topic Re: RFC 3580 - VLAN ID and EXOS in ExtremeControl

RFC 3580 - VLAN ID and EXOS

RobertD1 — Wed, 01 Mar 2023 15:59:57 GMT

Hello,

When I configure RFC3580 - VLAN ID for RADIUS Attributes to Send to an EXOS switch I was expecting the MAC to appear in the VLAN sent in the Tunnel-Private-Group-Id value ie VLAN 41.

Tunnel-Private-Group-Id='41:0'
Tunnel-Type='13:0'
Tunnel-Medium-Type='6:0'

But the MAC address still show learnt in the Default VLAN.

* X435-2.54 # show fdb port 7
MAC VLAN Name( Tag) Age Flags Port / Virtual Port List
------------------------------------------------------------------------------------------------------
58:8a:5a:44:a4:83 Default(0001) 0006 nd m v 7

Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole,
b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation,
D - drop packet, h - Hardware Aging (Age=0), o - IEEE 802.1ah Backbone MAC,
S - Software Controlled Deletion, r - MSRP,
X - VXLAN, E - EVPN

Total: 18 Static: 0 Perm: 0 Dyn: 18 Dropped: 0 Locked: 0 Locked with Timeout: 0
FDB Aging time: 300

The Netlogin appears to have received the VLAN so why did it not apply to the port?

* X435-2.53 # show netlogin session port 7
Multiple authentication session entries
---------------------------------------

Port : 7 Station address : 58:8a:5a:44:a4:83
Auth status : success Last attempt : Wed Mar 1 15:50:19 2023
Agent type : mac Session applied : true
Server type : radius VLAN-Tunnel-Attr : 41
Policy index : 0 Policy name : No Policy applied
Session timeout : 0 Session duration : 0:00:22
Idle timeout : 300 Idle time : 0:00:00
Auth-Override : disabled Termination time : Not Terminated

I enabled vlanauthentication globally and is enabled on all ports too.

* X435-2.55 # show config | i vlanauth
configure policy vlanauthorization enable
* X435-2.56 #

* X435-2.20 # show policy vlanauthorization
VLAN Authorization Global Status: ENABLED

Admin Oper
Port Status Egress Egress VLAN ID
=========================================
1 enabled untagged untagged none
2 enabled untagged untagged none
3 enabled untagged untagged none
4 enabled untagged untagged none
5 enabled untagged untagged none
6 enabled untagged untagged none
7 enabled untagged untagged none
8 enabled untagged untagged none
9 enabled untagged untagged none
10 enabled untagged untagged none
11 enabled untagged untagged none
12 enabled untagged untagged none

What am I missing please?

Rob

Re: RFC 3580 - VLAN ID and EXOS

RobertD1 — Wed, 01 Mar 2023 17:34:33 GMT

Think I solved it by adding these two lines....

configure policy maptable response both
configure policy vlanauthorization enable

* X435-2.30 # show port 7 vlan
Untagged
Port /Tagged VLAN Name(s)
-------- -------- ------------------------------------------------------------
7 Untagged VLAN41
* X435-2.31 #
* X435-2.31 # show fdb port 7
MAC VLAN Name( Tag) Age Flags Port / Virtual Port List
------------------------------------------------------------------------------------------------------
58:8a:5a:44:a4:83 VLAN41(0041) 0015 nd m v 7

Total: 18 Static: 0 Perm: 0 Dyn: 18 Dropped: 0 Locked: 0 Locked with Timeout: 0
FDB Aging time: 300
* X435-2.32 #

Re: RFC 3580 - VLAN ID and EXOS

RobertD1 — Wed, 01 Mar 2023 18:23:20 GMT

Following on from this, can I use RFC 3580 to apply a VLAN untagged for Data and a VLAN tagged for a Voice IP Phone?

When I try to send VLAN as Tagged from Policy Mapping it does not show as tagged VLAN on the port but Untagged.

Re: RFC 3580 - VLAN ID and EXOS

RobertD1 — Thu, 02 Mar 2023 10:18:01 GMT

I wasn't able to get RFC3580 to create a tagged VLAN but I did succeed if I used Policy (Filter-Id). Changed the RADIUS attributes to Send to RFC3580 - VLAN ID and Network Policy. Added a VLAN 100 under Policy>VLANs. Changed Voice Phone Policy VLAN Egress to 100 tagged.

Re: RFC 3580 - VLAN ID and EXOS

OscarK — Thu, 02 Mar 2023 13:09:08 GMT

When netlogin and policy are used, policy will only honor vlan attributes if policy maptable response is set to both and vlanauthorization is enabled.

configure policy maptable response both
configure policy vlanauthorization enable

Re: RFC 3580 - VLAN ID and EXOS

Ryan_Yacobucci — Thu, 02 Mar 2023 22:47:58 GMT

Hello,

RFC 3580 does not have any considerations for tagged egress. You would need to look into RFC 4675, I'm not sure if it's supported by EXOS.

You can however use one policy to define a tagged egress.

Within the policy role there is a "VLAN Egress" tab which you can define VLAN as tagged or untagged. So if there was an IP_Phone role you could assign it a tagged egress through Policy.

One caveat to be aware of when using one policy is that you cannot assign a dynamic tagged egress of a VLAN is that already statically assigned to the port as untagged.

EG, If your data VLAN is 100 and it's set as the default VLAN on a port, and you plug in an AP to that port that gets an AP Aware policy assigned dynamically that is configured to egress VLAN 100 tagged. This doesn't work.

Thanks
Ryan

Re: RFC 3580 - VLAN ID and EXOS

RobertD1 — Mon, 06 Mar 2023 08:37:41 GMT

Thanks Ryan.

Re: RFC 3580 - VLAN ID and EXOS

RobertD1 — Mon, 06 Mar 2023 08:37:59 GMT

Thanks Oscar.