the parameters of MAC-based access control.
Syntax
config mac_based_access_control ports [<portlist> | all] {state [enable | disable] |
mode [port_based | host_based] | aging_time [infinite | <min 1-1440>] | block_time
[infinite | <sec 1-300>] | max_users [no_limit | <value 1-4000>]} (1)
Description
This command is used to configure the MAC-based access control settings.
When the MAC-based access control function is enabled for a port and the guest VLAN
function for this port is disabled, traffic from a user attached to this port will not be
forwarded unless the user passes authentication. A user that does not pass authentication
will not be serviced by the switch. If the user passes authentication, the user's traffic
will be forwarded under the assigned VLAN configuration.
When the MAC-based access control function is enabled for a port and the guest VLAN
function for this port is enabled, the port will be removed from its original VLAN and
become a member port of the guest VLAN before the authentication process starts.
After authentication, if a valid VLAN is assigned by the RADIUS server, the port
will be removed from the guest VLAN and become a member port of the assigned
VLAN.
For guest VLAN mode, there are two situations that need to be considered. If the product
doesn't support MAC-based VLAN classification, then once the port has been moved to the
authorized VLAN, subsequent users will not be authenticated again; they will operate
in the current authorized VLAN. In this case, the guest VLAN and host-based mode can't
be enabled at the same time.
If the product supports MAC-based VLAN classification, then each user will be
authorized individually and is capable of getting its own VLAN.
For guest VLAN mode, if the MAC address is authorized but no VLAN information is
assigned by the RADIUS server, or the VLAN assigned by the RADIUS server is invalid
(e.g. the assigned VLAN does not exist), this port/MAC will be removed from the
guest VLAN and become a member of the original VLAN.
Parameters
ports – A range of ports on which to enable or disable the MAC-based access control function.
state – Specifies whether the MAC-based access control function is enabled or disabled.
mode – Either port-based or host-based.
port_based: All users connected to a port share the first authentication result.
host_based: Each user can have its own authentication result. If the Switch doesn't
support MAC-based VLANs, the Switch will not allow the option host_based for ports
that are in guest VLAN mode.
aging_time – The time period during which an authenticated host will be kept in the
authenticated state. When the aging time expires, the host is moved back to the
unauthenticated state.
block_time – If a host fails to pass authentication, the next authentication will not
start within block_time unless the user clears the entry state manually.
max_users – The maximum number of authenticated clients per port.
Restrictions
Only Administrator and Operator-level users can issue this command.
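The following Python sketch is an added example, not part of the manual or of the switch firmware. It checks command lines against the keywords and value ranges in the Syntax above and against the host_based/guest VLAN restriction from the Description, which is useful when reviewing a saved configuration before it is loaded. The function names, the `guest_vlan` and `mac_based_vlan` arguments, the portlist pattern, and the reading of the trailing "(1)" as "at least one option is required" are assumptions.

```python
import re

PREFIX = "config mac_based_access_control ports "
# Keyword values and numeric ranges copied from the Syntax line above.
KEYWORDS = {"state": {"enable", "disable"}, "mode": {"port_based", "host_based"},
            "aging_time": {"infinite"}, "block_time": {"infinite"},
            "max_users": {"no_limit"}}
RANGES = {"aging_time": (1, 1440), "block_time": (1, 300), "max_users": (1, 4000)}

def parse(line):
    """Return (portlist, options) for one command line or raise ValueError."""
    if not line.startswith(PREFIX):
        raise ValueError("not a mac_based_access_control ports command")
    tokens = line[len(PREFIX):].split()
    if not tokens:
        raise ValueError("missing portlist")
    portlist, rest = tokens[0], tokens[1:]
    # Assumption: a portlist is digits with '-', ',' or ':' separators, or 'all'.
    if portlist != "all" and not re.fullmatch(r"\d[\d:,-]*", portlist):
        raise ValueError(f"bad portlist {portlist!r}")
    # Assumption: the trailing "(1)" means at least one option must be given.
    if not rest or len(rest) % 2:
        raise ValueError("at least one option with a value is required")
    opts = {}
    for key, val in zip(rest[::2], rest[1::2]):
        if key not in KEYWORDS:
            raise ValueError(f"unknown option {key!r}")
        if val not in KEYWORDS[key]:
            lo, hi = RANGES.get(key, (1, 0))  # (1, 0): no numeric form exists
            if not (val.isdecimal() and lo <= int(val) <= hi):
                raise ValueError(f"{key} value {val!r} is not allowed")
        opts[key] = val
    return portlist, opts

def audit(lines, guest_vlan, mac_based_vlan):
    """List (line, problem) pairs for lines that break the rules on this page."""
    findings = []
    for line in lines:
        try:
            _, opts = parse(line)
        except ValueError as exc:
            findings.append((line, str(exc)))
            continue
        if opts.get("mode") == "host_based" and guest_vlan and not mac_based_vlan:
            findings.append((line, "host_based with guest VLAN needs MAC-based VLAN support"))
    return findings

# Constructed sample lines; only the first appears in the manual.
SAMPLE = [PREFIX + s for s in ("1-8 state enable", "1-8 mode host_based",
          "all aging_time 2000", "9 block_time 300 max_users no_limit", "1-8")]
```

Calling `audit(SAMPLE, guest_vlan=True, mac_based_vlan=False)` reports the host_based line, the out-of-range aging_time and the command with no options.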
Example usage:
To configure port state:
DGS-3426:5#config mac_based_access_control ports 1-8 state enable
Command: config mac_based_access_control ports 1-8 state enable
Success.
DGS-3426:5#
To configure port mode: