12-17-2020 10:39 AM
Hi,
Just looking through the automated campus EVD:
https://kapost-files-prod.s3.amazonaws.com/kapost/55ba7c9e07003d9aab000394/studio/content/5bd9c9a319...3de4d4f7e73/19904-Automated-Campus-EVD_v2.pdf
The query I have is in relation to page 90, where all host attached interfaces will be set to use Flex-UNI, specifically Switched UNI, which I understand is a combination of the VLAN ID and port to a L2VSN, which allows you to re-use the VLAN IDs to a different VSN.
What I haven’t grasped is the reason to do it in this context. As an example, the same section lists the I-SID mappings:
I see the reference that the VLAN IDs configured on the Leaf nodes are only a logical value, but it still only has a VLAN ID associated to an I-SID. I don’t see a re-use of a VLAN ID to a different I-SID, or an example of why that would be needed. What I can’t see is where in this case the requirement is dictating the need for it to be a flex port?
Maybe it simply has to be configured that way in the context of using DVR?
The only other time I’ve seen the use of a flex UNI is using fabric attach down to, say, an EXOS switch. Am I right in thinking the port will automatically be configured as a flex UNI? Again, I would be interested in the reasoning.
Appreciate there may be a lack of knowledge here, but I'm sure there is a small component I am missing here for the light bulb moment.
Many thanks in advance.
12-17-2020 11:04 AM
Hi Martin,
Yes, DVR, Fabric Attach and, with VOSS 8.3, Auto-Sense and enhanced EAP/NEAP ports are/will be using Flex-UNIs.
Here are some of the reasons why we are using Flex-UNIs for these capabilities:
FA:
Using Flex-UNIs with Fabric Attach allowed us to avoid any VLAN collisions, meaning we did not have to worry about VLAN IDs when an FA device is signalling VLAN/ISIDs to an FA Server. The ISID defines what service the traffic is mapped to, irrespective of the VLAN that was chosen on the FA link. This makes the solution much more robust and removes a lot of corner cases.
DVR:
DVR leafs are L2-only devices from the configuration perspective. CVLANs are typically used for L3 configurations. By using Flex-UNIs for DVR leafs, we were able to avoid any provisioning collisions on that level. ISID matching is the only thing that matters again.
Auto-Sense with VOSS 8.3:
Autosense with 8.3 will automatically put the port into a configuration state based on what it is connected to (NNI, FA, IP Phone port, EAP/NEAP port, Guest/onboarding port). Again, in order to avoid collisions and to better match up with FA port states, using Flex-UNI was a key reason as we don't have to create platform VLANs on demand.
EAP/NEAP:
RADIUS responses with VLAN and ISID: We wanted to avoid having to create platform VLANs on demand dynamically and possibly collide with user configurations; it is much more elegant to create a port-specific VID (VLAN-ID) and map it to an ISID. This is much less intrusive and again avoids collisions.
It is our vision that fabric edge switches should have as little configurations as possible on them and get services (VLAN/ISID) applied on demand through user authentication only if possible.
On devices where you want to enable routing interfaces, of course CVLANs are the VLANs of choice, but also there you can assign flex-UNI ports to the same ISIDs on the same box.
Makes sense?
Roger
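A simplified model of the collision argument in the reply above, added as an illustration and not taken from the thread or from Extreme's software. The class names, port numbers, VLAN IDs and I-SIDs are all constructed; it only contrasts a switch-wide VLAN-to-I-SID table with a per-port (port, VID)-to-I-SID table.

```python
# Simplified model for illustration (an assumption, not VOSS internals).
class Collision(Exception):
    pass

class CvlanSwitch:
    """Platform VLAN (CVLAN): the VLAN ID is switch-wide and maps to one I-SID."""
    def __init__(self):
        self.vlan_to_isid = {}   # vid -> isid
        self.members = set()     # (port, vid)

    def bind(self, port, vid, isid):
        current = self.vlan_to_isid.get(vid)
        if current not in (None, isid):
            raise Collision(f"VLAN {vid} is already mapped to I-SID {current}")
        self.vlan_to_isid[vid] = isid
        self.members.add((port, vid))

    def classify(self, port, vid):
        return self.vlan_to_isid.get(vid) if (port, vid) in self.members else None

class FlexUniSwitch:
    """Switched UNI: the (port, VID) pair maps to an I-SID; the VID is port-local."""
    def __init__(self):
        self.uni_to_isid = {}    # (port, vid) -> isid

    def bind(self, port, vid, isid):
        current = self.uni_to_isid.get((port, vid))
        if current not in (None, isid):
            raise Collision(f"{port} VID {vid} is already mapped to I-SID {current}")
        self.uni_to_isid[(port, vid)] = isid

    def classify(self, port, vid):
        return self.uni_to_isid.get((port, vid))

# Constructed sample: bindings as FA signalling or RADIUS might request them.
REQUESTS = [("1/1", 10, 20010), ("1/2", 10, 20099), ("1/3", 30, 20030)]

def apply_all(switch, requests):
    """Apply each (port, vid, isid) binding; return the ones that collided."""
    rejected = []
    for port, vid, isid in requests:
        try:
            switch.bind(port, vid, isid)
        except Collision:
            rejected.append((port, vid, isid))
    return rejected

if __name__ == "__main__":
    print("CVLAN rejected:   ", apply_all(CvlanSwitch(), REQUESTS))
    print("Flex-UNI rejected:", apply_all(FlexUniSwitch(), REQUESTS))
```

In the CVLAN model the second request is rejected because VID 10 is already tied to another I-SID switch-wide; in the Flex-UNI model the same VID on a different port maps cleanly to its own I-SID.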
03-11-2021 11:42 AM
Came across another component to consider when using a CVLAN, based on XMC 8.5.26.
In the help under ‘Import a Configuration to a Service Definition’
“Currently only CVLAN UNI services are supported in Release 8.4. Switched and Transparent UNI support will be added in a future release.”
Not a biggy, but just adding as something to be aware of.
12-17-2020 02:42 PM
One use case where the CVLAN is mandatory:
If you want to enable IGMP snooping, you can only do it on a CVLAN, as it is a CVLAN attribute.
Mig
12-17-2020 01:35 PM
Prior to VOSS Release 8.3 you did need CVLANs for EAP authentication. With 8.3 EAP and NEAP (MAC based) will be using Flex-UNI (incl. auto-sense). So you can do MHMV as well as MHSA with Flex-UNI ports.
@StephanH I would say you do need a CVLAN whenever you need Unicast or Multicast routing interfaces; other than that, a Flex UNI is fine. I am sure some folks here will point out some other cases where CVLANs have to be used (for example, PVLAN will require it currently as well).
Again, you can create an internal CVLAN with ISID and then attach Flex-UNI ports to the same ISID on a switch.
Roger
12-17-2020 01:30 PM
StephanH,
Personally, I tried to avoid CVLANs as much as possible.
Where I can, I go for Fabric Connect up to the edge having edge switches with only B-VLANs configured and all ports with EAPOL.
Unfortunately some (old or not) devices (mainly in health-care and building automation domains) have very bad network stacks and the authentication+flex-uni doesn’t fit.
In those cases I still need to hard-code a CVLAN on the ports.
Mig