Mappings Tab (Role)
This tab lets you view and configure four different mapping lists for the selected role:
- MAC to Role Mapping - Lets you assign the role to an end user based on the user's MAC address.
- IP to Role Mapping - Lets you assign the role to an end user based on the user's IP address.
- Tagged Packet VLAN to Role Mapping - Lets you assign the role to network traffic based on the traffic's VLAN ID.
- Authentication-Based VLAN to Role Mapping - Lets you assign the role to an end user during the authentication process, based on a VLAN Attribute.
To access this tab, select a role in the left panel's Roles tab and click the Mappings tab in the right panel. Any additions or changes you make to this tab must be enforced in order to take effect.
MAC to Role Mapping
MAC to Role mapping provides a way to assign a role to an end station based on its MAC address. This allows you to create a specific role for a group of end stations (such as IP phones), and assign it to them based on their MAC address. When the end stations connect to the network, the policy-enabled device identifies the source MAC address and applies the mapped role.
This table lists any device-level (all devices) or port-level MAC to Role mappings that have been configured for this role. Use the Add button to create a new device-level mapping for this role. Port-level mappings can be added via the Port Properties General tab, Mappings Sub-tab. Port-level mappings will override any device-level mappings.
NOTES:
- You must have the Port Level Role Mappings feature enabled in Policy Manager for port-level mappings to take effect. (From the menu bar, select the Edit > Port Level Role Mappings checkbox.) If the feature is not enabled, the mappings will be ignored and any mappings listed here will be grayed out.
- Port-level mappings cannot be added to or removed from frozen ports. You must clear the frozen state on a port in order to add or remove a mapping. Once you have created a mapping, you can freeze the port. The port-level mappings of the frozen port will still be enforced and verified.
- Device/Port Level
- This column indicates whether the mapping is a device-level mapping (all devices) or a port-level mapping (IP address and port description).
- MAC Address
- The MAC addresses mapped to this role. Click Add to add a MAC address and mask to the list. Using a mask provides an easy way to select end stations based on a portion of their MAC address. For example, you could select one MAC address, then use a mask based on the manufacturer's ID portion of the MAC address to specify all your Siemens IP Phones. Masked MAC addresses are not supported on legacy devices.
- Add
- Opens the Add MAC Address window, where you can select a MAC address and specify the direction (source or destination).
IP to Role Mapping
IP to Role mapping provides a way to assign a role to an end station based on its IP address. For example, in networks that haven't deployed authentication, this would allow you to map an individual IP address, such as an administrator's laptop, to a specific role. When the end station connects to the network, the policy-enabled device identifies the IP address and applies the mapped role.
This table lists any IP to Role mappings that have been configured for this role. Use the Add button to create a new mapping for this role.
- IP Address
- The IP addresses mapped to this role. Click Add to add an IP address (IPv4 or IPv6 address) and mask to the list. Masked IP addresses are not supported on legacy devices.
- Add
- Opens the Add IP Address window, where you can enter an IP address (IPv4 or IPv6 address) and specify the direction (source or destination).
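As an added example (not Policy Manager's own code), the following Python models how the MAC to Role and IP to Role lists described above resolve a station's role: port-level entries override device-level ones, a mask matches on a portion of the address (for MACs, the manufacturer's ID portion), and masked entries are dropped on legacy devices, which do not support them. The addresses, port names and role names are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or the dashed form) into a 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)

@dataclass
class MacMapping:
    mac: str                     # MAC address to match
    mask: str                    # FF:FF:FF:00:00:00 matches only the manufacturer's ID portion
    role: str
    port: Optional[str] = None   # None = device-level (all devices); "ip/port" = port-level
    def matches(self, mac: str) -> bool:
        m = mac_to_int(self.mask)
        return mac_to_int(mac) & m == mac_to_int(self.mac) & m
    def is_masked(self) -> bool:
        return mac_to_int(self.mask) != 0xFFFFFFFFFFFF

@dataclass
class IpMapping:
    network: str                 # IPv4 or IPv6 address with prefix length, e.g. "2001:db8::/64"
    role: str
    port: Optional[str] = None
    def matches(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.network, strict=False)
    def is_masked(self) -> bool:
        net = ipaddress.ip_network(self.network, strict=False)
        return net.prefixlen != net.max_prefixlen

def resolve_role(mappings, address: str, port: Optional[str], legacy_device: bool = False):
    """Return the role mapped to `address` on `port`, or None. Port-level entries for this
    port win over device-level entries; masked entries are skipped on legacy devices."""
    usable = [m for m in mappings if not (legacy_device and m.is_masked())]
    for level in (port, None):   # port-level first, then device-level
        for m in usable:
            if m.port == level and m.matches(address):
                return m.role
    return None

# Constructed sample lists (02:11:22 is a made-up, locally administered prefix, not a real vendor ID).
MAC_MAPPINGS = [
    MacMapping("02:11:22:00:00:00", "FF:FF:FF:00:00:00", "IP Phone"),
    MacMapping("02:11:22:AA:BB:CC", "FF:FF:FF:FF:FF:FF", "Lab Phone", port="10.0.0.5/ge.1.3"),
]
IP_MAPPINGS = [IpMapping("192.0.2.10/32", "Administrator"), IpMapping("2001:db8::/64", "Guest")]
```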
Tagged Packet VLAN to Role Mapping
Tagged Packet VLAN to Role mapping provides a way to let policy-enabled devices assign a role to network traffic based on a VLAN ID. When a device receives network traffic that has been tagged with a VLAN ID (a tagged packet), it uses the Tagged Packet VLAN to Role mapping list to determine what role to assign the traffic based on that VLAN ID. For more information, see VLAN to Role Mapping in the Concepts Help topic.
This table lists any device-level (all devices) or port-level Tagged Packet VLAN to Role mappings that have been configured for this role. Use the Add button to create a new device-level mapping for this role. Port-level mappings can be added via the Port Properties General tab, Mappings Sub-tab. Port-level mappings will override any device-level mappings.
NOTES:
- You must have the Port Level Role Mappings feature enabled in Policy Manager for port-level mappings to take effect. (From the menu bar, select the Edit > Port Level Role Mappings checkbox.) If the feature is not enabled, the mappings will be ignored and any mappings listed here will be grayed out.
- Port-level mappings cannot be added to or removed from frozen ports. You must clear the frozen state on a port in order to add or remove a mapping. Once you have created a mapping, you can freeze the port. The port-level mappings of the frozen port will still be enforced and verified.
NOTE: TCI Overwrite Requirement
- Tagged Packet VLAN to Role Mapping will apply the Role definition to incoming packets using a mapped VLAN. This definition will apply a COS and determine if the packet is discarded or permitted, and if TCI Overwrite is enabled will re-specify the VLAN ID defined by the Rule / Role Default. If TCI Overwrite is disabled, the packet will egress (if permitted by the Rule Hit) with the original VLAN ID it ingressed with.
- If supported by the device, you can enable TCI Overwrite on a per-port basis in the Port Properties window General tab, or for an individual role in the role's General tab. The stackable devices support rewriting the CoS values but not the VLAN ID.
- * (Primary C2/B2/D2/C3/B3/G3/C5/B5/A4 mapping)
- Use this column to select the device-level VLAN to role mapping that will be used for C2/C3/C5 and B2/B3/B5 devices (C2 firmware version 03.02.xx and higher/B2 firmware version 02.00.16 and higher), and D2, A4, and G3 devices (G3 firmware version 6.03.xx and higher). These devices only support one device-level VLAN to role mapping. If you do not make a selection, there will be no device-level mapping for these devices. Use the Mappings tab in the Enforce Preview window to quickly see which VLAN to role mapping is selected for these devices.
- Device/Port Level
- This column indicates whether the mapping is a device-level mapping (all devices) or a port-level mapping (IP address and port description).
- Add
- Opens the VLANs Selection View, where you can choose a VLAN to map to the role.
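The following Python is an added model (not Policy Manager code) of the behaviour the TCI Overwrite note and the primary-mapping column above describe: a tagged frame is looked up by VLAN ID, the mapped role applies its CoS and permit/discard decision, the VLAN ID is rewritten only when TCI Overwrite is on and the device is not a stackable, and single-mapping device families receive only the mapping selected as primary. The Role, Frame and Device types and all VLAN IDs and CoS values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Role:
    name: str
    permit: bool                  # Rule / Role Default: permit (True) or discard (False)
    cos: int                      # CoS the role definition applies
    default_vlan: Optional[int]   # VLAN ID the Rule / Role Default would set

@dataclass
class Frame:
    vlan_id: int                  # 802.1Q VLAN ID the packet ingressed with
    cos: int = 0

@dataclass
class Device:
    vlan_to_role: Dict[int, Role] # device-level Tagged Packet VLAN to Role mappings
    tci_overwrite: bool           # TCI Overwrite enabled on the ingress port or the role
    stackable: bool = False       # stackables rewrite CoS but never the VLAN ID
    single_mapping: bool = False  # C2/B2/D2/... families: one device-level mapping only
    primary_vlan: Optional[int] = None  # the "*" (primary) selection for those families

def effective_mappings(device: Device) -> Dict[int, Role]:
    """Single-mapping families only receive the primary selection; with no
    selection they get no device-level mapping at all."""
    if not device.single_mapping:
        return device.vlan_to_role
    role = device.vlan_to_role.get(device.primary_vlan)
    return {device.primary_vlan: role} if role is not None else {}

def forward(device: Device, frame: Frame) -> Optional[Frame]:
    """Apply the mapped role to an ingress frame; return the egress frame, or None if discarded."""
    role = effective_mappings(device).get(frame.vlan_id)
    if role is None:
        return frame              # no mapping for this VLAN: this model leaves the frame as it arrived
    if not role.permit:
        return None               # the Rule Hit says discard
    egress_vlan = frame.vlan_id   # TCI Overwrite off: egress with the original VLAN ID
    if device.tci_overwrite and not device.stackable and role.default_vlan is not None:
        egress_vlan = role.default_vlan
    return Frame(vlan_id=egress_vlan, cos=role.cos)

# Constructed sample: VLAN 10 maps to a permitting role, VLAN 20 to a quarantine role that discards.
MAPPINGS = {10: Role("IP Phone", True, 5, 100), 20: Role("Quarantine", False, 0, None)}
```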
Authentication-Based VLAN to Role Mapping
Authentication-Based VLAN to Role mapping provides a way to assign a role to a user during the authentication process, based on a VLAN Attribute. An end user connects to a policy-enabled device that supports 802.1X authentication using a RADIUS Server. During the authentication process, the RADIUS server returns a VLAN ID in its RADIUS VLAN Tunnel Attribute. The device uses the Authentication-Based VLAN to Role mapping list to determine what role to assign to the end user, based on the VLAN Tunnel Attribute. Use this table to view and configure the VLANs that will map to the selected role. For more information, see VLAN to Role Mapping in the Concepts Help topic.
This table lists any Authentication-Based VLAN to Role mappings that have been configured for this role. Use the Add button to create a new mapping for this role.
NOTE: When configuring Authentication-Based VLAN to role mapping, you must enable RFC3580 VLAN Authorization on the device via the device Authentication tab.
- Add
- Opens the VLANs Selection View, where you can choose a VLAN to map to the role.