Extreme Control with ERS: Accept traffic upon active VLAN + MAC

  • 30 August 2019
Hello community,
I'm new to Extreme Control.

Can somebody explain step by step how to create the following rule with Control and BOSS/VOSS devices:

Customer wants to accept traffic if the VLAN ID already (!) configured on a specific port matches, e.g. 100, AND the MAC address connected to this port matches a predefined MAC list.
Customer does not want to change the VLAN ID if the MAC matches but the VLAN configured on the port does not match.
In this case, access should be rejected.

Thanks in advance!

Userlevel 7
This is a very unique approach.

You can define locations (sets of switch and port).
Then you can create rules: if the MAC is in group G100 and the location is L100, then apply VLAN 100. If the MAC is in group G101 and the location is L101, then apply VLAN 101. Otherwise reject.

With the approach above you can define the list of ports in management instead of in the CLI.
In advance: location groups can be synchronized by workflow from ERS switches...

Other approach is to explain to the customer that his approach is "not best practice and not optimal for troubleshooting (you need to check CLI and GUI)".
Thank you for your quick reply.

But I am missing the explanation of how to check the configured VLAN on any port.
So: investigate/verify the configuration (not changing it) on any random port?

Impossible with Control?
At the moment the customer does this kind of "NAC" with some 3rd-party software and expects to do (at least) the same with Control (as Extreme sales obviously promised this to him)

😞
Userlevel 7
Option 1: you can manually define locations. Today the customer defines which VLAN is on which port via the CLI; with the new ExtremeControl this will be defined in Locations.
Old approach:
customer defines port P on switch S is VLAN V
New approach:
customer defines location V containing switch S and port P

Option 2:
there will be a workflow/script, executed once or periodically, that will update the locations based on the current config in the switches. Such a workflow/script is not extra difficult and the Professional Services team can scope it, or partner/customer can do it. The workflow/script can be executed once, periodically or on demand.

I understand that the customer does use some 3rd-party tools. However, instead of customizing the new system to the old behavior, it may be an opportunity to think about a new approach: more easy, more flexible, more modern, more secure...
Thank you once again,
we will check this workflow/script idea.
Do you have some example/documentation on how to realize something like that on ERS/VSP?
Userlevel 7
Here is an example of a GraphQL API call to create a Group:
code:
mutation {
  accessControl {
    createGroup(input: {name: "Location XYZ", description: "Description XYZ", type: LOCATION}) {
      status
      message
    }
  }
}

Here is the response from my XMC:
code:
{
  "data": {
    "accessControl": {
      "createGroup": {
        "status": "SUCCESS",
        "message": null
      }
    }
  }
}

Here is the result: [screenshot]

Here is an example of a GraphQL API call to insert a value into the location group:
code:
mutation {
  accessControl {
    addEntryToGroup(input: {group: "Location XYZ", value: "1.1.1.1;1/1", description: "Description XYZ"}) {
      status
      message
    }
  }
}

Here is the response:
code:
{
  "data": {
    "accessControl": {
      "addEntryToGroup": {
        "status": "SUCCESS",
        "message": null
      }
    }
  }
}

Here is the result: [screenshot]

Here is an example of the API call made by a script/workflow:
code:
varQuery = '''
mutation {
  accessControl {
    createGroup(input: {name: "Location XYZ", description: "Description XYZ", type: LOCATION}) {
      status
      message
    }
  }
}'''
varResult = emc_nbi.query(varQuery)


Hope it helps you. Regards

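As an added illustration (not code from the thread or from Extreme), here is how the "option 2" sync workflow could assemble the two mutations shown above from a switch's port/VLAN assignment, one location group per VLAN with entries in the "ip;slot/port" form, and check the status field of each response. The switch data, the "Location VLAN<id>" naming and the fake_query stand-in for emc_nbi.query are assumptions.

```python
# Constructed example: build and send the createGroup / addEntryToGroup mutations
# from the thread for every VLAN found on the switch ports; not Extreme's code.

# Constructed sample of the current port/VLAN assignment: (switch IP, port, VLAN ID).
# A real workflow would read this from the ERS/VSP switches instead.
PORT_VLANS = [
    ("10.1.1.1", "1/1", 100),
    ("10.1.1.1", "1/2", 100),
    ("10.1.1.2", "1/1", 101),
]

def create_group_mutation(name, description):
    # Mutation shape from the post; type LOCATION makes it a location group.
    return ('mutation { accessControl { createGroup(input: {name: "%s", '
            'description: "%s", type: LOCATION}) { status message } } }'
            % (name, description))

def add_entry_mutation(group, value, description):
    # Entry value uses the "ip;slot/port" form shown in the post.
    return ('mutation { accessControl { addEntryToGroup(input: {group: "%s", '
            'value: "%s", description: "%s"}) { status message } } }'
            % (group, value, description))

def build_mutations(port_vlans):
    """One createGroup per VLAN, then one addEntryToGroup per port in that VLAN."""
    groups = {}
    for ip, port, vlan in port_vlans:
        groups.setdefault(vlan, []).append("%s;%s" % (ip, port))
    out = []
    for vlan in sorted(groups):
        name = "Location VLAN%d" % vlan  # assumed naming convention
        out.append(create_group_mutation(name, "Ports configured in VLAN %d" % vlan))
        for value in groups[vlan]:
            out.append(add_entry_mutation(name, value, "synced from switch config"))
    return out

def run_sync(query, port_vlans=PORT_VLANS):
    """Send each mutation through `query` (emc_nbi.query inside XMC) and return how
    many responses did not report status SUCCESS, as in the responses above."""
    failures = 0
    for mutation in build_mutations(port_vlans):
        payload = query(mutation).get("data", {}).get("accessControl", {})
        status = next(iter(payload.values()), {}).get("status")
        if status != "SUCCESS":
            failures += 1
    return failures

def fake_query(mutation):
    # Offline stand-in for emc_nbi.query that returns the response shape from the post.
    op = "createGroup" if "createGroup" in mutation else "addEntryToGroup"
    return {"data": {"accessControl": {op: {"status": "SUCCESS", "message": None}}}}
```

Inside an XMC workflow, `run_sync(emc_nbi.query)` replaces the stand-in; a non-zero return means at least one group or entry was not created and the port list in Control no longer matches the switch.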