07-15-2024 07:45 AM
Hi - does anyone know if it's possible to keep all ports on a Fabric Switch with Auto-Sense configured and return only the VLAN VSA from a RADIUS server? The VLAN to I-SID association will already be configured on the switch manually.
This is similar to the VSAs returned to an ERS switch running in FA Standalone Proxy Mode, like so (no I-SIDs necessary). It appears that a FLEX-UNI port (which the port becomes after auto-sense detects a client) requires an I-SID association to the VLAN.
FA-VLAN-ISID='48:0'
FA-VLAN-ISID='64:0'
FA-VLAN-ISID='72:0'
FA-VLAN-ISID='76:0'
FA-VLAN-ISID='108:0'
FA-VLAN-PVID='108'
07-16-2024 08:45 AM
I assume you have a switch running VOSS (fabric-engine) since you said FLEX-UNI, so these responses are based on that assumption.
FLEX-UNI ports only require the I-SID, and don't utilize a VLAN when using the RADIUS VSAs. You can use the following VSA to add a service to a FLEX-UNI port:
FA-VLAN-ISID=0:xxxxx - where xxxxx is the Fabric i-sid, or a variable like %CUSTOM1% to provide a dynamic assignment.
Terrel Hobbs
07-16-2024 04:49 PM
Thanks, but I have 20 rules (1 per VLAN) and 75 sites. Each site uses unique I-SIDs per rule, so that’s roughly 1500+ policy mappings, which is not scalable. I actually think I came across a solution but am currently testing.
You can configure an auto-isid-offset value on a switch and then just send back the VLAN assignment using the Extreme-Dynamic-Client-Assignment=pv=20, ev=U - and then it will add the VLAN to the isid offset and dynamically compute the ISID value for the VLAN.
07-19-2024 03:31 AM
You can import the policy mappings with a csv file. The script is in the Extreme Networks Github. The effort is almost peanuts to provision thousands of policy mappings.
Managing the i-sid in the policy mapping, checking the location, is a better solution from an operational point of view than playing with the i-sid index on the switches.
All the config is in the Control instead of having pieces of config spread on switches.
Regards,
Mig
07-19-2024 05:25 AM - edited 07-19-2024 05:27 AM
Thanks for the Workflow, I will take a look at it. But I would actually argue that the solution I came to is easier to manage. You just create a Custom Variable per site called "AutoISIDOffset" and as part of ZTP+ the Fabric Switch can configure itself with the offset. Then with XIQ-SE all you need to do is send back Extreme-Dynamic-Client-Assignments=create=vlan,pv=10,ev=U,vn=DATA and it's a single policy mapping for all sites.
E.g.: If site one has an Auto-ISID-Offset configured as 1000 and you send back VLAN 10 it will auto configure the ISID to be 1010.
If site two has an Auto-ISID-Offset configured as 2000 and you send back VLAN 10 it will auto configure the ISID to be 2010.
Kind of a neat feature that's not really talked about that I happened to stumble across.
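
Added example, not part of the thread and not Extreme Networks code: a pre-deployment check for the offset scheme discussed above, which parses the assignment string, computes the I-SID each site would derive (offset + VLAN), and reports any I-SID that two sites would share. Assumptions: `pv` carries the VLAN ID as used in the thread, site names and the VLAN set are constructed, and only the offsets 1000 and 2000 come from the posts.

```python
# Constructed sample data: site names are hypothetical; the offsets are the
# thread's own examples (1000 and 2000).
SITE_OFFSETS = {"site-one": 1000, "site-two": 2000}
ISID_MAX = 0xFFFFFF  # an I-SID is a 24-bit value


def parse_assignment(value):
    """Split 'create=vlan,pv=10,ev=U,vn=DATA' into a dict of its fields."""
    fields = {}
    for item in value.split(","):
        key, sep, val = item.strip().partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field: {item!r}")
        fields[key] = val
    return fields


def vlan_from_assignment(value):
    """Return the VLAN ID, assuming 'pv' carries it as in the thread."""
    vlan = int(parse_assignment(value)["pv"])
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} out of range")
    return vlan


def computed_isid(offset, vlan):
    """I-SID a switch with this offset would derive for the VLAN."""
    isid = offset + vlan
    if not 1 <= isid <= ISID_MAX:
        raise ValueError(f"I-SID {isid} does not fit in 24 bits")
    return isid


def find_collisions(site_offsets, vlans):
    """Return (isid, site_a, vlan_a, site_b, vlan_b) for shared I-SIDs."""
    owners, collisions = {}, []
    for site, offset in sorted(site_offsets.items()):
        for vlan in sorted(vlans):
            isid = computed_isid(offset, vlan)
            if isid in owners:
                collisions.append((isid, *owners[isid], site, vlan))
            else:
                owners[isid] = (site, vlan)
    return collisions
```

An I-SID identifies one service across the whole fabric, so a reported collision means two sites' VLANs would land in the same segment; spacing the offsets wider than the highest VLAN ID in use avoids it.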