Enterasys C5 dynamic policy role/vlan assignment

Matt_Dillion
New Contributor III
How do I configure Enterasys C5 dynamic policy role/vlan assignment for 3com IP Phone?
Basically what I need to happen is vlan 150 to be assigned as untagged and vlan 120 (voice vlan) assigned as tagged. The problem I am having is that vlan 150, although showing as untagged, does not show up as the FID when entering the command show mac port ge.X.X. Any guidance would be much appreciated!


I got it working! I ended up changing the set policy profile from:

(set policy profile 120 name "VoIP" pvid-status enable pvid 120 cos-status enable cos 5 egress-vlans 120 forbidden-vlans 4089 untagged-vlans 150)

to:

(set policy profile 120 name "VoIP" pvid-status enable pvid 150 cos 5 egress-vlans 12)

So one last question, how are policy rules executed (in what order), or are they all at once? What would be the best way to deny all traffic after allowing only specific ports/protocols?
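The change that made this work moves the pvid onto the same VLAN that the profile sends untagged. A small lint that catches that kind of mismatch in a dumped policy section is added below; it is an illustration written for this thread, not Enterasys tooling, and the "fixed" profile line is a constructed variant (pvid 150 with the rest of the original arguments), not the exact line from the post.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the policy profile lines from the config posted in the thread.
ORIGINAL_CONFIG = """\
set policy maptable response both
set policy profile 1 name "Guest" cos-status enable cos 4
set policy profile 120 name "VoIP" pvid-status enable pvid 120 cos-status enable cos 5 egress-vlans 120 forbidden-vlans 4089 untagged-vlans 150
set policy profile 150 name "FAcStaff" pvid-status enable pvid 150
"""

# Constructed variant of profile 120 with the pvid moved to the data VLAN
# (the change the original poster reported as working); not copied from the post.
FIXED_CONFIG = """\
set policy profile 120 name "VoIP" pvid-status enable pvid 150 cos-status enable cos 5 egress-vlans 120 untagged-vlans 150
"""

PROFILE_RE = re.compile(r'^set policy profile (\d+)\s+(.*)$')
# Longer keyword listed first so "pvid-status" is not read as "pvid" followed by "-status".
KV_RE = re.compile(r'\b(pvid-status|pvid|egress-vlans|forbidden-vlans|untagged-vlans)\s+(\S+)')


def _vlans(value: str) -> Set[int]:
    """Parse a VLAN list such as "120" or "120,150" into a set of VLAN ids."""
    return {int(v) for v in value.split(',') if v.strip()}


def parse_profiles(config: str) -> Dict[int, dict]:
    """Extract the VLAN-related arguments of every 'set policy profile' line."""
    profiles: Dict[int, dict] = {}
    for raw in config.splitlines():
        m = PROFILE_RE.match(raw.strip())
        if not m:
            continue
        prof = {'pvid_status': None, 'pvid': None,
                'egress': set(), 'forbidden': set(), 'untagged': set()}
        for key, val in KV_RE.findall(m.group(2)):
            if key == 'pvid-status':
                prof['pvid_status'] = val
            elif key == 'pvid':
                prof['pvid'] = int(val)
            elif key == 'egress-vlans':
                prof['egress'] = _vlans(val)
            elif key == 'forbidden-vlans':
                prof['forbidden'] = _vlans(val)
            elif key == 'untagged-vlans':
                prof['untagged'] = _vlans(val)
        profiles[int(m.group(1))] = prof
    return profiles


def lint_profile(pid: int, prof: dict) -> List[str]:
    """Return human-readable findings for one profile (empty list if clean)."""
    findings: List[str] = []
    pvid = prof['pvid']
    if prof['pvid_status'] == 'enable' and pvid is None:
        findings.append(f"profile {pid}: pvid-status enable but no pvid given")
    if pvid is not None:
        # Untagged ingress frames are classified into the pvid, so the source MAC
        # is learned in that FID. If the untagged egress VLAN differs, the phone
        # shows up under the pvid's FID rather than the data VLAN (the thread's symptom).
        if prof['untagged'] and pvid not in prof['untagged']:
            findings.append(
                f"profile {pid}: pvid {pvid} differs from untagged-vlans "
                f"{sorted(prof['untagged'])}; untagged frames are learned in FID {pvid}")
        if pvid in prof['forbidden']:
            findings.append(f"profile {pid}: pvid {pvid} is also listed in forbidden-vlans")
    both = prof['egress'] & prof['untagged']
    if both:
        findings.append(
            f"profile {pid}: VLANs {sorted(both)} listed as both tagged and untagged egress")
    return findings


def lint_config(config: str) -> Dict[int, List[str]]:
    """Lint every profile in a config dump; keys are profile ids."""
    return {pid: lint_profile(pid, p) for pid, p in parse_profiles(config).items()}


if __name__ == '__main__':
    for name, cfg in (('original', ORIGINAL_CONFIG), ('fixed', FIXED_CONFIG)):
        for pid, findings in lint_config(cfg).items():
            print(name, pid, findings or 'ok')
```

Run against the original profile 120 it reports the pvid/untagged-vlans mismatch; the constructed variant with pvid 150 comes back clean. It only reads the profile arguments, so it says nothing about the rule ordering question above, which the thread does not answer.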

I changed multiauth port numusers to 3 but no luck. When I perform a show mac port ge.X.X the only FID that shows up is 120, however when doing a show port egress ge.X.X I do see both vlan 150 (untagged) and vlan 120 (tagged). I think the problem is the MAC address of the phone isn't added to FID 150. Any thoughts?

Thank you for the information, I have responded to James's comment. On another note, would you clarify how policy works for me? My biggest question is when you create rules is there an inherent deny or permit? If I create rules to specifically allow traffic will all other traffic be discarded? If not what is the best way to create a rule like that? Is there a good document on Policy out there I can review besides the Feature Guides and Config Guides?

JAMES_WIEDEL
New Contributor II
To manually do what you are asking (I think) do the following:
(Assuming the port is ge.1.4, data VLAN is 150 and voice VLAN is 120)

set port vlan ge.1.4 150 modify (the modify removes the port from all other VLANs)
set vlan egress 120 ge.1.4 tagged

show port egress ge.1.4 should now say something like
Port      Vlan   Egress      Registration
Number    Id     Status      Status
------------------------------------------------------------
ge.1.4    150    untagged    static
ge.1.4    120    tagged      static

You need to have the phone sending voice out tagged on vlan 1319 and the data port
on the phone will be 1306.

I strongly advise the use of the "modify" portion of the command to remove all other VLANs
on the port. Without it, it is possible to put multiple UNTAGGED VLANs onto a port and
get you and the data flow very confused. (Outbound from the switch would be no problem,
but inbound...)

You build trunk ports exactly the same way. Set vlan egress for each VLAN; the old assignments
remain. (clear vlan egress to remove a particular VLAN from a port)
James
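James's warning about ending up with several untagged VLANs on one port is easy to check for from the show port egress output. The parser below is an added example for this thread, not Enterasys code; its sample output is constructed from the two rows James shows plus a hypothetical ge.1.5 that was put into two VLANs untagged.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class EgressRow(NamedTuple):
    port: str
    vlan: int
    status: str        # 'tagged' or 'untagged'
    registration: str  # e.g. 'static'


# Constructed sample: ge.1.4 as shown in the reply above, plus a hypothetical
# ge.1.5 configured without "modify", so it carries two untagged VLANs.
SAMPLE_OUTPUT = """\
Port      Vlan   Egress      Registration
Number    Id     Status      Status
------------------------------------------------------------
ge.1.4    150    untagged    static
ge.1.4    120    tagged      static
ge.1.5    150    untagged    static
ge.1.5    4089   untagged    static
ge.1.5    120    tagged      static
"""

# Data rows only: header and separator lines have no numeric VLAN id in column 2.
ROW_RE = re.compile(r'^(\S+)\s+(\d+)\s+(tagged|untagged)\s+(\S+)\s*$')


def parse_egress(output: str) -> List[EgressRow]:
    """Turn captured 'show port egress' text into a list of rows."""
    rows: List[EgressRow] = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(EgressRow(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def egress_by_port(rows: List[EgressRow]) -> Dict[str, Dict[str, List[int]]]:
    """Group VLAN ids per port into 'untagged' and 'tagged' lists."""
    summary = defaultdict(lambda: {'untagged': [], 'tagged': []})
    for r in rows:
        summary[r.port][r.status].append(r.vlan)
    return dict(summary)


def ports_with_multiple_untagged(rows: List[EgressRow]) -> Dict[str, List[int]]:
    """Ports that egress more than one VLAN untagged: inbound untagged frames
    can only land in one VLAN (the PVID), so the others are misleading."""
    return {port: sorted(v['untagged'])
            for port, v in egress_by_port(rows).items()
            if len(v['untagged']) > 1}


if __name__ == '__main__':
    rows = parse_egress(SAMPLE_OUTPUT)
    for port, vlans in egress_by_port(rows).items():
        print(port, vlans)
    print('multiple untagged:', ports_with_multiple_untagged(rows))
```

Paste the real command output in place of SAMPLE_OUTPUT; any port listed by ports_with_multiple_untagged is one where a set port vlan ... modify would have cleared the leftover VLAN.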

James, thank you for the information. Setting up ports manually is not an issue, I am trying to use role based policy assignment via Radius. Most of this I have working except when it comes to our IP Phones. Vlan 120 (tagged) is applied as expected, which I verified running the command (show mac port ge.X.X) where the FID is 120. It's applying vlan 150 (untagged). The mac address does not get added to the FID for vlan 150. See configuration below.

#vlan
set vlan create 120
set vlan create 150
set vlan create 4089
set vlan name 120 "VoIP"
set vlan name 150 "ITS"
set vlan name 4089 "Guest"
clear vlan egress 1 ge.1.1-48
set vlan egress 120 ge.1.47-48 tagged
set vlan egress 150 ge.1.47-48 tagged
set vlan egress 4089 ge.1.47-48 tagged
set vlan egress 4089 ge.1.1-24 untagged
!
!
#eapol
set dot1x enable
set eapol enable
set eapol auth-mode forced-auth ge.1.47
set eapol auth-mode forced-auth ge.1.48
!
!
#macauthentication
set macauthentication enable
set macauthentication auth-mode radius-username
set macauthentication port enable ge.1.1-46
!
!
#multiauth
set multiauth port mode opt-auth ge.1.1-46
set multiauth port mode force-auth ge.1.47-48
set multiauth port numusers 2 ge.1.1-46
set multiauth precedence mac dot1x cep pwa
!
!

#nodealias
set nodealias disable ge.1.47
set nodealias disable ge.1.48
!
!

#policy
set policy maptable response both
set policy profile 1 name "Guest" cos-status enable cos 4
set policy profile 120 name "VoIP" pvid-status enable pvid 120 cos-status enable cos 5 egress-vlans 120 forbidden-vlans 4089 untagged-vlans 150
set policy profile 150 name "FAcStaff" pvid-status enable pvid 150
set policy rule 1 udpsourceport 68 mask 16 forward
set policy rule 1 udpdestport 53 mask 16 forward
set policy rule 1 udpdestport 67 mask 16 forward
set policy rule 1 tcpdestport 80 mask 16 forward
set policy rule 1 tcpdestport 443 mask 16 forward
set policy rule 1 tcpdestport 8080 mask 16 forward
set policy rule 1 ether 0x806 mask 16 forward
set policy rule 120 macsource 00-e0-00-00-00-00 mask 16 forward
set policy rule 120 udpsourceport 68 mask 16 forward
set policy rule 120 udpdestport 53 mask 16 forward
set policy rule 120 udpdestport 67 mask 16 forward
set policy rule 120 tcpdestport 80 mask 16 forward
set policy rule 120 tcpdestport 443 mask 16 forward
set policy rule 120 tcpdestport 8080 mask 16 forward
set policy rule 120 ipproto 1 mask 8 forward
set policy rule 120 ether 0x806 mask 16 forward
set policy port ge.1.1-46 1
!
!

#port
set port vlan ge.1.1-46 4089
!
!

#radius
set radius enable
set radius accounting enable
set radius accounting server 10.1.11.1 1813 XXXXXXXXXXXXXXX
set radius server 1 10.1.11.1 1812 XXXXXXXXXXX realm network-access
!
!

#spantree
set spantree adminedge ge.1.1-46 true

TEST-SWITCH(su)->show vlanauthorization

Vlan Authorization: - disabled

port       status    administrative   operational   authenticated       vlan id
                     egress           egress        mac address
-------    --------  --------------   -----------   -----------------   -------
ge.1.1-48  enabled   untagged
