EXOS Universal Port 1371
8/21/2019
http://slidepdf.com/reader/full/exos-universal-port-1371

Extreme Networks Configuration Guide

ExtremeXOS™ Universal Port Configuration Guide

Extreme Networks Confidential and Proprietary © 2007 Extreme Networks, Inc. All rights reserved.


Table of Contents

1 Overview ..... 2
    Profiles and Policies ..... 2
    Static Profiles ..... 2
    Dynamic Profiles ..... 2
2 Profile Rules ..... 4
3 Types of Dynamic Profiles ..... 4
    Device Detection ..... 4
        Link Layer Discovery Protocol (LLDP or 802.1AB) and LLDP-MED ..... 5
        Sample information provided through LLDP about an IP phone ..... 6
        How Device Detection Works ..... 7
    User Authentication ..... 7
        Network Login ..... 8
        802.1x IEEE Standards-based Login ..... 8
        Web-based Network Login ..... 8
        MAC-based Network Login ..... 9
        Authentication Process ..... 9
        How User Profiles Work ..... 10
    Time ..... 11
    Trigger Events ..... 12
4 Universal Port Commands and Variables ..... 13
    Commands ..... 13
        Command Modes ..... 13
        Universal Port Command Summary ..... 13
    Universal Port Variables ..... 14
        Common Variables for all Profiles ..... 14
        Variables for Device Detect Profiles ..... 14
        Variables for User Authentication Profiles ..... 14
5 Configuration Process ..... 15
    Configuration for Device Detection ..... 15
        Configuration Requirements ..... 15
        Configuration Sequence ..... 15
    Configuration for User Login ..... 17
        Configuration Requirements ..... 17
        Configuration Sequence ..... 17
    Configuration for Time-of-day Profiles ..... 21
        Configuration Requirements ..... 21
        Configuration Sequence ..... 21
6 Universal Port Manager ..... 22
    Configuration ..... 23
        Configuration Requirements ..... 23
        Configuration Sequence ..... 23
    Create New Profile ..... 24
        Test the Profile ..... 30
        Deploy the Profile ..... 39
        Track Profile Status ..... 45
        Redeploy a Profile ..... 47
        To Import a Profile ..... 48
    Customize an Existing Profile ..... 49
7 Example Universal Port Profiles ..... 50
    Static Profile ..... 50
    Timer Upload ..... 52
    Generic VoIP LLDP ..... 52
    Generic VoIP 802.1x ..... 54
    Avaya VoIP 802.1x ..... 55
    Dynamic Security Policy ..... 56
    Video Camera ..... 57


1. Overview

The ExtremeXOS™ Universal Port framework enables the switch to take actions based on events. Leveraging the ExtremeXOS CLI scripting capability, Universal Port activates profiles that are created and managed either manually via the ExtremeXOS CLI or through the EPICenter® Universal Port Manager.

Universal Port is primarily used for simplifying edge configuration but can be used for other tasks such as automating conflict resolution.

The Universal Port framework is embedded in all Extreme Networks switches that run on the ExtremeXOS operating system with an Edge License or higher.

The EPICenter Universal Port Manager is a simple-to-use GUI that supports editing and debugging, mass deployments and updates, and can also run audits on Universal Port profiles and modules in the network.

Profiles and Policies

Universal Port has two types of profiles: Static and Dynamic.

Profiles must not be confused with policies. Policies are special cases for a profile. A policy usually implies a security rule that takes action on traffic flows. A profile is a variable command set that can take action based on different types of events. For example, a profile can automatically provision a VoIP phone and the attached switch port with appropriate power and Quality of Service (QoS) settings.

Static Profiles

Static profiles are port profiles that include port settings, including Access Control Lists (ACLs), rate limiting, rate shaping, QoS, VLAN, interface speed, Power over Ethernet (PoE) budget, etc.

Static profiles are not limited to individual ports but can include system wide configuration changes.

Static profiles are default settings, and are NOT event driven. Static profiles are assigned to a port and are not specific to a device or a user. Static profiles are default settings or baselines for ports, leveraging ExtremeXOS scripting.

Before ExtremeXOS introduced scripting capabilities, when an administrator needed to make a network change, the administrator had two choices.

1. Open up a Telnet or console session, then issue the commands directly into the CLI ad-hoc.
2. Use a template and modify the template with required changes, then paste the commands into a Telnet or Console session.

By using profiles, other options are available. Static profiles provide the ability to create common templates and deploy these templates on demand. Because the configuration changes made from static profiles are saved in the configuration file, changes are permanent and remain after a reboot. This is sometimes also referred to as CLI Persistent Mode.

Dynamic Profiles

Dynamic profiles are special scripts that incorporate runtime variables that provide information about trigger events. Because dynamic profiles are event or action driven and do not require administrator invocation, network changes can be automated.

Universal Port currently supports the following trigger events:

• Device discovery
• User or standards-based authentication
• Time of Day

Dynamic profiles can be activated automatically based on what is connecting to the network or who is logging onto the network. The flexibility of Universal Port saves configuration time while protecting the network from configuration errors.

Before the advent of Universal Port, when devices were added, moved, or changed, IT personnel had to be available to place equipment and then configure both the network port and the new device. These tedious tasks typically took a long time, did not support mobility and were prone to human error.

Configuration changes are applied to or removed from a port based on profiles activated or deactivated by a trigger. When a trigger event occurs, a profile associated with the trigger is executed.

Triggers respond to events such as device detection using LLDP, user authentication onto the network via network login, or a timer event. Data from these events can be used to select specific profiles and even make decision points within profiles. A typical example is the use of a RADIUS server to specify a particular profile and then applying port-based policies to that user based on location.

Information passed to Dynamic Profiles can be saved in variables. When a setting is activated, to roll back to the previous default setting, some information must be saved, such as the default VLAN setting or the default setting on a port. Essentially anything modified from the previous setting can be preserved for future use.


Dynamic Profiles are temporary states. When a device appears at an edge port, a triggering event occurs that applies a profile to the port and configures appropriately. Examples of configuration parameters include VLAN, QoS, ACL, PoE and IP Security. When the device is no longer connected, another triggering event occurs to reverse the configuration parameters applied.

There is no need to save the configuration change caused by the Dynamic Profile in the switch configuration; after a reboot the device is detected and the Dynamic Profile triggered again.

This temporary state is critical. Imagine a situation where the profile for Dynamic Security policies was used. If the information granting access to specific resources in the network were saved in the configuration, and a reboot performed with the user losing network connectivity, that particular security policy would be set in stone and anybody else coming onto the network would have access to these network resources simply by plugging into that port.

Dynamic Profiles are triggered and applied based on an event. Another event such as the disappearance of a device, somebody logging out, or a reboot clears the state.

2. Profile Rules

Both static and dynamic Universal Port profiles have the following restrictions:

1. Profiles cannot exceed 5000 characters.
2. Only 128 Universal Port profiles are allowed per switch.
3. Profiles are stored as part of the switch configuration file.
4. Typing and cutting-and-pasting are the only methods to transfer profile data using the CLI.
5. Unless explicitly stated with the command configure cli mode persistent, configurations set by Universal Port profiles are non-persistent and cannot be saved to the switch configuration file.

Note: Setting configuration changes invoked by a profile to be non-persistent allows for rollback changes. Rollback changes enable ports to return to initial states in the case of a reboot or power cycle.

3. Types of Dynamic Profiles

Dynamic profiles are applied to or removed from a port based on an activation or deactivation trigger. When a trigger event occurs, a profile script associated with the trigger is executed. The following events are trigger events:

• Device Detection based on discovery protocols such as IEEE 802.1ab LLDP and ANSI/TIA-1057 LLDP-MED for Voice-over-IP (VoIP) phone extensions
• User-based Login defined by standards-based authentication such as a Network Login framework with 802.1x support, web-based login or MAC-based Network Login
• Timer events

A user can assign Dynamic Profiles to a trigger event via the ExtremeXOS CLI or the EPICenter® Universal Port Manager.

Dynamic Profile supported commands include VLAN port assignments, QoS settings, rate limiting capabilities of the port, PoE budget and dynamic ACLs. These parameters are not saved in the switch configuration.

When using dynamic user-based security policies, implementation details are stored directly in the switch. There is no dependency on anything in the critical path. After a RADIUS server is configured and running, the RADIUS server specifies the policy to be applied as part of the authentication response packet via a RADIUS Vendor Specific Attribute (VSA). The switch takes this information and executes the correct Dynamic Profile.

Note: The RADIUS server can be in proxy mode with information stored in a central directory service such as LDAP or Active Directory.

Note: There is no profile hierarchy, which means users must verify there are no conflicting rules in static and dynamic profiles. This is a normal requirement for ACLs, and is standard when using policy files or dynamic ACLs.

To test a profile or execute a profile, use the following run upm profile command:

>>run upm profile <profile-name> {event <event-name>} {variables <variable-string>}

Example:

run upm profile afterhours

If the variables keyword is not present but an event variable is specified in the profile, the ExtremeXOS operating system prompts for environmental variables appropriate to the event, including the VSA string for user authentication.

Note: Variables are not validated for correct syntax.

To view profile history, use the show upm history command.

show upm history <………………>

Example:

show upm history

Device Detection

A variety of different devices can be connected to a port. When devices connect to the network, the Universal Port helps provide the right configuration at the port.

Devices are detected and undetected as trigger events. Link Layer Discovery Protocol (IEEE 802.1AB, LLDP) is one of the predominant methods that use this trigger.


Link Layer Discovery Protocol (LLDP or 802.1AB) and LLDP-MED

Link Layer Discovery Protocol (LLDP or 802.1AB) is an IEEE standard that allows devices to exchange information about themselves to connected devices.

Similar to Extreme Networks Discovery Protocol (EDP) or Cisco Discovery Protocol (CDP), LLDP defines a standard method for Ethernet network devices such as switches, routers, wireless LAN APs, IP phones, and any other network attached device to advertise information about themselves. Information about the device such as device configuration, capabilities, identification and software version can be advertised. This information is passed along using Type Length Value (TLV) fields within LLDP advertisements.

LLDP defines a set of common advertisement messages, a protocol for transmitting the advertisements and a method for storing the information contained in received advertisements. LLDP is an extensible standard, providing a framework for industry consortiums to define application specific extensions without causing compatibility issues. The ANSI/TIA-1057 LLDP-Media Endpoint Discovery (LLDP-MED) standard defines extensions specifically for VoIP.

The switch can advertise VLAN information and Quality of Service 802.1p marking service to the phone, and it can also advertise where the phone is actually connected to the wall jack. That location is called the E911 Emergency Call Service location, which represents a physical location using IETF standard formats, NOT just port information. The E911 emergency call service location can be configured on the switch port and used later to advertise the call location in case of an emergency call. Should a phone be moved, the phone’s E911 Emergency Call Service location is automatically updated from the phone’s new port.

The lack of location identification information has at times hindered the adoption of VoIP. LLDP-MED solves this problem and it is expected to become mandatory in all VoIP deployments.

The following LLDP-MED extensions provide VoIP-specific information as well as allow transmission of configuration and location information to VoIP phones.

• Network Policy (which VLAN tag, .1p, DSCP, for the phone to use)
• ECS Location ID (for E911 – coordinates or street/building/floor address), compliant with NENA and TIA-TSB-146 directions, the switch advertises a configurable physical location information to the phone
• Extended Power-via-MDI (finer grain PoE budget requirement, in Watts)
• Inventory information such as firmware version, serial number, etc.

Note: Avaya and Extreme Networks have developed a series of extensions for submission to the standards consortium for inclusion in a later version of the LLDP-MED standard.

• Avaya Power conservation mode
• Avaya file server
• Avaya call server

There can only be one profile for the device-detect event trigger per port. This is important because there is no capability or external entity such as a RADIUS server that distinguishes the connecting device as part of the event trigger. Instead, the switch receives this information as part of the event data itself. Because individual ports can only have one device-detect profile, if-then-else statements in profiles along with detailed information provided through LLDP can be used to distinguish between connecting devices.

For example, Voice-over-IP (VoIP) phones can send and receive information in addition to normal device identification information. The information sent through LLDP can be used to identify the maximum power draw of the device. The switch can then set the maximum allocated power for that port. If the switch does not have enough PoE left, the switch can advise certain handsets to switch to a lower power mode and try again. The switch can also transmit additional VoIP files and call server configuration information to the phone so the phone can register itself and receive necessary software and configuration information.


Sample information provided through LLDP about an IP phone

LLDP Port 1 detected 1 neighbor
  Neighbor: (5.1)192.168.10.168/00:04:0D:E9:AF:6B, age 7 seconds
  - Chassis ID type: Network address (5); Address type: IPv4 (1)
    Chassis ID : 192.168.10.168
  - Port ID type: MAC address (3)
    Port ID : 00:04:0D:E9:AF:6B
  - Time To Live: 120 seconds
  - System Name: “AVAE9AF6B”
  - System Capabilities : “Bridge, Telephone”
    Enabled Capabilities: “Bridge, Telephone”
  - Management Address Subtype: IPv4 (1)
    Management Address : 192.168.10.168
    Interface Number Subtype : System Port Number (3)
    Interface Number : 1
    Object ID String : “1.3.6.1.4.1.6889.1.69.1.13”
  - IEEE802.3 MAC/PHY Configuration/Status
    Auto-negotiation : Supported, Enabled (0x03)
    Operational MAU Type : 100BaseTXFD (16)
  - MED Capabilities: “MED Capabilities, Network Policy, Inventory”
    MED Device Type : Endpoint Class III (3)
  - MED Network Policy
    Application Type : Voice (1)
    Policy Flags : Known Policy, Tagged (0x1)
    VLAN ID : 0
    L2 Priority : 6
    DSCP Value : 46
  - MED Hardware Revision: “4625D01A”
  - MED Firmware Revision: “b25d01a2_7.bin”
  - MED Software Revision: “a25d01a2_7.bin”
  - MED Serial Number: “061622014487”
  - MED Manufacturer Name: “Avaya”
  - MED Model Name: “4625”
  - Avaya/Extreme Conservation Level Support
    Current Conservation Level: 0
    Typical Power Value : 7.4 Watts
    Maximum Power Value : 9.8 Watts
    Conservation Power Level : 1=7.4W
  - Avaya/Extreme Call Server(s): 192.168.10.204
  - Avaya/Extreme IP Phone Address: 192.168.10.168 255.255.255.0
    Default Gateway Address : 192.168.10.254
  - Avaya/Extreme CNA Server: 0.0.0.0
  - Avaya/Extreme File Server(s): 192.168.10.194
  - Avaya/Extreme IEEE 802.1q Framing: Tagged

Note: Because LLDP is tightly integrated with IEEE 802.1x authentication at edge ports, when used together, LLDP information from authenticated end point devices is trustable for automated configuration purposes. This tight integration between 802.1x and LLDP protects the network from automation attacks.
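As an added example (not code from the guide or from Extreme Networks), the following Python models the per-port decision a device-detect profile makes from the LLDP-MED fields shown above: it parses the sample neighbor listing, applies the PoE budget test and the conservation-level fallback described under Device Detection, and acts only on a neighbor seen on a port that has already passed 802.1x, as the note recommends. The parser, plan_port_config, the VLAN name "voice" and the remaining-budget figures are assumptions for illustration, not ExtremeXOS behaviour or commands.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the neighbor listing reproduced from the guide's
# "Sample information provided through LLDP about an IP phone", trimmed to the
# fields used here, with straight quotes in place of the typeset ones.
SAMPLE_LLDP = """\
LLDP Port 1 detected 1 neighbor
  Neighbor: (5.1)192.168.10.168/00:04:0D:E9:AF:6B, age 7 seconds
  - Port ID type: MAC address (3)
    Port ID : 00:04:0D:E9:AF:6B
  - System Capabilities : "Bridge, Telephone"
    Enabled Capabilities: "Bridge, Telephone"
  - MED Device Type : Endpoint Class III (3)
  - MED Network Policy
    Application Type : Voice (1)
    VLAN ID : 0
    L2 Priority : 6
    DSCP Value : 46
  - MED Serial Number: "061622014487"
  - MED Model Name: "4625"
  - Avaya/Extreme Conservation Level Support
    Typical Power Value : 7.4 Watts
    Maximum Power Value : 9.8 Watts
    Conservation Power Level : 1=7.4W
"""

# One "key : value" line of the listing; a leading "- " marks a new TLV.
_KV = re.compile(r"^\s*(?:-\s*)?([^:]+?)\s*:\s*(.*?)\s*$")


@dataclass
class PhoneNeighbor:
    port: str
    mac: str
    model: str
    serial: str
    capabilities: set
    max_power_w: float
    conservation_levels: dict  # advertised level -> watts drawn at that level
    l2_priority: int
    dscp: int


def _fields(text):
    """Flatten the listing into a dict; header lines without a colon are skipped."""
    out = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            out[m.group(1)] = m.group(2).strip('"\u201c\u201d')
    return out


def parse_lldp_neighbor(text):
    """Pull out the TLVs a device-detect profile would branch on."""
    f = _fields(text)
    port = re.search(r"LLDP Port (\S+)", text).group(1)
    levels = {int(lvl): float(w) for lvl, w in
              re.findall(r"(\d+)=([\d.]+)W", f.get("Conservation Power Level", ""))}
    caps = {c.strip() for c in f.get("Enabled Capabilities", "").split(",") if c.strip()}
    max_w = float(f["Maximum Power Value"].split()[0]) if "Maximum Power Value" in f else 0.0
    return PhoneNeighbor(port, f.get("Port ID", ""), f.get("MED Model Name", ""),
                         f.get("MED Serial Number", ""), caps, max_w, levels,
                         int(f.get("L2 Priority", 0)), int(f.get("DSCP Value", 0)))


def plan_port_config(nbr, remaining_poe_w, port_authenticated, voice_vlan="voice"):
    """Decide what the port should get; voice_vlan is an assumed VLAN name.

    Mirrors the guide's if-then-else logic: act only on LLDP from a port that
    already passed 802.1x, only for telephone endpoints, allocate the phone's
    maximum draw if the budget allows, otherwise advise a conservation level.
    """
    if not port_authenticated:
        return {"action": "ignore", "reason": "port not 802.1x authenticated; LLDP untrusted"}
    if "Telephone" not in nbr.capabilities:
        return {"action": "ignore", "reason": "neighbor is not a telephone endpoint"}
    plan = {"action": "provision", "port": nbr.port, "vlan": voice_vlan,
            "dot1p": nbr.l2_priority, "dscp": nbr.dscp,
            "inventory": {"model": nbr.model, "serial": nbr.serial, "mac": nbr.mac}}
    if nbr.max_power_w <= remaining_poe_w:
        plan["poe_limit_w"] = nbr.max_power_w
        return plan
    # Not enough PoE for full power: offer the least restrictive level that fits.
    for level, watts in sorted(nbr.conservation_levels.items()):
        if watts <= remaining_poe_w:
            plan["poe_limit_w"] = watts
            plan["advise_conservation_level"] = level
            return plan
    return {"action": "reject", "port": nbr.port,
            "reason": f"{remaining_poe_w} W left, phone needs at least "
                      f"{min(nbr.conservation_levels.values(), default=nbr.max_power_w)} W"}


if __name__ == "__main__":
    phone = parse_lldp_neighbor(SAMPLE_LLDP)
    for budget in (15.0, 8.0, 5.0):  # constructed remaining-budget figures
        print(budget, plan_port_config(phone, budget, port_authenticated=True))
```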


How Device Detection Works

Figure 1 illustrates how dynamic profiles work with device detection. There are two aspects shown in the illustration. Preparation is on the left and typically is only used occasionally, when rolling out a new network or updating profiles. The right side shows ongoing operations.

Figure 1: Device Detection (5119-01). Preparation: (1) Administrator configures VoIP policies (VoIP VLAN, Dot1p priority, etc.); (2) Administrator pushes policies to switch. Operation: (3) After 802.1x authentication, phone sends LLDP message with model, PoE, serial number, etc.; (4) Switch configures VLAN, Dot1p priority, ACLs and PoE on the port; (5) Switch sends VLAN, Call Server, E911 location, QoS, etc. to the phone.

Preparation

The administrator pushes out the device profile to the network; it will be stored on the switch and enabled for specific ports. A profile can be either downloaded from an Extreme Networks website, received from another Extreme Networks user or partner, written by Extreme Networks professional services, or written by the end user. A dynamic device profile can also be a customization of an existing profile, e.g., Universal Port Handset Provisioning Module.

Profiles can be written using any editor; they can be cut-and-pasted or typed into the CLI or they can be created using a sophisticated GUI such as the EPICenter Universal Port Manager. The Universal Port Manager provides several types of templates that can be stored and customized.

Dynamic device profiles can be pushed out onto the network to entire lists of ports for massive deployments. When it is time to update or enhance these profiles, the Universal Port Manager can be used to refresh the same set of ports quickly.

Operation

During runtime, an end user can walk up and plug in a VoIP phone. Once the phone is plugged in, the user enters a personal username and password, which was provided with the phone. The phone starts 802.1x authentication supported by the latest firmware releases from vendors such as Avaya and Mitel.

This authentication step protects the network from spoofing attacks that can occur if authentication is not performed before advertising who is there. This method is much more secure than unauthenticated discovery. Extreme Networks recommends using 802.1x-authenticated LLDP; however, because the Universal Port framework is very flexible and the profiles can be customized, unauthenticated LLDP can be used as well, for example, as part of testing and debugging.

After a successful authentication event, the switch enables LLDP and starts interpreting the information sent by the phone. The phone specifically advertises its PoE budget needs, its serial number that can be used for inventory purposes, and detailed model information. This information allows the switch to configure the edge port automatically and appropriately. The switch can now allocate the PoE budget, move the port into the voice VLAN, and configure QoS for voice on the port.

In the last step, the switch also begins advertising information to the phone. With this additional information, the phone goes through a boot-strap mechanism to tag traffic for QoS as well as VLAN, and to find the call server to download additional configuration information. The phone now has its physical location based on the E911 emergency location information advertised by the switch.

User Authentication

User authentication profiles are used for network access security.

Universal Port integrates with ExtremeXOS Network Login user authentication to support three authentication methods.

• 802.1x IEEE standards-based Network Login
• Web-based Network Login
• MAC-based Network Login

Multiple user profiles can be applied to a port or a group of ports. This means that a port can have one device profile and multiple user profiles.

User profiles can be assigned to a port or a port list easily using the EPICenter Universal Port Manager. User profiles can be mass deployed out onto the network and be assigned to every single port in the network if required.

By assigning user profiles to a port list, security policies can follow the user as he roams around a campus. For example, an engineer can walk from Building 1 to Building 5, plug his PC into the network and be authenticated. Based on that, he automatically receives certain access rights and ACLs.

Note: In most cases, User-based really means user group-based. Most Security IT managers define groups of users with the same access rights. This makes managing network privileges easy. In this case, a user group has one profile name sent to the switch during authentication.


The implementation of the policy sits in the switch and can

differ based on the location and can be changed based on time.

With this mechanism, security policies can follow the user as

he roams around a campus. For example, an engineer can walk

from Building 1 to Building 5, plug his PC into the network and

authenticate. Based on that, he automatically receives certain

access rights. In most cases, user-based really means user

group-based. Most Security IT managers define groups of users

with the same access rights. This makes management of rights

easy. In our example, a user group would have the same profilename sent to the switch during authentication.

The entire concept of user-based security profiles is integrated with device-based profiles. When a VoIP phone is connected to the network, a PC or laptop can connect to the network through a data port on that VoIP phone. This means the VoIP phone and the PC must be identified individually and both must be authenticated separately. This is known as true Multiple Supplicant support.

Note: Some vendors use the term Multiple Supplicant without allowing separate authentication. These vendors simply blackhole the traffic of the second MAC address and do not let the second device pass authentication. Even worse, other vendors take a different approach and allow all traffic from any additional device through after the first device has been authenticated on a port, leaving the network wide open.

In addition to separate authentication for the phone and the user via the PC, ExtremeXOS switches also support multiple VLAN assignment. Without multiple supplicant support with multiple VLANs, PCs have weak security in voice VLANs. The other option is not using the phone data port.

Note: MAC-based authentication can also be used to identify devices. For example, an entire MAC address or some bits of the MAC address can identify a device and perform switch port auto-configuration similar to the LLDP-based device detect event. The difference between this approach and LLDP authentication is that no information can be transmitted to that device.

When authenticating to the network, user-based login can be combined with a timer trigger. Combining user authentication with time triggers puts different user policies in place based on the time of day. Universal Port triggers are then used to modify the assignment and implementation of user-based security policies.

Network Login

Network Login is paramount when implementing dynamic security policies. ExtremeXOS software supports three different login methods integrated into the Universal Port:

• 802.1x IEEE standards-based Login
• Web-based Network Login
• MAC-based Network Login

Any of these three methods can be enabled individually or combined to provide the smooth implementation of a secured network.

 

802.1x IEEE Standards-based Login

The IEEE 802.1x protocol is an edge port authentication protocol that requires a special client to be installed on the system accessing the network.

802.1x has been designed as a secure protocol that uses several different secure authentication techniques. ExtremeXOS software has been tested against most of these techniques, including MD5, PEAP, TLS and TTLS, and supports password-based as well as certificate-based authentication. The most popular authentication method is probably Microsoft PEAP, using encrypted username/passwords.

Web-based Network Login

Because not all devices use 802.1x, the ExtremeXOS operating system also supports web-based Network Login. Web-based login does NOT require any specific client-side software (which 802.1x does). Instead, web-based login uses standard built-in technologies on clients (DHCP and a web browser). Web-based login is an easy-to-deploy security mechanism for client devices.

After opening a web browser, a user enters a userID/password pair for authentication. Extreme Networks switches redirect traffic to the Network Login welcome page. The login welcome page is configurable to allow a custom greeting or guest login information for network access via a dedicated guest VLAN. This type of login allows machines that are not under the control of an IT department to get network access.

Note: Web-based Network Login is an excellent way to deploy 802.1x client software and certificates in a secure fashion on a port without opening up the network. Instead of installing 802.1x client software before turning on Network Login, users can log into the network via the web-based login and be redirected to an IT server to receive instructions on downloading and installing an 802.1x client and any additional software. This process dramatically reduces the costs and complexity of a user authentication rollout in an IT network because installation can be offloaded to the end user.

Note: Beginning with ExtremeXOS Release 12.0, web-based Network Login welcome and authentication failure pages are completely user-configurable, including custom graphics and advanced features such as JavaScript code. ExtremeXOS Release 12.0 supports any web technology that a client browser supports and does not require HTTP server-based actions.


MAC-based Network Login

MAC-based Network Login can be used for devices that have no means of performing manual authentication or using certificates. Devices such as older VoIP phones, printers, IP cameras or wireless access points can be authenticated using a MAC address. This allows for authentication enforcement on all edge ports on the network.

This method provides more flexibility to the Universal Port network login infrastructure. With MAC-based Network Login, edge authentication can be turned on at every single port, no matter what connects to the network.

MAC-based Network Login can help protect ports that connect devices such as printers or older generation VoIP phones, should someone walk up, unplug the device and try to gain access to the network. While not fully secure because of potential MAC spoofing, MAC-based Network Login makes it more complicated for people to hack into the network. In most cases this is sufficient when combined with physical access restrictions.

Authentication Process

A common network authentication architecture has three components: a supplicant, an access device (switch, access point) and an authentication server (RADIUS). This architecture leverages decentralized access devices to provide scalable, but computationally expensive, encryption to multiple supplicants while centralizing access control to a few authentication servers. This latter feature makes authentication manageable in large installations. Figure 2 shows user authentication in a basic three-component architecture.

When Extensible Authentication Protocol (EAP) is run over a LAN, EAP packets are encapsulated in EAP over LAN (EAPOL) messages. (The format of EAPOL packets is defined in the 802.1x specification.) EAPOL communication occurs between the end-user station (supplicant) and the access device (authenticator), for example a switch or wireless access point. The RADIUS protocol is used for communication between the authenticator and the RADIUS server.

The authentication process begins when the end user tries to connect to the LAN. The authenticator (Extreme Networks switch) receives the request and creates a virtual port with the supplicant. The authenticator acts as a proxy for the end user, passing authentication information to and from the authentication server on its behalf. The authenticator limits traffic to authentication data to the server. A negotiation takes place, which includes the following activities:

• Client sends an EAP-start message
• Access device sends an EAP-request identity message
• Client EAP-response packet with the client’s identity is “proxied” to the authentication server by the authenticator
• Authentication server challenges the client to prove himself and can send its credentials to prove itself to the client (if using mutual authentication)
• Client checks server’s credentials (if using mutual authentication) and then sends his credentials to the server to prove himself
• Authentication server accepts or rejects the client’s request for connection
• If the end user is accepted, the authenticator changes the virtual port with the end user to an authorized state, allowing full network access to the end user
• At log-off, the client virtual port is changed back to the unauthorized state
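The exchange in the list above, as an added worked example that is not part of the Extreme Networks guide: a small Python simulation of the supplicant and the authenticator (switch) sides, with a dictionary standing in for the RADIUS credential database. It uses the EAP-MD5 method that Figure 2 shows; the EAPOL and EAP layouts are those of IEEE 802.1X and RFC 3748, and the identities, passwords and frame contents are constructed sample values.

```python
"""Simulated 802.1X login: supplicant, authenticator (switch) and a stub
credential store standing in for the RADIUS server, all in one process.
Layouts follow IEEE 802.1X (EAPOL) and RFC 3748 (EAP Identity and
MD5-Challenge); identities and passwords are constructed sample data."""
import hashlib
import os
import struct

EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4

def eapol(ptype, body=b""):
    """EAPOL header: version(1) type(1) length(2), then the EAP packet if any."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body

def parse_eapol(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL frame")
    return ptype, body

def eap(code, ident, etype=None, data=b""):
    """EAP header: code(1) identifier(1) length(2); Success/Failure carry no type."""
    payload = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length mismatch")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]

def md5_challenge(ident, secret, challenge):
    """RFC 3748 section 5.4: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Supplicant:
    """The client: answers Identity and MD5-Challenge requests."""
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def start(self):
        return eapol(EAPOL_START)

    def handle(self, frame):
        _ptype, body = parse_eapol(frame)
        code, ident, etype, data = parse_eap(body)
        if code != EAP_REQUEST:
            return None                            # Success/Failure: nothing to send
        if etype == EAP_TYPE_IDENTITY:
            return eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, ident, etype, self.identity))
        if etype == EAP_TYPE_MD5:
            challenge = data[1:1 + data[0]]        # value-size byte, then the value
            digest = md5_challenge(ident, self.password, challenge)
            return eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, ident, etype, bytes([16]) + digest))
        return None

class Authenticator:
    """The switch: the port stays unauthorized until the store confirms the digest."""
    def __init__(self, store):
        self.store, self.authorized, self.identity, self.challenge, self.ident = store, False, None, None, 0

    def _request(self, etype, data=b""):
        self.ident += 1
        return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, self.ident, etype, data))

    def handle(self, frame):
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:
            return self._request(EAP_TYPE_IDENTITY)
        if ptype == EAPOL_LOGOFF:
            self.authorized = False                # back to the unauthorized state
            return None
        code, ident, etype, data = parse_eap(body)
        if code != EAP_RESPONSE or ident != self.ident:
            return None                            # unexpected or replayed; drop it
        if etype == EAP_TYPE_IDENTITY:
            self.identity, self.challenge = data, os.urandom(16)
            return self._request(EAP_TYPE_MD5, bytes([16]) + self.challenge)
        if etype == EAP_TYPE_MD5:
            secret = self.store.get(self.identity)  # stands in for the RADIUS lookup
            ok = secret is not None and data[1:17] == md5_challenge(ident, secret, self.challenge)
            self.authorized = ok
            return eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS if ok else EAP_FAILURE, ident))
        return None

def run_exchange(identity, password, store):
    """Drive one login; returns (port authorized?, EAP codes the switch sent)."""
    sup, auth = Supplicant(identity, password), Authenticator(store)
    frame, codes = sup.start(), []
    while frame is not None:
        reply = auth.handle(frame)
        if reply is None:
            break
        codes.append(parse_eap(parse_eapol(reply)[1])[0])
        frame = sup.handle(reply)
    return auth.authorized, codes
```

Calling run_exchange with a matching identity and password walks through Request/Identity, Request/MD5-Challenge and Success and leaves the port authorized; a wrong password or an identity the store does not know ends in EAP-Failure with the port still unauthorized, and an EAPOL-Logoff frame returns an authorized port to the unauthorized state, which is the log-off step of the list above.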

Multiple Universal Port profiles can be created on a switch, but only one Universal Port profile per event can be applied per port. Different profiles on the same port apply to different events; for example, different authentication events for different devices or users.

When 802.1x is enabled on the switch port, the following sequence of events occurs when using an 802.1x- and LLDP-capable device:

1. When a device is plugged in, the switch edge port sends an EAPOL start packet which triggers the device to start the 802.1x authentication process.
2. In standard 802.1x terminology, the device is the supplicant, the switch is the authenticator, and Windows IAS or FreeRADIUS on Linux is the authentication server. An exchange of keys occurs and device credentials are checked.

Figure 2: User Authentication Process (diagram of VoIP Phone, Summit Switch and RADIUS server; the port moves from Unauthorized to Authorized through the messages EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Response/MD5 Challenge and EAP-Success/Vendor Attributes.)


3. After the device has been authenticated, the RADIUS server tells the switch which Universal Port scripts to use and the VLAN for the port. This data is passed using a VSA between the RADIUS server and the switch.
4. After the switch recognizes the authentication event and the VSAs from the RADIUS server, the Universal Port script is triggered and the port is added to the correct VLAN. After the device has been authenticated, DHCP requests on the device are passed through the switch to the DHCP server.
5. When the device has received an IP address, LLDP messages sent by the device are updated and device provisioning continues via the Universal Port script.
6. The Universal Port script triggers and the device is configured along with any PoE settings for the port.

A user either logs in or the switch sees a MAC address in the case of MAC-based Network Login. Then the switch, on the backend side, sends the RADIUS server identifying information (either the MAC address, a user name with password that has been entered in web-based Network Login mode, or the 802.1x credentials that have been advertised from the client PC).

802.1x uses EAP, an IETF standard. With a simple extraction from EAP over Ethernet into EAP over RADIUS, the RADIUS server receives login credential information, looks up the credentialing information in the database, determines whether the user or device does or does not have authorized access to the network, and responds back to the switch. If authenticated, the RADIUS server requests that the switch put the port in forwarding mode.

The traffic sent down from the RADIUS server includes vendor-specific attributes. Most vendors support VLAN ID as a vendor-specific attribute (standards committees are currently trying to standardize which attributes to use instead of vendor-specific attributes). Extreme Networks goes one step further by providing security policy information during authentication, including names of policies and additional information that can be used within policies to narrow down network level access rights even further via ACLs and QoS. This process is accomplished in a single step without opening up the network, and without any dependency on an external policy server (that after login would apply a security policy).

Note: The RADIUS server can be a proxy between RADIUS on the front end towards the switch and either LDAP or Active Directory on the backend. All popular RADIUS servers support this proxy mode. This is one way to integrate network level enforcement and security policies easily with application level enforcement such as user logins into business applications.

How User Profiles Work

In most cases, single users do not have individual user profiles. User profiles are normally assigned to user groups. As an example, a company like Extreme Networks may have security profiles for groups such as software engineering, hardware engineering, marketing, sales, technical support, operations and executive. These kinds of categories make profile management more streamlined and simple. However, in theory, profiles can be on a per-user basis.

A user name and password, or credentials used with a smart card put into a PC with an identifying certificate, are sent via 802.1x. The switch authenticates with a RADIUS server which acts as a centralized repository for security policies. The RADIUS server can be a proxy going to LDAP or to Active Directory to obtain credentials and the user policy assigned.

The switch learns which security policies to assign to a port via RADIUS attributes in the authentication response. The RADIUS server embeds Vendor Specific Attributes (VSAs) in the RADIUS packet sent back after a successful authentication. Extreme Networks has vendor specific attributes that identify the name of the security policy as well as ExtremeXOS script variables that provide profile information.

For example, an additional variable can be added to a generic profile for software engineering for five designated engineers. The variables give these engineers access to a specific additional application. This method minimizes the number of profiles to be maintained and also increases implementation flexibility.
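How the VSAs described above carry a policy name and VLAN from the RADIUS server to the switch, as an added illustration that is neither the guide's code nor the ExtremeXOS RADIUS dictionary: the Python below encodes the attributes as RFC 2865 Vendor-Specific attributes (type 26), the way a server appends them to the packet sent back after a successful authentication, and decodes them with the length checks the receiving side needs. The vendor ID 1916 is Extreme Networks' IANA enterprise number; the vendor attribute numbers VT_SECURITY_PROFILE and VT_NETLOGIN_VLAN are placeholders chosen for this example, and the profile and VLAN names are sample values.

```python
"""Policy name and VLAN carried to the switch as RFC 2865 Vendor-Specific
attributes (type 26): encoded as a RADIUS server would append them to the
Access-Accept, decoded as the switch side has to validate them."""
import struct

ATTR_VENDOR_SPECIFIC = 26
EXTREME_VENDOR_ID = 1916          # IANA enterprise number of Extreme Networks
# Vendor-type numbers below are placeholders for this example (assumed); the
# real ones come from the RADIUS dictionary shipped with the ExtremeXOS release.
VT_SECURITY_PROFILE = 241
VT_NETLOGIN_VLAN = 242
VT_NAMES = {VT_SECURITY_PROFILE: "profile", VT_NETLOGIN_VLAN: "vlan"}

def encode_vsa(vendor_id, vendor_type, data):
    """One VSA: type(1) length(1) vendor-id(4) vendor-type(1) vendor-length(1) data."""
    if len(data) > 247:                # 255 minus the 8 header bytes
        raise ValueError("VSA payload too long")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub

def iter_attributes(blob):
    """Walk a RADIUS attribute list, checking every length field before use."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("bad attribute length")
        yield atype, blob[off + 2:off + alen]
        off += alen

def decode_policy(blob, vendor_id=EXTREME_VENDOR_ID):
    """Collect our vendor's sub-attributes into {'profile': ..., 'vlan': ...};
    attributes of other vendors and unknown vendor types are ignored."""
    policy = {}
    for atype, value in iter_attributes(blob):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        off = 4
        while off + 2 <= len(value):
            vtype, vlen = value[off], value[off + 1]
            if vlen < 2 or off + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            if vtype in VT_NAMES:
                policy[VT_NAMES[vtype]] = value[off + 2:off + vlen].decode("utf-8", "replace")
            off += vlen
    return policy

def access_accept_attributes(profile, vlan):
    """What the server appends to Access-Accept for one user group (sample values)."""
    return (encode_vsa(EXTREME_VENDOR_ID, VT_SECURITY_PROFILE, profile.encode())
            + encode_vsa(EXTREME_VENDOR_ID, VT_NETLOGIN_VLAN, vlan.encode()))
```

decode_policy skips VSAs of other vendors instead of failing on them, because a server that proxies to LDAP or Active Directory may return attributes meant for other equipment, while a malformed length field is rejected rather than read past, so a damaged or oversized attribute never yields a partially parsed policy name.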

User profiles can also be used for devices that do not support LLDP. This method still performs switch port auto-configuration for voice VLAN, configures QoS, and provides VoIP auto configuration. However, with this method, the device does not receive configuration information and must rely on other mechanisms, usually DHCP using option fields, to receive information such as file and communication server addresses, QoS and VLAN settings.

Figure 3 illustrates how user profiles are managed. There are two aspects shown in the illustration: the Preparation phase, which typically happens only occasionally when a new network is rolled out or profiles are updated, and the Operation phase for ongoing operations.


Because policy implementation can change from port to port, Universal Port allows for location-based policies (for example, a restricted area). Integration with a timer event provides time-based policies, such as disabling wireless access after business hours.

Note: VoIP phones are also capable of being authenticated before being allowed on the network. The phone begins 802.1x authentication based on a personal username and password. This authentication step is available and supported by the latest firmware from vendors such as Avaya and Mitel.

This early authentication step protects the network from spoofing attacks that can occur if authentication is not performed before advertising who is there. This method is much more secure than unauthenticated CDP. Universal Port uses 802.1x-authenticated LLDP.

Time

Timers implement Time-of-Day profiles that can have various applications. For example, these profiles can be used to disable guest VLAN access after business hours, shut down a wireless service or power down a port. “Access point being powered down” can apply to a given time of the day or over a time span.

Time-of-Day profiles are flexible and are not limited to just dynamic profile CLI commands. Time-of-Day profiles can use any command in the ExtremeXOS CLI, as long as it is understood that the change is permanent. This feature allows timed backups for configurations, policies, statistics, etc. Anything that needs to happen on a regular basis or at a specific time can be incorporated into a Time-of-Day profile.

Figure 4 shows a simple example of how to do a periodic configuration upload once an hour. To execute the upload, a profile is created that includes a CLI command for uploading to a specific address with a file name. This profile is attached to a timer using the command create upm timer. The profile is then linked to the timer and the timer is configured with the correct time values and intervals.

Preparation

The administrator pushes out profiles and assigns profiles to edge ports. Preparation is often performed using the EPICenter Universal Port Manager; however, preparation can be done manually through the CLI, switch by switch.

Operation

The Operation phase begins when the user logs onto the network. The switch passes the information up to the RADIUS server, and the RADIUS server sends down the name of the policy as well as any additional ExtremeXOS variable settings or information in the user profile. This allows the switch to move the port into the correct VLAN (for example an Engineering VLAN), configure ACLs to specific servers or to specific application types such as enabling CVS access, or configure port interface speed as well as QoS for that port.

Network Login enforces authentication before granting access to the network. All packets sent by a client on the port do NOT go beyond the port into the network until authentication using a RADIUS server occurs. In many cases, the RADIUS server interacts with a central data repository for user authentication such as Active Directory or an LDAP directory without putting the burden of the LDAP protocol into the network infrastructure. As a fallback for mission critical devices, an authentication database local to the switch can be used as well.

Dynamic user policies can include rate-limiting, QoS and dynamic ACLs. These attributes are applied immediately during the authentication process, with no dependency on external second-step policy managers, instead using a central repository (RADIUS or LDAP / Active Directory). Dynamic security policies are activated and deactivated based on authentication when users connect or disconnect from the network.

Figure 3: User-based Login (diagram of Administrator, EPICenter Server, Switch, RADIUS Server and User; its labels read: Preparation: 1. Administrator configures user group policies (VLAN, ACLs, port speed, Dot1p priority, etc.) then maps policies to user groups; 2. Administrator pushes policies to switch. Operation: 3. User logs on to the network; 4. RADIUS server pushes user group via Vendor Specific Attributes (VSA); 5. Switch configures VLAN, ACLs, port speed, Dot1p priority . . . on the port.)

Create upm profile <profileName>
Create upm timer <timerName>
Configure upm timer <timerName> profile <profileName>
Configure upm timer <timerName> every 3600

Figure 4: Example of Periodic Configuration


Trigger Events

There are seven trigger events that activate a Universal Port profile. Table 1 summarizes these trigger events.

Table 1: Trigger Events

Device-Detect and Device-Undetect events are triggered by an LLDP packet when it reaches the port and when periodically transmitted LLDP packets are no longer received, respectively. LLDP age-out occurs when a device has disappeared or the age-out time has been reached.

User-Authenticated and User-Unauthenticated events are triggered by any Network Login mechanism. Successful login triggers the User-Authenticated event, and either explicit logout or session timeout triggers the User-Unauthenticated event.

MAC-based authentication requires no interaction from the user. 802.1x authentication requires 802.1x client software on the device.

Timer-AT and Timer-AFTER events can be set to a specific time of the day or a periodic event, for example, one time after 15 minutes or at 1 hour intervals.

The User-Request trigger is a manual request by an administrator via CLI command to trigger a static or a dynamic profile. To trigger a dynamic profile, information for a particular event must be supplied. To trigger a device profile, information normally provided via LLDP must be provided. With ExtremeXOS 12.0, this capability is also available via XML and is used by the EPICenter Universal Port Manager when activating a profile from the EPICenter GUI.

Trigger                Condition
Device-Detect          Specific device detected by the system, usually receipt of an LLDP packet into the port. Profile configures the port for the device.
Device-Undetect        Specific device is no longer present or an LLDP timeout has occurred. Port properties return to a base state through a profile.
User-Authenticated     Specific user authenticated; profile configures the port for the user.
User-Unauthenticated   Specific authenticated user has been unauthenticated. Port properties return to a base state through a profile.
Timer-AT               Timer scheduled to occur AT a specified time has occurred.
Timer-AFTER            Timer scheduled to occur AFTER a specified time has occurred. Can be a one-time occurrence or can be recurring.
User-Request           Profile was triggered remotely by the administrator through the CLI.


4. Universal Port Commands and Variables

Commands

Several commands were added to the ExtremeXOS operating system to expand the scripting capabilities for Universal Port.

Command Modes

CLI commands are set to non-persistent mode by default when executing dynamic profiles.

To configure persistent command execution, enter the following command:

configure cli mode persistent

To configure non-persistent command execution, enter the following command:

configure cli mode non-persistent

Universal Port Command Summary

The following command summary lists Universal Port CLI commands with command syntax. For complete command descriptions, refer to the ExtremeXOS 12.0 Command Reference Guide.

Note: The CLI uses upm as an abbreviation for Universal Port management to indicate a Universal Port command. Do NOT confuse this abbreviation with the EPICenter Universal Port Manager.

Command                      Syntax
configure upm event          configure upm event <upm-event> profile <profile-name> ports <port-list>
configure upm timer after    configure upm timer <timer-name> after <time-in-secs> {every <seconds>}
configure upm timer at       configure upm timer <timer-name> at <month> <day> <year> <hour> <min> <secs> {every <seconds>}
configure upm timer profile  configure upm timer <timerName> profile <profileName>
create upm profile           create upm profile <profile-name>
create upm timer             create upm timer <timer-name>
delete upm profile           delete upm profile <profile-name>
delete upm timer             delete upm timer <timer-name>
disable upm profile          disable upm profile <profile-name>
edit upm profile             edit upm profile <profile-name>
enable upm profile           enable upm profile <profile-name>
show upm event               show upm event <event-type>
show upm history             show upm history {profile <profile-name> | exec-id <number> | event <upm-event> | status [pass | fail] | timer <timer-name> | detail}
show upm profile             show upm profile <name>
show upm timers              show upm timers
unconfigure upm event        unconfigure up​m event <upm-event> profile <profile-name> ports <port_list>
unconfigure upm timer        unconfigure upm timer <timerName> profile <profileName>


Universal Port Variables

CLI scripting must be enabled before composing or executing a script.

Universal Port uses CLI scripting variables to make system and trigger event information available to profiles. In addition, user-defined variables can be created, but they are limited to the current context unless explicitly saved. Saving variables allows certain data from one profile to be reused in another profile for a different event; for example, between login and logout events, the data necessary to perform rollback for a port configuration can be shared.

Common Variables for all Profiles

$STATUS                          Status of last command execution
$CLI.USER                        UserName of user executing this CLI
$CLI.SESSION_ID                  An identifier for this session. This identifier will be available for the roll-back event when a device or user times out.
$CLI.SESSION_TYPE                Type of user session
$EVENT.NAME                      Event that triggered this profile
$EVENT.PROFILE                   Name of the profile currently being run
$EVENT.TIME                      Time the event occurred, in seconds since epoch
$EVENT.TIMER_TYPE                Periodic or Non_periodic
$EVENT.TIMER_DELTA_SECS          Time difference between timer firing and time actual shell was run, in seconds

Variables for Device Detect Profiles

$EVENT.DEVICE                    Device identification string
$EVENT.DEVICE_IP                 IP address of the device (if available). Blank if not available
$EVENT.DEVICE_MAC                MAC address of device (if available). Blank if not available
$EVENT.DEVICE_POWER              Device power in milliwatts (if available). Blank if not available.
$EVENT.DEVICE_MANUFACTURER_NAME  Manufacturer name
$EVENT.DEVICE_MODEL_NAME         Device model
$EVENT.USER_PORT                 Port associated with this event

Variables for User Authentication Profiles

$EVENT.USERNAME                  Name of user authenticated. This is a string with the MAC address for MAC-based user login
$EVENT_NUMUSERS                  Authenticated supplicants on the port after event occurred
$EVENT.USER_MAC                  MAC address of the user
$EVENT.USER_PORT                 Port associated with this event
$EVENT.USER_VLAN                 VLAN associated with this event
$EVENT.USER_IP                   IP address of the user if applicable, else blank
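As an added example (not code from the guide) tying the Device-Detect event to the device variables in the table above: the Python below builds a constructed LLDPDU of the kind an IP phone sends and extracts the values that would populate $EVENT.DEVICE_MAC, $EVENT.DEVICE_MANUFACTURER_NAME, $EVENT.DEVICE_MODEL_NAME and $EVENT.DEVICE_POWER. TLV layouts are those of IEEE 802.1AB (basic TLVs) and LLDP-MED (ANSI/TIA-1057 inventory and Extended Power-via-MDI TLVs under OUI 00-12-BB); taking the System Name TLV as $EVENT.DEVICE is this example's assumption, and the phone's MAC, names and power value are sample data.

```python
"""Parse an LLDPDU into the values a Device-Detect profile receives."""
import struct

LLDP_MED_OUI = b"\x00\x12\xbb"                         # ANSI/TIA-1057 OUI
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME, TLV_ORG = 0, 1, 2, 3, 5, 127
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_LOCAL = 4, 7
MED_EXT_POWER, MED_MANUFACTURER, MED_MODEL = 4, 9, 10   # LLDP-MED subtypes

def tlv(ttype, value):
    """One TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    if len(value) > 511:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (ttype << 9) | len(value)) + value

def med_tlv(subtype, value):
    """Organizationally specific TLV carrying an LLDP-MED subtype."""
    return tlv(TLV_ORG, LLDP_MED_OUI + bytes([subtype]) + value)

def iter_tlvs(pdu):
    """Yield (type, value) pairs; reject PDUs that overrun or lack End-of-LLDPDU."""
    off = 0
    while off + 2 <= len(pdu):
        hdr, = struct.unpack_from("!H", pdu, off)
        ttype, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if ttype == TLV_END:
            return
        if off + length > len(pdu):
            raise ValueError("TLV runs past end of LLDPDU")
        yield ttype, pdu[off:off + length]
        off += length
    raise ValueError("missing End-of-LLDPDU TLV")

def device_detect_vars(pdu):
    """Map TLVs onto the guide's $EVENT.DEVICE_* variables; blank when absent."""
    v = {k: "" for k in ("DEVICE", "DEVICE_MAC", "DEVICE_MANUFACTURER_NAME",
                         "DEVICE_MODEL_NAME", "DEVICE_POWER")}
    for ttype, value in iter_tlvs(pdu):
        if ttype == TLV_CHASSIS_ID and len(value) == 7 and value[0] == CHASSIS_SUBTYPE_MAC:
            v["DEVICE_MAC"] = ":".join(f"{b:02x}" for b in value[1:])
        elif ttype == TLV_SYSTEM_NAME:
            v["DEVICE"] = value.decode("utf-8", "replace")  # assumption: System Name as device string
        elif ttype == TLV_ORG and value[:3] == LLDP_MED_OUI and len(value) >= 4:
            subtype, data = value[3], value[4:]
            if subtype == MED_MANUFACTURER:
                v["DEVICE_MANUFACTURER_NAME"] = data.decode("utf-8", "replace")
            elif subtype == MED_MODEL:
                v["DEVICE_MODEL_NAME"] = data.decode("utf-8", "replace")
            elif subtype == MED_EXT_POWER and len(data) == 3:
                # flags byte (type/source/priority), then power in 0.1 W units;
                # the profile variable is in milliwatts
                v["DEVICE_POWER"] = str(struct.unpack("!H", data[1:])[0] * 100)
    return v

def sample_phone_pdu():
    """Constructed LLDPDU as an IP phone might send it; all values are sample data."""
    return b"".join([
        tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("001122334455")),
        tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_LOCAL]) + b"1"),
        tlv(TLV_TTL, struct.pack("!H", 120)),
        tlv(TLV_SYSTEM_NAME, b"phone-lab-01"),
        med_tlv(MED_MANUFACTURER, b"SamplePhoneCo"),
        med_tlv(MED_MODEL, b"SP-4610"),
        med_tlv(MED_EXT_POWER, b"\x11" + struct.pack("!H", 65)),  # 6.5 W requested
        tlv(TLV_END, b""),
    ])
```

The parser fails closed: a TLV whose length runs past the end of the PDU, or a PDU without the End-of-LLDPDU TLV, raises instead of yielding partial values, so a profile line such as configure inline-power operator-limit $EVENT.DEVICE_POWER is never fed a number taken from a truncated frame.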


5. Configuration Process

There are two ways to configure the Universal Port for both static and dynamic profiles.

• Command Line Interface (CLI)
• EPICenter Universal Port Manager

This section discusses the configuration requirements and configuration sequence for device detection, user authentication, and timer events using the ExtremeXOS CLI. A step-by-step configuration process using the Universal Port Manager follows in Section 6.

Configuration for Device Detection

Configuration Requirements

Basic configuration requirements for Device Detection via the Universal Port include the following network components.

• ExtremeXOS 11.6 or later (if using the EPICenter Management Platform, ExtremeXOS 12.0 is required)
• Appropriate firmware for devices
• PoE switches for PoE devices
• DHCP server

Configuration Sequence

The sequence of events used to configure the Universal Port for device detection is listed below.

1. Create the VLAN for the VoIP network.
2. Create the Universal Port profile for Device-Detect on the switch.
3. Create the Universal Port profile for Device-Undetect on the switch.
4. Assign the Device-Detect profile to the edge ports.
5. Assign the Device-Undetect profile to the edge ports.
6. Verify that correct profiles are assigned to correct ports.
7. Enable LLDP message advertisements on the ports assigned to Universal Ports.
8. Verify configuration.

Example

1: Configure VLAN

SummitX450-48p # create vlan voice
SummitX450-48p # configure voice ipaddress 192.168.0.1/24

2: Create Universal Port profile to be triggered by a Device-Detect Event

X450e-24p.2 # create upm profile detect-voip
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log entry Starting_Script_DETECT-voip
set var callServer 192.168.10.204
set var fileServer 192.168.10.194
set var voiceVlan Voice
set var CleanupProfile CleanPort
set var sendTraps false
#
create log entry Starting_DETECT-VOIP_Port_$EVENT.USER_PORT


#**********************************************************
# adds the detected port to the device “unauthenticated” profile port list
#**********************************************************
create log entry Updating_UnDetect_Port_List_Port_$EVENT.USER_PORT
configure upm event Device-UnDetect profile CleanupProfile ports $EVENT.USER_PORT
#**********************************************************
# adds the detected port to the proper VoIP vlan
#**********************************************************
configure $voiceVlan add port $EVENT.USER_PORT tag
#**********************************************************
# Configure the LLDP options that the phone needs
#**********************************************************
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tagged
configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
#configure lldp port $EVENT.USER_PORT advertise vendor-specific med policy application voice vlan $voiceVlan dscp 46
#**********************************************************
# Configure the PoE limits for the port based on the phone requirement
#**********************************************************
# If port is PoE capable, uncomment the following lines
configure lldp port $EVENT.USER_PORT advertise vendor-specific med power-via-mdi
configure inline-power operator-limit $EVENT.DEVICE_POWER ports $EVENT.USER_PORT
create log entry Script_DETECT-phone_Finished_Port_$EVENT.USER_PORT
.
X450e-24p.3 #

3: Create the Device-UnDetect Universal Port profile

* X450e-24p.3 # create upm profile clearports
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log entry STARTING_UPM_Script_CLEARPORT_on_$EVENT.USER_PORT
#configure $voiceVlan delete port $EVENT.USER_PORT
unconfigure lldp port $EVENT.USER_PORT
create log entry LLDP_Info_Cleared_on_$EVENT.USER_PORT
#unconfigure upm event device-undetect profile avaya-remove ports $EVENT.USER_PORT
unconfigure inline-power operator-limit ports $EVENT.USER_PORT
create log entry POE_Settings_Cleared_on_$EVENT.USER_PORT
create log entry FINISHED_UPM_Script_CLEARPORT_on_$EVENT.USER_PORT
.
* X450e-24p.4 #


4: Assign the device-detect profile to the desired edge ports

* X450e-24p.8 # config upm event device-detect profile detect-voip ports 1-10

5: Assign the device-undetect profile to the desired edge ports

* X450e-24p.9 # config upm event device-undetect profile clearports ports 1-10
* X450e-24p.10 #

6: Check that the Universal Port profiles are assigned correctly

* X450e-24p.10 # show upm profile
=============================================================
UPM Profile          Events              Flags   Ports
=============================================================
clearports           Device-Undetect      e      1-10
detect-voip          Device-Detect        e      1-10
=============================================================
Number of UPM Profiles: 2
Flags: d - disabled, e - enabled
* X450e-24p.11 #

7: Enable LLDP on the ports

* X450e-24p.11 # enable lldp ports 1-10

8: Verify configuration

Plug the device into the port and test. The following commands can be used to help ensure that everything works correctly.

show lldp

show lldp neighbors

show upm history

show upm history detail

show log match upm

Configuration for User Login

Configuration Requirements

Basic configuration requirements for User login and authentication include the following network components:

• ExtremeXOS 11.6 or later (if using the EPICenter Management Platform, ExtremeXOS 12.0 is required)
• RADIUS server for user authentication and VSA transmission
• Appropriate firmware for devices
• PoE switches for PoE devices
• DHCP server
• TFTP server (for VoIP applications)
• Call Server (for VoIP applications)

Configuration Sequence

The sequence of events used to configure the Universal Port for user authentication is listed below.

1. Configure RADIUS server for userID and password pair.
2. Define the Extreme custom VSAs on RADIUS.
3. Add the switch as an authorized RADIUS client.


4. Create the Universal Port profile for User-Authenticate on the switch.
5. Create the Universal Port profile for User-Unauthenticate on the switch.
6. Configure RADIUS on the edge switch.
7. Configure Network Login on the edge switch.
8. Assign the created user-authenticate profile to the desired edge port.
9. Assign the created user-unauthenticate profile to the desired edge port.
10. Check that the correct profiles are assigned to the correct ports.
11. Enable LLDP message advertisements on the ports.
12. Test the setup.

Example

1: Configure the RADIUS server for the userID and password pair

For FreeRADIUS, edit the users file located at /etc/raddb/users:

# Sample entry using an individual MAC address
00040D50CCC3 Auth-Type := EAP, User-Password == "00040D50CCC3"
    Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
    Extreme-Netlogin-VLAN = Voice

# Sample entry using wildcard MAC addresses (OUI method)
00040D000000 Auth-Type := EAP, User-Password == "1234"
    Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
    Extreme-Netlogin-VLAN = Voice

# Sample entry using a numeric UserID and password
10284 Auth-Type := EAP, User-Password == "1234"
    Extreme-Security-Profile = "voip LOGOFF-PROFILE=voip",
    Extreme-Netlogin-Vlan = Voice

# Sample entry using a text UserID and password
Sales Auth-Type := EAP, User-Password == "Money"
    Extreme-Security-Profile = "Sales-qos LOGOFF-PROFILE=Sales-qos",
    Extreme-Netlogin-Vlan = v-sales

2: Define the Extreme custom VSAs on RADIUS

For FreeRADIUS, edit the dictionary file located at /etc/raddb/dictionary to include the following details:

VENDOR Extreme 1916
ATTRIBUTE Extreme-CLI-Authorization 201 integer Extreme
ATTRIBUTE Extreme-Shell-Command 202 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan 203 string Extreme
ATTRIBUTE Extreme-Netlogin-Url 204 string Extreme
ATTRIBUTE Extreme-Netlogin-Url-Desc 205 string Extreme
ATTRIBUTE Extreme-Netlogin-Only 206 integer Extreme
ATTRIBUTE Extreme-User-Location 208 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan-Tag 209 integer Extreme
ATTRIBUTE Extreme-Netlogin-Extended-Vlan 211 string Extreme
ATTRIBUTE Extreme-Security-Profile 212 string Extreme
VALUE Extreme-CLI-Authorization Disabled 0
VALUE Extreme-CLI-Authorization Enabled 1
VALUE Extreme-Netlogin-Only Disabled 0
VALUE Extreme-Netlogin-Only Enabled 1
# End of Dictionary
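The dictionary above only tells FreeRADIUS the numbers behind the attribute names; on the wire each one travels inside an RFC 2865 Vendor-Specific attribute (type 26) carrying vendor id 1916. The Python below is an added example, not part of this guide or of FreeRADIUS, that encodes and decodes Extreme VSAs from that dictionary so that a reply captured between server and switch can be checked against what the users file was meant to send; the sample reply is constructed here.

```python
import struct

# Vendor id and attribute numbers copied from the dictionary entries above
# (VENDOR Extreme 1916).
EXTREME_VENDOR_ID = 1916
EXTREME_DICTIONARY = {
    "Extreme-CLI-Authorization": (201, "integer"),
    "Extreme-Shell-Command": (202, "string"),
    "Extreme-Netlogin-Vlan": (203, "string"),
    "Extreme-Netlogin-Url": (204, "string"),
    "Extreme-Netlogin-Url-Desc": (205, "string"),
    "Extreme-Netlogin-Only": (206, "integer"),
    "Extreme-User-Location": (208, "string"),
    "Extreme-Netlogin-Vlan-Tag": (209, "integer"),
    "Extreme-Netlogin-Extended-Vlan": (211, "string"),
    "Extreme-Security-Profile": (212, "string"),
}
BY_NUMBER = {num: (name, kind) for name, (num, kind) in EXTREME_DICTIONARY.items()}
VSA_TYPE = 26  # RFC 2865 Vendor-Specific attribute type


def encode_vsa(name, value):
    """Encode one Extreme attribute as a RADIUS Vendor-Specific attribute.

    Layout: Type(26) Length Vendor-Id(4) Vendor-Type Vendor-Length Value.
    Vendor-Length counts itself, Vendor-Type and the value; Length counts the
    whole attribute. Integers are 4-byte big-endian, strings are UTF-8.
    """
    vendor_type, kind = EXTREME_DICTIONARY[name]
    data = struct.pack(">I", int(value)) if kind == "integer" else str(value).encode("utf-8")
    if len(data) > 247:  # 255 max attribute length minus 2 + 4 + 2 header bytes
        raise ValueError("value too long for a single VSA: %s" % name)
    vendor_part = struct.pack(">BB", vendor_type, 2 + len(data)) + data
    body = struct.pack(">I", EXTREME_VENDOR_ID) + vendor_part
    return struct.pack(">BB", VSA_TYPE, 2 + len(body)) + body


def decode_extreme_vsas(attrs):
    """Walk a RADIUS attribute list and return [(name, value)] for Extreme VSAs.

    Other attribute types and other vendors are skipped; a malformed length
    raises rather than being silently ignored.
    """
    found, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("bad attribute length at offset %d" % pos)
        if attr_type == VSA_TYPE and attr_len >= 8:
            vendor_id = struct.unpack(">I", attrs[pos + 2:pos + 6])[0]
            if vendor_id == EXTREME_VENDOR_ID:
                found.extend(_decode_vendor_data(attrs[pos + 6:pos + attr_len]))
        pos += attr_len
    return found


def _decode_vendor_data(data):
    """Decode the Vendor-Type/Vendor-Length/Value triples inside one VSA."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = data[pos], data[pos + 1]
        if vlen < 2 or pos + vlen > len(data):
            raise ValueError("bad vendor sub-attribute length")
        raw = data[pos + 2:pos + vlen]
        name, kind = BY_NUMBER.get(vtype, ("Extreme-Unknown-%d" % vtype, "string"))
        if kind == "integer" and len(raw) == 4:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.decode("utf-8", "replace")
        out.append((name, value))
        pos += vlen
    return out


# Constructed sample: the reply attributes of the 'phone' entry in the users
# file above, with a non-Extreme attribute (Session-Timeout, type 27) between
# them that the decoder must step over.
SAMPLE_REPLY = (
    encode_vsa("Extreme-Security-Profile", "phone LOGOFF-PROFILE=clearport;")
    + struct.pack(">BBI", 27, 6, 3600)
    + encode_vsa("Extreme-Netlogin-Vlan", "Voice")
)

if __name__ == "__main__":
    for name, value in decode_extreme_vsas(SAMPLE_REPLY):
        print("%s = %r" % (name, value))
```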


3: Add the switch as an authorized client of the RADIUS server

For FreeRADIUS, edit the clients.conf file located at /etc/raddb/clients.conf to include the switch as a client:

client 192.168.10.4 {
    secret = purple
    shortname = x450e-24p
}
# End of clients.conf

4: Create the Universal Port profile for User-Authenticate

* X450e-24p.1 # create upm profile phone
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log entry Starting_Script_Phone
set var callServer 192.168.10.204
set var fileServer 192.168.10.194
set var voiceVlan Voice
set var CleanupProfile clearport
set var sendTraps false
#
create log entry Starting_AUTH-VOIP_Port_$EVENT.USER_PORT
#******************************************************
# Configure the LLDP options that the phone needs
#******************************************************
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tagged
configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
create log entry UPM_Script_A-Phone_Finished_Port_$EVENT.USER_PORT
.
X450e-24p.2 #

5: Create the Universal Port profile for User-Unauthenticate on the switch

* X450e-24p.1 # create upm profile clearport
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log entry STARTING_Script_CLEARPORT_on_$EVENT.USER_PORT
unconfigure lldp port $EVENT.USER_PORT
create log entry LLDP_Info_Cleared_on_$EVENT.USER_PORT
unconfigure inline-power operator-limit ports $EVENT.USER_PORT
create log entry POE_Settings_Cleared_on_$EVENT.USER_PORT
create log entry FINISHED_Script_CLEARPORT_on_$EVENT.USER_PORT
.
* X450e-24p.2 #


6: Configure RADIUS on the edge switch

* X450e-24p.4 # config radius primary server 192.168.11.144 client-ip 192.168.10.4 vr VR-Default
* X450e-24p.5 # config radius primary shared-secret purple

7: Configure Network Login on the edge switch (802.1x)

* X450e-24p.7 # create vlan nvlan
* X450e-24p.8 # config netlogin vlan nvlan
* X450e-24p.9 # enable netlogin dot1x
* X450e-24p.10 # enable netlogin ports 11-20 dot1x
* X450e-24p.11 # config netlogin ports 11-20 mode mac-based-vlans
* X450e-24p.12 # enable radius netlogin

OR

Configure Network Login on the edge switch (MAC-based or OUI method)

* X450e-24p.7 # create vlan nvlan
* X450e-24p.8 # config netlogin vlan nvlan
* X450e-24p.9 # enable netlogin mac
* X450e-24p.10 # config netlogin add mac-list 00:04:0D:00:00:00 24 1234
* X450e-24p.11 # enable radius netlogin

8: Assign the created user-authenticate profile to the edge port

* X450e-24p.6 # configure upm event user-authenticate profile "phone" ports 11-20
* X450e-24p.7 #

9: Assign the created user-unauthenticate profile to the edge port

* X450e-24p.7 # configure upm event user-unauthenticated profile "clearport" ports 11-20
* X450e-24p.8 #

10: Check that correct profiles are assigned to correct ports

* X450e-24p.8 # show upm profile
===========================================================
UPM Profile          Events                  Flags   Ports
===========================================================
phone                User-Authenticated       e      11-20
clearport            User-Unauthenticated     e      11-20
===========================================================
Number of UPM Profiles: 5
Flags: d - disabled, e - enabled
* X450e-24p.9 #
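The profile names the RADIUS server returns in Extreme-Security-Profile (step 1) must exist on the switch and be bound to the matching event, which is what this step's output shows. The Python below is an added example, not part of this guide or of ExtremeXOS, that parses a users file and the show upm profile output and reports every user whose authenticate or logoff profile is missing, disabled or bound to the wrong event; both inputs are constructed samples in the layouts shown on this page.

```python
import re

# Constructed sample in the layout of the FreeRADIUS users file from step 1
# (straight quotes; two of the four entries).
USERS_FILE = """\
# Sample entry using an individual MAC address
00040D50CCC3 Auth-Type := EAP, User-Password == "00040D50CCC3"
    Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
    Extreme-Netlogin-Vlan = Voice

# Sample entry using a numeric UserID and password
10284 Auth-Type := EAP, User-Password == "1234"
    Extreme-Security-Profile = "voip LOGOFF-PROFILE=voip",
    Extreme-Netlogin-Vlan = Voice
"""

# Constructed sample in the layout of the 'show upm profile' output above.
SHOW_UPM_PROFILE = """\
===========================================================
UPM Profile                 Events                  Flags   Ports
===========================================================
phone                       User-Authenticated      e       11-20
clearport                   User-Unauthenticated    e       11-20
===========================================================
Number of UPM Profiles: 2
Flags: d - disabled, e - enabled
"""


def parse_users_file(text):
    """Return {username: {reply attribute: value}}.

    An entry starts in column 0 with the username and its check items; the
    indented lines that follow are its reply items.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            current = raw.split()[0]
            entries[current] = {}
            continue
        if current is None:
            raise ValueError("reply item before any entry: %r" % raw)
        attr, _, value = raw.strip().rstrip(",").partition("=")
        entries[current][attr.strip()] = value.strip().strip('"')
    return entries


def parse_security_profile(value):
    """Split 'phone LOGOFF-PROFILE=clearport;' into (auth profile, logoff profile)."""
    m = re.fullmatch(r"\s*(\S+)\s+LOGOFF-PROFILE=([^\s;]+);?\s*", value)
    if not m:
        raise ValueError("unexpected Extreme-Security-Profile value: %r" % value)
    return m.group(1), m.group(2)


def parse_show_upm_profile(text):
    """Return {profile: (event, flag, ports)} from 'show upm profile' output."""
    profiles = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly four columns with a one-letter flag column;
        # the banner, header and summary lines do not.
        if len(parts) == 4 and parts[2] in ("d", "e"):
            profiles[parts[0]] = (parts[1], parts[2], parts[3])
    return profiles


def check_profiles(users, switch_profiles):
    """List users whose VSA names a profile that is missing, disabled, or
    attached to the wrong trigger event on the switch."""
    problems = []
    for user, reply in users.items():
        vsa = reply.get("Extreme-Security-Profile")
        if vsa is None:
            continue
        auth, logoff = parse_security_profile(vsa)
        for name, event in ((auth, "User-Authenticated"),
                            (logoff, "User-Unauthenticated")):
            info = switch_profiles.get(name)
            if info is None:
                problems.append("%s: profile %s is not on the switch" % (user, name))
            elif info[0] != event:
                problems.append("%s: profile %s is bound to %s, expected %s"
                                % (user, name, info[0], event))
            elif info[1] != "e":
                problems.append("%s: profile %s is disabled" % (user, name))
    return problems


if __name__ == "__main__":
    for problem in check_profiles(parse_users_file(USERS_FILE),
                                  parse_show_upm_profile(SHOW_UPM_PROFILE)):
        print(problem)
```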

11: Enable LLDP message advertisements on the ports

* X450e-24p.9 # enable lldp ports 11-20

12: Test the setup


Configuration for Time-of-day Profiles

Configuration Requirements

Basic configuration requirements for time profiles include:

• ExtremeXOS 11.6 or later (if using the EPICenter Management Platform, ExtremeXOS 12.0 is required)

Configuration Sequence

The sequence of events used to configure the Universal Port for Time-of-Day profiles is listed below.

1. Create the Universal Port profile

2. Create the timer trigger

3. Assign the timer to the profile

4. Configure the timer

Example

1: Create the Universal Port profile


* X450e-24p.1 # create upm profile eveningpoe
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log entry Starting_Evening
disable inline-power ports 1-20
.
* X450e-24p.2 #

2: Create the Universal Port timer

* X450e-24p.3 # create upm timer night

3: Assign the timer to the profile

* X450e-24p.4 # config upm timer night profile nightpoe

4: Configure the Timer

* X450e-24p.5 # config upm timer night at 7 7 2007 19 00 00 every 86400


6. Universal Port Manager

The Universal Port Manager is a component available with the Advanced Upgrade of the EPICenter management platform, designed to manage the Universal Port feature across the entire network.

To open the Universal Port Manager component of EPICenter, click on the Profiles button on the left side of the EPICenter GUI. See Figure 5.

The Universal Port Manager screen is organized into three functional areas, each accessed by a tab. See Figure 6.

Network Profiles
• Used to view, enable-disable, edit, run and delete profiles.
• Used to change profile trigger events or port configurations on switches.

Managed Profiles
• Used to import-export, create, view, edit, save, delete, test and deploy profiles.

Audit Log
• Used to examine profile actions on network devices and redeploy profiles.

Figure 5: EPICenter GUI


Note: The EPICenter Inventory Manager can be used to create and manage large device groups to facilitate profile management for large networks. Port groups, created by the EPICenter Grouping Manager, can also be managed by the EPICenter Inventory Manager.

Configuration

Configuration Requirements

• ExtremeXOS 12.0 or later
• HTTP or HTTPS must be enabled on the device (enable web http)

Configuration Sequence

The sequence of events to create and deploy a Universal Port profile is listed below.

1. Create a new profile or customize an existing profile.
2. Save the profile in EPICenter.
3. Test the profile on a device.
4. Deploy and enable the profile on the devices, device group or port group. (The profile is now saved on the switch.)
5. Track profile status.
6. Modify network or redeploy profiles as required.

Note: Extreme Networks provides pre-packaged Universal Port Modules which incorporate specialized scripts to configure edge ports with automatic discovery, configuration and provisioning. For example, the Handset Provisioning Module provides specialized scripts for multi-vendor IP Telephony devices. Refer to the section on modifying templates.

Figure 6: Universal Port Manager Screen


Create New Profile

Use the following procedure to create a new profile.

1. Access the Managed Profiles view and click the New button. See Figure 7.

Figure 7: Select New Profile


2. The New Profile window appears. See Figure 8. This window has two tabs, Overview and Script View. Select the Script View tab.

Figure 8: New Profile Window


3. The Script View tab is where the profile is edited or created. The Profile editor contains three lines of metadata. Enter a description for the profile after # @ScriptDescription. Then enter the variable description fields using # @VariableFieldLabel and the variable definitions using set var. All of this should be done before # @MetaDataEnd. See Figure 9 for an example populated with variables.

Figure 9: Script Tab View of Profile Editor
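The metadata markers above are plain comment lines in the profile script, so a script can be checked or customized outside EPICenter as well. The Python below is an added example, not part of this guide or of EPICenter, that extracts the description and the label/variable/default triples from a script and rewrites chosen defaults the way the Overview tab does; the sample script is constructed from the start of the static profile template in section 7, with the description on one line and straight quotes.

```python
import re

# Constructed sample: the first variables of the static profile template in
# section 7 of this guide, with a one-line @ScriptDescription and straight quotes.
TEMPLATE = """\
#***********************************************
# Last Updated: May 11, 2007
#***********************************************
# @MetaDataStart
# @ScriptDescription "This is a template for configuring network parameters for edge Summit devices."
# @VariableFieldLabel "Create EAPs ring? (yes or no)"
set var yneaps yes
# @VariableFieldLabel "Primary port number"
set var eapsprimary 23
# @VariableFieldLabel "RADIUS Server Shared Secret"
set var radsecret goextreme
# @MetaDataEnd
if (!$match($yneaps,yes)) then
  create log entry Config_EAPs
endif
"""

META_START = "# @MetaDataStart"
META_END = "# @MetaDataEnd"
DESC_RE = re.compile(r'#\s*@ScriptDescription\s+"(.*)"\s*$')
LABEL_RE = re.compile(r'#\s*@VariableFieldLabel\s+"(.*)"\s*$')
SETVAR_RE = re.compile(r"set\s+var\s+(\S+)\s+(.*)$")


def parse_upm_metadata(script):
    """Return (description, [(label, variable, default)], body_lines).

    Only 'set var' lines between the markers are editable variables, each
    @VariableFieldLabel must be followed by its 'set var' line, and any other
    statement inside the block is an error rather than being ignored.
    """
    description, variables, body = None, [], []
    state = "before"  # before -> meta -> after
    pending_label = None
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if line == META_START and state == "before":
            state = "meta"
        elif line == META_END and state == "meta":
            if pending_label is not None:
                raise ValueError("label %r has no set var" % pending_label)
            state = "after"
        elif state == "after":
            body.append(raw)
        elif state == "meta":
            m = DESC_RE.match(line)
            if m:
                description = m.group(1)
                continue
            m = LABEL_RE.match(line)
            if m:
                if pending_label is not None:
                    raise ValueError("label %r has no set var" % pending_label)
                pending_label = m.group(1)
                continue
            m = SETVAR_RE.match(line)
            if m:
                if pending_label is None:
                    raise ValueError("line %d: set var without a label" % lineno)
                variables.append((pending_label, m.group(1), m.group(2).strip()))
                pending_label = None
                continue
            if line and not line.startswith("#"):
                raise ValueError("line %d: statement inside metadata: %r" % (lineno, line))
    if state != "after":
        raise ValueError("%s missing" % META_END)
    return description, variables, body


def customize(script, new_values):
    """Return a copy of the script with the given variable defaults replaced.

    Unknown names raise, so a typo cannot leave a template default (such as
    the RADIUS shared secret above) silently in place.
    """
    _, variables, _ = parse_upm_metadata(script)
    unknown = sorted(set(new_values) - {var for _, var, _ in variables})
    if unknown:
        raise KeyError("not metadata variables: %s" % ", ".join(unknown))
    out, in_meta = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if line == META_START:
            in_meta = True
        elif line == META_END:
            in_meta = False
        m = SETVAR_RE.match(line) if in_meta else None
        if m and m.group(1) in new_values:
            raw = "set var %s %s" % (m.group(1), new_values[m.group(1)])
        out.append(raw)
    return "\n".join(out) + "\n"
```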


4. Select the Overview tab to verify description and variables. The Overview tab can be accessed anytime during profile scripting to check accuracy of variables. See Figure 10.

Figure 10: Overview Tab


5. Return to the Script View tab and enter the body of the script. Figure 11 shows an example block of script to add an action to the profile.

6. Click the Save Changes button at the bottom of the screen.

Figure 11: Example Script


7. The Save Profile As … window appears. See Figure 12. Enter a profile name and version, then click the Save button.

Figure 12: Save Profile As... Window


Test the Profile

8. The Script View tab reappears. To test the profile, click the Test button at the bottom of the screen. See Figure 13.

Figure 13: Test Button


9. A window appears to select trigger events. At the Run profile at: area, select Other trigger events. Then select the appropriate trigger and click the Next button. See Figure 14.

Figure 14: Select Trigger Events Window


10. A window appears to select the method for a device search (switches), individually or as a group. See Figure 15. Select the search method and click Next.

Figure 15: Select Type of Device Search Window


11. A window appears with a list of available devices or device groups on which to test the profile. Depending on the choice made in the preceding window, either a device list or a list of device groups appears. See Figure 15. In the security_video example, Devices (individual devices) was selected, so Figure 16 shows a list of devices on which to test the profile script. Select the devices or device groups for the test and click Next.

Note: Extreme Networks recommends using one device (switch) for profile testing.

Figure 16: Select Device Window


12. A window appears to select ports on which to test the profile. See Figure 17. Select ports and click Next.

Note: Extreme Networks recommends testing on a single port.

Figure 17: Select Ports Window


13. A window appears to verify the testing configuration. Check switch and port numbers. If correct, click the Validate button. See Figure 18. If not correct, click the Back button to change selections.

Figure 18: Profile Test Validation Window


14. A similar window appears indicating whether the profile validation was successful. See Figure 19. Click Next to test the profile on the switch. If the profile was not validated, access the Script View tab and debug it.

Figure 19: Validation Results Window


15. A window appears indicating that the profile has been deployed for testing. See Figure 20. Select the Trigger Event from the pull-down menu. Click the Save and Run button.

Figure 20: Test Deployment Window


16. A rotating set of small blue squares appears in the Test Results panel during testing. After testing is complete, a success or failure message appears. See Figure 21. If the profile has been successfully deployed and tested on the switch, click the Close button.

Figure 21: Test Results Window


Deploy the Profile

17. The profile is now on the Managed Profiles tab. See Figure 22. Select the script profile (highlighted when selected) to deploy the profile to the network. Click the Deploy button on the top right of the window.

Figure 22: Profile Test Validation Window


18. The window to select trigger events appears. See Figure 23. Select the appropriate trigger event and click Next.

Figure 23: Select Trigger Window


19. The window to select devices (switches) appears. Select appropriate devices and click Next.

Figure 24: Select Device Window


20. The window to select ports appears. Select appropriate ports and click Next.

Figure 25: Select Ports Window


21. The window appears with a summary of the ports selected. Verify for accuracy and click Validate.

22. The window showing validation results appears. See Figure 26. Note that the profile is disabled by default. If successful, select Enable profile on all devices and click the Deploy button.

Figure 26: Profile Validation Window


23. A window appears with deployment results. See Figure 27. Verify and click Finish.

Figure 27: Deployment Results Window


Track Profile Status

24. Select the profile from the Filtered Profiles area. Access the Audit Log tab. See Figure 28.

Figure 28: Audit Log


25. The window changes to show information about the selected profile. See Figure 29. From the Pre-defined filters pull-down menu, select 1 hour.

Note: The next step is creating an Un-authenticate profile for this action.

Figure 29: Profile Tracking View


Redeploy a Profile

26. In case of a network change, to redeploy the profile, access the Managed Profiles tab.

27. Select the profile from the list and click the Deploy button.

28. When validating the profile, a warning message appears. See Figure 30. Check the Replace Existing Profile checkbox, and select Enable profile on all devices. Click Deploy.

Figure 30: Validation When Redeploying


To Import a Profile

29. To import a profile that is not currently managed by EPICenter software, access the Network Profiles tab, which shows all profiles on the network whether managed or not by EPICenter software. See Figure 31.

30. Highlight the profile, then click the disk icon at the top of the screen to bring up the Save Profiles as… window.

31. Click on the Save in: EPICenter button, enter a profile name and version. Then click Save.

Figure 31: Network Profiles Tab


Customize an Existing Profile

Use the following procedure to customize an existing profile. The profile can be from an EPICenter template, a Universal Port Module or an imported script. The scripts referenced in this document are examples and may need to be customized to work in your environment. Please be sure to check the Extreme Networks eSupport site for the latest versions of the scripts referenced in this document.

The EPICenter platform provides several pre-defined templates.

1. Access the Managed Profiles tab. Pre-defined templates are at the top of the Filtered Profiles table by default.

2. Double-click on the voip_script_detect profile template.

3. The Overview tab window appears for the voip_script_detect profile. See Figure 32. Modify the values for the variables to create a new profile. Click the Save As button.

4. The Save Profile As … window appears. Enter profile name and version. Then click Save.

5. The Overview tab shows the new variable values. Verify and click Close.

6. The new profile is added to the Filtered Profiles list. Click Deploy and follow the procedure for selecting trigger events, devices and ports.

Figure 32: Overview Tab


7. Example Universal Port Profiles

Static Profile

This template configures an edge switch using EPICenter Universal Port Manager. The profile is triggered as user-requested. The profile sets up the following on the switch: create and configure EAPS on the edge switch for connection into the aggregation switch, create specific VLANs and assign tags, configure network login, configure RADIUS on the switch.

#***********************************************
# Last Updated: May 11, 2007
# Tested Devices: X450e EXOS 12.0
# Description: This profile configures the switch with an EAPs ring, creates specified
# vlans, configures network login, RADIUS.
#***********************************************
# @MetaDataStart
# @ScriptDescription "This is a template for configuring network parameters for edge Summit devices. The profile will configure the listed features: EAPs ring, Network login, 802.1x, vlans, and default routes."
# @VariableFieldLabel "Create EAPs ring? (yes or no)"
set var yneaps yes
# @VariableFieldLabel "Name of EAPs domain"
set var eapsdomain upm-domain
# @VariableFieldLabel "Primary port number"
set var eapsprimary 23
# @VariableFieldLabel "Secondary port number"
set var eapssecondary 24
# @VariableFieldLabel "Name of EAPs control VLAN"
set var eapsctrl upm_ctrl
# @VariableFieldLabel "Tag for EAPs control VLAN"
set var eapsctrltag 4000
# @VariableFieldLabel "Create standard VLANs? (yes or no)"
set var ynvlan yes
# @VariableFieldLabel "Name of Voice vlan"
set var vvoice voice
# @VariableFieldLabel "Voice VLAN tag"
set var vvoicetag 10
# @VariableFieldLabel "Voice VLAN virtual router"
set var vvoicevr vr-default
# @VariableFieldLabel "Name of Security Video"
set var vidsec vidcam
# @VariableFieldLabel "Security Video VLAN tag"
set var vidsectag 40
# @VariableFieldLabel "Security Video VLAN virtual router"
set var vidsecvr vr-default
# @VariableFieldLabel "Name of Data vlan"
set var vdata datatraffic
# @VariableFieldLabel "Data VLAN tag"
set var vdatatag 11
# @VariableFieldLabel "Data VLAN virtual router"
set var vdatavr vr-default
# @VariableFieldLabel "Enable Network Login? (yes or no)"
set var ynnetlogin yes
# @VariableFieldLabel "RADIUS Server IP Address"
set var radserver 192.168.11.144
# @VariableFieldLabel "RADIUS Client IP Address"
set var radclient 192.168.11.221
# @VariableFieldLabel "RADIUS Server Shared Secret"
set var radsecret goextreme
# @VariableFieldLabel "Network Login port list"


set var netloginports 1-20

# @MetaDataEnd

##################################

# Start of EAPs Conguration block

##################################

if (!$match($yneaps,yes)) then

  create log entry Cong_EAPs

  cong eaps cong-warnings off

  create eaps $eapsdomain

  cong eaps $eapsdomain mode transit  cong eaps $eapsdomain primary port $eapsprimary

  cong eaps $eapsdomain secondary port $eapssecondary

  create vlan $eapsctrl

  cong $eapsctrl tag $eapsctrltag

  cong $eapsctrl qosprole qp8

  cong $eapsctrl add port $eapsprimary tagged

  cong $eapsctrl add port $eapssecondary tagged

  cong eaps $eapsdomain add control vlan $eapsctrl

  enable eaps

  enable eaps $eapsdomain

else

  create log entry EAPs_Not_Congured

endif

############

#VLAN Cong

############

if (!$match($ynvlan,yes)) then

  create log entry CreateStandardVLANs

  create vlan $vvoice vr $vvoicevr

  cong vlan $vvoice tag $vvoicetag

cong vlan $vvoice add port $eapsprimary tagged

  cong vlan $vvoice add port $eapssecondary tagged

  cong eaps $eapsdomain add protected $vvoice

  enable lldp ports $netloginports

  create qosprole qp5

  cong vlan $vvoice ipa 192.168.10.221

#

  create vlan $vidsec vr $vidsecvr

  cong vlan $vidsec tag $vidsectag

  cong vlan $vidsec add port $eapsprimary tagged

  cong vlan $vidsec add port $eapssecondary tagged

  cong eaps $eapsdomain add protected $vidsec

  cong vlan $vidsec ipa 192.168.40.221

#

  create vlan $vdata vr $vdatavr

  cong vlan $vdata tag $vdatatag

cong vlan $vdata add port $eapsprimary tagged  cong vlan $vdata add port $eapssecondary tagged

  cong eaps $eapsdomain add protected $vdata

  cong vlan $vdata ipa 192.168.11.221

# cong ipr add default 192.168.11.254 vr vr-default

else

  create log entry NoVLANsCreated

endif

############

#RADIUS & Netlogin

############

if (!$match($ynnetlogin,yes)) then

  create log entry CongNetlogin

Page 53: EXOS Universal Port 1371

8/21/2019 EXOS Universal Port 1371

http://slidepdf.com/reader/full/exos-universal-port-1371 53/59Extreme Networks Confidential and Proprietary © 2007 Extreme Networks, Inc. All rights reserved. ExtremeXOS Universal Port Configuration Guide — Page 5

Extreme Networks Configuration Guide

  #congure $vdata ipaddress 192.168.11.221

  create vlan nvlan

  cong netlogin vlan nvlan

  cong default del po $netloginports

  enable netlogin dot1x

  enable netlogin mac

  enable netlogin ports $netloginports dot1x mac

  cong netlogin ports $netloginports mode mac-based-vlans

  cong radius netlogin primary server $radserver client-ip $radclient vr VR-Default

  cong radius netlogin primary shared-secret $radsecret  enable radius netlogin

  cong netlogin add mac-list 00:19:5B:D3:e8:DD

else

  create log entry NoNetlogin

endif

Timer Upload

This template is used for a periodic configuration upload.

Upload configuration <ipaddress> <fileName>

#***********************************************
# Last Updated: May 11, 2007
# Tested Devices: X450e EXOS 12.0
# Description: This profile configures the switch with an EAPs ring, creates specified
# vlans, configures network login and RADIUS.
#***********************************************
# @MetaDataStart
# @ScriptDescription "This is a template for configuring network parameters for edge Summit devices. The profile will configure the listed features: EAPs ring, Network login, 802.1x, vlans, and default routes."
# @VariableFieldLabel "IP Address to Upload to"
set var address xxx.xxx.xxx.xxx
# @VariableFieldLabel "File name"
set var filename configfile.txt
# @MetaDataEnd
##################################
# Start of Upload profile
##################################
Upload config $address $filename

Generic VoIP LLDP

#********************************
# Last Updated: March 20, 2007
# Tested Phones: Avaya 4610, 4620, 4625
# Requirements: LLDP capable devices
#********************************
# @META_DATA_START
# @FileDescription "This is a template for configuring network parameters for VoIP phones supporting LLDP but without 802.1x authentication. The module is triggered through the detection of an LLDP packet on the port. The following network side configuration is done: enable SNMP traps, QOS assignment, adjust POE reservation values based on device requirements, add the voiceVlan to the port as tagged."
# @Description "Voice VLAN name"
set var voicevlan voice
# @Description "Send trap when LLDP event happens (true or false)"
set var sendTraps false
# @Description "Set QoS Profile (true or false)"
set var setQuality false
# @META_DATA_END
#
if (!$match($EVENT.NAME,DEVICE-DETECT)) then
  create log entry Starting_LLDP_Generic_Module_Config
  # VoiceVLAN configuration
  configure vlan $voicevlan add port $EVENT.USER_PORT tagged
  #SNMP Trap
  if (!$match($sendTraps,true)) then
    create log entry Config_SNMP_Traps
    enable snmp traps lldp ports $EVENT.USER_PORT
    enable snmp traps lldp-med ports $EVENT.USER_PORT
  else
    disable snmp traps lldp ports $EVENT.USER_PORT
    disable snmp traps lldp-med ports $EVENT.USER_PORT
  endif
  #Link Layer Discovery Protocol-Media Endpoint Discovery
  create log entry Config_LLDP
  configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
  configure lldp port $EVENT.USER_PORT advertise vendor-specific dot1 vlan-name vlan $voicevlan
  configure lldp port $EVENT.USER_PORT advertise vendor-specific med policy application voice vlan $voicevlan dscp 46
  configure lldp port $EVENT.USER_PORT advertise vendor-specific med power-via-mdi
  #Configure POE settings per device requirements
  create log entry Config_POE
  configure inline-power operator-limit $EVENT.DEVICE_POWER ports $EVENT.USER_PORT
  #QoS Profile
  if (!$match($setQuality,true)) then
    create log entry Config_QOS
    configure port $EVENT.USER_PORT qosprofile qp7
  endif
endif
if (!$match($EVENT.NAME,DEVICE-UNDETECT) && $match($EVENT.DEVICE_IP,0.0.0.0)) then
  create log entry Starting_LLDP_Generic_UNAUTH_Module_Config
  if (!$match($sendTraps,true)) then
    create log entry UNConfig_SNMP_Traps
    disable snmp traps lldp ports $EVENT.USER_PORT
    disable snmp traps lldp-med ports $EVENT.USER_PORT
  endif
  create log entry UNConfig_LLDP
  unconfig lldp port $EVENT.USER_PORT
  if (!$match($setQuality,true)) then
    create log entry UNConfig_QOS
    unconfig qosprofile ports $EVENT.USER_PORT
  endif
  unconfig inline-power operator-limit ports $EVENT.USER_PORT
endif
if (!$match($EVENT.NAME,DEVICE-UNDETECT) && !$match($EVENT.DEVICE_IP,0.0.0.0)) then
  create log entry DoNothing_0.0.0.0
  create log entry $EVENT.TIME
endif
create log entry End_LLDP_Generic_Module_Config


Generic VoIP 802.1x

#***********************************************
# Last Updated: April 6, 2007
# Tested Phones: Avaya 4610, 4620, 4625
# Requirements: 802.1x capable devices, netlogin configured and enabled on deployment ports
#***********************************************
# @META_DATA_START
# @FileDescription "This is a template for configuring network parameters for 802.1x authenticated devices. The module is triggered through successful authentication of the device. The following network side configuration is done: QOS assignment and enables DOS protection. When used with IP phones, phone provisioning is done through DHCP options."
# @Description "VLAN name to add to port"
set var vlan1 voice
# @Description "Set QoS Profile (yes or no)"
set var setQuality yes
# @Description "QoS Profile (0-100)"
set var lowbw 50
# @Description "QoS MAX Bandwidth (0-100)"
set var highbw 100
# @Description "Enable Denial of Service Protection (yes or no)"
set var dosprotection yes
# @META_DATA_END
##################################
# Start of USER-AUTHENTICATE block
##################################
if (!$match($EVENT.NAME,USER-AUTHENTICATED)) then
  ############
  #QoS Profile
  ############
  # Adds a QOS profile to the port
  if (!$match($setQuality,yes)) then
    create log entry Config_QOS
    configure port $EVENT.USER_PORT qosprofile qp7
    configure qosprofile qp7 minbw $lowbw maxbw $highbw ports $EVENT.USER_PORT
  endif
  #
  ########################
  #Security Configurations
  ########################
  create log entry Applying_Security_Limits
  # enables Denial of Service Protection for the port
  if (!$match($dosprotection,yes)) then
    enable dos-protect
    create log entry DOS_enabled
  endif
  #
endif
################################
# End of USER-AUTHENTICATE block


Avaya VoIP 802.1x

#********************************
# Last Updated: March 20, 2007
# Tested Phones: SW4610, SW4620
# Requirements: 802.1x authentication server, VSA 203 and VSA 212 from authentication server.
# QP7 defined on the switch
#********************************
# @META_DATA_START
# @FileDescription "This is a template for configuring LLDP capable Avaya phones using the authentication trigger. This module will provision the phone with the following parameters: call server, file server, dot1q, dscp, power. Additionally the following network side configuration is done: enable SNMP traps and QOS assignment."
# @Description "Avaya phone call server IP address"
set var callserver 192.45.95.100
# @Description "Avaya phone file server IP address"
set var fileserver 192.45.10.250
# @Description "Send trap when LLDP event happens (true or false)"
set var sendTraps true
# @Description "Set QoS Profile (true or false)"
set var setQuality true
# @META_DATA_END
#
if (!$match($EVENT.NAME,USER-AUTHENTICATED)) then
  create log entry Starting_Avaya_VOIP_802.1x_AUTH_Module_Config
  if (!$match($sendTraps,true)) then
    enable snmp traps lldp ports $EVENT.USER_PORT
    enable snmp traps lldp-med ports $EVENT.USER_PORT
  else
    disable snmp traps lldp ports $EVENT.USER_PORT
    disable snmp traps lldp-med ports $EVENT.USER_PORT
  endif
  enable lldp port $EVENT.USER_PORT
  configure lldp port $EVENT.USER_PORT advertise vendor-specific dot1 vlan-name
  configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callserver
  configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileserver
  configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tag
  if (!$match($setQuality,true)) then
    configure port $EVENT.USER_PORT qosprofile qp7
  endif
endif
#
if (!$match($EVENT.NAME,USER-UNAUTHENTICATED)) then
  create log entry Starting_Avaya_VOIP_802.1x_UNAUTH_Module_Config
  if (!$match($sendTraps,true)) then
    enable snmp traps lldp ports $EVENT.USER_PORT
    enable snmp traps lldp-med ports $EVENT.USER_PORT
  else
    disable snmp traps lldp ports $EVENT.USER_PORT
    disable snmp traps lldp-med ports $EVENT.USER_PORT
  endif
  disable lldp port $EVENT.USER_PORT
  if (!$match($setQuality,true)) then
    unconfig qosprofile ports $EVENT.USER_PORT
  endif
endif
create log entry End_Avaya_VOIP_802.1x_Module_Config


Dynamic Security Policy

if (!$match($CLI_EVENT,USER-AUTHENTICATED) ) then
  create access-list $(DEVICE_MAC)_192_168_1_0 "ethernet-source-address $DEVICE_MAC ; destination-address 192.168.1.0/24" "permit"
  create access-list $(DEVICE_MAC)_192_168_2_0 "ethernet-source-address $DEVICE_MAC ; destination-address 192.168.2.0/24" "permit"
  create access-list $(DEVICE_MAC)_192_168_3_0 "ethernet-source-address $DEVICE_MAC ; destination-address 192.168.3.0/24" "permit"
  create access-list $(DEVICE_MAC)_smtp "ethernet-source-address $DEVICE_MAC ; destination-address 192.168.100.125/32 ; protocol tcp ; destination-port 25" "permit"
  create access-list $(DEVICE_MAC)_http "ethernet-source-address $DEVICE_MAC ; protocol tcp ; destination-port 80" "permit"
  create access-list $(DEVICE_MAC)_https "ethernet-source-address $DEVICE_MAC ; protocol tcp ; destination-port 443" "permit"
  create access-list $(DEVICE_MAC)_dhcp "protocol udp ; destination-port 67" "permit"
  create access-list $(DEVICE_MAC)_deny "destination-address 0.0.0.0/0" "deny"
  configure access-list add $(DEVICE_MAC)_192_168_1_0 first port $USER_PORT
  configure access-list add $(DEVICE_MAC)_192_168_2_0 first port $USER_PORT
  configure access-list add $(DEVICE_MAC)_192_168_3_0 first port $USER_PORT
  configure access-list add $(DEVICE_MAC)_smtp first port $USER_PORT
  configure access-list add $(DEVICE_MAC)_http last port $USER_PORT
  configure access-list add $(DEVICE_MAC)_https last port $USER_PORT
  configure access-list add $(DEVICE_MAC)_dhcp first port $USER_PORT
  configure access-list add $(DEVICE_MAC)_deny last port $USER_PORT
endif
if (!$match($CLI_EVENT,USER-UNAUTHENTICATED) ) then
  # Clean up
  configure access-list delete $(DEVICE_MAC)_192_168_1_0 ports $USER_PORT
  configure access-list delete $(DEVICE_MAC)_192_168_2_0 ports $USER_PORT
  configure access-list delete $(DEVICE_MAC)_192_168_3_0 ports $USER_PORT
  configure access-list delete $(DEVICE_MAC)_smtp ports $USER_PORT
  configure access-list delete $(DEVICE_MAC)_http ports $USER_PORT
  configure access-list delete $(DEVICE_MAC)_https ports $USER_PORT
  configure access-list delete $(DEVICE_MAC)_dhcp ports $USER_PORT
  configure access-list delete $(DEVICE_MAC)_deny ports $USER_PORT
  delete access-list $(DEVICE_MAC)_192_168_1_0
  delete access-list $(DEVICE_MAC)_192_168_2_0
  delete access-list $(DEVICE_MAC)_192_168_3_0
  delete access-list $(DEVICE_MAC)_smtp
  delete access-list $(DEVICE_MAC)_http
  delete access-list $(DEVICE_MAC)_https
  delete access-list $(DEVICE_MAC)_dhcp
  delete access-list $(DEVICE_MAC)_deny
endif
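The order in which the profile above adds its rules (some "first", some "last") decides what the port actually enforces, so it is worth checking the resulting list before deploying the policy. The Python script below is an added example, not code from the Extreme Networks guide; it assumes ExtremeXOS evaluates a port's dynamic ACL list top-down with the first match winning, that "first" inserts at the head of that list and "last" appends, and it uses a constructed placeholder for $DEVICE_MAC.

```python
# Added example (not code from the Extreme Networks guide): reproduce the
# effective order of the per-MAC dynamic ACLs installed by the Dynamic
# Security Policy profile and evaluate sample packets against it.
# Assumes first-match evaluation of a port's dynamic ACL list, with "first"
# inserting at the head and "last" appending.
import ipaddress

DEVICE_MAC = "00:11:22:33:44:55"  # constructed stand-in for $DEVICE_MAC

# (name, criteria, action, position) in the order the profile adds them; the
# "smac" key stands for the rules' "ethernet-source-address $DEVICE_MAC".
PROFILE_RULES = [
    ("192_168_1_0", {"smac": DEVICE_MAC, "dst": "192.168.1.0/24"}, "permit", "first"),
    ("192_168_2_0", {"smac": DEVICE_MAC, "dst": "192.168.2.0/24"}, "permit", "first"),
    ("192_168_3_0", {"smac": DEVICE_MAC, "dst": "192.168.3.0/24"}, "permit", "first"),
    ("smtp", {"smac": DEVICE_MAC, "dst": "192.168.100.125/32", "proto": "tcp", "dport": 25}, "permit", "first"),
    ("http", {"smac": DEVICE_MAC, "proto": "tcp", "dport": 80}, "permit", "last"),
    ("https", {"smac": DEVICE_MAC, "proto": "tcp", "dport": 443}, "permit", "last"),
    ("dhcp", {"proto": "udp", "dport": 67}, "permit", "first"),
    ("deny", {"dst": "0.0.0.0/0"}, "deny", "last"),
]

def install_order(rules):
    """Rule names in the order the port evaluates them once all adds ran."""
    order = []
    for name, _, _, position in rules:
        if position == "first":
            order.insert(0, name)
        elif position == "last":
            order.append(name)
        else:
            raise ValueError("unsupported position: %r" % position)
    return order

def matches(criteria, pkt):
    """True when every criterion of the rule matches the packet fields."""
    if "smac" in criteria and pkt.get("smac", "").lower() != criteria["smac"]:
        return False
    if "dst" in criteria and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(criteria["dst"]):
        return False
    if "proto" in criteria and pkt.get("proto") != criteria["proto"]:
        return False
    return "dport" not in criteria or pkt.get("dport") == criteria["dport"]

def evaluate(rules, pkt):
    """(rule name, action) of the first matching rule; (None, None) if none."""
    by_name = {name: (crit, action) for name, crit, action, _ in rules}
    for name in install_order(rules):
        crit, action = by_name[name]
        if matches(crit, pkt):
            return name, action
    return None, None  # unreachable here: the deny rule matches every dst

if __name__ == "__main__":
    for pkt in [  # constructed sample packets seen on the authenticated port
        {"smac": DEVICE_MAC, "dst": "203.0.113.5", "proto": "tcp", "dport": 80},
        {"smac": DEVICE_MAC, "dst": "192.168.50.9", "proto": "tcp", "dport": 22},
        {"smac": "00:aa:bb:cc:dd:ee", "dst": "192.168.1.5", "proto": "tcp", "dport": 443},
    ]:
        print(pkt, "->", evaluate(PROFILE_RULES, pkt))
```

Running it shows two properties of this policy worth knowing before reuse: the http and https rules carry no destination restriction, so web traffic from the authenticated MAC is permitted to any address, and frames from any other MAC on the same port match only the dhcp and deny rules.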


Video Camera

This template adds an ACL to an edge port when a video camera connects. The profile configures and applies an ACL onto a switch port when a user authenticates. This ACL blocks a particular IP address from accessing the video camera and assigns the user to QoS profile 7.

#***********************************************
# Last Updated: March 9, 2007
# Tested Devices: Dlink DCS 1110
# Requirements: 802.1x capable devices, netlogin configured and enabled on deployment ports
#***********************************************
# @MetaDataStart
# @ScriptDescription "This is a template for configuring the switch for the right environment for this webcam. It creates a dynamic access-list to restrict access"
# @Description "VLAN name to add to port"
# set var vlan1 voiceavaya
# @VariableFieldLabel "Set QoS Profile (yes or no)"
# set var setQuality yes
# @Description "QoS Profile (0-100)"
# set var lowbw 50
# @VariableFieldLabel "QoS MAX Bandwidth (0-100)"
# set var highbw 100
# @MetaDataEnd
##################################
# Start of USER-AUTHENTICATE block
##################################
if (!$match($EVENT.NAME,USER-AUTHENTICATED)) then
  ############
  #QoS Profile
  ############
  # Adds a QOS profile to the port
  # if (!$match($setQuality,yes)) then
  #   create log entry Config_QOS
  #   configure port $EVENT.USER_PORT qosprofile qp7
  #   configure qosprofile qp7 minbw $lowbw maxbw $highbw ports $EVENT.USER_PORT
  # endif
  #
  ############
  #ACL Section
  ############
  # Adds an ACL to stop traffic to a particular address
  create log entry Config_ACL
  create access-list webcamblock "destination-address 192.168.10.220/32" "deny"
  configure access-list add webcamblock first port $EVENT.USER_PORT
  #endif
  #
endif
################################
# End of USER-AUTHENTICATE block
################################
#
#


####################################
# Start of USER-UNAUTHENTICATE block
####################################
if (!$match($EVENT.NAME,USER-UNAUTHENTICATED)) then
  # create log entry Starting_8021x_Generic_UNAUTH_Module_Config
  # if (!$match($setQuality,yes)) then
  #   create log entry UNConfig_QOS
  #   unconfig qosprofile ports $EVENT.USER_PORT
  # endif
  # unconfigure inline-power operator-limit ports $EVENT.USER_PORT
  #### remove acl
  configure access-list delete webcamblock port $EVENT.USER_PORT
  delete access-list webcamblock
endif
##################################
# End of USER-UNAUTHENTICATE block
##################################
create log entry End_802_1x_Generic_Module_Config

