Mappings (Role)


This tab lets you view and configure four different mapping lists for the selected role:

  • MAC to Role Mapping — Lets you assign the role to an end user based on the user's MAC address.
  • IP to Role Mapping — Lets you assign the role to an end user based on the user's IP address.
  • Tagged Packet VLAN to Role Mapping — Lets you assign the role to network traffic based on the traffic's VLAN ID.
  • Authentication-Based VLAN to Role Mapping — Lets you assign the role to an end user during the authentication process, based on a VLAN Attribute.

To access this tab, select a role in the left-panel Roles tab and select the Mappings tab in the right panel. Any additions or changes you make to this tab must be enforced in order to take effect.

  NOTE: TCI Overwrite Requirement
-- Tagged Packet VLAN to Role Mapping applies the Role definition to incoming packets using a mapped VLAN. This definition applies a CoS and determines whether the packet is discarded or permitted and, if TCI Overwrite is enabled, re-specifies the VLAN ID defined by the Rule / Role Default. If TCI Overwrite is disabled, the packet egresses (if permitted by the Rule Hit) with the original VLAN ID with which it ingressed.
-- If supported by the device, you can enable TCI Overwrite for an individual role in the role's General tab. The stackable devices support rewriting the CoS values but not the VLAN ID.

Primary Stackable Tagged VLAN Mapping
Use this column to select the device-level VLAN to role mapping used for C2/C3/C5 and B2/B3/B5 devices (C2 firmware version 03.02.xx and higher/B2 firmware version 02.00.16 and higher), and D2, A4, and G3 devices (G3 firmware version 6.03.xx and higher). These devices only support one device-level VLAN to role mapping. If you do not make a selection, there will be no device-level mapping for these devices. Use the Mappings tab in the Enforce Preview window to quickly see which VLAN to role mapping is selected for these devices.
Type
This column indicates the type of mapping: MAC to Role, IP to Role, Tagged Packet VLAN to Role, or Authentication-Based VLAN to Role.
Value
The MAC addresses, IP addresses, or VLAN mapped to this role.
Src/Dst
Specifies whether the MAC address is a source or destination address.
Device/Port Level
This column indicates whether the mapping is a device-level mapping (all devices) or a port-level mapping (IP address and port description).
Add Button
Opens the Add Role Mapping window, where you can add a new Role mapping by entering the Mapping Type, Value, and Direction.
Remove Button
Removes the selected mapping from the list.

MAC to Role Mapping

MAC to Role mapping provides a way to assign a role to an end station based on its MAC address. This enables you to create a specific role for a group of end stations (such as IP phones), and assign it to them based on their MAC address. When the end stations connect to the network, the policy-enabled device identifies the source MAC address and applies the mapped role.

IP to Role Mapping

IP to Role mapping provides a way to assign a role to an end station based on its IP address. For example, in networks that haven't deployed authentication, this would enable you to map an individual IP address, such as that of an administrator's laptop, to a specific role. When the end station connects to the network, the policy-enabled device identifies the IP address and applies the mapped role.

Tagged Packet VLAN to Role Mapping

Tagged Packet VLAN to Role mapping provides a way to let policy-enabled devices assign a role to network traffic, based on a VLAN ID. When a device receives network traffic that has been tagged with a VLAN ID (a tagged packet), it uses the Tagged Packet VLAN to Role mapping list to determine what role to assign the traffic based on the VLAN ID. For more information, see VLAN to Role Mapping in the Concepts Help topic.
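The tagged-packet lookup above and the TCI Overwrite note earlier on this page, modelled on a raw 802.1Q frame; this is an added example, not code from the product. The `Role` class, the function names and the sample frame are hypothetical, and the model assumes that the CoS bits in the tag are rewritten only when TCI Overwrite is on and that frames on unmapped VLANs are left untouched.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

@dataclass
class Role:  # hypothetical model, not the product's schema
    name: str
    permit: bool         # role default action: permit or discard
    cos: int             # 802.1p priority (0-7) the role applies
    vlan_id: int         # VLAN ID of the role default
    tci_overwrite: bool  # per-role setting from the General tab

def read_tci(frame: bytes):
    """Return (pcp, dei, vid) from a tagged frame's 16-bit TCI."""
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF

def apply_role(frame: bytes, vlan_to_role: Dict[int, Role],
               vlan_rewrite_supported: bool = True) -> Optional[bytes]:
    """Return the egress frame, or None if the role discards it."""
    if len(frame) < 16 or struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return frame  # untagged: this mapping list does not apply
    pcp, dei, vid = read_tci(frame)
    role = vlan_to_role.get(vid)
    if role is None:
        return frame  # assumption: unmapped VLANs are left untouched
    if not role.permit:
        return None
    if role.tci_overwrite:
        pcp = role.cos  # assumption: CoS bits rewritten only with overwrite on
        if vlan_rewrite_supported:  # False models the stackable devices
            vid = role.vlan_id
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:14] + struct.pack("!H", tci) + frame[16:]

# Constructed sample: broadcast frame tagged VLAN 20, priority 0, IPv4 payload
SAMPLE = (bytes.fromhex("ffffffffffff" "020000000001") +
          struct.pack("!HHH", TPID_8021Q, 20, 0x0800) + b"\x00" * 46)
VOICE = Role("voice", permit=True, cos=5, vlan_id=30, tci_overwrite=True)

if __name__ == "__main__":
    for label, supported in (("VLAN rewrite", True), ("stackable", False)):
        out = apply_role(SAMPLE, {20: VOICE}, supported)
        print(label, "egress (pcp, dei, vid):", read_tci(out))
```

When auditing a deployment, the stackable case is the one to check: the frame leaves with the role's priority but still on its ingress VLAN, so any downstream filtering keyed on the rewritten VLAN ID will not match it.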

Authentication-Based VLAN to Role Mapping

Authentication-Based VLAN to Role mapping provides a way to assign a role to a user during the authentication process, based on a VLAN Attribute. An end user connects to a policy-enabled device that supports 802.1X authentication using a RADIUS Server. During the authentication process, the RADIUS server returns a VLAN ID in its RADIUS VLAN Tunnel Attribute. The device uses the Authentication-Based VLAN to Role mapping list to determine what role to assign to the end user, based on the VLAN Tunnel Attribute. Use this table to view and configure the VLANs that will map to the selected role. For more information, see VLAN to Role Mapping in the Concepts Help topic.

