
VLAN Moves
Using the information derived from the snooping procedure, the device then attempts to resolve something based on the policy it is trying to enforce. For example, if the policy is a
Configuration
Following snooping and resolution, the device enforcing a policy makes the configuration changes needed to enforce that policy.
For example, if a device is enforcing a security policy on a segment, the device first snoops for the MAC address of the station connected to that segment. The device then resolves (concludes) whether that MAC address is allowed to use the network. The resolution may be based on a query to an external MAC address inventory server. If the device resolves not to allow the endstation to use the network (if the MAC address is unknown to the inventory server), the device can configure the port into a partitioned state, thus enforcing a security policy on that port.
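The snoop, resolve and configure sequence for the security policy above, written out as an added Python example; it is not code from the original manual or the product. The `INVENTORY` set stands in for the external MAC address inventory server, the `Port` class and its state names are hypothetical, and the rejection of malformed or group addresses and the handling of several MACs on one segment are assumptions added here.

```python
import re

# Constructed sample data standing in for the external MAC inventory server.
INVENTORY = {"00:a0:24:11:22:33", "08:00:4e:aa:bb:cc"}

def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class Port:
    """Hypothetical port model: starts enabled, may be partitioned."""
    def __init__(self, name):
        self.name, self.state, self.log = name, "enabled", []

def resolve(mac, inventory):
    """Resolution step: decide whether a snooped source MAC may use the network."""
    norm = normalize_mac(mac)
    if norm is None:
        return False, "malformed address"
    # Assumption: a group (multicast/broadcast) address is never a valid station.
    if int(norm[:2], 16) & 1:
        return False, "group address cannot be a station source"
    if norm not in inventory:
        return False, "unknown to inventory"
    return True, "known station"

def enforce(port, snooped_macs, inventory=INVENTORY):
    """Configuration step: partition the port if any snooped MAC is refused."""
    for mac in snooped_macs:
        allowed, reason = resolve(mac, inventory)
        port.log.append((mac, allowed, reason))  # keep an audit trail per port
        if not allowed:
            port.state = "partitioned"
    return port.state

if __name__ == "__main__":
    # Constructed snooping results: port name -> source MACs seen on the segment.
    snooped = [("1.1", ["00-A0-24-11-22-33"]),
               ("1.2", ["0800.4eaa.bbcc", "00:10:5a:de:ad:01"])]
    for name, macs in snooped:
        port = Port(name)
        print(name, enforce(port, macs), port.log)
```

Normalizing the address before the lookup matters because the same station can be reported in dash, colon or dotted notation, and a naive string comparison would partition a port that belongs to a known station.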
The following configuration policies are available in this release:
■ Segments or devices assigned to this policy are automatically configured into various VLANs based on a predefined MAC address to VLAN mapping. This policy can be applied to the CoreBuilder
The MAC address to VLAN mapping information is stored in a parameter database named MAC Vdb. This database can be automatically populated with MAC address information by using the BuildvDB tool. The BuildvDB tool, once activated, automatically builds an inventory of MAC addresses that exist in the network.
■ This policy is exactly the same as the MAC based policy above, but in this case the MAC address to VLAN mapping is stored in an external VLAN server parameter database. This policy is to be used when an external