MAC-based VLANs

MAC-Based VLANs (MBVs) allow multiple clients on a single switch port to receive different untagged VLAN assignments. VLAN assignment of untagged traffic is based on the source MAC address rather than the port. Clients receive their untagged VLAN assignment from the RADIUS server. This feature adheres to the requirement that if all known RADIUS attributes for a given client cannot be applied, the authentication request for that client must be rejected.

Both authenticated and unauthenticated clients can reside on the same port on different VLANs, but only if the mixed-mode configuration is enabled. This is not the default behavior. The normal operating behavior is not to allow unauthenticated clients on the port when at least one authenticated client is present on the port. If an unauthenticated client is present on the unauthorized VLAN and another client successfully authenticates on that port, the unauthenticated client is kicked off the port.

When an MBV cannot be applied due to a conflict with another client on that port, a message indicating VID arbitration error is logged.

When an MBV cannot be applied due to lack of resources, a message indicating lack of resources is logged.

There is no command line support for this feature. The decision to use an MBV is made automatically if the hardware is capable and if the situation requires it. If multiple clients authenticate on different untagged VLANs on hardware that does not support MBVs, the switch rejects every client authorized on a VLAN different from the first client's VLAN, because the first authenticated client sets the Port VID (PVID).
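The per-port admission rules described above (PVID set by the first authenticated client, VID arbitration error on non-MBV hardware, lack-of-resources rejection, and the default kick-off of unauthenticated clients unless mixed mode is enabled) are modelled below as an added Python example; this is not switch code and the `mbv_capacity` limit, the client records and the log strings are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Client:
    mac: str
    vid: Optional[int]          # None = unauthenticated client on the unauthorized VLAN
    authenticated: bool


@dataclass
class Port:
    mbv_capable: bool            # hardware can hold per-MAC untagged VLAN entries
    mixed_mode: bool = False     # off by default, as the text states
    mbv_capacity: int = 4        # assumed per-port MBV entry limit (not from the page)
    clients: List[Client] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def pvid(self) -> Optional[int]:
        # The first authenticated client's VLAN becomes the Port VID.
        for c in self.clients:
            if c.authenticated:
                return c.vid
        return None

    def admit_authenticated(self, mac: str, vid: int) -> str:
        pvid = self.pvid()
        if pvid is not None and vid != pvid:
            if not self.mbv_capable:
                # Non-MBV hardware: a second untagged VLAN on the port is a conflict.
                self.log.append(f"{mac}: VID arbitration error (PVID {pvid}, requested {vid})")
                return "rejected"
            in_use = sum(1 for c in self.clients if c.authenticated and c.vid != pvid)
            if in_use >= self.mbv_capacity:
                # All RADIUS attributes must apply, so the request is rejected, not downgraded.
                self.log.append(f"{mac}: MBV not applied, lack of resources")
                return "rejected"
        self.clients.append(Client(mac, vid, True))
        if not self.mixed_mode:
            # Default behaviour: unauthenticated clients are removed once one client authenticates.
            for c in [c for c in self.clients if not c.authenticated]:
                self.log.append(f"{c.mac}: unauthenticated client removed from port")
            self.clients = [c for c in self.clients if c.authenticated]
        return "accepted"

    def admit_unauthenticated(self, mac: str) -> str:
        if not self.mixed_mode and any(c.authenticated for c in self.clients):
            self.log.append(f"{mac}: unauthenticated client refused, authenticated client present")
            return "rejected"
        self.clients.append(Client(mac, None, False))
        return "accepted"
```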

This feature has the side effect of allowing egress traffic from one client's VLAN to be accepted by all untagged clients on that port. For example, suppose that clients A and B are both on the same switch port, but on two different VLANs. If client A is subscribing to a multicast stream, then client B also receives that multicast traffic.