topic RE: Enterasys C5 dynamic policy role/vlan assignment in ExtremeSwitching (EOS)

Enterasys C5 dynamic policy role/vlan assignment

Matt_Dillion — Thu, 16 Apr 2015 00:44:00 GMT

How do I configure Enterasys C5 dynamic policy role/vlan assignment for 3com IP Phone?
Basically what I need to happen is vlan 150 to be assigned as untagged and vlan 120 (voice vlan) assigned as tagged. The problem I am having is that vlan 150 although showing as untagged does not show up as the FID when entering the command show mac port ge.X.X. Anyone guidance would be much appreciated!

RE: Enterasys C5 dynamic policy role/vlan assignment

JAMES_WIEDEL — Thu, 16 Apr 2015 02:08:00 GMT

To manually do what you are asking (I think) do the following:
(Assuming the port is ge.1.4, data VLAN is 150 and voice VLAN is 120)

set port vlan ge.1.4 150 modify (the modify removes the port from all other VLANs )
set vlan egress 120 ge.1.4 tagged

show port egress ge.1.4 should now say something like
Port Vlan Egress Registration
Number Id Status Status
------------------------------------------------------------
ge.1.4 150 untagged static
ge.1.4 120 tagged static

You need to have the phone sending voice out tagged on vlan 1319 and the data port
on the phone will be 1306.

I strongly advise the use of the "modify" portion of the command to remove all other VLANs
on the port. Without it, it is possible to put multiple UNTAGGED VLANs onto a port and
get you and the data flow very confused. (Outbound from the switch would be no problem,
but inbound...)

You build trunk ports exactly the same way. Set vlan egress for each VLAN; the old assignments
remain. (clear vlan egress to remove a particular VLAN from a port)
James

RE: Enterasys C5 dynamic policy role/vlan assignment

Matt_Dillion — Thu, 16 Apr 2015 02:08:00 GMT

James, thank you for the information. Setting up ports manually is not an issue, I am trying to use role based policy assignment via Radius. Most of this I have working except when it comes to our IP Phones. Vlan 120 (tagged) is applied as expected which i verified running the command (show mac port ge.X.X) where the FID is 120. Its applying vlan 150 (untagged). The mac address does not get added to the FID for vlan 150. see below configuration.

#vlan
set vlan create 120
set vlan create 150
set vlan create 4089
set vlan name 120 "VoIP"
set vlan name 150 "ITS"
set vlan name 4089 "Guest"
clear vlan egress 1 ge.1.1-48
set vlan egress 120 ge.1.47-48 tagged
set vlan egress 150 ge.1.47-48 tagged
set vlan egress 4089 ge.1.47-48 tagged
set vlan egress 4089 ge.1.1-24 untagged
!
!
#eapol
set dot1x enable
set eapol enable
set eapol auth-mode forced-auth ge.1.47
set eapol auth-mode forced-auth ge.1.48
!
!
#macauthentication
set macauthentication enable
set macauthentication auth-mode radius-username
set macauthentication port enable ge.1.1-46
!
!
#multiauth
set multiauth port mode opt-auth ge.1.1-46
set multiauth port mode force-auth ge.1.47-48
set multiauth port numusers 2 ge.1.1-46
set multiauth precedence mac dot1x cep pwa
!
!

#nodealias
set nodealias disable ge.1.47
set nodealias disable ge.1.48
!
!

#policy
set policy maptable response both
set policy profile 1 name "Guest" cos-status enable cos 4
set policy profile 120 name "VoIP" pvid-status enable pvid 120 cos-status enable cos 5 egress-vlans 120 forbidden-vlans 4089 untagged-vlans 150
set policy profile 150 name "FAcStaff" pvid-status enable pvid 150
set policy rule 1 udpsourceport 68 mask 16 forward
set policy rule 1 udpdestport 53 mask 16 forward
set policy rule 1 udpdestport 67 mask 16 forward
set policy rule 1 tcpdestport 80 mask 16 forward
set policy rule 1 tcpdestport 443 mask 16 forward
set policy rule 1 tcpdestport 8080 mask 16 forward
set policy rule 1 ether 0x806 mask 16 forward
set policy rule 120 macsource 00-e0-00-00-00-00 mask 16 forward
set policy rule 120 udpsourceport 68 mask 16 forward
set policy rule 120 udpdestport 53 mask 16 forward
set policy rule 120 udpdestport 67 mask 16 forward
set policy rule 120 tcpdestport 80 mask 16 forward
set policy rule 120 tcpdestport 443 mask 16 forward
set policy rule 120 tcpdestport 8080 mask 16 forward
set policy rule 120 ipproto 1 mask 8 forward
set policy rule 120 ether 0x806 mask 16 forward
set policy port ge.1.1-46 1
!
!

