
UPM or mac address based vlan switching?


I'm looking for suggestions on our design.

We currently have a mixture of extreme products (8806, X670, X450, X440) with multiple VLANS.

Right now I've been assigning ports to VLANs manually, which is turning into a bit of a pain. I was wondering what the best approach would be to implement a policy whereby machines/ports get their VLAN assignment based on the MAC address of the device plugging into said port.

E.g.:
All MACs that begin with XX:XX go into VLAN 1
All MACs that begin with XY:XY go into VLAN 2

Would UPM or MAC-based netlogin be the better option?


You wouldn't need to use UPM for VLAN assignment, but it could be used for other things. The easiest approach would be to use local MAC authentication with a mask filtering certain OUIs and creating local users in the local user database with VLAN VSAs (and UPM scripting if needed) locally on the switch.

I'll follow with an example shortly.
Matthew Helm wrote:

You wouldn't need to use UPM for VLAN assignment, but it could be used for other things. The easiest approach would be to use local MAC authentication with a mask filtering certain OUIs and creating local users in the local user database with VLAN VSAs (and UPM scripting if needed) locally on the switch.

I'll follow with an example shortly.

Sounds good to me, keen to see an example if you have time. Appreciate it.

bump 🙂

Sorry for the tardiness. So here is an example configuration:

# delete the default vlan off of ports 1-3
config vlan default delete port 1-3
# create the netlogin VLAN
create vlan "nl"
# create the VLAN used by a specific device type in this example
create vlan "ouiVLAN"

# config the netlogin vlan
configure netlogin vlan nl
# enable netlogin mac generally
enable netlogin mac
# enable netlogin for mac authentication on ports 1-3
enable netlogin ports 1-3 mac

# create a mac-list filter that matches on the first 24 bits (the OUI) and uses the
# OUI followed by 24 zero bits plus "ouipass" as the credentials for devices
# that have the matching OUI (a VOIP phone, for instance).
configure netlogin add mac-list 08:00:27:00:00:00 24 ouipass

# create a mac-list filter set which will match all other devices and use 48 bits of
# 0s and "otherpass" as the credentials for devices not having
# the desired OUI.
configure netlogin add mac-list 00:00:00:00:00:00 1 otherpass

# create the accounts with passwords and the appropriate VLAN-VSA assignment
create netlogin local-user "000000000000" otherpass vlan-vsa untagged Default
create netlogin local-user "080027000000" ouipass vlan-vsa ouiVLAN

The above configuration will have any device from the specific manufacturer that you want put into the "ouiVLAN".

All others end up in the "Default" VLAN.

Let me know if this helps.
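The mask-to-credential mapping behind the configuration above, as an added Python example that is not from the thread or from Extreme's own code: it models how a device MAC is masked by the matching mac-list entry to form the local-user name and password, which then selects the VLAN. The longest-mask-wins ordering and the fallback to the netlogin VLAN "nl" for devices that match nothing or fail authentication are assumptions.

```python
# Added example: simulates EXOS netlogin MAC authentication as configured in
# the thread. The mask length and the 12-hex-digit username form come from
# the configuration above; longest-match ordering is an assumption.
from dataclasses import dataclass


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' into a 48-bit integer."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return int("".join(parts), 16)


def mask_mac(mac: str, bits: int) -> str:
    """Keep the top `bits` bits of the MAC, zero the rest, return 12 hex digits."""
    keep = ((1 << bits) - 1) << (48 - bits)
    return f"{mac_to_int(mac) & keep:012x}"


@dataclass
class MacListEntry:
    prefix: str    # e.g. "08:00:27:00:00:00"
    bits: int      # mask length in bits, as in "configure netlogin add mac-list"
    password: str  # password sent for devices matching this entry


def match_entry(mac: str, mac_list):
    """Return the most specific (longest mask) entry whose prefix matches (assumed ordering)."""
    best = None
    for e in mac_list:
        if mask_mac(mac, e.bits) == mask_mac(e.prefix, e.bits):
            if best is None or e.bits > best.bits:
                best = e
    return best


def assign_vlan(mac: str, mac_list, local_users, netlogin_vlan: str = "nl") -> str:
    """Resolve MAC -> (masked-MAC username, password) -> VLAN; failures stay in the netlogin VLAN."""
    e = match_entry(mac, mac_list)
    if e is None:
        return netlogin_vlan
    user = mask_mac(mac, e.bits)          # the masked MAC is the local-user name
    cred = local_users.get(user)
    if cred is None or cred[0] != e.password:
        return netlogin_vlan
    return cred[1]


# Constructed to mirror the thread's configuration (OUI 08:00:27 -> ouiVLAN, rest -> Default).
MAC_LIST = [MacListEntry("08:00:27:00:00:00", 24, "ouipass"),
            MacListEntry("00:00:00:00:00:00", 1, "otherpass")]
LOCAL_USERS = {"080027000000": ("ouipass", "ouiVLAN"),
               "000000000000": ("otherpass", "Default")}
```

Note that the 1-bit catch-all entry only matches MACs whose first bit is 0 (unicast source addresses), so anything else stays in the netlogin VLAN.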

Also here is the latest version of a quick doc I put together on this sort of thing including using freeradius

This is great, thank you Matthew! Going to give it a go this weekend.

I've tested this configuration and it seems to be what I need.

Is it possible to pass "2 untagged vlan" in the same port using this? (like dataVlan and voiceVlan)?

Or at least "1 untagged + 1 tagged" ?

Are two devices connecting to the same port (e.g. a PC connecting to a VOIP phone which is connected to the switch)?

Yes, they are.

I have those scenarios:
Extreme Switch -> Computer
Extreme Switch -> Avaya Phone
Extreme Switch -> Not managed Switch -> Computer/Avaya (or another brand...) Phone
Extreme Switch -> Avaya Phone -> Computer
Extreme Switch -> Avaya Phone -> Another brand (that can't do VLANs) Phone
