Mac Authentication, Dynamic VLANs and Silent Devices

Erik_Auerswald
Hi,

If dynamic VLAN assignment is used together with MAC authentication, so-called silent devices pose a problem.

A silent device in this context is any end system that does not regularly send data. This results in both the MAC address and authentication session timing out sooner or later. Because the device's VLAN was assigned dynamically, with the end of the authentication session the VLAN is removed from the port. Thus the device is no longer reachable, because no frame, not even the ARP broadcast (or ND multicast) searching for the device's MAC will reach the device.

Common examples are printers, card readers, or even small 4-port switches installed in cable channels. Devices that are switched off but react to wake-on-LAN (WoL) packets fall into this category, too.

I know of two common strategies to handle those devices:
  1. Add the device's VLAN as untagged to the port's VLAN egress list
  2. Regularly contact the device so that neither MAC nor authentication time out
Method number one works fine on EOS devices, but is not available on all EXOS devices. At least some Broadcom FASTPATH based devices support this as well, but I haven't checked the Extreme 200 series yet.

EXOS devices with OnePolicy support can use a policy to add untagged VLANs to the egress list of the port (this works on EOS as well).

A variant of the first method can be used with EXOS for wake-on-LAN devices, by using a UDP profile that moves WoL packets to a VLAN configured statically on the port (see e.g. How to Allow Wake on LAN Magic Packets to be forwarded across vlans in EXOS). This works for UDP packets only, not for ARP or ND and thus cannot be used as a general silent device solution.

The second method can be implemented with EXOS switches, if the ARP timer is set low enough to expire before MAC and authentication session expire, and using ARP refresh (on by default).

Another method is to add the device to some monitoring software. Ping monitoring with a high enough frequency (not less than once inside the MAC and authentication timeout periods) suffices. This can be done with Extreme Management Center (EMC licensing depends on the number of monitored devices). Open-source software (e.g. Nagios or Icinga) can be used as well.

I have seen all of the above strategies used with success. Can anyone add additional methods to the list?

Thanks,
Erik
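The timing argument behind the second and third methods (a refresh must arrive before the shorter of the MAC aging time and the authentication session timeout, and a refresh that arrives too late cannot reach the device any more) can be played through with a small timer model. This is an added illustration, not code from the original post or from any switch vendor; the timer values and traffic events are constructed.

```python
"""Toy timer model of a MAC-authenticated port with a dynamic VLAN (constructed
example, not vendor code).  Any frame from the device re-learns its MAC and
refreshes the authentication session; once either timer expires the dynamic
VLAN is withdrawn, and frames from the network (ARP, ND, ping) no longer reach
the device, so they cannot bring it back.  Only a frame the device sends on its
own (e.g. at link-up) can."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthPort:
    mac_age_s: float           # FDB aging time (constructed value)
    session_timeout_s: float   # authentication session idle timeout
    last_frame: Optional[float] = None

    def vlan_present(self, t: float) -> bool:
        if self.last_frame is None:
            return False
        idle = t - self.last_frame
        return idle < self.mac_age_s and idle < self.session_timeout_s

    def frame(self, t: float, from_device: bool) -> bool:
        """Deliver a frame at time t.  Returns True if it refreshed the timers."""
        if not from_device and not self.vlan_present(t):
            return False            # port has no VLAN for the device: dropped
        self.last_frame = t         # device frame, or the device's reply to ours
        return True


def unreachable_windows(port, events, horizon_s, step_s=1.0):
    """events: sorted list of (time, from_device).  Returns the (start, end)
    windows, sampled every step_s, in which the device is unreachable."""
    events, windows, start, t = list(events), [], None, 0.0
    while t <= horizon_s:
        while events and events[0][0] <= t:
            port.frame(*events.pop(0))
        if not port.vlan_present(t) and start is None:
            start = t
        elif port.vlan_present(t) and start is not None:
            windows.append((start, t))
            start = None
        t += step_s
    if start is not None:
        windows.append((start, horizon_s))
    return windows


def keepalive_period(mac_age_s, session_timeout_s, margin=0.5):
    """Refresh period that keeps both timers alive, with a safety margin."""
    return min(mac_age_s, session_timeout_s) * margin
```

Run with a device that only speaks once at link-up and the VLAN disappears at the MAC aging time; run with network pings spaced at keepalive_period() and no outage occurs; run with a single ping after the timers expired and the outage is never cleared.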

If your device is really so silent, I would not enable authentication in this case.

Otherwise a client normally reacts to a port link up with some packets. In my projects I also see that EXOS needs more than one packet to authenticate (unfortunately I do not know the cause) - EOS is much quicker in this case.

Maybe in an EXOS environment you can work with an autoexec script or UPM script to trigger some reaction from this silent device at switch start or restart.

If you want to automate VLAN assignment only, you can also work with MAC-to-VLAN mapping or maybe also a UPM without authentication for VLAN assignment.

Regards,
Matthias

I see a possible problem if the switch is rebooted (firmware update, power outage, ...) and the device does not send any data on link down/up events (it is a silent device...).

Thanks,
Erik

I use this method too!

I disable session timeout globally if I have no 4- or 8-port desktop switches. I never have trouble with this.

Regards