#port
set port vlan ge.1.1-46 4089
!
!

#radius
set radius enable
set radius accounting enable
set radius accounting server 10.1.11.1 1813 XXXXXXXXXXXXXXX
set radius server 1 10.1.11.1 1812 XXXXXXXXXXX realm network-access
!
!

#spantree
set spantree adminedge ge.1.1-46 true

TEST-SWITCH(su)->show vlanauthorization

Vlan Authorization: - disabled

port status administrative operational authenticated vlan id
egress egress mac address
------- -------- -------------- ----------- ----------------- -------
ge.1.1-48 enabled untagged

RE: Enterasys C5 dynamic policy role/vlan assignment

Jason_Parker — Thu, 16 Apr 2015 02:21:00 GMT

To add to James comments, you will need to also run the command Set multiAuth port numusets users to 2

RE: Enterasys C5 dynamic policy role/vlan assignment

Matt_Dillion — Thu, 16 Apr 2015 02:21:00 GMT

Thank you for the information, I have responded to James's comment. On another note, would you clarify how policy works for me? My biggest question is when you create rules is there an inherant deny or permit? If I create rules to specifically allow traffic will all other traffic be discarded? If not what is the best way to create a rule like that? Is there a good document on Policy out there I can review besides the Feature Guides and Config Guides?

RE: Enterasys C5 dynamic policy role/vlan assignment

Matt_Dillion — Thu, 16 Apr 2015 02:21:00 GMT

I changed multiauth port numusers to 3 but no luck. When I perform a show mac port ge.X.X the only FID that shows up is 120, however when doing a show port egress ge.X.X I do see both vlan 150 (untagged) and vlan 120 (tagged). I think the problem is the MAC address of the phone isn't added to FID 150. Any thoughts?

RE: Enterasys C5 dynamic policy role/vlan assignment

Matt_Dillion — Thu, 16 Apr 2015 02:21:00 GMT

I got it working! I ended up changing the set policy profile from;

(set policy profile 120 name "VoIP" pvid-status enable pvid 120 cos-status enable cos 5 egress-vlans 120 forbidden-vlans 4089 untagged-vlans 150)

to;

(set policy profile 120 name "VoIP" pvid-status enable pvid 150 cos 5 egress-vlans 12)

So one last question, how are policy rules executed (in what order) or all they all at once? What would be the best way to deny all traffic after allowing only specific ports/protocols?

RE: Enterasys C5 dynamic policy role/vlan assignment

JAMES_WIEDEL — Thu, 16 Apr 2015 02:21:00 GMT

Matt,
That is great news.
As for the policy order, I believe they are executed sequentially, top to bottom, so you want to put any "allows" first, then end with the "deny all".
James

RE: Enterasys C5 dynamic policy role/vlan assignment

Paul_Poyant — Thu, 16 Apr 2015 02:21:00 GMT

Here is some food for thought from GTAC Knowledge, in answer to the two questions...

Execution Sequence for EOS Policy Rules
How to Configure EOS Policy to Deny all other traffic after Permitting only certain traffic

These were written for the EOS Modular (S/N/K/7100) products. The policy command set is slightly more limited with the EOS C5-Series, in that for instance the lowest precedence rule type is "VLANTag" rather than "Port" ('

code:

show policy profile

code:

profile_ID

>'), and VLAN assignment is restricted unless numusers=1 ('

code:

show policy capability

'). But it's sufficiently similar to provide guidance.

RE: Enterasys C5 dynamic policy role/vlan assignment

JAMES_WIEDEL — Thu, 16 Apr 2015 02:21:00 GMT

Matt,
show vlanauthorization does indeed seem to only show the untagged port information. Do a

show port egress ge.x.y which should tell you all the VLANs associated with that port.
Likewise show port vlan ge.x.y only tell you about the default (untagged ) VLAN.

show mac port ge.x.y should should you the MAC of both the phone and data device, unless of course they haven't talked or the bridging table timed out.

When I did a show mac port, I actually saw 3 entries for a phone plus data. The phone, for whatever reason popped up on both VLANs. I don't understand why
since the phone itself shouldn't be talking to that VLAN. You might try changing your set multiauth port numusers 2 to 3 just incase you are seeing the same thing and the switch is dumping the 3rd entry, which in my case was the VOIP VLAN.
James