Policy VLAN Islands


This tab displays a table of the Island VLANs being used in the Policy VLAN Island, and the names created on the devices in the island. To display this tab, select Control > Policy > VLANs > Policy VLANs Islands.

The VLANs Tab provides two sub-tabs:

(VLANs) - VIDs Tab

This tab provides information on VIDs assigned to specific islands. When an island is selected, the VIDs tab shows all VIDs for the defined PVI VLANs used for that island.

VLANs
Name of all defined VLANs. Select a VLAN to see the policy VLAN islands in the VLAN Settings section of the window and the VIDs with which that island is associated.
Create
Opens the Create VLAN window from which you can create a PVI VLAN. Unlike global VLANs, PVI VLANs are not created by the Policy tab during enforce. It is left to the user to configure these on the device(s) externally. The Policy tab only associates the appropriate VIDs to the rules during enforce.
Island Name
Shows the names of all VLAN Islands for the PVI VLAN selected in the VLANs section of the window.
Island VLAN ID
Shows the VID used for this PVI VLAN in this Island.
Edit Island VLAN ID
Selecting an island in the table and selecting this button opens the Edit Island VLAN ID window, where you can change the VID for the Island VLAN.

(VLANs) - Role Mappings Tab

This tab displays the role mappings for the Policy VLAN Island.

General

This area provides general information about the VLAN and allows you to configure the VLAN.

Name
Name of the VLAN selected in the left panel.
VID
Unique number assigned to the VLAN, also called VID (for VLAN ID). This ID was either assigned by an administrator or assigned automatically by the system when the VLAN was created. The value can be anywhere between 1 and 4094, with VID 1 being reserved for the DEFAULT VLAN (a name for a particular VLAN, not to be confused with a role's assigned default VLAN).
Dynamic Egress
Dynamically add all ports which use this VLAN to this VLAN's egress list. Dynamic Egress is enabled by default in Policy Manager. Leave disabled for discard VLANs. See Dynamic Egress for more information.
Always write VLAN to device(s)
If the box is checked, the VLAN is written to the device whether the VLAN is being used in a rule or role, or not. If it is not checked, the VLAN is not written to the device even though it is being used in a rule or role. Enabling this option is a way of ensuring that the device is aware of a VLAN that is being used for something other than policy configuration, and it allows you to configure that VLAN for Dynamic Egress. If the Default VLAN (VID=1) is selected in the left panel, this option is checked and cannot be edited, as the default VLAN is always on the device.
NOTE: On wireless devices (for example, ExtremeWireless and ExtremeCloud Appliance), the VLAN is always written to the device if it is being used in a rule or role, regardless of whether this checkbox is checked or not.

Authentication-Based VLAN to Role Mapping

Authentication-Based VLAN to Role Mapping provides a way to assign a role to a user during the authentication process, based on a VLAN Attribute. (For more information, see VLAN to Role Mapping in the Concepts help topic.) This area displays what role (if any) the VLAN is mapped to (at the device-level) and lets you configure a mapping, if desired.

Mapped to Role
The role to which the VLAN is mapped. To select a role, select Select, select the Assign RFC3580 VLAN -> Role Mapping radio button, choose a role in the drop-down list, and select OK.
Select
Opens the role Selection View, where you can choose a role to associate with the VLAN.

Tagged Packet VLAN to Role Mapping

Tagged Packet VLAN to Role Mapping provides a way to let policy-enabled devices assign a role to network traffic, based on a VLAN ID. (For more information, see VLAN to Role Mapping in the Concepts help topic.) This area displays what role (if any) the VLAN is mapped to at both the device-level and port-level, and lets you configure mappings, if desired.

  NOTE: TCI Overwrite Requirement

Tagged Packet VLAN to Role Mapping applies the Role definition to incoming packets that use a mapped VLAN. The definition applies a CoS and determines whether the packet is discarded or permitted and, if TCI Overwrite is enabled, re-specifies the VLAN ID as defined by the Rule / Role Default. If TCI Overwrite is disabled, the packet egresses (if permitted by the Rule Hit) with the original VLAN ID it ingressed with.

If supported by the device, you can enable TCI Overwrite for an individual role in the role's General tab. The stackable devices support rewriting the CoS values but not the VLAN ID.
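
The handling described in the TCI Overwrite note, as a small Python model for reviewing a planned mapping before enforce. This is an added example, not code from the product: the Role and Verdict types, the function names, the sample roles and VIDs, and the treatment of unmapped VLANs are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Role:
    name: str
    default_vid: int     # VLAN ID from the Rule / Role Default
    cos: int             # CoS the role applies
    permit: bool         # False = role discards the traffic
    tci_overwrite: bool  # per-role TCI Overwrite setting


@dataclass(frozen=True)
class Verdict:
    forwarded: bool
    egress_vid: Optional[int]
    cos: Optional[int]


def classify(ingress_vid: int, mapping: Dict[int, Role],
             vid_rewrite_supported: bool = True) -> Verdict:
    """Model the device-level handling of one tagged packet."""
    if not 1 <= ingress_vid <= 4094:
        raise ValueError("VID must be between 1 and 4094")
    role = mapping.get(ingress_vid)
    if role is None:
        # Assumption: an unmapped VLAN is left untouched by this feature.
        return Verdict(True, ingress_vid, None)
    if not role.permit:
        return Verdict(False, None, None)
    # The VID is rewritten only when TCI Overwrite is on AND the device can
    # rewrite VIDs (the page notes stackable devices rewrite CoS only).
    rewrite = role.tci_overwrite and vid_rewrite_supported
    return Verdict(True, role.default_vid if rewrite else ingress_vid, role.cos)


def keeps_ingress_vid(mapping: Dict[int, Role],
                      vid_rewrite_supported: bool = True) -> List[int]:
    """Mapped VIDs whose permitted traffic leaves on the VLAN it arrived on."""
    return sorted(
        vid for vid, role in mapping.items()
        if role.permit and role.default_vid != vid
        and classify(vid, mapping, vid_rewrite_supported).egress_vid == vid
    )


# Constructed sample mapping (role names and VIDs are illustrative).
SAMPLE = {
    10: Role("Guest", 200, 1, True, True),
    20: Role("Voice", 300, 5, True, False),
    30: Role("Quarantine", 999, 0, False, True),
}
```

Running keeps_ingress_vid over a planned mapping lists the VLANs whose traffic stays on its ingress VID, which is the case to review when the role's default VLAN is meant to move that traffic into a different segment.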

Device Level Mapping
The role the VLAN is mapped to at the device level (all devices). To select a role, select Select, choose a role, and select OK.
Select
Opens the role Selection View, where you can choose a role to associate with the VLAN at the device level.
Primary C2/B2/D2/C3/B3/G3/C5/B5/A4 mapping
Use this checkbox to specify that this VLAN to role mapping will be the primary mapping for C2/C3/C5 and B2/B3/B5 devices (C2 firmware version 03.02.xx and higher/B2 firmware version 02.00.16 and higher), and D2, A4, and G3 devices (G3 firmware version 6.03.xx and higher). These devices only support one device-level VLAN to role mapping. If you do not make this selection, there will be no device-level mapping for these devices.
Port Level Mappings
This table lists any port-level Tagged Packet VLAN to Role Mappings configured for this VLAN. Port-level mappings override any device-level mapping.
NOTE: This functionality is not yet enabled.
