
4048 onboarding-vlan in VOSS 8.2

tfsnetman
Contributor

Hello,

On a new GNS3 VSP switch running VOSS 8.2 all ports are members of vlan 4048 called onboarding-vlan.

Haven’t seen this before and I was wondering what it is being used for.

Thanks, Klaus

1 ACCEPTED SOLUTION

Roger_Lapuh
Extreme Employee

Hi Klaus

 

With release 8.2 we have introduced the first step of zero-touch-onboarding. With 8.3 we will be introducing the second step. Step 1 is a per-device functionality, while 8.3 will be expanding it to be a network-wide onboarding solution.

8.2 puts all ports by default into a private VLAN; with 8.3 this PVLAN is extended to be a network-wide ETREE. The idea is that the ETREE is terminated at one switch that provides access to the network management segment (DHCP, DNS, XMC, XIQ, Radius...). In addition, in 8.3 all ports will be up by default. This means that you can power up a device and then it will:

  1. enable its ports
  2. make all ports members of the onboarding PVLAN/ISID 4048
  3. make all ports auto-sense
  4. auto-sense ports will detect whether they are connected to another fabric node, FA device, or regular device and then automatically bring up the ports accordingly. This means zero-touch-fabric will establish your fabric without any manual intervention. The only thing is that there needs to be a nick-name server enabled somewhere in the fabric and access to the management segment provided.
  5. non-network devices will end up in the onboarding PVLAN/ETREE and thus won’t be able to communicate with each other, but only with the onboarding / management segment.

The reason for the PVLAN/ETREE is to ensure we don’t just create an onboarding flooding domain that includes all ports of the network, but a securely segmented onboarding segment where devices can only "see" the management segment and nothing else.

For details and a demo of this, please go to my Extreme vConnect session under the ITWarrior topic. 

 

I hope this helps.

 

Roger
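As an added illustration (not Roger's or Extreme's code, and not VOSS CLI), here is a small Python reachability model of the isolation rule the post describes: isolated ports send into the secondary VLAN, which only promiscuous ports (the management-segment side) receive, while trunk ports carry both tags between switches unchanged. The switch names, port numbers and two-switch topology are constructed for the example.

```python
from collections import deque

ISOLATED, PROMISCUOUS, TRUNK = "isolated", "promiscuous", "trunk"
PRIMARY, SECONDARY = "primary", "secondary"

# switch -> {port: PVLAN role}; constructed to mirror the thread's topology:
# access switch with isolated edge ports, core switch whose MLT towards the
# firewall/DHCP server is the promiscuous side of the onboarding VLAN.
PORTS = {
    "5540": {"1/1": ISOLATED, "1/2": ISOLATED, "1/49": TRUNK},
    "5520": {"1/3": ISOLATED, "1/49": TRUNK, "mlt13": PROMISCUOUS},
}
# trunk links between switches, both directions
LINKS = {("5540", "1/49"): ("5520", "1/49"), ("5520", "1/49"): ("5540", "1/49")}


def egress_allowed(tag, role):
    """May a frame carrying this PVLAN tag leave through a port of this role?"""
    if role == TRUNK:
        return True                 # trunks relay both VLANs, tag unchanged
    if tag == SECONDARY:
        return role == PROMISCUOUS  # isolated-to-isolated is dropped
    return True                     # primary VLAN reaches every edge port


def reachable(src_switch, src_port):
    """Edge ports (switch, port) that receive a frame sent from src."""
    # isolated ports send in the secondary VLAN, promiscuous ones in the primary
    tag = SECONDARY if PORTS[src_switch][src_port] == ISOLATED else PRIMARY
    seen, out = {src_switch}, set()
    queue = deque([(src_switch, src_port)])
    while queue:
        sw, in_port = queue.popleft()
        for port, role in PORTS[sw].items():
            if port == in_port or not egress_allowed(tag, role):
                continue
            if role == TRUNK:
                peer_sw, peer_port = LINKS[(sw, port)]
                if peer_sw not in seen:       # no loops in this model
                    seen.add(peer_sw)
                    queue.append((peer_sw, peer_port))
            else:
                out.add((sw, port))
    return out


def can_talk(a, b):
    """True if endpoint a's frames are delivered to endpoint b."""
    return b in reachable(*a)
```

Running it shows an onboarding device on 5540 port 1/1 reaching only the promiscuous MLT (the management segment), never the other isolated ports, while the management side reaches every device.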

 


7 REPLIES

KlausD
New Contributor II

Hello,

I hope you are well.
I am testing the onboarding / ZTP of a universal 5540 switch but cannot get to the DHCP server.

Physical connection:

5540 -> 5520 (vIST) SMLT -> FortiGate (LAG)

All switches are on 8.10.0.0 (GA)

DHCP server is on the FortiGate and VLAN 4048 is a subinterface of the LAG - with a DHCP server configured.
When adding VLAN 4048 to the SMLT on the 5520 I am getting an error

Error: MLTs added to the private-vlan must have private-vlan type set to isolated, promiscuous, or trunk.

Core-2:1(config)#mlt 13 private-vlan trunk

Error: This MLT is used for link aggregation(LACP)

Thank you,
Klaus

Miguel-Angel_RO
Valued Contributor II

Klaus,

 

A lot of info is in the doc:

Zero Touch Deployment Configuration

With Zero Touch Deployment, the switch configuration consists of the following:

• The ssh and sshd boot configuration flags are enabled by default.

• All ports are Private VLAN isolated ports.

• VLAN 4048 is created for host-only connectivity as the In Band management interface. Port 1/8 is the only member of VLAN 4048 on the XA1400 Series.

 

Regards

Mig
