Wired and Wireless with ERS/EXOS and Cloud APs

RobertD1
Contributor II

Hello,

Seeking guidance on best practice for designing an Extreme Control solution for Wired (ERS and EXOS) and Cloud APs (AP 4000). 

The site is a large campus with 6000 wired/wireless devices. There are hundreds of VLANs and unique VLANs for Data and Voice.

What is the advice for creating a new Policy Domain, is it okay to stick with the Default or should I create a Policy Domain for Wired and Wireless?

Same for Access-Control, should I create a configuration for Wired Rules and one for Wireless Rules?

I think the list of Policy Mappings will grow, especially where different floor VLANs are required, but this is expected and can map to a policy from any of the Policy Domains?

Want to keep the Wired and Wireless separate for general management purposes which makes sense.

Should the EXOS switches use a Policy Domain or can they use Access-Control in the same way as ERS does?

There is no Fabric Attach so what RADIUS Attributes to Send, are used for ERS and EXOS, is it RFC 3580 for both types of switch? 

Understand how the XIQ SSID uses User Profiles to place the Wireless client into the right VLAN (uses Filter-ID).

ERS requires Manual RADIUS Configuration and EAPOL.

EXOS requires RADIUS Configuration which can be automatically applied and Netlogin which can be deployed at the CLI or via Policy Domain - so should the EXOS use the default Policy Domain then?

Another question, can the control engine only use one Access Control Configuration? If I create a rule set for Wired and Wireless they will be different Configurations, so I think the engine can only reference one of them, right?

Thanks

Rob

1 ACCEPTED SOLUTION

Ryan_Yacobucci
Extreme Employee

Hello Rob,

What is the advice for creating a new Policy Domain, is it okay to stick with the Default or should I create a Policy Domain for Wired and Wireless?
I would recommend a policy domain for wired and for wireless. There can be subtle differences between how policies need to be created between the two, so allowing for flexibility when creating policies as well as reducing the amount of devices affected by a policy change by separating into two policy domains is beneficial. By separating them a change to the wireless domain policies won't cause a change to the wired policies.


Same for Access-Control, should I create a configuration for Wired Rules and one for Wireless Rules?

If you have a significant amount of rules that are unique to either wired or wireless you can absolutely break them into different configurations and have dedicated Control appliances for wired and wireless. This provides you with the same type of flexibility as the domain question above. If you split them into wired/wireless configurations, changes to the wired configurations will not affect wireless, reducing the risk when making configuration changes.

I think the list of Policy Mappings will grow, especially where different floor VLANs are required, but this is expected and can map to a policy from any of the Policy Domains?

You can use either Policy Domain Islands, which allows you to map a VLAN name to a number of different VLAN IDs based on VLAN island membership. The "Data" VLAN ID will be configured based on policy VLAN mapping. There is also a concept of Location Based Policy mappings that can change the AVP sent to devices based on their location group. A single rule and Control Profile can result in different AVPs based on the location criteria configured. Location Criteria is a very commonly used tool in this situation.

Should the EXOS switches use a Policy Domain or can they use Access-Control in the same way as ERS does?
This depends on what you have decided to use for a control AVP. If you are using Dynamic Policy on EXOS the only way to manage policies across your network is policy manager. ERS does not support dynamic policy.

There is no Fabric Attach so what RADIUS Attributes to Send, are used for ERS and EXOS, is it RFC 3580 for both types of switch?
EXOS can use dynamic policy or RFC 3580, or a hybrid of both. Policy can be configured to contain to VLAN. ERS will need to use RFC 3580.

Another question, can the control engine only use one Access Control Configuration? If I create a rule set for Wired and Wireless they will be different Configurations, so I think the engine can only reference one of them, right?
Each Control engine is assigned to an Engine Group, each Engine Group can only be assigned one Configuration. 
If you want to use multiple configurations you need to create a new engine group and assign it the new configuration, then assign a new engine to the engine group.

This sounds like it would benefit from professional services to come in and scope and plan out an appropriate solution. Control has the tools to scale to hundreds of thousands of devices, wired or wireless. Our PS teams are very well equipped to provide a scalable solution that would fit your needs. 

Thanks
Ryan
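As an added illustration of the VLAN-island and RADIUS-attribute behaviour discussed in the answer above (example code written for this thread, not Extreme Control's own code): the island table, NAS inventory and attribute numbers are constructed for the example; ERS and EXOS are modelled on the RFC 3580 path only (EXOS dynamic policy is not modelled), and the XIQ AP path returns a Filter-ID carrying the user profile name. The example also fails closed, returning no attributes, when the NAS is unknown or the VLAN name has no mapping in that island, so a client is never silently accepted onto a default VLAN.

```python
# Added example (not Extreme Control code): resolve a policy's VLAN name to the
# VLAN ID of the NAS's island, then build the Access-Accept attributes a switch
# or AP expects. Island table and NAS inventory below are constructed.

# RFC 3580 attribute numbers and values: Tunnel-Type (64) value 13 = "VLAN",
# Tunnel-Medium-Type (65) value 6 = "IEEE-802", Tunnel-Private-Group-ID (81),
# plus Filter-ID (11) for the XIQ user-profile case.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, FILTER_ID = 64, 65, 81, 11
VLAN, IEEE_802 = 13, 6

# Constructed "VLAN islands": the same policy VLAN name maps to a different
# VLAN ID per building, as happens with per-floor/per-building VLANs.
ISLANDS = {
    "bldg-a": {"Data": 110, "Voice": 210},
    "bldg-b": {"Data": 120, "Voice": 220},
}

# Constructed NAS inventory: NAS-IP-Address -> (platform, island).
NAS = {
    "10.0.1.2": ("ERS", "bldg-a"),
    "10.0.2.2": ("EXOS", "bldg-b"),
    "10.0.9.5": ("XIQ-AP", "bldg-b"),
}


def resolve_vlan(island, vlan_name):
    """Return the island-specific VLAN ID, or None when the name is not mapped."""
    return ISLANDS.get(island, {}).get(vlan_name)


def build_accept_avps(nas_ip, vlan_name, user_profile=None):
    """Build the AVP list for an Access-Accept as (attribute_number, value) pairs.

    Returns None to signal that the request should be rejected rather than
    accepted with missing attributes (unknown NAS, unmapped VLAN, no profile).
    ERS/EXOS get RFC 3580 tunnel attributes; XIQ APs get Filter-ID.
    """
    if nas_ip not in NAS:
        return None                      # unknown NAS: fail closed
    platform, island = NAS[nas_ip]
    if platform == "XIQ-AP":
        if not user_profile:
            return None                  # no user profile to name: fail closed
        return [(FILTER_ID, user_profile)]
    vlan_id = resolve_vlan(island, vlan_name)
    if vlan_id is None:
        return None                      # unmapped VLAN in this island: reject
    return [
        (TUNNEL_TYPE, VLAN),
        (TUNNEL_MEDIUM_TYPE, IEEE_802),
        (TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)),
    ]
```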



Thanks for your detailed response Ryan.
