Deriving a client's VLAN through various methods is very widely used functionality.
VLAN hardening changes are made in order to:
- Have a predictable scheme of derivation and well defined priorities.
- Have a history of VLANs derived.
- Capture better debugging logs.
- Have clear areas where VLAN information is communicated with STM.
- Check, using show commands, which VLANs would count for contention if a current VLAN is to be chosen.
Below is the step-by-step flow of VLAN derivation:
- The client associates and the station is up.
- The controller stores the default incoming VLAN.
- It derives the VLAN from the initial role and stores it.
- It derives the VLAN from the UDR or UDR-based role and stores it.
- It derives the VLAN from mac-auth or dot1x auth if authenticated, honoring SDR if configured.
- It derives the VLAN from any VSA if configured.
- It checks whether any DHCP-option based UDR is configured under the AAA profile.
- The controller allocates the correct VLAN to the client based on the highest priority rule.
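As an added illustration (not the controller's code), the sketch below models the flow above: every derived VLAN is kept in a history, and the current VLAN comes from the highest-priority source that produced one. The source names, and the assumption that priority rises in the order the steps are listed, are hypothetical.

```python
from dataclasses import dataclass, field

# Assumed priority, lowest to highest: the order in which the steps are listed.
# This ordering is an assumption of the example, not taken from the controller.
SOURCES = ["default", "initial-role", "udr", "auth", "vsa", "dhcp-option-udr"]

@dataclass
class Client:
    mac: str
    history: list = field(default_factory=list)  # every derivation, in arrival order

    def derive(self, source, vlan):
        """Record a VLAN derived by one method; earlier entries are never overwritten."""
        if source not in SOURCES:
            raise ValueError(f"unknown derivation source: {source}")
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN id out of range: {vlan}")
        self.history.append((source, vlan))

    def contenders(self):
        """Latest VLAN per source, sorted highest priority first."""
        latest = {}
        for source, vlan in self.history:
            latest[source] = vlan
        return sorted(latest.items(),
                      key=lambda kv: SOURCES.index(kv[0]), reverse=True)

    def current_vlan(self):
        """(source, vlan) of the highest-priority derivation, or None."""
        ranked = self.contenders()
        return ranked[0] if ranked else None

def demo():
    c = Client("00:11:22:33:44:55")  # constructed sample client
    c.derive("default", 10)
    c.derive("initial-role", 20)
    c.derive("auth", 30)
    before_vsa = c.current_vlan()
    c.derive("vsa", 40)
    c.derive("udr", 50)  # arrives late but ranks lower, so it does not win
    return before_vsa, c.current_vlan(), c.contenders(), c.history

if __name__ == "__main__":
    before, after, ranked, history = demo()
    print("before VSA:", before, "| after VSA:", after)
    for source, vlan in ranked:
        print(f"  contender {source:<16} vlan {vlan}")
```

Keeping the history separate from the ranking is what lets a show-style view list every contending VLAN alongside the one actually assigned.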
The diagram below shows the lowest and highest priority of UDR to assign a VLAN.