General Tab (VLAN)
The VLAN General tab displays information about the VLAN selected in the left panel and lets you configure certain VLAN parameters. If you are using VLAN to Role mapping in your network, you can also use this tab to map the VLAN to a specific role. If you make a change on this tab, you need to enforce it using the Enforce button on the toolbar.
To view this tab, select a VLAN in the left panel of the Access Control Configuration window (available from the Policy Manager Edit menu).
General
This area provides general information about the VLAN and allows you to configure the VLAN.
- VLAN ID
- Unique number assigned to the VLAN, also called VID (for VLAN ID). This ID was either assigned by an administrator or assigned automatically by the system when the VLAN was created. The value can be anywhere between 1 and 4094, with VID 1 being reserved for the DEFAULT VLAN (a name for a particular VLAN, not to be confused with a role's assigned default VLAN).
- This VLAN is intended as a Discard VLAN only
- Select this checkbox if this VLAN is to be used to deny traffic. If it is to be used to contain traffic, leave the box unchecked.
- Dynamic Egress Enabled
- Dynamically add all ports which use this VLAN to this VLAN's egress list. Dynamic Egress is enabled by default in Policy Manager. Leave disabled for discard VLANs. See Dynamic Egress for more information.
- Always write VLAN to device(s)
- If the box is checked, the VLAN will be written to the device whether the VLAN is being used in a rule or role, or not. If it is not checked, the VLAN will not be written to the device unless it is being used in a rule or role. Enabling this option is a way of ensuring that the device is aware of a VLAN that is being used for something other than policy configuration, and it allows you to configure that VLAN for Dynamic Egress. If the Default VLAN (VID=1) is selected in the left panel, this option is checked and cannot be edited, as the default VLAN is always on the device.
Tagged Packet VLAN to Role Mapping
Tagged Packet VLAN to Role Mapping provides a way to let policy-enabled devices assign a role to network traffic, based on a VLAN ID. (For more information, see VLAN to Role Mapping in the Concepts help topic.) This area displays what role (if any) the VLAN is mapped to at both the device-level and port-level, and lets you configure mappings, if desired.
NOTE: TCI Overwrite Requirement
- Tagged Packet VLAN to Role Mapping applies the Role definition to incoming packets using a mapped VLAN. This definition applies a CoS and determines whether the packet is discarded or permitted, and, if TCI Overwrite is enabled, re-specifies the VLAN ID defined by the Rule / Role Default. If TCI Overwrite is disabled, the packet egresses (if permitted by the Rule Hit) with the original VLAN ID it ingressed with.
- If supported by the device, you can enable TCI Overwrite on a per-port basis in the Port Properties window General tab, or for an individual role in the role's General tab. The stackable devices support rewriting the CoS values but not the VLAN ID.
- Device Level Mapping
- The role the VLAN is mapped to at the device level (all devices). To select a role, click Select, choose a role, and click OK.
- Select
- Opens the role Selection View, where you can choose a role to associate with the VLAN at the device level.
- Primary C2/B2/D2/C3/B3/G3/C5/B5/A4 mapping
- Use this checkbox to specify that this VLAN to role mapping will be the primary mapping for C2/C3/C5 and B2/B3/B5 devices (C2 firmware version 03.02.xx and higher/B2 firmware version 02.00.16 and higher), and D2, A4, and G3 devices (G3 firmware version 6.03.xx and higher). These devices only support one device-level VLAN to role mapping. If you do not make this selection, there will be no device-level mapping for these devices.
- Port Level Mappings
- This table lists any port-level Tagged Packet VLAN to Role Mappings that have been configured for this VLAN. Port-level mappings override any device-level mapping.
NOTES:
- You must have the Port Level Role Mappings feature enabled in Policy Manager for the mappings to take effect. (From the menu bar, select the Edit > Port Level Role Mappings checkbox.) If the feature is not enabled, the mappings are ignored and any mappings listed here are grayed out.
- Port-level mappings cannot be added to or removed from frozen ports. You must clear the frozen state on a port in order to add or remove a mapping. Once you have created a mapping, you can freeze the port. The port-level mappings of the frozen port will still be enforced and verified.
- Add/Remove Mappings
- Opens the Add/Remove Mappings window where you can add or remove port-level mappings. You can also configure port-level mappings using the Mappings sub-tab in the Port Properties General tab.
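The mapping precedence and TCI Overwrite behaviour described in this section, modelled as a small Python example added here (it is not Policy Manager code); the port names, role names and VIDs are constructed for illustration.

```python
"""Model of Tagged Packet VLAN to Role Mapping precedence (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Role:
    name: str
    default_vid: Optional[int]  # role's default VLAN, applied when TCI Overwrite is on
    permit: bool = True         # False models a role whose rule hit discards traffic


@dataclass
class PolicyConfig:
    port_level_feature_enabled: bool = True          # Edit > Port Level Role Mappings
    device_mappings: Dict[int, Role] = field(default_factory=dict)          # vid -> role
    port_mappings: Dict[Tuple[str, int], Role] = field(default_factory=dict)  # (port, vid) -> role
    frozen_ports: Set[str] = field(default_factory=set)
    tci_overwrite_ports: Set[str] = field(default_factory=set)

    def add_port_mapping(self, port: str, vid: int, role: Role) -> None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be between 1 and 4094")
        if port in self.frozen_ports:  # frozen ports cannot gain or lose mappings
            raise ValueError(f"port {port} is frozen; clear the frozen state first")
        self.port_mappings[(port, vid)] = role

    def resolve_role(self, port: str, vid: int) -> Optional[Role]:
        # Port-level mapping wins over device-level, but only when the feature is enabled.
        if self.port_level_feature_enabled:
            role = self.port_mappings.get((port, vid))
            if role is not None:
                return role
        return self.device_mappings.get(vid)

    def egress_vid(self, port: str, ingress_vid: int) -> Optional[int]:
        """VID the packet egresses with, or None if the mapped role discards it."""
        role = self.resolve_role(port, ingress_vid)
        if role is None or not role.permit:
            return None
        if port in self.tci_overwrite_ports and role.default_vid is not None:
            return role.default_vid   # TCI Overwrite rewrites the VLAN ID
        return ingress_vid            # otherwise the original tag is kept


# Constructed sample: VID 100 mapped to Guest device-wide, overridden to Staff on one port.
GUEST = Role("Guest", default_vid=300)
STAFF = Role("Staff", default_vid=200)
QUARANTINE = Role("Quarantine", default_vid=None, permit=False)


def build_sample_config() -> PolicyConfig:
    cfg = PolicyConfig(frozen_ports={"ge.1.3"}, tci_overwrite_ports={"ge.1.1"})
    cfg.device_mappings[100] = GUEST
    cfg.device_mappings[666] = QUARANTINE
    cfg.add_port_mapping("ge.1.1", 100, STAFF)
    return cfg
```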
Authentication-Based VLAN to Role Mapping
Authentication-Based VLAN to Role Mapping provides a way to assign a role to a user during the authentication process, based on a VLAN Attribute. (For more information, see VLAN to Role Mapping in the Concepts help topic.) This area displays what role (if any) the VLAN is mapped to (at the device-level) and lets you configure a mapping, if desired.
NOTE: When configuring Authentication-Based VLAN to Role Mapping, you must enable RFC3580 VLAN Authorization on the device via the device Authentication tab.
- Mapped to Role
- The role the VLAN is mapped to. To select a role, click Select, choose a role, and click OK.
- Select
- Opens the role Selection View, where you can choose a role to associate with the VLAN.