Solved

Why use a Flex UNI?

  • 17 December 2020
  • 9 replies
  • 250 views

Userlevel 6
Badge

Hi,

Just looking through the automated campus EVD:

https://kapost-files-prod.s3.amazonaws.com/kapost/55ba7c9e07003d9aab000394/studio/content/5bd9c9a3193af30012000087/revisions/1546453394-8fcd5c70-5e23-4837-bea6-93de4d4f7e73/19904-Automated-Campus-EVD_v2.pdf

The query I have is in relation to page 90 where all host attached interfaces will be set to using Flex-UNI, specifically Switched UNI, which I understand is a combination of the VLAN ID and port to a L2VSN, which allows you to re-use the VLAN IDs for a different VSN.

What I haven’t grasped is the reason to do it in this context, as an example here in the same section lists the I-SID mappings:

I see the reference that the VLAN IDs configured on the Leaf nodes are only a logical value, but it still only has a VLAN ID associated to an I-SID; I don’t see a re-use of a VLAN ID for a different I-SID and an example of why that would be needed. What I can’t see is where in this case the requirement is dictating the need for it to be a flex port?

Maybe it simply has to be configured that way in the context of using DVR?

The only other time I’ve seen the use of a flex UNI is using Fabric Attach down to, say, an EXOS switch. Am I right in thinking the port will automatically be configured as a flex UNI? Again, I would be interested in the reasoning.

Appreciate there may be a lack of knowledge here, but sure there is a small component I am missing here for the light bulb moment.

Many thanks in advance.


Best answer by Roger Lapuh 17 December 2020, 12:04

Hi Martin

yes, DVR, Fabric Attach and with VOSS 8.3 Auto-Sense and enhanced EAP/NEAP ports are/will be using Flex-UNIs.

 

Here are some of the reasons why we are using Flex-UNIs for these capabilities:

 

FA:

Using Flex-UNIs with Fabric Attach allowed us to avoid any VLAN collisions, meaning we did not have to worry about VLAN IDs when an FA device is signalling VLAN/ISIDs to an FA Server. The ISID defines to what service the traffic is mapped to, irrespective of the VLAN that was chosen on the FA link. This makes the solution much more robust and removes a lot of corner cases.

DVR:

DVR leafs are L2 only devices from the configuration perspective. CVLANs are typically used for L3 configurations. By using Flex-UNIs for DVR leafs, we were able to avoid any provisioning collisions on that level. ISID matching is the only thing that matters again.

Auto-Sense with VOSS 8.3:

Autosense with 8.3 will automatically put the port into a configuration state based on what it is connected to (NNI, FA, IP Phone port, EAP/NEAP port, Guest/onboarding port). Again, in order to avoid collisions and to better match up with FA port states, using Flex-UNI was a key reason as we don't have to create platform VLANs on demand. 

EAP/NEAP: 

Radius responses with VLAN and ISID: We wanted to avoid having to create platform VLANs on demand dynamically and possibly collide with user configurations, it is much more elegant to create a port specific VID (VLAN-ID) and map it to an ISID. This is much less intrusive and again avoids collisions.

 

It is our vision that fabric edge switches should have as little configuration as possible on them and get services (VLAN/ISID) applied on demand through user authentication only, if possible.

 

On devices where you want to enable routing interfaces, of course CVLANs are the VLANs of choice, but also there you can assign flex-UNI ports to the same ISIDs on the same box. 

 

Makes sense?

 

Roger


9 replies

Userlevel 6
Badge +1

Martin,

 

Here is an example I use with IP Tel (and also APs) showing a use case for the same VLAN Id and different i-sid:

  1. IP Phone comes out of the box and is plugged into a switch where EAPOL (MAC+802.1X) is configured
  2. The switch is advertising with LLDP-MED the voice VLAN Id, the tagging and the QoS to be used
  3. The IP Phone is coming out of the box with factory config and by this doing a MAC Auth
  4. The radius detects the MAC OUI and the auth type (MAC Auth) => it assigns the voice vlan with the i-sid of a staging vlan in a DMZ behind the firewall. This is done using flex-uni vlan type
  5. The IP Phone is able to contact the provisioning server, gets the config and reboots
  6. At reboot the IP Phone is doing 802.1X auth (defined in the config file) => the radius assigns the voice vlan (same as in point 4) but with the production i-sid

So different ports can run the same vlan but with different i-sids

 

In the document you mention, the reason for such config is a few pages before:

Mig

Userlevel 6
Badge

Thanks Mig & Roger, that really helped.

@Roger, it is getting used to the idea / mindset of the abstraction rather than traditional, and putting it in the context of the I-SID being king rather than the VLAN. Seeing it as a service driven architecture, instead of things being set in stone as before.

Appreciate both the responses. It has helped a lot in grasping the concept a bit better.

Many thanks.

 

Userlevel 4

Yes you got it, it is about looking at the ISIDs as connectivity service enablers. At the end, the users really care about IP subnets and how they are enabled. The VLAN or ISIDs are just an abstraction of that.

 

Roger

Userlevel 7
Badge +1

Hello Roger,

thank you very much for the detailed explanation. You mentioned

“On devices where you want to enable routing interfaces, of course CVLANs are the VLANs of choice, but also there you can assign flex-UNI ports to the same ISIDs on the same box.”

are there other use cases in which a c-vlan is better suited (or necessary) than a flex-UNI port?

Userlevel 6
Badge +1

StephanH,

Personally I tried to avoid CVLANs as much as possible.

Where I can, I go for Fabric Connect up to the edge having edge switches with only B-VLANs configured and all ports with EAPOL.

Unfortunately some (old or not) devices (mainly in health-care and building automation domains) have very bad network stacks and the authentication+flex-uni doesn’t fit.

In those cases I still need to hard-code a CVLAN on the ports.

Mig

Userlevel 4

Prior to VOSS Release 8.3 you did need CVLANs for EAP authentication. With 8.3 EAP and NEAP (MAC based) will be using Flex-UNI (incl. auto-sense). So you can do MHMV as well as MHSA with Flex-UNI ports.

@StephanH I would say you do need a CVLAN whenever you need Unicast or Multicast routing interfaces; other than that, a Flex UNI is fine. I am sure some folks here will point out some other cases where CVLANs have to be used (for example PVLAN will require it currently as well).

 

Again, you can create an internal CVLAN with ISID and then attach Flex-UNI ports to the same ISID on a switch.

Roger
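An added configuration example (mine, not Roger's or Mig's, and not taken from the EVD) that puts both points in one switch config: a CVLAN with a routing interface and a Flex-UNI port attached to the same I-SID, plus a second Flex-UNI port that re-uses C-VID 100 for a different (staging) I-SID, i.e. the static equivalent of the RADIUS-driven bindings in Mig's phone onboarding steps. The command syntax is VOSS 8.x CLI as I recall it and should be checked against the command reference for your release; the I-SID numbers, VLAN IDs, port numbers and IP address are constructed values.

```text
# Added example, not from the thread. VOSS CLI syntax from memory; verify
# against your release's command reference. All numbers are constructed.

enable
configure terminal

# 1) Platform CVLAN 100 = production voice service, with a routing
#    interface on this box (Roger: use a CVLAN where you need L3).
vlan create 100 name "Voice-Prod" type port-mstprstp 0
vlan i-sid 100 10000200
interface vlan 100
 ip address 10.100.0.1 255.255.255.0
exit

# 2) Flex-UNI port bound to the SAME I-SID as the CVLAN: traffic tagged
#    100 on 1/1 enters the production service and is routed via the
#    CVLAN interface above.
interface GigabitEthernet 1/1
 flex-uni enable
 no shutdown
exit
i-sid 10000200 elan
 c-vid 100 port 1/1
exit

# 3) Second Flex-UNI port re-using C-VID 100 but bound to a different
#    (staging / DMZ) I-SID: same VLAN ID on the wire, different service.
#    This is what the RADIUS MAC-auth step in Mig's flow produces.
interface GigabitEthernet 1/2
 flex-uni enable
 no shutdown
exit
i-sid 10000100 elan
 c-vid 100 port 1/2
exit

# Check which (port, C-VID) pairs land in which service
show i-sid
show vlan i-sid
```

The binding key on a Flex-UNI port is (port, C-VID), so 1/1 and 1/2 carrying tag 100 do not collide; with a platform VLAN the key is the VLAN ID alone, which is exactly the collision Roger describes for on-demand provisioning. Because the staging and production services are separate I-SIDs, a host that has only passed MAC authentication is isolated from production even though it uses the production VLAN ID.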

 

 

Userlevel 6
Badge +1

One use case where the CVLAN is mandatory:

If you want to enable IGMP snooping you can only do it on a CVLAN as it is a CVLAN attribute

Mig

Userlevel 6
Badge

Came across another component to consider when using a CVLAN, based on XMC 8.5.26.

In the help under ‘Import a Configuration to a Service Definition’

“Currently only CVLAN UNI services are supported in Release 8.4. Switched and Transparent UNI support will be added in a future release.”

Not a biggy, but just adding as something to be aware of.
