Mapping a static Ethernet service instance to a VSI
A static Ethernet service instance matches a list of VLANs on a site-facing interface. The VTEP
assigns customer traffic from the VLANs to a VXLAN by mapping the Ethernet service instance to a
VSI.
To map an Ethernet service instance to a VSI:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter Layer 2 Ethernet interface view.
  Command: interface interface-type interface-number
  Remarks: N/A

Step 3. Create an Ethernet service instance and enter Ethernet service instance view.
  Command: service-instance instance-id
  Remarks: By default, no Ethernet service instances exist.

Step 4. Configure a frame match criterion.
  Command:
  • Match frames that do not match any other service instance on the interface:
    encapsulation default
  • Match any 802.1Q tagged or untagged frames:
    encapsulation { tagged | untagged }
  • Match frames tagged with the specified inner and outer 802.1Q VLAN IDs:
    encapsulation s-vid vlan-id [ c-vid vlan-id-list | only-tagged ]
  Remarks: By default, an Ethernet service instance does not contain a frame match criterion.
  To match frames from a VLAN correctly, make sure you have created the VLAN and assigned the interface to the VLAN. If the default, tagged, or untagged criterion is used, you must assign the interface to its default VLAN.

Step 5. Map the Ethernet service instance to a VSI.
  Command: xconnect vsi vsi-name [ access-mode vlan ]
  Remarks: By default, an Ethernet service instance is not mapped to any VSI.
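The following is an added example, not part of the original guide: a Python check over a saved configuration that flags the defaults and the VLAN prerequisite noted in the remarks above (no frame match criterion, no VSI mapping, s-vid VLAN not created or not assigned to the interface). The sample configuration, its interface and VSI names, the `port trunk permit vlan` line layout, and the `audit` helper are constructed assumptions.

```python
import re
# Constructed sample in the style of a saved configuration (layout is an assumption).
SAMPLE = """\
vlan 10
interface GigabitEthernet1/0/1
 port trunk permit vlan 1 10
 service-instance 1000
  encapsulation s-vid 10
  xconnect vsi vpna
 service-instance 2000
  encapsulation s-vid 20
  xconnect vsi vpnb
 service-instance 3000
  encapsulation default
"""

def audit(config):
    """Return sorted (interface, instance-id, finding) tuples."""
    vlans, permitted, instances = {1}, {}, {}   # assumes VLAN 1 exists by default
    iface = inst = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):             # a top-level line ends the current view
            iface = inst = None
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlans.add(int(m[1]))
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface = m[1]
            permitted[iface] = set()
        elif iface and (m := re.fullmatch(r"port trunk permit vlan ([\d ]+)", line)):
            permitted[iface] |= {int(v) for v in m[1].split()}
        elif iface and (m := re.fullmatch(r"service-instance (\d+)", line)):
            inst = instances.setdefault((iface, int(m[1])), {"enc": None, "vsi": None})
        elif inst is not None and line.startswith("encapsulation "):
            inst["enc"] = line.split()[1:]
        elif inst is not None and (m := re.match(r"xconnect vsi (\S+)", line)):
            inst["vsi"] = m[1]
    findings = []
    for (ifname, iid), cfg in instances.items():
        if cfg["enc"] is None:
            findings.append((ifname, iid, "no frame match criterion"))
        elif cfg["enc"][0] == "s-vid":
            vid = int(cfg["enc"][1])
            if vid not in vlans:
                findings.append((ifname, iid, f"VLAN {vid} not created"))
            if vid not in permitted[ifname]:
                findings.append((ifname, iid, f"interface not assigned to VLAN {vid}"))
        if cfg["vsi"] is None:
            findings.append((ifname, iid, "not mapped to a VSI"))
    return sorted(findings)
```

Running `audit(SAMPLE)` reports service instance 2000 for its missing VLAN 20 and service instance 3000 for having no VSI mapping; service instance 1000 passes.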
Mapping dynamic Ethernet service instances to VSIs
About dynamic Ethernet service instances
The 802.1X or MAC authentication feature can use the authorization VSI, the guest VSI, the
Auth-Fail VSI, and the critical VSI to control the access of users to network resources. When
assigning a user to a VSI, 802.1X or MAC authentication sends the VXLAN feature the VSI
information and the user's access information, including access interface, VLAN, and MAC address.
Then the VXLAN feature creates a dynamic Ethernet service instance for the user and maps it to the
VSI. For more information about 802.1X authentication and MAC authentication, see Security Configuration Guide.
A dynamic Ethernet service instance supports the following traffic match modes:
• VLAN-based mode—Matches frames by VLAN ID.
• MAC-based mode—Matches frames by VLAN ID and source MAC address.
To use MAC-based traffic match mode for dynamic Ethernet service instances, you must enable
MAC authentication or 802.1X authentication that uses MAC-based access control.
Configuration procedure
The device automatically creates a dynamic Ethernet service instance for an 802.1X or MAC
authentication user and maps the Ethernet service instance to a VSI in the following conditions:
• The user is assigned to the guest VSI, Auth-Fail VSI, or critical VSI configured on the device.