03-01-2023 07:59 AM
Hello,
When I configure RFC3580 - VLAN ID for RADIUS Attributes to Send to an EXOS switch I was expecting the MAC to appear in the VLAN sent in the Tunnel-Private-Group-Id value ie VLAN 41.
Tunnel-Private-Group-Id='41:0'
Tunnel-Type='13:0'
Tunnel-Medium-Type='6:0'
But the MAC address still show learnt in the Default VLAN.
* X435-2.54 # show fdb port 7
MAC VLAN Name( Tag) Age Flags Port / Virtual Port List
------------------------------------------------------------------------------------------------------
58:8a:5a:44:a4:83 Default(0001) 0006 nd m v 7
Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole,
b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation,
D - drop packet, h - Hardware Aging (Age=0), o - IEEE 802.1ah Backbone MAC,
S - Software Controlled Deletion, r - MSRP,
X - VXLAN, E - EVPN
Total: 18 Static: 0 Perm: 0 Dyn: 18 Dropped: 0 Locked: 0 Locked with Timeout: 0
FDB Aging time: 300
The Netlogin appears to have received the VLAN so why did it not apply to the port?
* X435-2.53 # show netlogin session port 7
Multiple authentication session entries
---------------------------------------
Port : 7 Station address : 58:8a:5a:44:a4:83
Auth status : success Last attempt : Wed Mar 1 15:50:19 2023
Agent type : mac Session applied : true
Server type : radius VLAN-Tunnel-Attr : 41
Policy index : 0 Policy name : No Policy applied
Session timeout : 0 Session duration : 0:00:22
Idle timeout : 300 Idle time : 0:00:00
Auth-Override : disabled Termination time : Not Terminated
I enabled vlanauthentication globally and is enabled on all ports too.
* X435-2.55 # show config | i vlanauth
configure policy vlanauthorization enable
* X435-2.56 #
* X435-2.20 # show policy vlanauthorization
VLAN Authorization Global Status: ENABLED
Admin Oper
Port Status Egress Egress VLAN ID
=========================================
1 enabled untagged untagged none
2 enabled untagged untagged none
3 enabled untagged untagged none
4 enabled untagged untagged none
5 enabled untagged untagged none
6 enabled untagged untagged none
7 enabled untagged untagged none
8 enabled untagged untagged none
9 enabled untagged untagged none
10 enabled untagged untagged none
11 enabled untagged untagged none
12 enabled untagged untagged none
What am I missing please?
Rob
Solved! Go to Solution.
03-02-2023 02:46 PM - edited 03-02-2023 02:47 PM
Hello,
RFC 3580 does not have any considerations for tagged egress. You would need to look into RFC 4675, I'm not sure if it's supported by EXOS.
You can however use one policy to define a tagged egress.
Within the policy role there is a "VLAN Egress" tab which you can define VLAN as tagged or untagged. So if there was an IP_Phone role you could assign it a tagged egress through Policy.
One caveat to be aware of when using one policy is that you cannot assign a dynamic tagged egress of a VLAN is that already statically assigned to the port as untagged.
EG, If your data VLAN is 100 and it's set as the default VLAN on a port, and you plug in an AP to that port that gets an AP Aware policy assigned dynamically that is configured to egress VLAN 100 tagged. This doesn't work.
Thanks
Ryan
03-02-2023 02:46 PM - edited 03-02-2023 02:47 PM
Hello,
RFC 3580 does not have any considerations for tagged egress. You would need to look into RFC 4675, I'm not sure if it's supported by EXOS.
You can however use one policy to define a tagged egress.
Within the policy role there is a "VLAN Egress" tab which you can define VLAN as tagged or untagged. So if there was an IP_Phone role you could assign it a tagged egress through Policy.
One caveat to be aware of when using one policy is that you cannot assign a dynamic tagged egress of a VLAN is that already statically assigned to the port as untagged.
EG, If your data VLAN is 100 and it's set as the default VLAN on a port, and you plug in an AP to that port that gets an AP Aware policy assigned dynamically that is configured to egress VLAN 100 tagged. This doesn't work.
Thanks
Ryan
03-06-2023 12:37 AM
Thanks Ryan.
03-02-2023 05:09 AM
When netlogin and policy are used, policy will only honor vlan attributes if policy maptable response is set to both and vlanauthorization is enabled.
configure policy maptable response both
configure policy vlanauthorization enable
03-06-2023 12:37 AM
Thanks Oscar.