ExtremeSwitching (EXOS)

  • 1.  dot1x authentication

    Posted 01-07-2014 21:56
    Create Date: Oct 13 2012 3:04AM

    Hello All,

    We are in the process of migrating from old EW based switches to XOS based ones at our corporate office. On the old EW switches, I had dot1x (netlogin) working wherein I would have a port manually assigned to a VLAN and netlogin enabled for it. My Radius server would authenticate on the basis of computer/user name and would return no VSA or vlan tag. So once authenticated, the client would belong to the vlan the port was originally assigned to. This I guess is ISP mode operation.

    On our new XOS based switches, I see that you need to assign a netlogin vlan to even enable the dot1x feature. Although the extreme documentation is detailed, I am trying to see how to get this to work for my scenario. I have a summit stack of around 4-5 nodes with localized vlans on each node. I dont use a dedicated mgmt vlan but an ip from one of these vlans for switch mgmt. This would be the Radius client ip.

    I have a floor migration this weekend https://. Any help would be most appreciated. Tks again. (from Anush_Santhanam)

  • 2.  RE: dot1x authentication

    Posted 01-07-2014 21:57
    Create Date: Oct 16 2012 6:02AM

    Hello All,

    I thankfully managed to get this working. Ideally, you would want your Radius to return the appropriate VSA for placing a port in the necessary VLAN. But as indicated I am only trying to get ISP mode to work so I statically assigned the port to the necessary vlan and added the dot1x authentication feature and it worked.

    On a slightly unrelated note, I can see from the documentation that ELRP is not supported with Netlogin. Is this correct. For the edge loop prevention, I am guessing that netlogin would in a way handle that as well and I can possibly set a mac learning limit. Can you please advise. Tks. (from Anush_Santhanam)

  • 3.  RE: dot1x authentication

    Posted 01-07-2014 21:57
    Create Date: Oct 16 2012 7:49AM

    Hi Excalibur,

    I recommend using STP on the edge with netlogin. What I have done at some customers is create a dummy vlan only for STP and then add that to all of my edge ports. Then enable BPDU restrict and edge-safeguard on every edge port as well.

    I have tested this and it works. I like it better than ELRP. If you're using ELRP and someone creates a loop between 2 switches you run the risk of the uplink port being disabled on one of the switches. STP with BPDU-restrict and edge-safeguard means that the port is administratively disabled once it receives a single BPDU. The admin must then login to the switch and reenable the port.

    If you're trying to protect users from creating loops at the edge then mac-limit-learning won't help. That won't prevent loops of unknown unicast packets. You really do need something like STP or ELRP at the edge to prevent loops.

    Andrew (from Andrew_McConachie)

  • 4.  RE: dot1x authentication

    Posted 01-07-2014 21:57
    Create Date: Oct 20 2012 7:40PM

    Hello Andrew,

    Thank you so much for taking the time. This is an excellent suggestion and one that I have also used. I should have been a bit clearer. Sorry for that. One of the biggest problems in my environment relates to the uncontrolled use of hubs and possibility of loops through them (edge ports). I can see the edge safeguard and bpdu restrict helping with problems that switches can cause. How about hubs. One clarification. When you setup the dummy vlan would you setup the edge ports as tagged for that vlan. The reason i ask this is because the edge ports will be configured for the necessary data/voice vlans anyway. Tks. (from Anush_Santhanam)

  • 5.  RE: dot1x authentication

    Posted 01-07-2014 21:57
    Create Date: Mar 15 2013 1:29PM

    Hey Andrew,

    How did you do that? Could you please post the commands here if you don't mind?
    Does it look something like this:

    create stpd stp-test
    conf stp-test mode dot1d
    conf stp-test add vlan