Why use a Flex UNI?

Anonymous
Not applicable

Hi,

Just looking through the automated campus EVD:

https://kapost-files-prod.s3.amazonaws.com/kapost/55ba7c9e07003d9aab000394/studio/content/5bd9c9a319...3de4d4f7e73/19904-Automated-Campus-EVD_v2.pdf

The query I have is in relation to page 90, where all host-attached interfaces will be set to use Flex-UNI, specifically Switched UNI, which I understand is a mapping of the combination of VLAN ID and port to an L2VSN, which allows you to re-use the VLAN IDs for a different VSN.

What I haven’t grasped is the reason to do it in this context, as an example here in the same section lists the I-SID mappings:

8d9a6783036f4cb99dd8650acb88dd27_eeacb941-d078-4133-b0de-61dd18578075.png

I see the reference that the VLAN IDs configured on the Leaf nodes are only a logical value, but it still only has a VLAN ID associated to an I-SID. I don’t see a re-use of a VLAN ID for a different I-SID, or an example of why that would be needed. What I can’t see is where in this case the requirement is dictating the need for it to be a flex port?

Maybe it simply has to be configured that way in the context of using DVR?

The only other time I’ve seen the use of a flex UNI is using fabric attach down to, say, an EXOS switch. Am I right in thinking the port will automatically be configured as a flex UNI? Again, I would be interested in the reasoning.

Appreciate there may be a lack of knowledge here, but sure there is a small component I am missing here for the light bulb moment.

Many thanks in advance.

1 ACCEPTED SOLUTION

Roger_Lapuh
Extreme Employee

Hi Martin

Yes, DVR, Fabric Attach and with VOSS 8.3 Auto-Sense and enhanced EAP/NEAP ports are/will be using Flex-UNIs.

Here are some of the reasons why we are using Flex-UNIs for these capabilities:

FA:

Using Flex-UNIs with Fabric Attach allowed us to avoid any VLAN collisions, meaning we did not have to worry about VLAN IDs when an FA device is signalling VLAN/ISIDs to an FA Server. The ISID defines to what service the traffic is mapped to, irrespective of the VLAN that was chosen on the FA link. This makes the solution much more robust and removes a lot of corner cases.

DVR:

DVR leafs are L2-only devices from the configuration perspective. CVLANs are typically used for L3 configurations. By using Flex-UNIs for DVR leafs, we were able to avoid any provisioning collisions on that level. ISID matching is the only thing that matters again.

Auto-Sense with VOSS 8.3:

Autosense with 8.3 will automatically put the port into a configuration state based on what it is connected to (NNI, FA, IP Phone port, EAP/NEAP port, Guest/onboarding port). Again, in order to avoid collisions and to better match up with FA port states, using Flex-UNI was a key reason as we don't have to create platform VLANs on demand. 

EAP/NEAP: 

RADIUS responses with VLAN and ISID: We wanted to avoid having to create platform VLANs on demand dynamically and possibly collide with user configurations; it is much more elegant to create a port-specific VID (VLAN-ID) and map it to an ISID. This is much less intrusive and again avoids collisions.

It is our vision that fabric edge switches should have as little configuration as possible on them and get services (VLAN/ISID) applied on demand through user authentication only if possible.

 

On devices where you want to enable routing interfaces, of course CVLANs are the VLANs of choice, but also there you can assign flex-UNI ports to the same ISIDs on the same box. 

 

Makes sense?

 

Roger

9 REPLIES 9

StephanH
Valued Contributor III

Hello Roger,

Thank you very much for the detailed explanation. You mentioned:

“On devices where you want to enable routing interfaces, of course CVLANs are the VLANs of choice, but also there you can assign flex-UNI ports to the same ISIDs on the same box.”

Are there other use cases in which a C-VLAN is better suited (or necessary) than a flex-UNI port?

Regards Stephan

Roger_Lapuh
Extreme Employee

Yes you got it, it is about looking at the ISIDs as connectivity service enablers. At the end, the users really care about IP subnets and how they are enabled. The VLAN or ISIDs are just an abstraction of that.

 

Roger

Anonymous
Not applicable

Thanks Mig & Roger, that really helps.

@Roger, it is getting used to the idea / mindset of the abstraction rather than the traditional, and putting it in the context of the I-SID being king rather than the VLAN. Seeing it as a service-driven architecture, instead of things being set in stone as before.

Appreciate both the responses. It has helped a lot in grasping the concept a bit better.

Many thanks.

 

Miguel-Angel_RO
Valued Contributor II

Martin,

 

Here is an example I use with IP Tel (and also APs) showing a use case for the same VLAN ID and different I-SIDs:

  1. The IP Phone comes out of the box and is plugged into a switch where EAPOL (MAC+802.1X) is configured
  2. The switch is advertising with LLDP-MED the voice VLAN ID, the tagging and the QoS to be used
  3. The IP Phone is coming out of the box with factory config and by this doing a MAC Auth
  4. The RADIUS detects the MAC OUI and the auth type (MAC Auth) => it assigns the voice VLAN with the I-SID of a staging VLAN in a DMZ behind the firewall. This is done using the flex-uni VLAN type
  5. The IP Phone is able to contact the provisioning server, gets the config and reboots
  6. At reboot the IP Phone is doing 802.1X auth (defined in the config file) => the RADIUS assigns the voice VLAN (same as in point 4) but with the production I-SID

So different ports can run the same VLAN but with different I-SIDs.

 

In the document you mention, the reason for such a config is a few pages before:

6b9cc6f76dc64ae2bd845d84fbd30141_26df1e8d-3bd7-4356-ada9-6e4d6e80f2f6.png

Mig
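
The staging/production flow in the post above, as an added example that is not part of the original thread and is not Extreme's code: a small Python model contrasting a switch-wide VLAN-to-I-SID table with Switched UNI bindings keyed on (port, VLAN ID). The VLAN ID, I-SID values, OUI, port names and the `radius_policy` function are all constructed assumptions.

```python
from dataclasses import dataclass, field

VOICE_VID = 100            # constructed voice VLAN ID advertised via LLDP-MED
STAGING_ISID = 20999       # constructed I-SID of the staging service in the DMZ
PRODUCTION_ISID = 20100    # constructed I-SID of the production voice service
PHONE_OUIS = {"00:11:22"}  # constructed OUI standing in for the phone vendor

class ProvisioningCollision(Exception):
    pass

def radius_policy(mac, auth_type):
    """Hypothetical RADIUS decision: same VLAN ID, I-SID chosen by auth type."""
    if auth_type == "802.1X":
        return VOICE_VID, PRODUCTION_ISID
    if auth_type == "MAC" and mac[:8].lower() in PHONE_OUIS:
        return VOICE_VID, STAGING_ISID
    return None  # unknown device: no service assigned

@dataclass
class PlatformVlanTable:
    """Switch-wide VLAN: one VLAN ID can map to only one I-SID."""
    vlan_to_isid: dict = field(default_factory=dict)

    def bind(self, port, vid, isid):
        if self.vlan_to_isid.setdefault(vid, isid) != isid:
            raise ProvisioningCollision(
                f"VLAN {vid} already mapped to I-SID {self.vlan_to_isid[vid]}")

@dataclass
class FlexUniTable:
    """Switched UNI: the key is (port, VLAN ID), so the VLAN ID is port-local."""
    bindings: dict = field(default_factory=dict)

    def bind(self, port, vid, isid):
        self.bindings[(port, vid)] = isid  # re-authentication replaces the binding

    def classify(self, port, vid):
        return self.bindings.get((port, vid))  # None: no service bound

def run_scenario(table):
    """Port 1/1: factory-fresh phone (MAC auth). Port 1/2: provisioned phone (802.1X)."""
    table.bind("1/1", *radius_policy("00:11:22:aa:bb:01", "MAC"))
    table.bind("1/2", *radius_policy("00:11:22:aa:bb:02", "802.1X"))
    return table
```

With the port-scoped table both phones keep VLAN 100 while the unprovisioned one stays confined to the staging service; the switch-wide table raises a collision on the second bind.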
