This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Extreme Control with ERS: Accept traffic upon active VLAN + MAC

Extreme Control with ERS: Accept traffic upon active VLAN + MAC

SDR
New Contributor III

‎08-30-2019 02:08 PM

Hello community,
I´m new to Extreme control.

Can somebody explain step by step how to create the following rule with Control and BOSS/VOSS-Devices:

Customer wants to accept traffic, If VLAN ID already (!) configure on a specific port matches e.g. 100 AND MAC-addresse connected to this port matches a predefined MAC-List.
Customer does not want to change VLAN-ID, if MAC matches, but configure VLAN on port does not match.
In this case, access should be rejected.

Thanks in advance!
0 Kudos
5 REPLIES 5

Zdeněk_Pala
Extreme Employee

‎09-02-2019 07:58 PM

Here is example of GraphQL API call to create Group:
code:
mutation {
  accessControl {
    createGroup(input: {name: "Location XYZ", description: "Description XYZ", type: LOCATION}) {
      status
      message
    }
  }
}

Here is response from my XMC:
code:
{
  "data": {
    "accessControl": {
      "createGroup": {
        "status": "SUCCESS",
        "message": null
      }
    }
  }
}

Here is result:

36625d62cc824e70b07c5e742769d8b8_edb5e21b-bf33-4c1c-afcd-ac85a9cd0aff.png



Here is example of GraphQL API call to insert value to the location group:
code:
mutation {
  accessControl {
    addEntryToGroup(input: {group: "Location XYZ",value:"1.1.1.1;1/1" ,description: "Description XYZ"}) {
      status
      message
    }
  }
}

Here is response
code:
{
  "data": {
    "accessControl": {
      "addEntryToGroup": {
        "status": "SUCCESS",
        "message": null
      }
    }
  }
}

Here is result

36625d62cc824e70b07c5e742769d8b8_75595157-ac77-4da4-b217-7c6cf94d7dde.png



Here is example of the API call made by script/worfklow:
code:
varQuery='''
mutation {
  accessControl {
    createGroup(input: {name: "Location XYZ", description: "Description XYZ", type: LOCATION}) {
      status
      message
    }
  }
}'''
varResult = emc_nbi.query(varQuery)


Hope it helps you. Regards
Regards Zdeněk Pala
0 Kudos

SDR
New Contributor III

‎09-02-2019 07:46 AM

Thank you once again,
We will check about this workflow/script idea.
Do you have some example/documentation on how to realize something like that on ERS/VSP
0 Kudos

Zdeněk_Pala
Extreme Employee

‎08-30-2019 07:41 PM

option 1: you can manually define locations. Today the customer define on what port is what vlan by CLI, with the new ExtremeControl this will be defined in Locations.
old approach:
customer defines port P switch S is vlan V
new approach:
customer define location V contain switch S and port P

option 2:
there will be workflow/script executed once or periodically what will update the locations based on current config in switches. Such workflow/script is not extra difficult and Professional Services team can scope it or partnet/customer can do it. The workflow/script can be executed once or periodically or on demand

I understand that the customer does use some 3rd party tools. However, instead of customizing the new system to old behavior it may be opportunity to think about new approach, more easy, more flexible, more modern, more secure...
Regards Zdeněk Pala
0 Kudos

SDR
New Contributor III

‎08-30-2019 04:47 PM

Thank you for your quick reply.

But I am missing the explanation on how to check the configured vlan on any port.
So: investigate/verify the configuration (not changing it) on any random port?


impossible with Control?
At the moment Customer does this kind of “NAC” with some 3rd party software and expects the to do (at least) the same with Control (as Extreme sales obviously promised this to him)

0 Kudos
GTM-P2G8KFN