This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

4048 onboarding-vlan in VOSS 8.2

4048 onboarding-vlan in VOSS 8.2

Go to solution
tfsnetman
Contributor

‎11-02-2020 03:54 AM

Hello,

On a new GNS3 VSP switch running VOSS 8.2 all ports are members of vlan 4048 called onboarding-vlan.

Haven’t seen this before and I was wondering what it is being used for.

Thanks, Klaus

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Roger_Lapuh
Extreme Employee

‎11-02-2020 07:45 AM

Hi Klaus

 

With release 8.2 we have introduced the first step of zero-touch-onboarding. With 8.3 we will be introducing the second step. Step 1 is a per device functionality, while 8.3 will be expanding it to be a network wide onboarding solution. 

8.2 puts all ports by default into a private VLAN, with 8.3 this PVLAN is extended to be a network wide ETREE. The idea is that the ETREE is terminated at one switch that provides access to the network management segment (DHCP, DNS, XMC, XIQ, Radius...). In addition, in 8.3 all ports will be up by default. This means, that you can power up a device and then it will:

  1. enable its ports
  2. make all ports member of the onboarding PVLAN/ISID 4048
  3. make all ports auto-sense
  4. auto-sense ports will detect whether they are connected to another fabric node, FA device, or regular device and then automatically bring up the ports accordingly. This means zero-touch-fabric will establish your fabric without any manual intervention. The only thing is that there needs to be a nick-name-server enabled somewhere in the fabric and access to the management segment provided.
  5. non network devices will end up in the onboarding pvlan/ETREE and thus won’t be able to communicate with each other, but only with the onboarding / management segment.

The reason for the PVLAN/ETREE is to ensure we don’t just create an onboarding flooding domain that includes all ports of the network, but a securely segmented onboarding segment where devices can only "see” the management segment and nothing else.

For details and a demo of this, please go to my Extreme vConnect session under the ITWarrior topic. 

 

I hope this helps.

 

Roger

 

View solution in original post

0 Kudos
7 REPLIES 7

Go to solution
Roger_Lapuh
Extreme Employee

‎11-02-2020 07:45 AM

Hi Klaus

 

With release 8.2 we have introduced the first step of zero-touch-onboarding. With 8.3 we will be introducing the second step. Step 1 is a per device functionality, while 8.3 will be expanding it to be a network wide onboarding solution. 

8.2 puts all ports by default into a private VLAN, with 8.3 this PVLAN is extended to be a network wide ETREE. The idea is that the ETREE is terminated at one switch that provides access to the network management segment (DHCP, DNS, XMC, XIQ, Radius...). In addition, in 8.3 all ports will be up by default. This means, that you can power up a device and then it will:

  1. enable its ports
  2. make all ports member of the onboarding PVLAN/ISID 4048
  3. make all ports auto-sense
  4. auto-sense ports will detect whether they are connected to another fabric node, FA device, or regular device and then automatically bring up the ports accordingly. This means zero-touch-fabric will establish your fabric without any manual intervention. The only thing is that there needs to be a nick-name-server enabled somewhere in the fabric and access to the management segment provided.
  5. non network devices will end up in the onboarding pvlan/ETREE and thus won’t be able to communicate with each other, but only with the onboarding / management segment.

The reason for the PVLAN/ETREE is to ensure we don’t just create an onboarding flooding domain that includes all ports of the network, but a securely segmented onboarding segment where devices can only "see” the management segment and nothing else.

For details and a demo of this, please go to my Extreme vConnect session under the ITWarrior topic. 

 

I hope this helps.

 

Roger

 

0 Kudos

Go to solution
KlausD
New Contributor II
In response to Roger_Lapuh

‎06-21-2023 11:00 PM

Hello,

I hope, you are well.
I am testing the onboarding / ZTP of a universal 5540 switch but cannot get to the DHCP server.

Physical connection:

5540 -> 5520 (vIST) SMLT -> FortiGate (LAG)

All switches are on 8.10.0.0 (GA)

DHCP server is on the FortiGate and VLAN 4048 is a subinterface of the LAG - with a DHCP server configured.
When adding VLAN 4048 to the SMLT on the 5520 I am getting an error

Error: MLTs added to the private-vlan must have private-vlan type set to isolated, promiscuous, or trunk.

Core-2:1(config)#mlt 13 private-vlan trunk

Error: This MLT is used for link aggregation(LACP)

Thank you,
Klaus

0 Kudos

Go to solution
Miguel-Angel_RO
Valued Contributor II

‎11-02-2020 07:24 AM

Klaus,

 

A lof of info is in the doc d30a9f6328094821946824f98fb4f1d7_1f609.png

Zero Touch Deployment Configuration

With Zero Touch Deployment, the switch configuration consists of the following:

• The ssh and sshd boot configuration flags are enabled by default.

• All ports are Private VLAN isolated ports.

• VLAN 4048 is created for host-only connectivity as the In Band management interface. Port 1/8 is the only member of VLAN 4048 on the XA1400 Series.

 

Regards

Mig

0 Kudos
GTM-P2G8KFN