Return only VLAN RADIUS VSA to Fabric Auto-Sense Port

Configterminal
Contributor

Hi - does anyone know if it's possible to keep all ports on a Fabric Switch with Auto-Sense configured and return only the VLAN VSA from a RADIUS server? The VLAN to I-SID association will already be configured on the switch manually.

This is similar to the VSAs returned to an ERS switch running in FA Standalone Proxy Mode as so (no I-SIDs necessary). It appears like a FLEX-UNI port (which the port becomes after auto-sense detects a client) requires an I-SID association to the VLAN.

FA-VLAN-ISID='48:0'
FA-VLAN-ISID='64:0'
FA-VLAN-ISID='72:0'
FA-VLAN-ISID='76:0'
FA-VLAN-ISID='108:0'
FA-VLAN-PVID='108'

1 ACCEPTED SOLUTION

Thanks for the Workflow, I will take a look at it. But I would actually argue that the solution I came to is easier to manage. You just create a Custom Variable per site called "AutoISIDOffset" and as part of ZTP+ the Fabric Switch can configure itself with the offset. Then with XIQ-SE all you need to do is send back Extreme-Dynamic-Client-Assignments=create=vlan,pv=10,ev=U,vn=DATA and it's a single policy mapping for all sites.

E.g.: If site one has an Auto-ISID-Offset configured as 1000 and you send back VLAN 10 it will auto configure the ISID to be 1010.

If site two has an Auto-ISID-Offset configured as 2000 and you send back VLAN 10 it will auto configure the ISID to be 2010.

Kind of a neat feature that's not really talked about that I happened to stumble across.
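
A pre-rollout check for the offset scheme described in this thread, as an added example that is not part of the original posts or Extreme's tooling: it assumes the computation stated above (I-SID = offset + VLAN ID), and the site names, offsets and VLAN IDs are constructed sample data. It flags offsets spaced so closely that two sites' VLANs resolve to the same I-SID, which matters where each site is meant to keep unique I-SIDs.

```python
# Added example: validate a per-site auto-ISID-offset plan before rollout.
# Assumption (from the thread): the switch computes I-SID = offset + VLAN ID.
from collections import defaultdict

ISID_MAX = 0xFFFFFF  # I-SID is a 24-bit field (IEEE 802.1ah)


def computed_isids(offset, vlans):
    """Return {vlan: isid} for one site using offset + VLAN ID."""
    return {vlan: offset + vlan for vlan in vlans}


def audit_plan(site_offsets, vlans):
    """Return (collisions, out_of_range) for a dict of site -> offset.

    collisions: {isid: sorted [(site, vlan), ...]} where more than one
    site/VLAN pair lands on the same I-SID.
    out_of_range: sorted [(site, vlan, isid)] outside 1..ISID_MAX.
    """
    users = defaultdict(list)
    out_of_range = []
    for site, offset in site_offsets.items():
        for vlan, isid in computed_isids(offset, vlans).items():
            if not 1 <= isid <= ISID_MAX:
                out_of_range.append((site, vlan, isid))
            users[isid].append((site, vlan))
    collisions = {i: sorted(u) for i, u in users.items() if len(u) > 1}
    return collisions, sorted(out_of_range)


if __name__ == "__main__":
    # Constructed sample data: offsets 1000 apart, as in the post's example,
    # with one VLAN ID above 1000 to show where that spacing breaks down.
    sites = {"site1": 1000, "site2": 2000}
    vlans = [10, 20, 1010]
    collisions, bad = audit_plan(sites, vlans)
    for isid, pairs in sorted(collisions.items()):
        print(f"I-SID {isid} shared by {pairs}")
    for site, vlan, isid in bad:
        print(f"{site} VLAN {vlan} -> I-SID {isid} is out of range")
```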


4 REPLIES

ExtremeNorth
New Contributor III

I assume you have a switch running VOSS (fabric-engine) since you said FLEX-UNI, so these responses are based on that assumption.

FLEX-UNI ports only require the I-SID, and don't utilize a VLAN when using the RADIUS VSAs. You can use the following VSA to add a service to a FLEX-UNI port:

FA-VLAN-ISID=0:xxxxx  - where xxxxx is the Fabric i-sid, or a variable like %CUSTOM1% to provide a dynamic assignment.

Terrel Hobbs

Thanks but I have 20 rules (1 per VLAN) and 75 sites. Each site uses unique isids per rule so that's roughly 1500+ policy mappings which is not scalable. I actually think I came across a solution but am currently testing.
You can configure an auto-isid-offset value on a switch and then just send back the VLAN assignment using the Extreme-Dynamic-Client-Assignment=pv=20, ev=U - and then it will add the VLAN to the isid offset and dynamically compute the ISID value for the VLAN.

You can import the policy mappings with a csv file. The script is in the Extreme Networks Github. The effort is almost peanuts to provision thousands of policy mappings.

Managing the i-sid in the policy mapping checking the location is a better solution from an operational point of view than playing with the i-sid index on the switches.

All the config is in the Control instead of having pieces of config spread on switches.

Regards,

Mig
