ExtremeCloud IQ- Site Engine & Extreme Management Center

  • 1.  UPM or mac address based vlan switching?

    Posted 04-05-2017 17:29
    I'm looking for suggestions on our design.

    We currently have a mixture of Extreme products (8806, X670, X450, X440) with multiple VLANs.

    Right now I've been assigning ports to VLANs manually, which is turning into a bit of a pain. I was wondering what the best approach would be to implement a policy whereby machines/ports get their VLAN assignment based on the MAC address of the device plugging into said port.

    E.g.:
    All MACs that begin with XX:XX go into VLAN 1
    All MACs that begin with XY:XY go into VLAN 2

    Would UPM or MAC-based Netlogin be the better option?


  • 2.  RE: UPM or mac address based vlan switching?

    Posted 04-05-2017 22:19
    You wouldn't need to use UPM for VLAN assignment, but it could be used for other things. The easiest approach would be to use local MAC authentication with a mask filtering certain OUIs and creating local users in the local user database with VLAN VSAs (and UPM scripting if needed) locally on the switch.

    I'll follow with an example shortly.



  • 3.  RE: UPM or mac address based vlan switching?

    Posted 04-05-2017 22:19
    Sounds good to me, keen to see an example if you have time. Appreciate it.


  • 4.  RE: UPM or mac address based vlan switching?

    Posted 04-05-2017 22:19
    bump 🙂


  • 5.  RE: UPM or mac address based vlan switching?

    Posted 04-05-2017 22:19
    Sorry for the tardiness. So here is an example configuration:

    # delete the default vlan off of ports 1-3
    config vlan default delete port 1-3
    # create the netlogin VLAN
    create vlan "nl"
    # create the VLAN used by a specific device type in this example
    create vlan "ouiVLAN"

    # config the netlogin vlan
    configure netlogin vlan nl
    # enable netlogin mac generally
    enable netlogin mac
    # enable netlogin for mac authentication on ports 1-3
    enable netlogin ports 1-3 mac

    # create a mac-list filter that will pass the first 24 bits + 24 0 bits and "ouipass"
    # as the credentials for devices that have the matching OUI
    # (a VOIP phone, for instance).
    configure netlogin add mac-list 08:00:27:00:00:00 24 ouipass

    # create a mac-list filter set which will match all other devices and use 48 bits of
    # 0s and "otherpass" as the credentials for devices not having
    # the desired OUI.
    configure netlogin add mac-list 00:00:00:00:00:00 1 otherpass

    # create the accounts with passwords with the appropriate VLAN-VSA assignment
    create netlogin local-user "000000000000" otherpass vlan-vsa untagged Default
    create netlogin local-user "080027000000" ouipass vlan-vsa ouiVLAN

    The above configuration will have any device of the specific manufacturer that you want put into the "ouiVLAN".

    All others end up in the "Default" VLAN.

    Let me know if this helps.
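
The lookup this configuration sets up, modelled in Python as an added example (not part of the original post and not Extreme's code): the client MAC is masked by the matching mac-list entry and the masked address is authenticated as a local user. It assumes the mask is a plain bit-prefix length and that the longest matching entry wins; the sample client addresses are constructed.

```python
# Added model of the mac-list lookup; entries and VLAN names are copied from the
# configuration in the post, the matching rules are assumptions (see lead-in).

MAC_LIST = [  # (base MAC, mask bits, password) from "configure netlogin add mac-list"
    ("08:00:27:00:00:00", 24, "ouipass"),
    ("00:00:00:00:00:00", 1, "otherpass"),
]
LOCAL_USERS = {  # user name -> (password, VLAN) from "create netlogin local-user"
    "000000000000": ("otherpass", "Default"),
    "080027000000": ("ouipass", "ouiVLAN"),
}

def mac_to_int(mac):
    """Parse aa:bb:cc:dd:ee:ff (or aa-bb-...) into a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def prefix_mask(bits):
    """48-bit mask with the top `bits` bits set."""
    return ((1 << bits) - 1) << (48 - bits)

def derive_credentials(client_mac):
    """Return (user name, password) from the longest matching entry, or None."""
    client = mac_to_int(client_mac)
    best = None
    for base, bits, password in MAC_LIST:
        mask = prefix_mask(bits)
        if client & mask == mac_to_int(base) & mask:
            if best is None or bits > best[0]:
                best = (bits, f"{client & mask:012X}", password)
    return None if best is None else best[1:]

def assign_vlan(client_mac):
    """VLAN the client lands in, or None when authentication fails."""
    creds = derive_credentials(client_mac)
    if creds is None:
        return None  # no mac-list entry covers this address
    username, password = creds
    stored = LOCAL_USERS.get(username)
    if stored is None or stored[0] != password:
        return None  # no local user, or wrong password
    return stored[1]

if __name__ == "__main__":
    # Constructed sample addresses, not taken from the thread.
    for mac in ("08:00:27:12:34:56", "00:1B:4F:AA:BB:CC", "F0:9F:C2:01:02:03"):
        print(mac, "->", derive_credentials(mac), "->", assign_vlan(mac))
```

Under these assumptions a 1-bit mask covers only addresses whose first bit is 0, so the third sample address matches no entry and is not placed in any VLAN.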


  • 6.  RE: UPM or mac address based vlan switching?

    Posted 04-05-2017 22:19
    Also, here is the latest version of a quick doc I put together on this sort of thing, including using FreeRADIUS.


  • 7.  RE: UPM or mac address based vlan switching?

    Posted 04-05-2017 22:19
    This is great, thank you Matthew! Going to give it a go this weekend.


  • 8.  RE: UPM or mac address based vlan switching?

    Posted 04-05-2017 22:19
    I've tested this configuration and it seems to be what I need.

    Is it possible to pass "2 untagged vlan" on the same port using this (like dataVlan and voiceVlan)?

    Or at least "1 untagged + 1 tagged"?


  • 9.  RE: UPM or mac address based vlan switching?

    Posted 04-05-2017 22:19
    Are two devices connecting to the same port (e.g. a PC connecting to a VOIP phone which is connected to the switch)?


  • 10.  RE: UPM or mac address based vlan switching?

    Posted 04-05-2017 22:19
    Yes, they are.

    I have these scenarios:
    Extreme Switch -> Computer
    Extreme Switch -> Avaya Phone
    Extreme Switch -> Unmanaged Switch -> Computer/Avaya (or another brand...) Phone
    Extreme Switch -> Avaya Phone -> Computer
    Extreme Switch -> Avaya Phone -> Another brand (that can't do VLAN) Phone