ExtremeSwitching (EOS)

  • 1.  Enterasys C5 dynamic policy role/vlan assignment

    Posted 04-15-2015 17:44
    How do I configure Enterasys C5 dynamic policy role/vlan assignment for 3com IP Phone?
    Basically what I need to happen is vlan 150 to be assigned as untagged and vlan 120 (voice vlan) assigned as tagged. The problem I am having is that vlan 150, although showing as untagged, does not show up as the FID when entering the command show mac port ge.X.X. Any guidance would be much appreciated!



  • 2.  RE: Enterasys C5 dynamic policy role/vlan assignment

    Posted 04-15-2015 19:08
    To manually do what you are asking (I think) do the following:
    (Assuming the port is ge.1.4, data VLAN is 150 and voice VLAN is 120)

    set port vlan ge.1.4 150 modify (the modify removes the port from all other VLANs )
    set vlan egress 120 ge.1.4 tagged

    show port egress ge.1.4 should now say something like
    Port     Vlan   Egress     Registration
    Number   Id     Status     Status
    ------------------------------------------------------------
    ge.1.4   150    untagged   static
    ge.1.4   120    tagged     static

    You need to have the phone sending voice out tagged on vlan 1319 and the data port
    on the phone will be 1306.

    I strongly advise the use of the "modify" portion of the command to remove all other VLANs
    on the port. Without it, it is possible to put multiple UNTAGGED VLANs onto a port and
    get you and the data flow very confused. (Outbound from the switch would be no problem,
    but inbound...)

    You build trunk ports exactly the same way. Set vlan egress for each VLAN; the old assignments
    remain. (clear vlan egress to remove a particular VLAN from a port)
    James
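    As an added illustration of the two pitfalls discussed above (a port carrying more than one untagged VLAN, and a port whose PVID is not in its own untagged egress list), here is a small audit script that is not part of this thread or of EOS itself; it parses only the "set vlan egress" and "set port vlan" command forms shown in the thread, and the sample config it runs on is constructed, modelled on the one posted below rather than copied from it.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the EOS config posted in this thread (not the poster's exact file).
SAMPLE_CONFIG = """\
set vlan egress 120 ge.1.47-48 tagged
set vlan egress 150 ge.1.47-48 tagged
set vlan egress 4089 ge.1.1-24 untagged
set vlan egress 150 ge.1.3-4 untagged
set port vlan ge.1.1-46 4089
"""

# EOS port strings look like ge.<slot>.<port> or ge.<slot>.<first>-<last>.
PORT_RE = re.compile(r"^(ge|fe|tg)\.(\d+)\.(\d+)(?:-(\d+))?$")

def expand_ports(spec):
    """Expand an EOS port string such as 'ge.1.47-48' into ['ge.1.47', 'ge.1.48']."""
    m = PORT_RE.match(spec)
    if not m:
        raise ValueError(f"unrecognised port string: {spec}")
    kind, slot, first, last = m.group(1), m.group(2), int(m.group(3)), m.group(4)
    last = int(last) if last else first
    return [f"{kind}.{slot}.{n}" for n in range(first, last + 1)]

def parse_vlan_membership(config):
    """Return (pvid_by_port, untagged_by_port) from 'set port vlan' and 'set vlan egress' lines."""
    pvid, untagged = {}, defaultdict(set)
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["set", "vlan", "egress"] and parts[-1] == "untagged":
            for port in expand_ports(parts[4]):
                untagged[port].add(int(parts[3]))
        elif parts[:3] == ["set", "port", "vlan"]:
            for port in expand_ports(parts[3]):
                pvid[port] = int(parts[4])
    return pvid, untagged

def audit(config):
    """Flag ports with more than one untagged egress VLAN (inbound frames become ambiguous)
    and ports whose PVID is not in their untagged egress list (replies in that VLAN never leave the port)."""
    pvid, untagged = parse_vlan_membership(config)
    multi = {p: sorted(v) for p, v in untagged.items() if len(v) > 1}
    no_egress = sorted(p for p, v in pvid.items() if v not in untagged.get(p, set()))
    return multi, no_egress

if __name__ == "__main__":
    multi, no_egress = audit(SAMPLE_CONFIG)
    print("multiple untagged VLANs:", multi)
    print("PVID without untagged egress:", no_egress)
```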



  • 3.  RE: Enterasys C5 dynamic policy role/vlan assignment

    Posted 04-15-2015 19:08
    James, thank you for the information. Setting up ports manually is not an issue; I am trying to use role based policy assignment via Radius. Most of this I have working except when it comes to our IP Phones. Vlan 120 (tagged) is applied as expected, which I verified running the command (show mac port ge.X.X) where the FID is 120. It's applying vlan 150 (untagged). The mac address does not get added to the FID for vlan 150. See below configuration.

    #vlan
    set vlan create 120
    set vlan create 150
    set vlan create 4089
    set vlan name 120 "VoIP"
    set vlan name 150 "ITS"
    set vlan name 4089 "Guest"
    clear vlan egress 1 ge.1.1-48
    set vlan egress 120 ge.1.47-48 tagged
    set vlan egress 150 ge.1.47-48 tagged
    set vlan egress 4089 ge.1.47-48 tagged
    set vlan egress 4089 ge.1.1-24 untagged
    !
    !
    #eapol
    set dot1x enable
    set eapol enable
    set eapol auth-mode forced-auth ge.1.47
    set eapol auth-mode forced-auth ge.1.48
    !
    !
    #macauthentication
    set macauthentication enable
    set macauthentication auth-mode radius-username
    set macauthentication port enable ge.1.1-46
    !
    !
    #multiauth
    set multiauth port mode opt-auth ge.1.1-46
    set multiauth port mode force-auth ge.1.47-48
    set multiauth port numusers 2 ge.1.1-46
    set multiauth precedence mac dot1x cep pwa
    !
    !

    #nodealias
    set nodealias disable ge.1.47
    set nodealias disable ge.1.48
    !
    !

    #policy
    set policy maptable response both
    set policy profile 1 name "Guest" cos-status enable cos 4
    set policy profile 120 name "VoIP" pvid-status enable pvid 120 cos-status enable cos 5 egress-vlans 120 forbidden-vlans 4089 untagged-vlans 150
    set policy profile 150 name "FAcStaff" pvid-status enable pvid 150
    set policy rule 1 udpsourceport 68 mask 16 forward
    set policy rule 1 udpdestport 53 mask 16 forward
    set policy rule 1 udpdestport 67 mask 16 forward
    set policy rule 1 tcpdestport 80 mask 16 forward
    set policy rule 1 tcpdestport 443 mask 16 forward
    set policy rule 1 tcpdestport 8080 mask 16 forward
    set policy rule 1 ether 0x806 mask 16 forward
    set policy rule 120 macsource 00-e0-00-00-00-00 mask 16 forward
    set policy rule 120 udpsourceport 68 mask 16 forward
    set policy rule 120 udpdestport 53 mask 16 forward
    set policy rule 120 udpdestport 67 mask 16 forward
    set policy rule 120 tcpdestport 80 mask 16 forward
    set policy rule 120 tcpdestport 443 mask 16 forward
    set policy rule 120 tcpdestport 8080 mask 16 forward
    set policy rule 120 ipproto 1 mask 8 forward
    set policy rule 120 ether 0x806 mask 16 forward
    set policy port ge.1.1-46 1
    !
    !

    #port
    set port vlan ge.1.1-46 4089
    !
    !

    #radius
    set radius enable
    set radius accounting enable
    set radius accounting server 10.1.11.1 1813 XXXXXXXXXXXXXXX
    set radius server 1 10.1.11.1 1812 XXXXXXXXXXX realm network-access
    !
    !

    #spantree
    set spantree adminedge ge.1.1-46 true

    TEST-SWITCH(su)->show vlanauthorization

    Vlan Authorization: - disabled

    port       status    administrative  operational  authenticated      vlan id
                         egress          egress       mac address
    -------    --------  --------------  -----------  -----------------  -------
    ge.1.1-48  enabled   untagged



  • 4.  RE: Enterasys C5 dynamic policy role/vlan assignment

    Posted 04-15-2015 19:21
    To add to James's comments, you will also need to run the command set multiauth port numusers to 2


  • 5.  RE: Enterasys C5 dynamic policy role/vlan assignment

    Posted 04-15-2015 19:21
    Thank you for the information, I have responded to James's comment. On another note, would you clarify how policy works for me? My biggest question is: when you create rules, is there an inherent deny or permit? If I create rules to specifically allow traffic, will all other traffic be discarded? If not, what is the best way to create a rule like that? Is there a good document on Policy out there I can review besides the Feature Guides and Config Guides?


  • 6.  RE: Enterasys C5 dynamic policy role/vlan assignment

    Posted 04-15-2015 19:21
    Matt,
    show vlanauthorization does indeed seem to only show the untagged port information. Do a

    show port egress ge.x.y which should tell you all the VLANs associated with that port.
    Likewise show port vlan ge.x.y only tells you about the default (untagged) VLAN.

    show mac port ge.x.y should show you the MAC of both the phone and data device, unless of course they haven't talked or the bridging table timed out.

    When I did a show mac port, I actually saw 3 entries for a phone plus data. The phone, for whatever reason, popped up on both VLANs. I don't understand why,
    since the phone itself shouldn't be talking to that VLAN. You might try changing your set multiauth port numusers 2 to 3 just in case you are seeing the same thing and the switch is dumping the 3rd entry, which in my case was the VOIP VLAN.
    James



  • 7.  RE: Enterasys C5 dynamic policy role/vlan assignment

    Posted 04-15-2015 19:21
    I changed multiauth port numusers to 3 but no luck. When I perform a show mac port ge.X.X the only FID that shows up is 120, however when doing a show port egress ge.X.X I do see both vlan 150 (untagged) and vlan 120 (tagged). I think the problem is the MAC address of the phone isn't added to FID 150. Any thoughts?


  • 8.  RE: Enterasys C5 dynamic policy role/vlan assignment

    Posted 04-15-2015 19:21
    I got it working! I ended up changing the set policy profile from:

    (set policy profile 120 name "VoIP" pvid-status enable pvid 120 cos-status enable cos 5 egress-vlans 120 forbidden-vlans 4089 untagged-vlans 150)

    to:

    (set policy profile 120 name "VoIP" pvid-status enable pvid 150 cos 5 egress-vlans 12)

    So one last question, how are policy rules executed (in what order), or are they all at once? What would be the best way to deny all traffic after allowing only specific ports/protocols?



  • 9.  RE: Enterasys C5 dynamic policy role/vlan assignment

    Posted 04-15-2015 19:21
    Matt,
    That is great news.
    As for the policy order, I believe they are executed sequentially, top to bottom, so you want to put any "allows" first, then end with the "deny all".
    James



  • 10.  RE: Enterasys C5 dynamic policy role/vlan assignment

    Posted 04-15-2015 19:21
    Here is some food for thought from GTAC Knowledge, in answer to the two questions...

    Execution Sequence for EOS Policy Rules
    How to Configure EOS Policy to Deny all other traffic after Permitting only certain traffic

    These were written for the EOS Modular (S/N/K/7100) products. The policy command set is slightly more limited with the EOS C5-Series, in that for instance the lowest precedence rule type is "VLANTag" rather than "Port" ('show policy profile <profile_ID>'), and VLAN assignment is restricted unless numusers=1 ('show policy capability'). But it's sufficiently similar to provide guidance.