ExtremeSwitching (VSP)

  • 1.  Creative uses for the I-SID!

    Posted 12-21-2020 10:20

    Hi,

    The reason I am opening this thread on the topic is to help me break my traditional approach to networking and help me understand and develop ideas that creatively use the fabric.

I’m trying to grasp ideas of how I can use the function of the fabric to do things or solve problems that are currently not in my periphery.

    As an example, on this post

    Mig mentions how the use of Flex UNI was used to keep a phone on the same VLAN but provision it in a DMZ then back into the LAN by alternating the I-SID.

When reading the various manuals you observe from a high level things that are sometimes hard to put into a real world context, like being able to join different VLAN IDs on a single I-SID, but what sort of problems would that solve?

I understand the hyper virtualisation aspect of the fabric, but what about pulling it together, using the I-SID as service and the addition of L3VSNs? How complicated or practical or widespread would it be to use lots of IS-IS accept policies to allow access to services, or is the use of a firewall more prevalent for intra-service communication, or generally is this just for special cases?

Also not sure about the idea where Fabric is extensively being used for the VLAN/IP to follow the client anywhere in the network as the norm, i.e. if you have a network with lots of edge cabinets, through ExtremeControl I’ve kept say logical /24 subnets for Data, Voice etc. contained to location - kept traditional best practices. If a client moves it simply gets a different IP in the new location based on the switch it connects to. I am seeing that the fabric is removing those boundaries, but is that a good idea? I get it for specific cases but not adopted as the norm. What about the prospect of VLAN loops with the VLAN potentially anywhere in the network?

    Appreciate this is a very open ended topic, but even just a few ideas would really help me understand and hopefully develop my own ideas.

    Many thanks in advance.



  • 2.  RE: Creative uses for the I-SID!

    Posted 12-21-2020 13:50

Let me add my views on a couple of the points you raised:

Q: “When reading the various manuals you observe from a high level things that are sometimes hard to put into a real world context, like being able to join different VLAN IDs on a single I-SID, but what sort of problems would that solve?”

    A: Here are a couple use cases where port based VIDs can come in handy:

• If you are a provider or multi-tenant offering and you have multiple customers with their own VLAN space. With this feature you can serve each customer individually per port and you don’t have to worry what VLANs they are using. This gives 24 bits to address the customer segments and removes the 12-bit VLAN limitation.
• I already talked about collision avoidance with FA and Auto-Sense, where VLANs are used as a multiplexing ID and less as a VLAN identifier.
• We have used switched/flex UNIs on ports where we had L2 firewalls between two ISIDs. This allowed us to route the traffic through the FW elegantly.

Q: “I understand the hyper virtualisation aspect of the fabric, but what about pulling it together, using the I-SID as service and the addition of L3VSNs. How complicated or practical or widespread would it be to use lots of IS-IS accept policies to allow access to services or is the use of a Firewall more prevalent for intra service communication or generally this is just for special cases?”

    A: We do see both heavily used. As you say, using IS-IS accept policies allows you to build nice hub-and-spoke L3 domains where you can create a shared segment that all spokes can access. This is a nice way to provide a shared voice infrastructure to many tenants. However some customers need more security and they interconnect L3 VSNs only through firewalls. Either approach is fine and can be used in conjunction.


Q: “Also not sure about the idea where Fabric is extensively being used for the VLAN/IP to follow the client anywhere in the network as the norm i.e. if you have a network with lots of edge cabinets through ExtremeControl I’ve kept say logical /24 subnets for Data, Voice etc contained to location - kept traditional best practices. If a client moves it simply gets a different IP in the new location based on the switch it connects to. I am seeing that the fabric is removing those boundaries but is that a good idea? I get it for specific cases but not adopted as the norm.”

A: Actually, that is happening quite often; when you take this approach, you can define the security per service (VLAN/ISID/IP subnet) and not per physical location. It does not matter anymore where users connect to the network. Wired mobility becomes as flexible as wireless mobility to support adds, moves and changes. Especially with IoT this is becoming more and more important.


    Q: “What about prospect of VLAN loops with the VLAN potentially anywhere in the network?”

A: Loops within the fabric itself are not happening. When there are loops, then it is at the edge. All edge nodes’ MAC tables for the looping service (VLAN/ISID) will be affected, no matter whether they are spread out or localized. The core switches will not be affected, except that they might see more traffic. We do recommend using loop-protection features such as BPDU-guard and SLPP. However I think using EAP/NEAP will reduce the likelihood of loops greatly as ports are not open by default anymore.


I hope other folks will chime in as well and provide their perspectives.

    regards

    Roger




  • 3.  RE: Creative uses for the I-SID!

    Posted 12-21-2020 18:05

    Hi Martin,

    Another use case of same VLAN/multiple i-sid I use is to standardize the vlan config on different remote sites at customer premises.

All the sites are using the same VLAN IDs while the I-SIDs are different on all sites. And I use this within different VRFs.

    This is keeping the infrastructure understanding quite easy for the customer.

I manage this through aggregated rules in the NAC where the site is the discriminator for the I-SID.

See here some screenshots for the printers with MAC Auth, but it applies to all VLANs and with 802.1X Auth as well:

[screenshots not preserved]

    As you see, one rule fits all the sites (30+).

    This is my radius attribute profile for BOSS switches:

    FA-VLAN-Create=1

    FA-VLAN-ISID=%VLAN_ID%:%CUSTOM1%

    Egress-VLANID=0x%CUSTOM2%

    FA-Service-Request=BPDU

    FA-Service-Request=SLPPGUARD

    FA-Service-Request=DHCPSNOOP:%VLAN_ID%

    Service-Type=%MGMT_SERV_TYPE%

    %CUSTOM3%

    You can see that we are able to enable BPDU-Filtering, SLPP-Guard, DHCP-Snooping and WOL on a port where we provision a VLAN.


    For what concerns inter VRF traffic, my golden rule is “a switch is not a firewall and a firewall is not a switch”. If you need ACL type of filtering, do that in a firewall and you will be happy.


    Regards,

    Mig




  • 4.  RE: Creative uses for the I-SID!

    Posted 12-21-2020 19:37

    Roger and Mig, this is really useful. Very much appreciate the detail and the time taken to answer the post.

    Have a question about the RADIUS attributes. I had not realised you could enable some of those features and wondered how they got configured on the port when the VLAN was dynamically being assigned!

My question is, do you know if those same attributes work with EXOS, or what attributes are available in EXOS that I could use? I guess I am most interested in the FA attribute options.

    Thanks



  • 5.  RE: Creative uses for the I-SID!

    Posted 12-21-2020 19:56

    Not yet as many attributes as for the BOSS:

It will maybe come in future releases if we ask for it enough :wink:

    Mig



  • 6.  RE: Creative uses for the I-SID!

    Posted 12-22-2020 11:00

    Ah, that’s a shame, those attributes seemed like a revelation then. Fingers crossed they will come along soon!

In relation to how you have configured the locations, I’ve done a similar thing but using VLAN islands instead. I don’t have access to a system at the moment to post screenshots, but when I do I will post.

    What the VLAN islands do in policy does pretty much the same thing but in a different way. In summary you can configure a VLAN island for say printers, and then program the VLAN / I-SID information for each switch. Then for the policy of ‘Printers’ you just select the VLAN island container for Printers and it will automatically associate the corresponding VLAN / I-SID for that switch. Basically all it does is use the VLAN island details as a database reference and then just writes the Printer policy to each switch with the corresponding VLAN / I-SID it correlates to.

    Anyway, might be useful for someone to know.