Enterasys C5 dynamic policy role/vlan assignment

  • Question
  • Updated 3 years ago
  • Answered
How do I configure Enterasys C5 dynamic policy role/vlan assignment for 3com IP Phone?
Basically what I need to happen is vlan 150 to be assigned as untagged and vlan 120 (voice vlan) assigned as tagged. The problem I am having is that vlan 150, although showing as untagged, does not show up as the FID when entering the command show mac port ge.X.X. Any guidance would be much appreciated!
Matt Dillion

Posted 3 years ago

JAMES WIEDEL
To manually do what you are asking (I think) do the following:
(Assuming the port is ge.1.4, data VLAN is 150 and voice VLAN is 120)

set port vlan ge.1.4 150 modify       (the modify removes the port from all other VLANs )
set vlan egress 120 ge.1.4 tagged

show port egress ge.1.4 should now say something like
  Port       Vlan      Egress          Registration
  Number      Id        Status            Status
  ------------------------------------------------------------
ge.1.4      150       untagged        static   
ge.1.4      120       tagged          static   

You need to have the phone sending voice out tagged on vlan 1319 and the data port
on the phone will be 1306.

I strongly advise the use of the "modify" portion of the command to remove all other VLANs
on the port.   Without it, it is possible to put multiple UNTAGGED VLANs onto a port and
get you and the data flow very confused.  (Outbound from the switch would be no problem,
but inbound...)

You build trunk ports exactly the same way.    Set vlan egress for each VLAN;  the old assignments
remain.   (clear vlan egress to remove a particular VLAN from a port)
     James
Matt Dillion
James, thank you for the information. Setting up ports manually is not an issue; I am trying to use role-based policy assignment via RADIUS. Most of this I have working except when it comes to our IP Phones. Vlan 120 (tagged) is applied as expected, which I verified by running the command (show mac port ge.X.X) where the FID is 120. It's applying vlan 150 (untagged). The MAC address does not get added to the FID for vlan 150. See the configuration below.

#vlan
set vlan create 120
set vlan create 150
set vlan create 4089
set vlan name 120 "VoIP"
set vlan name 150 "ITS"
set vlan name 4089 "Guest"
clear vlan egress 1 ge.1.1-48
set vlan egress 120 ge.1.47-48 tagged
set vlan egress 150 ge.1.47-48 tagged
set vlan egress 4089 ge.1.47-48 tagged
set vlan egress 4089 ge.1.1-24 untagged
!
!
#eapol
set dot1x enable
set eapol enable
set eapol auth-mode forced-auth ge.1.47
set eapol auth-mode forced-auth ge.1.48
!
!
#macauthentication
set macauthentication enable
set macauthentication auth-mode radius-username
set macauthentication port  enable ge.1.1-46
!
!
#multiauth
set multiauth port mode opt-auth ge.1.1-46
set multiauth port mode force-auth ge.1.47-48
set multiauth port numusers 2 ge.1.1-46
set multiauth precedence mac dot1x cep pwa
!
!

#nodealias
set nodealias disable ge.1.47
set nodealias disable ge.1.48
!
!

#policy
set policy maptable response both
set policy profile 1 name "Guest" cos-status enable cos 4
set policy profile 120 name "VoIP" pvid-status enable pvid 120 cos-status enable cos 5 egress-vlans 120 forbidden-vlans 4089 untagged-vlans 150
set policy profile 150 name "FAcStaff" pvid-status enable pvid 150
set policy rule 1 udpsourceport 68  mask 16 forward
set policy rule 1 udpdestport 53  mask 16 forward
set policy rule 1 udpdestport 67  mask 16 forward
set policy rule 1 tcpdestport 80  mask 16 forward
set policy rule 1 tcpdestport 443  mask 16 forward
set policy rule 1 tcpdestport 8080  mask 16 forward
set policy rule 1 ether 0x806  mask 16 forward
set policy rule 120 macsource 00-e0-00-00-00-00  mask 16 forward
set policy rule 120 udpsourceport 68  mask 16 forward
set policy rule 120 udpdestport 53  mask 16 forward
set policy rule 120 udpdestport 67  mask 16 forward
set policy rule 120 tcpdestport 80  mask 16 forward
set policy rule 120 tcpdestport 443  mask 16 forward
set policy rule 120 tcpdestport 8080  mask 16 forward
set policy rule 120 ipproto 1  mask 8 forward
set policy rule 120 ether 0x806  mask 16 forward
set policy port ge.1.1-46 1
!
!

#port
set port vlan ge.1.1-46 4089
!
!

#radius
set radius enable
set radius accounting enable
set radius accounting server 10.1.11.1 1813 XXXXXXXXXXXXXXX
set radius server 1 10.1.11.1 1812 XXXXXXXXXXX realm network-access
!
!

#spantree
set spantree adminedge ge.1.1-46 true


TEST-SWITCH(su)->show vlanauthorization

Vlan Authorization:  - disabled

  port     status   administrative   operational   authenticated     vlan id
                        egress         egress       mac address
 -------  --------  --------------   -----------  -----------------  -------
 ge.1.1-48   enabled   untagged    
Jason Parker, Employee
To add to James's comments, you will also need to run the command
set multiauth port numusers 2
JAMES WIEDEL
Matt,
 show vlanauthorization does indeed seem to only show the untagged port information. Do a

show port egress ge.x.y       which should tell you all the VLANs associated with that port.
Likewise, show port vlan ge.x.y only tells you about the default (untagged) VLAN.

show mac port ge.x.y     should show you the MAC of both the phone and data device, unless of course they haven't talked or the bridging table timed out.

When I did a show mac port, I actually saw 3 entries for a phone plus data. The phone, for whatever reason, popped up on both VLANs. I don't understand why,
since the phone itself shouldn't be talking to that VLAN. You might try changing your set multiauth port numusers 2    to 3, just in case you are seeing the same thing and the switch is dumping the 3rd entry, which in my case was the VoIP VLAN.
   James
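A small audit script, added here and not part of any post in the thread, that applies the two checks James describes to pasted CLI output: it parses `show port egress` (column layout copied from James's first post) and `show mac port`, flags ports with more than one untagged VLAN (the condition the `modify` keyword avoids), MACs learned in a FID the port does not egress at all, and MACs that appear in more than one FID on the same port (the phone-on-both-VLANs case). The `show mac port` column layout (MAC Address / FID / Port / Type) and all sample rows are constructed assumptions, and the per-port entry count models James's hypothesis that each learned entry counts against `numusers`; it is not a documented C5 rule.

```python
"""Sanity checks over Enterasys EOS 'show port egress' and 'show mac port' output.

Added example, not from the thread. The 'show port egress' layout is taken
from James's post; the 'show mac port' layout is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample: the table James shows for ge.1.4, plus a deliberately
# broken ge.1.5 that carries two untagged VLANs (what 'modify' prevents).
SHOW_PORT_EGRESS = """\
  Port       Vlan      Egress          Registration
  Number      Id        Status            Status
  ------------------------------------------------------------
ge.1.4      150       untagged        static
ge.1.4      120       tagged          static
ge.1.5      150       untagged        static
ge.1.5      4089      untagged        static
"""

# Constructed sample in the ASSUMED 'show mac port' layout. The phone MAC is
# learned in both FIDs (James's 3-entry observation), the PC only in FID 150,
# and a third MAC in FID 200, which ge.1.4 does not egress at all.
SHOW_MAC_PORT = """\
MAC Address        FID    Port          Type
-----------------  ----   ------------  ------------------------------
00-e0-00-11-22-33  120    ge.1.4        learned
00-e0-00-11-22-33  150    ge.1.4        learned
00-1a-2b-3c-4d-5e  150    ge.1.4        learned
00-aa-bb-cc-dd-ee  200    ge.1.4        learned
"""

EGRESS_RE = re.compile(r"^\s*(ge\.\d+\.\d+)\s+(\d+)\s+(untagged|tagged)\s+(\w+)\s*$")
MAC_RE = re.compile(
    r"^\s*([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\d+)\s+(ge\.\d+\.\d+)\s+(\w+)\s*$", re.I)


def parse_egress(text):
    """Return {port: {vlan: 'tagged'|'untagged'}}; header/separator lines are skipped."""
    egress = defaultdict(dict)
    for line in text.splitlines():
        m = EGRESS_RE.match(line)
        if m:
            port, vlan, status, _registration = m.groups()
            egress[port][int(vlan)] = status
    return dict(egress)


def parse_mac(text):
    """Return a list of (mac, fid, port) tuples; MACs are normalised to lower case."""
    entries = []
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            mac, fid, port, _type = m.groups()
            entries.append((mac.lower(), int(fid), port))
    return entries


def untagged_conflicts(egress):
    """Ports carrying more than one untagged VLAN: inbound untagged frames are ambiguous."""
    return {port: sorted(v for v, s in vlans.items() if s == "untagged")
            for port, vlans in egress.items()
            if sum(1 for s in vlans.values() if s == "untagged") > 1}


def fid_mismatches(egress, macs):
    """MACs learned in a FID that the port does not egress (tagged or untagged)."""
    return [(mac, fid, port) for mac, fid, port in macs
            if fid not in egress.get(port, {})]


def multi_fid_macs(macs):
    """MACs that show up in more than one FID on the same port (James's phone case)."""
    seen = defaultdict(set)
    for mac, fid, port in macs:
        seen[(port, mac)].add(fid)
    return {key: sorted(fids) for key, fids in seen.items() if len(fids) > 1}


def entries_per_port(macs):
    """Distinct (mac, fid) entries per port. Under James's hypothesis this is the
    minimum 'set multiauth port numusers' value that will not drop an entry."""
    counts = defaultdict(int)
    for _mac, _fid, port in set(macs):
        counts[port] += 1
    return dict(counts)


def audit(egress_text=SHOW_PORT_EGRESS, mac_text=SHOW_MAC_PORT):
    """Run all checks over the two command outputs and return the findings."""
    egress = parse_egress(egress_text)
    macs = parse_mac(mac_text)
    return {
        "untagged_conflicts": untagged_conflicts(egress),
        "fid_mismatches": fid_mismatches(egress, macs),
        "multi_fid_macs": multi_fid_macs(macs),
        "entries_per_port": entries_per_port(macs),
    }


if __name__ == "__main__":
    for name, finding in audit().items():
        print(f"{name}: {finding}")
```

Paste real `show port egress` and `show mac port` output into the two strings (or read them from files) and run it after each RADIUS-driven port change; an empty `untagged_conflicts` and `fid_mismatches` is what a correctly assigned phone/PC port should produce.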
Matt Dillion
I changed multiauth port numusers to 3 but no luck. When I perform a show mac port ge.X.X the only FID that shows up is 120, however when doing a show port egress ge.X.X I do see both vlan 150 (untagged) and vlan 120 (tagged). I think the problem is the MAC address of the phone isn't added to FID 150. Any thoughts?
Matt Dillion
I got it working! I ended up changing the set policy profile from;

(set policy profile 120 name "VoIP" pvid-status enable pvid 120 cos-status enable cos 5 egress-vlans 120 forbidden-vlans 4089 untagged-vlans 150)

to;

(set policy profile 120 name "VoIP" pvid-status enable pvid 150 cos 5 egress-vlans 12)

So one last question: how are policy rules executed (in what order), or are they all at once? What would be the best way to deny all traffic after allowing only specific ports/protocols?
JAMES WIEDEL
Matt,
   That is great news.
As for the policy order, I believe they are executed sequentially, top to bottom, so you want to put any "allows" first,  then end with the "deny all".
   James
Paul Poyant, Employee
Here is some food for thought from GTAC Knowledge, in answer to the two questions...

Execution Sequence for EOS Policy Rules
How to Configure EOS Policy to Deny all other traffic after Permitting only certain traffic

These were written for the EOS Modular (S/N/K/7100) products. The policy command set is slightly more limited with the EOS C5-Series, in that, for instance, the lowest precedence rule type is "VLANTag" rather than "Port" ('show policy profile <profile_ID>'), and VLAN assignment is restricted unless numusers=1 ('show policy capability'). But it's sufficiently similar to provide guidance.