10-11-2023 07:28 AM - edited 10-11-2023 07:30 AM
Hello,
We're having an issue in our onboarding VLAN.
Since we use IS-IS authentication, a newly connected device on an autosense port will get auto-sense state NNI-ONBOARDING and not be immediately allowed into the fabric.
The problem that we have is that it's able to obtain an IP address (and DNS server and default gw) in VLAN 4048 from our DHCP server, but nothing else is working, like access to DNS etc.
For example, I can see our firewall arping for the new switch on the onboarding LAN but no reply.
It looks like broadcast is working fine in that scenario (DHCP is all broadcasts until the IP address is obtained) but the rest is not working (unicasts). I suspect it has something to do with 4048 being a PVLAN (private VLAN) and the way we are egressing it out to the rest of our network where for example our DNS is located (no fabric).
---> On the switch to be onboarded everything is standard
# show run mod i-sid
...
i-sid name 15999999 "Onboarding I-SID"
...
i-sid 15999999 elan
exit
# show run mod vlan
...
vlan create 4048 name "onboarding-vlan" type pvlan-mstprstp 0 secondary 4049
vlan i-sid 4048 15999999
---> On the switch(es) egressing the VLAN to the network with DHCP, DNS etc. it's done like this
i-sid 15999999 elan
c-vid 20 mlt 99
exit
vlan create 4048 name "onboarding-vlan" type pvlan-mstprstp 0 secondary 4049
vlan i-sid 4048 15999999
I.e. onboarding VLAN on the traditional infra is VLAN 20.
Fabric Engine User Guide 8.8 on page 856 writes about these things, but it's not clear to me.
For example it says
"The same I-SID could be attached to a regular VLAN. In that case, all ports on the regular VLAN behave like Promiscuous ports on the PVLAN."
But it also says
"The CVLAN ID must match the primary PVLAN ID"
I suspect it has something to do with this, but from the user guide I don't understand exactly how they would want this to be set up so that it works.
Thanks
Marki
PS. VOSS 8.8.1.0
10-12-2023 07:32 AM
Your config is correct. You are using a PVLAN on your second switch, with the same matching VIDs 4048 & 4049.
If your 2nd switch was not using a PVLAN you could have created it like this:
vlan create 4048 name "onboarding-vlan" type port-mstprstp 0
But, still using VID 4048.
This is a constraint of L2VSNs created with terminating Private-VLANs: the service becomes an E-TREE service, and the Q-tags are used to enforce the Private VLAN restriction that Isolated end-points (using 4049) cannot talk to other Isolated end-points, but only to Promiscuous end-points (using 4048).
Can you try again with 8.10.2.0 ?
There is a fix there that should make onboarding with an ISIS auth key set work better.
This depends on the topology. The problem normally was if the onboarding switch has 2 uplinks into two separate distribution switches and both go into NNI-ONBOARDING state; it's a race condition, and the distribution switches can end up pointing the onboarding switch's MAC to each other instead of to the relevant port. With 8.10.2.0 the onboarding switch will use only the 1st NNI-ONBOARDING port.
But if you just have the 2 switches with just one NNI-ONBOARDING link, it should work already.
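The reply above says the bindings are correct because every switch attaches I-SID 15999999 to the same VID 4048 (and, where a PVLAN is used, the same secondary 4049), and that a regular port VLAN with the same VID would also be acceptable. The following script is an added example, not code from this thread or from Extreme Networks: it parses constructed config snippets in the style of the `vlan create` / `vlan i-sid` lines posted above and reports any switch whose I-SID-to-VID (or secondary VID) binding disagrees with the others. The switch names and the mismatched fourth switch are invented for illustration.

```python
"""Cross-switch consistency check for an L2VSN (I-SID) terminated on PVLANs.

Added example (not from the thread or the vendor). Rules applied, taken from
the reply above: every switch that binds a given I-SID must use the same VLAN
ID, and every switch that binds it on a PVLAN must use the same secondary VID.
A regular port VLAN with the matching VID on one switch is allowed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Matches lines such as:
#   vlan create 4048 name "onboarding-vlan" type pvlan-mstprstp 0 secondary 4049
#   vlan create 4048 name "onboarding-vlan" type port-mstprstp 0
VLAN_CREATE = re.compile(
    r'^vlan create (?P<vid>\d+)(?: name "[^"]*")? type (?P<vtype>[\w-]+)'
    r'(?: \d+)?(?: secondary (?P<sec>\d+))?\s*$'
)
# Matches:  vlan i-sid 4048 15999999
VLAN_ISID = re.compile(r'^vlan i-sid (?P<vid>\d+) (?P<isid>\d+)\s*$')


@dataclass
class VlanBinding:
    vid: int
    vtype: str                     # e.g. "pvlan-mstprstp" or "port-mstprstp"
    secondary: Optional[int]       # secondary VID, PVLANs only
    isid: Optional[int] = None     # I-SID the VLAN is attached to, if any


def parse_vlans(config: str) -> dict:
    """Parse the 'vlan create' and 'vlan i-sid' lines of one switch's config."""
    vlans = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = VLAN_CREATE.match(line)
        if m:
            sec = m.group("sec")
            vid = int(m.group("vid"))
            vlans[vid] = VlanBinding(vid, m.group("vtype"),
                                     int(sec) if sec else None)
            continue
        m = VLAN_ISID.match(line)
        if m:
            vid = int(m.group("vid"))
            if vid not in vlans:
                raise ValueError(f"'vlan i-sid' for VLAN {vid} before 'vlan create'")
            vlans[vid].isid = int(m.group("isid"))
    return vlans


def check_isid_consistency(configs: dict) -> list:
    """Return a list of problem strings; an empty list means the bindings agree."""
    per_isid = {}
    for switch, cfg in configs.items():
        for b in parse_vlans(cfg).values():
            if b.isid is not None:
                per_isid.setdefault(b.isid, []).append((switch, b))

    problems = []
    for isid, members in sorted(per_isid.items()):
        # Rule 1: one VID per I-SID across all switches (PVLAN or regular VLAN).
        if len({b.vid for _, b in members}) > 1:
            where = ", ".join(f"{sw}: vlan {b.vid}" for sw, b in members)
            problems.append(f"I-SID {isid} bound to different VIDs: {where}")
        # Rule 2: switches using a PVLAN must agree on the secondary VID too.
        pvlans = [(sw, b) for sw, b in members if b.vtype.startswith("pvlan")]
        if len({b.secondary for _, b in pvlans}) > 1:
            where = ", ".join(f"{sw}: secondary {b.secondary}" for sw, b in pvlans)
            problems.append(f"I-SID {isid} PVLAN secondary VIDs differ: {where}")
    return problems


# Constructed sample snippets (switch names are invented for illustration).
ONBOARDING_SWITCH = """
vlan create 4048 name "onboarding-vlan" type pvlan-mstprstp 0 secondary 4049
vlan i-sid 4048 15999999
"""
EGRESS_SWITCH_PVLAN = """
vlan create 4048 name "onboarding-vlan" type pvlan-mstprstp 0 secondary 4049
vlan i-sid 4048 15999999
"""
EGRESS_SWITCH_REGULAR = """
vlan create 4048 name "onboarding-vlan" type port-mstprstp 0
vlan i-sid 4048 15999999
"""
MISMATCHED_SWITCH = """
vlan create 4050 name "onboarding-vlan" type pvlan-mstprstp 0 secondary 4051
vlan i-sid 4050 15999999
"""

GOOD_CONFIGS = {"onboard-sw": ONBOARDING_SWITCH,
                "egress-pvlan": EGRESS_SWITCH_PVLAN,
                "egress-regular": EGRESS_SWITCH_REGULAR}
BAD_CONFIGS = dict(GOOD_CONFIGS, **{"egress-wrong": MISMATCHED_SWITCH})

if __name__ == "__main__":
    for label, cfgs in (("good", GOOD_CONFIGS), ("bad", BAD_CONFIGS)):
        print(label, check_isid_consistency(cfgs) or "consistent")
```

Feed it the `show run mod vlan` output of each switch that terminates the onboarding I-SID; a non-empty result points at the switch whose VID or secondary VID does not match the others.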
10-12-2023 07:49 AM - edited 10-12-2023 07:49 AM
Hmm, so it's correct but it's not working; as described, there is no connectivity, e.g. to DNS.
There are no multiple uplinks.
What can I check?
When you write "if your 2nd switch was not using a PVLAN you could have created it like this:"
And then you write: "vlan create 4048 name "onboarding-vlan" type port-mstprstp 0"
What does it mean? (That wouldn't be a private vlan?)
Thanks