Extreme Control with Policy

Jay2009
New Contributor

I am currently doing a Control deployment, initially starting with ERS devices and then migrating to EXOS. I am using FA to do the automated campus. I have all the dynamic VLAN assignments working with I-SIDs.

Since I can't use policy on ERS devices I am just using dynamic VLAN assignments with I-SIDs and ACLs on the VSP core. With this I can see VLANs+I-SIDs dynamically added to the switch if a user authenticates on a stack. That VLAN+I-SID is also removed if that user is gone and there is no need for that VLAN. So, this is working as intended. The only downside is no policy.

I have an EXOS stack I am experimenting with. The issue I am seeing is that when I create policies in the policy domain with VLANs, everything gets pushed to the switch when enforced. So if I have 50 policies with 50 VLANs, they all exist on the EXOS switch and are not dynamically added as needed like on the ERS. It's not as clean as the ERS, so I am wondering if this is working as designed or am I doing something wrong?

1 ACCEPTED SOLUTION

Bill_Handler
Contributor II

Jay,

Any needed VLANs will nearly always need to be on the XOS switches - this is what is happening when you are pushing the policies to the switch. The VLAN is created, the role/rule info is created as well. Usually the VLAN would not be assigned to any port(s). With Policy/Control, the edge port would be dynamically changed to use the proper VLAN, and with FA, that VLAN would be tagged on the uplink as well.

Now, if you just need dynamic VLANs (RFC3580) and do not need other attributes you can set via Policy, you can use FA/Control to get the results you are looking for…

Check this GTAC Article:  https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-setup-Fabric-attach-dynamic-NSI-map...
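As an added illustration of the RFC 3580 mechanism Bill refers to (and of the Access-Accept/CoA for VLAN 100 that Jay describes further down), here is a small decoder and encoder for the attribute triplet a RADIUS server sends to assign a VLAN: Tunnel-Type (64) = VLAN, Tunnel-Medium-Type (65) = IEEE-802 and Tunnel-Private-Group-ID (81). This is example code written for this page, not Extreme Control, ERS or EXOS code; the Extreme-specific I-SID attribute is deliberately left out, and the reply bytes it works on are constructed inline. It handles the RFC 2868 tag octet (which is where most hand-rolled parsers go wrong, because the tag is optional on the string attribute) and ignores incomplete or non-VLAN triplets, which is what RFC 3580 tells a NAS to do.

```python
"""Decode the RFC 3580 dynamic-VLAN triplet from RADIUS reply attributes.
Added, constructed example: not Extreme Control, ERS or EXOS code, and the
vendor-specific I-SID attribute from the thread is deliberately left out."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

TUNNEL_TYPE = 64               # RFC 2868 tagged integer
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 tagged string
TUNNEL_TYPE_VLAN = 13          # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 3580
MAX_TAG = 0x1F                 # tag octet range; 0x00 means untagged


@dataclass(frozen=True)
class VlanAssignment:
    tag: int    # tag shared by the three attributes (0 = untagged)
    vlan: str   # Tunnel-Private-Group-ID as sent, normally the VLAN ID


def parse_attributes(payload: bytes) -> list[tuple[int, bytes]]:
    """Split a RADIUS attribute block into (type, value) pairs; each length
    is checked before slicing so a truncated attribute raises."""
    attrs = []
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def split_tag(value: bytes, integer: bool) -> tuple[int, bytes]:
    """RFC 2868 rule: the first octet is a tag only if it is <= 0x1F.
    Integers are always 4 octets; for strings the tag octet is optional, so
    b"100" (first octet 0x31) is untagged while b"\\x01100" carries tag 1."""
    if integer and len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 octets")
    if value and value[0] <= MAX_TAG:
        return value[0], value[1:]
    return 0, value


def vlan_from_reply(payload: bytes) -> Optional[VlanAssignment]:
    """Return the VLAN a NAS should apply per RFC 3580, or None.
    The triplet must share a tag (tag 0 attributes are global), Tunnel-Type
    must be VLAN and Tunnel-Medium-Type IEEE-802; anything else is ignored."""
    groups: dict[int, dict[int, bytes]] = {}
    for atype, raw in parse_attributes(payload):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, val = split_tag(raw, integer=True)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, val = split_tag(raw, integer=False)
        else:
            continue   # unrelated attribute, e.g. Session-Timeout
        groups.setdefault(tag, {})[atype] = val

    untagged = groups.get(0, {})
    for tag in sorted(groups):   # lowest tag wins when several are offered
        own = groups[tag]
        ttype = own.get(TUNNEL_TYPE, untagged.get(TUNNEL_TYPE))
        medium = own.get(TUNNEL_MEDIUM_TYPE, untagged.get(TUNNEL_MEDIUM_TYPE))
        group_id = own.get(TUNNEL_PRIVATE_GROUP_ID,
                           untagged.get(TUNNEL_PRIVATE_GROUP_ID))
        if ttype is None or medium is None or not group_id:
            continue
        if (int.from_bytes(ttype, "big") != TUNNEL_TYPE_VLAN
                or int.from_bytes(medium, "big") != TUNNEL_MEDIUM_IEEE_802):
            continue
        try:
            return VlanAssignment(tag, group_id.decode("ascii"))
        except UnicodeDecodeError:
            continue
    return None


def build_vlan_reply(vlan: str, tag: int = 1) -> bytes:
    """Encode the triplet the way a RADIUS server puts it in a reply."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00..0x1F")

    def attr(atype: int, value: bytes) -> bytes:
        if len(value) > 253:   # the RADIUS length octet covers type+len+value
            raise ValueError("attribute value too long")
        return bytes([atype, len(value) + 2]) + value

    tag_byte = bytes([tag])
    return (attr(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE,
                   tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID,
                   (tag_byte if tag else b"") + vlan.encode("ascii")))
```

`vlan_from_reply(build_vlan_reply("100"))` yields the VLAN 100 assignment from the thread. What the switch then does with that value (creating the VLAN on demand as the ERS does, or selecting one that a policy enforce already created, as on EXOS) is NAS behaviour and is not modelled here.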

4 REPLIES

Jay2009
New Contributor

Thanks Bill, that cleared it up for me.

Jay2009
New Contributor

I am using authentication and the policies are dynamically assigned. Let's say for example I have VLAN 100 for VTC.

I connect a VTC to an ERS switch, the RADIUS server sends the attributes for the VLAN and I-SID and does a CoA for the port the VTC was connected to. VLAN 100 did not exist on this switch before I connected the VTC. So now the VLAN is extended to my L2 switch, and if I remove the VTC it pulls it away.

When doing this in policy with an EXOS switch in that policy domain, it will push that VLAN 100 to my switch regardless of whether there is a VTC on the switch or not.

Bill_Handler
Contributor II

Are you using authentication on the XOS Stack? The policy roles should be dynamically assigned via Control when the end-user/system authenticates to the network…

I'd start there...
