11-02-2020 03:54 AM
Hello,
On a new GNS3 VSP switch running VOSS 8.2 all ports are members of vlan 4048 called onboarding-vlan.
Haven’t seen this before and I was wondering what it is being used for.
Thanks, Klaus
11-02-2020 07:45 AM
Hi Klaus
With release 8.2 we have introduced the first step of zero-touch-onboarding. With 8.3 we will be introducing the second step. Step 1 is a per device functionality, while 8.3 will be expanding it to be a network wide onboarding solution.
8.2 puts all ports by default into a private VLAN, with 8.3 this PVLAN is extended to be a network wide ETREE. The idea is that the ETREE is terminated at one switch that provides access to the network management segment (DHCP, DNS, XMC, XIQ, Radius...). In addition, in 8.3 all ports will be up by default. This means, that you can power up a device and then it will:
The reason for the PVLAN/ETREE is to ensure we don’t just create an onboarding flooding domain that includes all ports of the network, but a securely segmented onboarding segment where devices can only "see" the management segment and nothing else.
For details and a demo of this, please go to my Extreme vConnect session under the ITWarrior topic.
I hope this helps.
Roger
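A small model of the forwarding rule Roger describes, as an added example that is not part of the thread: isolated onboarding ports can reach only the promiscuous port (or a trunk carrying the PVLAN toward it), never each other. Port names and the simplified rule set are assumptions for illustration, not VOSS code.

```python
from dataclasses import dataclass
from enum import Enum


class PortType(Enum):
    ISOLATED = "isolated"        # default onboarding ports (8.2)
    PROMISCUOUS = "promiscuous"  # port facing the management segment
    TRUNK = "trunk"              # carries the PVLAN between switches


@dataclass(frozen=True)
class Port:
    name: str
    ptype: PortType


def pvlan_allows(src: Port, dst: Port) -> bool:
    """Simplified private-VLAN forwarding decision (assumption):
    isolated -> isolated is dropped; everything else is forwarded.
    This is what keeps onboarding devices from seeing one another."""
    if src.name == dst.name:
        return False
    if src.ptype is PortType.ISOLATED and dst.ptype is PortType.ISOLATED:
        return False
    return True


def reachable_from(src: Port, ports: list[Port]) -> list[str]:
    """Names of ports that a frame from `src` may be flooded to."""
    return sorted(p.name for p in ports if pvlan_allows(src, p))


# Constructed sample: three access ports in VLAN 4048, one uplink,
# one trunk toward the switch that terminates the onboarding segment.
SAMPLE_PORTS = [
    Port("1/1", PortType.ISOLATED),
    Port("1/2", PortType.ISOLATED),
    Port("1/3", PortType.ISOLATED),
    Port("1/48", PortType.PROMISCUOUS),
    Port("2/1", PortType.TRUNK),
]
```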
06-21-2023 11:00 PM
Hello,
I hope, you are well.
I am testing the onboarding / ZTP of a universal 5540 switch but cannot get to the DHCP server.
Physical connection:
5540 -> 5520 (vIST) SMLT -> FortiGate (LAG)
All switches are on 8.10.0.0 (GA)
DHCP server is on the FortiGate and VLAN 4048 is a subinterface of the LAG - with a DHCP server configured.
When adding VLAN 4048 to the SMLT on the 5520 I am getting an error
Error: MLTs added to the private-vlan must have private-vlan type set to isolated, promiscuous, or trunk.
Core-2:1(config)#mlt 13 private-vlan trunk
Error: This MLT is used for link aggregation(LACP)
Thank you,
Klaus
11-02-2020 07:24 AM
Klaus,
A lot of info is in the doc
Zero Touch Deployment Configuration
With Zero Touch Deployment, the switch configuration consists of the following:
• The ssh and sshd boot configuration flags are enabled by default.
• All ports are Private VLAN isolated ports.
• VLAN 4048 is created for host-only connectivity as the In Band management interface. Port 1/8 is the only member of VLAN 4048 on the XA1400 Series.
Regards
Mig