Vlan issue

Status
Not open for further replies.

dhibsystel

Technical User
Jan 30, 2007
254
TN
I have a BD8806 version 12.2.17 installed and different VLANs are configured.

My customer asks:

Is it possible to dynamically assign the VLAN to the user?

When the user plugs his PC into the port, based on the MAC address, the switch assigns the port to the VLAN.
 
Yes, you can do this in ExtremeXOS switches. It's known as Netlogin with MAC-based VLANs. It's a little bit tricky because you have to use a RADIUS database to authenticate each MAC address and assign the port to the appropriate VLAN. However, you can simplify the deployment by using a local authentication database on the switch itself to authenticate against a local list of MAC addresses. Unfortunately, this will not scale well if you want to place hundreds or thousands of MAC addresses on one or more VLANs because your configuration on the switch will start to chew up memory. If you have a large number of MAC addresses it makes more sense to offload the MAC table that you are authenticating against to an external RADIUS server and database. I've seen customers use Microsoft Internet Authentication Service (IAS) coupled with Microsoft Active Directory (AD) to accomplish this. If you are doing it for a limited number of devices you can just use the local database. However, keep in mind you'll need to replicate the Netlogin configuration and MAC list on each edge switch.

If your customer is only using the BD8810 it's not so bad. Here is how you can do it and where to find more information. I would suggest you test it out on a few "pilot" ports to make sure that it works the way you want it to. Don't deploy it on the entire switch right away; you'll probably be sorry because you might accidentally block necessary traffic. Just test on like 10 ports to get started using the local database.

Download Software user guide for 12.2 here and begin referencing on page 709:
There is a simple example starting on page 711 of Secure MAC Configuration Example. In this example, you are relying on a local database of MAC addresses for authentication instead of a third party RADIUS server like IAS or Free Radius as follows:

Secure MAC Configuration Example
The following configuration example shows how to configure secure MAC on your Extreme Networks
switch. To configure secure MAC:

  • Create a VLAN used for netlogin.
  • Configure the VLAN for netlogin.
  • Enable MAC-based netlogin on the switch.
  • Enable MAC-based netlogin on the ports used for authentication.
  • Specify one or more ports to accept authentication requests from a specific MAC address.

Network Login
In the following example, authentication requests from MAC address:
  • 00:00:00:00:00:10 are only accepted on ports 1:1 through 1:5
  • 00:00:00:00:00:11 are only accepted on ports 1:6 through 1:10
  • 00:00:00:00:00:12 are accepted on all other ports

create vlan nlvlan
configure netlogin vlan nlvlan
enable netlogin mac
enable netlogin ports 1:1-1:10 mac
configure netlogin add mac-list 00:00:00:00:00:10 ports 1:1-1:5
configure netlogin add mac-list 00:00:00:00:00:11 ports 1:6-1:10
configure netlogin add mac-list 00:00:00:00:00:12

Page 715 shows how to put different MACs on different VLANs using the local database as follows:

Netlogin MAC-Based VLAN Example
The following example configures the netlogin MAC-based VLAN feature:
create vlan users12
create vlan nlvlan
configure netlogin vlan nlvlan
enable netlogin mac
enable netlogin ports 1:1-1:10 mac
configure netlogin ports 1:1-1:10 mode mac-based-vlans
configure netlogin add mac-list default MySecretPassword

Expanding upon the previous example, you can also utilize the local database for authentication rather
than the RADIUS server:
create netlogin local-user 000000000012 vlan-vsa untagged default
create netlogin local-user 000000000010 vlan-vsa untagged users12

This should get you started.

Warm Regards,
ExtremeTek

Evil will always triumph, because good is dumb.
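
Since the reply notes that the local MAC list has to be replicated on each edge switch, here is an added example (not part of the original post or of Extreme's documentation) that validates one MAC-to-VLAN inventory and renders the `create vlan` and `create netlogin local-user` lines in the form shown above. The inventory layout, the function names, the VLAN-name rule and the upper-casing of hex digits are assumptions of this example.

```python
import re

# Constructed sample inventory: "MAC,VLAN" per line, MAC in any common notation.
# MACs and VLAN names mirror the thread's example; the file layout is assumed.
SAMPLE_INVENTORY = """\
00:00:00:00:00:12,default
00-00-00-00-00-10,users12   # dash notation
0000.0000.0011,users12      # dotted notation
"""

_HEX12 = re.compile(r"^[0-9A-F]{12}$")
# Assumed VLAN-name rule: starts with a letter, at most 32 characters.
_VLAN = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,31}$")


def normalize_mac(raw):
    """Return the separator-free 12-hex-digit form used as the local-user name."""
    mac = re.sub(r"[:.\-]", "", raw.strip()).upper()  # upper-casing is assumed
    if not _HEX12.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    if int(mac[:2], 16) & 1:  # group bit set: never a valid station address
        raise ValueError(f"multicast/broadcast MAC: {raw!r}")
    return mac


def build_commands(inventory_text):
    """Render 'mac,vlan' lines into the command list for one edge switch."""
    seen = {}
    for lineno, line in enumerate(inventory_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        raw_mac, _, vlan = (part.strip() for part in line.partition(","))
        mac = normalize_mac(raw_mac)
        if not _VLAN.match(vlan):
            raise ValueError(f"line {lineno}: bad VLAN name {vlan!r}")
        if seen.setdefault(mac, vlan) != vlan:  # same MAC, conflicting VLANs
            raise ValueError(f"line {lineno}: {mac} mapped to two VLANs")
    # "default" is used without a create line, as in the thread's example.
    cmds = [f"create vlan {v}" for v in sorted(set(seen.values()) - {"default"})]
    cmds += [f"create netlogin local-user {m} vlan-vsa untagged {v}"
             for m, v in sorted(seen.items())]
    return cmds


if __name__ == "__main__":
    print("\n".join(build_commands(SAMPLE_INVENTORY)))
```

Rejecting anything that is not a clean MAC or VLAN name also keeps stray whitespace or extra tokens in the inventory from ending up in the generated switch configuration.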
 