8/21/2019 EXOS Universal Port 1371
http://slidepdf.com/reader/full/exos-universal-port-1371 1/59
Extreme Networks Configuration Guide
ExtremeXOS™
Universal PortConfiguration Guide
Extreme Networks Confidential and Proprietary © 2007 Extreme Networks, Inc. All rights reserved.
Table of Contents
1 Overview ... 2
  Profiles and Policies ... 2
    Static Profiles ... 2
    Dynamic Profiles ... 2
2 Profile Rules ... 4
3 Types of Dynamic Profiles ... 4
  Device Detection ... 4
    Link Layer Discovery Protocol (LLDP or 802.1AB) and LLDP-MED ... 5
    Sample information provided through LLDP about an IP phone ... 6
    How Device Detection Works ... 7
  User Authentication ... 7
    Network Login ... 8
      802.1x IEEE Standards-based Login ... 8
      Web-based Network Login ... 8
      MAC-based Network Login ... 9
    Authentication Process ... 9
    How User Profiles Work ... 10
  Time ... 11
  Trigger Events ... 12
4 Universal Port Commands and Variables ... 13
  Commands ... 13
    Command Modes ... 13
    Universal Port Command Summary ... 13
  Universal Port Variables ... 14
    Common Variables for all Profiles ... 14
    Variables for Device Detect Profiles ... 14
    Variables for User Authentication Profiles ... 14
5 Configuration Process ... 15
  Configuration for Device Detection ... 15
    Configuration Requirements ... 15
    Configuration Sequence ... 15
  Configuration for User Login ... 17
    Configuration Requirements ... 17
    Configuration Sequence ... 17
  Configuration for Time-of-day Profiles ... 21
    Configuration Requirements ... 21
    Configuration Sequence ... 21
6 Universal Port Manager ... 22
  Configuration ... 23
    Configuration Requirements ... 23
    Configuration Sequence ... 23
  Create New Profile ... 24
    Test the Profile ... 30
    Deploy the Profile ... 39
    Track Profile Status ... 45
    Redeploy a Profile ... 47
    To Import a Profile ... 48
  Customize an Existing Profile ... 49
7 Example Universal Port Profiles ... 50
  Static Profile ... 50
  Timer Upload ... 52
  Generic VoIP LLDP ... 52
  Generic VoIP 802.1x ... 54
  Avaya VoIP 802.1x ... 55
  Dynamic Security Policy ... 56
  Video Camera ... 57
1. Overview
The ExtremeXOS™ Universal Port framework enables the
switch to take actions based on events. Leveraging the
ExtremeXOS CLI scripting capability, Universal Port
activates profiles that are created and managed either
manually via the ExtremeXOS CLI or through the
EPICenter® Universal Port Manager.
Universal Port is primarily used for simplifying edge
configuration but can be used for other tasks such as
automating conflict resolution.
The Universal Port framework is embedded in all
Extreme Networks switches that run on the ExtremeXOS
operating system with an Edge License or higher.
The EPICenter Universal Port Manager is a simple-to-use
GUI that supports editing and debugging, mass deployments
and updates, and can also run audits on Universal Port
profiles and modules in the network.
Profiles and Policies
Universal Port has two types of profiles: Static and Dynamic.
Profiles must not be confused with policies. Policies are
special cases for a profile. A policy usually implies a security
rule that takes action on traffic flows. A profile is a variable
command set that can take action based on different types
of events. For example, a profile can automatically provision
a VoIP phone and the attached switch port with appropriate
power and Quality of Service (QoS) settings.
Static Profiles
Static profiles are port profiles that include port settings, including Access Control Lists (ACLs), rate limiting, rate shaping, QoS, VLAN, interface speed, Power over Ethernet (PoE) budget, etc.
Static profiles are not limited to individual ports but can include system wide configuration changes.
Static profiles are default settings, and are NOT event driven. Static profiles are assigned to a port and are not specific to a device or a user. Static profiles are default settings or baselines for ports, leveraging ExtremeXOS scripting.
Before ExtremeXOS introduced scripting capabilities, when an administrator needed to make a network change, the administrator had two choices.
1. Open up a Telnet or console session, then issue the commands directly into the CLI ad-hoc.
2. Use a template and modify the template with required changes, then paste the commands into a Telnet or Console session.
By using profiles, other options are available. Static profiles provide the ability to create common templates and deploy these templates on demand. Because the configuration changes made from static profiles are saved in the configuration file, changes are permanent and remain after a reboot. This is sometimes also referred to as CLI Persistent Mode.
Dynamic Profiles
Dynamic profiles are special scripts that incorporate runtime variables that provide information about trigger events. Because dynamic profiles are event or action driven and do not require administrator invocation, network changes can be automated.
Universal Port currently supports the following trigger events:
• Device discovery
• User or standards-based authentication
• Time of Day
Dynamic profiles can be activated automatically based on what is connecting to the network or who is logging onto the network. The flexibility of Universal Port saves configuration time while protecting the network from configuration errors.
Before the advent of Universal Port, when devices were
added, moved, or changed, IT personnel had to be available
to place equipment and then configure both the network
port and the new device. These tedious tasks typically took
a long time, did not support mobility and were prone to
human error.
Configuration changes are applied to or removed from a
port based on profiles activated or deactivated by a trigger.
When a trigger event occurs, a profile associated with the
trigger is executed.
Triggers respond to events such as device detection using
LLDP, user authentication onto the network via network
login, or a timer event. Data from these events can be used
to select specific profiles and even make decision points
within profiles. A typical example is the use of a RADIUS
server to specify a particular profile and then applying
port-based policies to that user based on location.
Information passed to Dynamic Profiles can be saved in
variables. When a setting is activated, to roll back to the
previous default setting, some information must be saved,
such as the default VLAN setting or the default setting on a
port. Essentially anything modified from the previous
setting can be preserved for future use.
Dynamic Profiles are temporary states. When a device appears at an edge port, a triggering event occurs that applies a profile to the port and configures appropriately. Examples of configuration parameters include VLAN, QoS, ACL, PoE and IP Security. When the device is no longer connected, another triggering event occurs to reverse the configuration parameters applied.
There is no need to save the configuration change caused by the Dynamic Profile in the switch configuration; after a reboot the device is detected and the Dynamic Profile triggered again.
This temporary state is critical. Imagine a situation where the profile for Dynamic Security policies was used. If the information granting access to specific resources in the network were saved in the configuration, and a reboot performed with the user losing network connectivity, that particular security policy would be set in stone and anybody else coming onto the network would have access to these network resources simply by plugging into that port.
Dynamic Profiles are triggered and applied based on an event. Another event such as the disappearance of a device, somebody logging out, or a reboot clears the state.
2. Profile Rules
Both static and dynamic Universal Port profiles have the following restrictions:
1. Profiles cannot exceed 5000 characters.
2. Only 128 Universal Port profiles are allowed per switch.
3. Profiles are stored as part of the switch configuration file.
4. Typing and cutting-and-pasting are the only methods to transfer profile data using the CLI.
5. Unless explicitly stated with the command configure cli mode persistent, configurations set by Universal Port profiles are non-persistent and cannot be saved to the switch configuration file.
Note: Setting configuration changes invoked by a profile to be non-persistent allows for rollback changes. Rollback changes enable ports to return to initial states in the case of a reboot or power cycle.
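The following Python model is an added example and is not ExtremeXOS code; it simulates the rollback behaviour described for Dynamic Profiles and in rule 5 above, contrasting the default non-persistent mode with a persistent one. The port names, VLAN names, the ACL name "allow-eng-servers" and the Switch/PortConfig classes are constructed for the illustration.

```python
"""Added example (not ExtremeXOS code): a small model of what "non-persistent"
means for a dynamic profile, and why the guide insists on it.

A dynamic profile changes the running port settings when a trigger fires; the
pre-trigger settings are kept in RAM so a later trigger (device gone, logout)
or a reboot can roll them back. If the same changes were written into the
saved switch configuration, a reboot would re-create them on an empty port.
"""
import copy
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PortConfig:
    """The subset of port state a profile in this guide typically touches."""
    vlan: str = "Default"
    qosprofile: str = "QP1"
    acl: Optional[str] = None       # name of a dynamic ACL granting access
    poe_limit_w: float = 0.0


class Switch:
    def __init__(self, ports, persistent_mode: bool = False):
        # constructed baseline: every port starts in the default VLAN
        self.saved: Dict[str, PortConfig] = {p: PortConfig() for p in ports}
        self.running: Dict[str, PortConfig] = copy.deepcopy(self.saved)
        self.rollback: Dict[str, PortConfig] = {}   # RAM only, never saved
        self.persistent_mode = persistent_mode      # models "cli mode persistent"

    def trigger_apply(self, port: str, **settings) -> None:
        """Activation trigger: remember the pre-trigger state, then apply."""
        self.rollback.setdefault(port, copy.deepcopy(self.running[port]))
        self.running[port] = PortConfig(**settings)
        if self.persistent_mode:
            # the profile's changes land in the saved configuration too
            self.saved[port] = copy.deepcopy(self.running[port])

    def trigger_undo(self, port: str) -> None:
        """Deactivation trigger (device unplugged, user logged out)."""
        if port in self.rollback:
            self.running[port] = self.rollback.pop(port)

    def reboot(self) -> None:
        """Running state is rebuilt from the saved configuration only."""
        self.running = copy.deepcopy(self.saved)
        self.rollback.clear()


def after_reboot(persistent_mode: bool) -> PortConfig:
    """Scenario from the guide: a user's security policy is applied to port
    1:1, the switch reboots while the user is away (so no deactivation
    trigger ever ran), and a different device is then plugged into the same
    port. Returns what that port looks like at that moment."""
    sw = Switch(["1:1", "1:2"], persistent_mode=persistent_mode)
    sw.trigger_apply("1:1", vlan="engineering", qosprofile="QP5",
                     acl="allow-eng-servers", poe_limit_w=0.0)
    sw.reboot()
    return sw.running["1:1"]


def after_logout() -> PortConfig:
    """Normal lifecycle: activation, then the deactivation trigger rolls back."""
    sw = Switch(["1:1"])
    sw.trigger_apply("1:1", vlan="engineering", qosprofile="QP5",
                     acl="allow-eng-servers", poe_limit_w=0.0)
    sw.trigger_undo("1:1")
    return sw.running["1:1"]


if __name__ == "__main__":
    print("non-persistent, after reboot:", after_reboot(False))
    print("persistent, after reboot:   ", after_reboot(True))
    print("after logout:               ", after_logout())
```

In the non-persistent case the port comes back from the reboot in its baseline state and the access-granting ACL is gone; in the persistent case the ACL survives the reboot on a port that now has nobody authenticated on it, which is exactly the "set in stone" condition the guide warns about.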
3. Types of Dynamic Profiles
Dynamic profiles are applied to or removed from a port based on an activation or deactivation trigger. When a trigger event occurs, a profile script associated with the trigger is executed. The following events are trigger events:
• Device Detection based on discovery protocols such as IEEE 802.1ab LLDP and ANSI/TIA-1057 LLDP-MED for Voice-over-IP (VoIP) phone extensions
• User-based Login defined by standards-based authentication such as a Network Login framework with 802.1x support, web-based login or MAC-based Network Login
• Timer events
A user can assign Dynamic Profiles to a trigger event via the ExtremeXOS CLI or the EPICenter® Universal Port Manager. Dynamic Profile supported commands include VLAN port assignments, QoS settings, rate limiting capabilities of the port, PoE budget and dynamic ACLs. These parameters are not saved in the switch configuration.
When using dynamic user-based security policies, implementation details are stored directly in the switch. There is no dependency on anything in the critical path. After a RADIUS server is configured and running, the RADIUS server specifies the policy to be applied as part of the authentication response packet via a RADIUS Vendor Specific Attribute (VSA). The switch takes this information and executes the correct Dynamic Profile.
Note: The RADIUS server can be in proxy mode with information stored in a central directory service such as LDAP or Active Directory.
Note: There is no profile hierarchy, which means users must verify there are no conflicting rules in static and dynamic profiles. This is a normal requirement for ACLs, and is standard when using policy files or dynamic ACLs.
To test a profile or execute a profile, use the following run upm profile command:
run upm profile <profile-name> {event <event-name>} {variables <variable-string>}
Example:
run upm profile afterhours
If the variables keyword is not present but an event variable is specified in the profile, the ExtremeXOS operating system prompts for environmental variables appropriate to the event, including the VSA string for user authentication.
Note: Variables are not validated for correct syntax.
To view profile history, use the show upm history command.
show upm history <………………>
Example:
show upm history
Device Detection
A variety of different devices can be connected to a port. When
devices connect to the network, the Universal Port helps
provide the right configuration at the port.
Devices are detected and undetected as trigger events. Link
Layer Discovery Protocol (IEEE 802.1AB, LLDP) is one of the
predominant methods that use this trigger.
Link Layer Discovery Protocol (LLDP or 802.1AB) and LLDP-MED
Link Layer Discovery Protocol (LLDP or 802.1AB) is an IEEE standard that allows devices to exchange information about themselves with connected devices.
Similar to Extreme Networks Discovery Protocol (EDP) or Cisco Discovery Protocol (CDP), LLDP defines a standard method for Ethernet network devices such as switches, routers, wireless LAN APs, IP phones, and any other network attached device to advertise information about themselves. Information about the device such as device configuration, capabilities, identification and software version can be advertised. This information is passed along using Type Length Value (TLV) fields within LLDP advertisements.
LLDP defines a set of common advertisement messages, a protocol for transmitting the advertisements and a method for storing the information contained in received advertisements. LLDP is an extensible standard, providing a framework for industry consortiums to define application specific extensions without causing compatibility issues. The ANSI/TIA-1057 LLDP-Media Endpoint Discovery (LLDP-MED) standard defines extensions specifically for VoIP.
The switch can advertise VLAN information and Quality of Service 802.1p marking service to the phone, and it can also advertise where the phone is actually connected to the wall jack. That location is called the E911 Emergency Call Service location, which represents a physical location using IETF standard formats, NOT just port information. The E911 emergency call service location can be configured on the switch port and used later to advertise the call location in case of an emergency call. Should a phone be moved, the phone's E911 Emergency Call Service location is automatically updated from the phone's new port.
The lack of location identification information has at times hindered the adoption of VoIP. LLDP-MED solves this problem and it is expected to become mandatory in all VoIP deployments.
The following LLDP-MED extensions provide VoIP-specific information as well as allow transmission of configuration and location information to VoIP phones.
• Network Policy (which VLAN tag, .1p, DSCP, for the phone to use)
• ECS Location ID (for E911 – coordinates or street/building/floor address); compliant with NENA and TIA-TSB-146 directions, the switch advertises configurable physical location information to the phone
• Extended Power-via-MDI (finer grain PoE budget requirement, in Watts)
• Inventory information such as firmware version, serial number, etc.
Note: Avaya and Extreme Networks have developed a series of extensions for submission to the standards consortium for inclusion in a later version of the LLDP-MED standard.
• Avaya Power conservation mode
• Avaya file server
• Avaya call server
There can only be one profile for the device-detect event trigger per port. This is important because there is no capability or external entity such as a RADIUS server that distinguishes the connecting device as part of the event trigger. Instead, the switch receives this information as part of the event data itself. Because individual ports can only have one device-detect profile, if-then-else statements in profiles along with detailed information provided through LLDP can be used to distinguish between connecting devices.
For example, Voice-over-IP (VoIP) phones can send and receive information in addition to normal device identification information. The information sent through LLDP can be used to identify the maximum power draw of the device. The switch can then set the maximum allocated power for that port. If the switch does not have enough PoE left, the switch can advise certain handsets to switch to a lower power mode and try again. The switch can also transmit additional VoIP files and call server configuration information to the phone so the phone can register itself and receive necessary software and configuration information.
Sample information provided through LLDP about an IP phone
LLDP Port 1 detected 1 neighbor
Neighbor: (5.1)192.168.10.168/00:04:0D:E9:AF:6B, age 7 seconds
- Chassis ID type: Network address (5); Address type: IPv4 (1)
Chassis ID : 192.168.10.168
- Port ID type: MAC address (3)
Port ID : 00:04:0D:E9:AF:6B
- Time To Live: 120 seconds - System Name: “AVAE9AF6B”
- System Capabilities : “Bridge, Telephone”
Enabled Capabilities: “Bridge, Telephone”
- Management Address Subtype: IPv4 (1)
Management Address : 192.168.10.168
Interface Number Subtype : System Port Number (3)
Interface Number : 1
Object ID String : “1.3.6.1.4.1.6889.1.69.1.13”
- IEEE802.3 MAC/PHY Configuration/Status
Auto-negotiation : Supported, Enabled (0x03)
Operational MAU Type : 100BaseTXFD (16)
- MED Capabilities: “MED Capabilities, Network Policy, Inventory”
MED Device Type : Endpoint Class III (3)
- MED Network Policy
Application Type : Voice (1)
Policy Flags : Known Policy, Tagged (0x1)
VLAN ID : 0
L2 Priority : 6
DSCP Value : 46
- MED Hardware Revision: “4625D01A”
- MED Firmware Revision: “b25d01a2_7.bin”
- MED Software Revision: “a25d01a2_7.bin”
- MED Serial Number: “061622014487”
- MED Manufacturer Name: “Avaya”
- MED Model Name: “4625”
- Avaya/Extreme Conservation Level Support
Current Conservation Level: 0
Typical Power Value : 7.4 Watts
Maximum Power Value : 9.8 Watts
Conservation Power Level : 1=7.4W
- Avaya/Extreme Call Server(s): 192.168.10.204
- Avaya/Extreme IP Phone Address: 192.168.10.168 255.255.255.0
Default Gateway Address : 192.168.10.254
- Avaya/Extreme CNA Server: 0.0.0.0
- Avaya/Extreme File Server(s): 192.168.10.194
- Avaya/Extreme IEEE 802.1q Framing: Tagged
Note: Because LLDP is tightly integrated with IEEE 802.1x authentication at edge ports, when used together, LLDP information from authenticated end point devices is trustable for automated configuration purposes. This tight integration between 802.1x and LLDP protects the network from automation attacks.
How Device Detection Works
Figure 1 illustrates how dynamic profiles work with device detection. There are two aspects shown in the illustration. Preparation is on the left and typically is only used occasionally, when rolling out a new network or updating profiles. The right side shows ongoing operations.
Preparation
The administrator pushes out the device profile to the network; it will be stored on the switch and enabled for specific ports. A profile can be either downloaded from an Extreme Networks website, received from another Extreme Networks user or partner, written by Extreme Networks professional services, or written by the end user. A dynamic device profile can also be a customization of an existing profile, e.g., Universal Port Handset Provisioning Module.
Profiles can be written using any editor; they can be cut-and-pasted or typed into the CLI or they can be created using a sophisticated GUI such as the EPICenter Universal Port Manager. The Universal Port Manager provides several types of templates that can be stored and customized. Dynamic device profiles can be pushed out onto the network to entire lists of ports for massive deployments. When it is time to update or enhance these profiles, the Universal Port Manager can be used to refresh the same set of ports quickly.
Operation
During runtime, an end user can walk up and plug in a VoIP phone. Once the phone is plugged in, the user enters a personal username and password, which was provided with the phone. The phone starts 802.1x authentication supported by the latest firmware releases from vendors such as Avaya and Mitel.
This authentication step protects the network from spoofing attacks that can occur if authentication is not performed before advertising who is there. This method is much more secure than unauthenticated discovery. Extreme Networks recommends using 802.1x-authenticated LLDP; however, because the Universal Port framework is very flexible and the profiles can be customized, unauthenticated LLDP can be used as well, for example, as part of testing and debugging.
After a successful authentication event, the switch enables LLDP and starts interpreting the information sent by the phone. The phone specifically advertises its PoE budget needs, its serial number that can be used for inventory purposes, and detailed model information. This information allows the switch to configure the edge port automatically and appropriately. The switch can now allocate the PoE budget, move the port into the voice VLAN, and configure QoS for voice on the port.
In the last step, the switch also begins advertising information to the phone. With this additional information, the phone goes through a boot-strap mechanism to tag traffic for QoS as well as VLAN, and to find the call server to download additional configuration information. The phone now has its physical location based on the E911 emergency location information advertised by the switch.
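The Python below is an added example, not code from this guide or from ExtremeXOS. It parses the kind of LLDP neighbor output shown in the "Sample information provided through LLDP about an IP phone" listing (an abridged copy of that listing is embedded as input) and derives the port actions the Operation steps describe: nothing is acted on until the port has passed 802.1x, then PoE is allocated from the handset's advertised maximum, falling back to the Avaya/Extreme conservation level when the remaining budget is short, and finally the voice VLAN, 802.1p priority and DSCP follow from the MED Network Policy. The voice VLAN name "voice", the poe_available_w budget argument, and the plain-dict result (instead of real switch commands) are assumptions made for the illustration.

```python
"""Added example (not ExtremeXOS code): parse an LLDP neighbor listing and
plan the edge-port configuration, gated on 802.1x authentication."""
import re
from typing import Dict, Optional

# Abridged copy of the guide's sample LLDP output for an Avaya 4625 handset.
SAMPLE_LLDP = """\
LLDP Port 1 detected 1 neighbor
Neighbor: (5.1)192.168.10.168/00:04:0D:E9:AF:6B, age 7 seconds
- Chassis ID type: Network address (5); Address type: IPv4 (1)
Chassis ID : 192.168.10.168
- Port ID type: MAC address (3)
Port ID : 00:04:0D:E9:AF:6B
- Time To Live: 120 seconds - System Name: “AVAE9AF6B”
- System Capabilities : “Bridge, Telephone”
- MED Capabilities: “MED Capabilities, Network Policy, Inventory”
MED Device Type : Endpoint Class III (3)
- MED Network Policy
Application Type : Voice (1)
Policy Flags : Known Policy, Tagged (0x1)
VLAN ID : 0
L2 Priority : 6
DSCP Value : 46
- MED Serial Number: “061622014487”
- MED Manufacturer Name: “Avaya”
- MED Model Name: “4625”
- Avaya/Extreme Conservation Level Support
Current Conservation Level: 0
Typical Power Value : 7.4 Watts
Maximum Power Value : 9.8 Watts
Conservation Power Level : 1=7.4W
"""

# "optional dash, key, first colon, value"; lines without a colon are skipped
FIELD_RE = re.compile(r"^\s*-?\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_lldp_neighbor(text: str) -> Dict[str, str]:
    """Flatten 'Key : value' lines into a dict, dropping the quote marks."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip('“”"')
    return fields


def parse_watts(value: Optional[str]) -> Optional[float]:
    """'9.8 Watts' -> 9.8, '1=7.4W' -> 7.4, missing field -> None."""
    m = re.search(r"(\d+(?:\.\d+)?)\s*W", value or "")
    return float(m.group(1)) if m else None


def plan_port_config(fields: Dict[str, str], *, port_authenticated: bool,
                     poe_available_w: float, voice_vlan: str = "voice") -> Dict:
    """Decide what to do with the port, in the guide's order: trust nothing
    from LLDP before 802.1x passes; allocate PoE (or advise the conservation
    level); then set VLAN and QoS from the advertised network policy."""
    if not port_authenticated:
        return {"action": "ignore", "reason": "port not 802.1x authenticated"}
    if "Telephone" not in fields.get("System Capabilities", ""):
        return {"action": "ignore", "reason": "neighbor is not a telephone"}

    max_w = parse_watts(fields.get("Maximum Power Value"))
    conserve_w = parse_watts(fields.get("Conservation Power Level"))
    if max_w is not None and max_w <= poe_available_w:
        poe_limit, conserve = max_w, False
    elif conserve_w is not None and conserve_w <= poe_available_w:
        poe_limit, conserve = conserve_w, True   # ask handset for lower power mode
    else:
        return {"action": "reject", "reason": "insufficient PoE budget"}

    return {
        "action": "configure",
        "vlan": voice_vlan,
        "tagged": "Tagged" in fields.get("Policy Flags", ""),
        "dot1p": int(fields.get("L2 Priority", "0")),
        "dscp": int(fields.get("DSCP Value", "0")),
        "poe_limit_w": poe_limit,
        "advise_conservation": conserve,
        "inventory": {"model": fields.get("MED Model Name"),
                      "serial": fields.get("MED Serial Number")},
    }


if __name__ == "__main__":
    phone = parse_lldp_neighbor(SAMPLE_LLDP)
    for auth, budget in [(False, 15.4), (True, 15.4), (True, 8.0), (True, 5.0)]:
        print(auth, budget, plan_port_config(phone, port_authenticated=auth,
                                            poe_available_w=budget))
```

The authentication gate is the point of the note under the sample listing: the same parser run over LLDP from an unauthenticated port would happily move a spoofed "telephone" into the voice VLAN, so the decision function refuses to act until the port state says 802.1x has passed.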
User Authentication
User authentication profiles are used for network access security.
Universal Port integrates with ExtremeXOS Network Login user authentication to support three authentication methods.
• 802.1x IEEE standards-based Network Login
• Web-based Network Login
• MAC-based Network Login
Multiple user profiles can be applied to a port or a group of ports. This means that a port can have one device profile and multiple user profiles.
User profiles can be assigned to a port or a port list easily using the EPICenter Universal Port Manager. User profiles can be mass deployed out onto the network and be assigned to every single port in the network if required.
By assigning user profiles to a port list, security policies can follow the user as he roams around a campus. For example, an engineer can walk from Building 1 to Building 5, plug his PC into the network and be authenticated. Based on that, he automatically receives certain access rights and ACLs.
Note: In most cases, User-based really means user group-based. Most Security IT managers define groups of users with the same access rights. This makes managing network privileges easy. In this case, a user group has one profile name sent to the switch during authentication.
Figure 1: Device Detection (diagram not reproduced; its labels are listed here)
Preparation (Administrator): Administrator configures VoIP policies (VoIP VLAN, Dot1p priority, etc.); Administrator pushes policies to switch.
Operation: After 802.1x authentication, phone sends LLDP message with model, PoE, serial number, etc.; Switch configures VLAN, Dot1p priority, ACLs and PoE on the port; Switch sends VLAN, Call Server, E911 location, QoS, etc. to the phone.
The implementation of the policy sits in the switch and can
differ based on the location and can be changed based on time.
With this mechanism, security policies can follow the user as
he roams around a campus. For example, an engineer can walk
from Building 1 to Building 5, plug his PC into the network and
authenticate. Based on that, he automatically receives certain
access rights. In most cases, user-based really means user
group-based. Most Security IT managers define groups of users
with the same access rights. This makes management of rights
easy. In our example, a user group would have the same profile name sent to the switch during authentication.
The entire concept of user-based security profiles is integrated
with device-based profiles. When a VoIP phone is connected to
the network, a PC or laptop can connect to the network
through a data port on that VoIP phone. This means the VoIP
phone and the PC must be identified individually and both
must be authenticated separately. This is known as true
Multiple Supplicant support.
Note: Some vendors use the term Multiple Supplicant
without allowing separate authentication. These vendors simply blackhole the traffic of the second
MAC address and do not let the second device pass
authentication. Even worse, other vendors take a
different approach and allow all traffic from any
additional device through after the first device has
been authenticated on a port, leaving the network
wide open.
In addition to separate authentication for the phone and the
user via the PC, ExtremeXOS switches also support multiple
VLAN assignment. Without multiple supplicant support combined with multiple VLAN assignment, a PC connected through the phone's data port ends up in the voice VLAN with weak security; the only other option is not to use the phone data port at all.
Note: MAC-based authentication can also be used to identify
devices. For example, an entire MAC address or some
bits of the MAC address can identify a device and
perform switch port auto-configuration similar to the
LLDP-based device detect event. The difference
between this approach and LLDP authentication is
that no information can be transmitted to that device.
When authenticating to the network, user-based login can be combined with a timer trigger. Combining user authentication with time triggers puts different user policies in place based on the time of day. Universal Port triggers are then used to modify the assignment and implementation of user-based security policies.
Network Login
Network Login is paramount when implementing dynamic
security policies. ExtremeXOS software supports three
different login methods integrated into the Universal Port:
• 802.1x IEEE standards-based Login
• Web-based Network Login
• MAC-based Network Login
Any of these three methods can be enabled individually or
combined to provide the smooth implementation of a
secured network.
802.1x IEEE Standards-based Login
The IEEE 802.1x protocol is an edge port authentication protocol that requires a special client (the supplicant) to be installed on the system accessing the network.
802.1x has been designed as a secure protocol that uses several different secure authentication techniques. ExtremeXOS software has been tested against most of these techniques, including MD5, PEAP, TLS and TTLS, and supports both password-based and certificate-based authentication. The most popular authentication method is probably Microsoft PEAP, using encrypted username/password credentials.
Web-based Network Login
Because not all devices use 802.1x, the ExtremeXOS operating system also supports web-based Network Login. Web-based login does NOT require any specific client-side software (which 802.1x does). Instead, web-based login uses standard built-in technologies on clients (DHCP and a web browser). Web-based login is an easy-to-deploy security mechanism for client devices.
After opening a web browser, a user enters a userID/
password pair for authentication. Extreme Networks
switches redirect traffic to the Network Login welcome
page. The login welcome page is configurable to allow a
custom greeting or guest login information for network
access via a dedicated guest VLAN. This type of login
allows machines that are not under the control of an IT
department to get network access.
Note: Web-based Network Login is an excellent way to deploy 802.1x client software and certificates in a secure fashion on a port without opening up the network. Instead of installing 802.1x client software before turning on Network Login, users can log into the network via the web-based login and be redirected to an IT server to receive instructions on downloading and installing an 802.1x client and any additional software. This process dramatically reduces the costs and complexity of a user authentication rollout in an IT network because installation can be offloaded to the end user.
Note: Beginning with ExtremeXOS Release 12.0, web-
based Network Login welcome and authentication
failure pages are completely user-configurable
including custom graphics and advanced features
such as Javascript code. ExtremeXOS Release 12.0
supports any web technology that a client browser
supports and does not require HTTP server-based
actions.
MAC-based Network Login
MAC-based Network Login can be used for devices that have no means of performing manual authentication or using certificates. Devices such as older VoIP phones, printers, IP cameras or wireless access points can be authenticated using a MAC address. This allows for authentication enforcement on all edge ports on the network.
This method provides more flexibility to the Universal Port network login infrastructure. With MAC-based Network Login, edge authentication can be turned on at every single port, no matter what connects to the network.
MAC-based Network Login can help protect ports that
connect devices such as printers or older generation VoIP
phones should someone walk up and unplug the device and
gain access to the network. While not fully secure because
of potential MAC spoofing, with MAC-based Network Login
it becomes more complicated for people to hack into the
network. In most cases this is sufficient when combined
with physical access restrictions.
Authentication Process
A common network authentication architecture has three components: a supplicant, an access device (switch or access point) and an authentication server (RADIUS). This architecture leverages decentralized access devices to provide scalable, but computationally expensive, encryption to multiple supplicants while centralizing access control on a few authentication servers. This latter feature makes authentication manageable in large installations. Figure 2 shows user authentication in a basic three-component architecture.
When Extensible Authentication Protocol (EAP) is run over a LAN, EAP packets are encapsulated in EAP over LAN (EAPOL) messages. (The format of EAPOL packets is defined in the 802.1x specification.) EAPOL communication occurs between the end-user station (supplicant) and the wireless access point (authenticator). The RADIUS protocol is used for communication between the authenticator and the RADIUS server.
The authentication process begins when the end user tries to connect to the LAN. The authenticator (Extreme Networks switch) receives the request and creates a virtual port with the supplicant. The authenticator acts as a proxy for the end user, passing authentication information to and from the authentication server on its behalf. Until authentication completes, the authenticator restricts the port to authentication traffic destined for the server. A negotiation takes place, which includes the following activities:
• Client sends an EAP-start message
• Access device sends an EAP-request identity message
• Client EAP-response packet with the client's identity is "proxied" to the authentication server by the authenticator
• Authentication server challenges the client to prove its identity and can send its own credentials to prove itself to the client (if using mutual authentication)
• Client checks the server's credentials (if using mutual authentication) and then sends its credentials to the server to prove its identity
• Authentication server accepts or rejects the client's request for connection
• If the end user is accepted, the authenticator changes the virtual port with the end user to an authorized state, allowing full network access to the end user
• At log-off, the client virtual port is changed back to the unauthorized state
Multiple Universal Port profiles can be created on a switch,
but only one Universal Port profile per event can be applied
per port. Different profiles on the same port apply to
different events; for example, different authentication
events for different devices or users.
When 802.1x is enabled on the switch port, the following sequence of events occurs when using an 802.1x and LLDP capable device:
1. When a device is plugged in, the switch edge port sends an EAPOL start packet which triggers the device to start the 802.1x authentication process.
2. In standard 802.1x terminology, the device is the supplicant, the switch is the authenticator, and Windows IAS or FreeRADIUS on Linux is the authentication server. An exchange of keys occurs and device credentials are checked.
Figure 2: User Authentication Process (VoIP Phone, Summit Switch, RADIUS server; the port state goes from Unauthorized to Authorized; messages: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Response/MD5 Challenge, EAP-Success/Vendor Attributes)
3. After the device has been authenticated, the RADIUS server tells the switch which Universal Port scripts to use and the VLAN for the port. This data is passed using a VSA between the RADIUS server and the switch.
4. After the switch recognizes the authentication event and the VSAs from the RADIUS server, the Universal Port script is triggered and the port is added to the correct VLAN. After the device has been authenticated, DHCP requests from the device are passed through the switch to the DHCP server.
5. When the device has received an IP address, LLDP messages sent by the device are updated and device provisioning continues via the Universal Port script.
6. The Universal Port script triggers and the device is configured along with any PoE settings for the port.
A user either logs in or the switch sees a MAC address in the case of MAC-based Network Login. Then the switch, on the backend side, sends the RADIUS server identifying information (either the MAC address, a user name and password entered in web-based Network Login mode, or the 802.1x credentials advertised from the client PC).
802.1x uses EAP, an IETF standard. With a simple re-encapsulation from EAP over Ethernet into EAP over RADIUS, the RADIUS server receives the login credential information, looks up the credentialing information in its database, determines whether the user or device is authorized to access the network, and responds back to the switch. If authenticated, the RADIUS server requests that the switch put the port in forwarding mode.
The traffic sent down from the RADIUS server includes vendor-specific attributes. Most vendors support VLAN ID as a vendor-specific attribute (standards committees are currently trying to standardize which attributes to use instead of vendor-specific attributes). Extreme Networks goes one step further by providing security policy information during authentication, including names of policies and additional information that can be used within policies to narrow down network level access rights even further via ACLs and QoS. This process is accomplished in a single step without opening up the network, and without any dependency on an external policy server (that after login would apply a security policy).
Note: The RADIUS server can be a proxy between RADIUS on the front end towards the switch and either LDAP or Active Directory on the backend. All popular RADIUS servers support this proxy mode. This is one way to integrate network level enforcement and security policies easily with application level enforcement such as user logins into business applications.
How User Profiles Work
In most cases, single users do not have individual user
profiles. User profiles are normally assigned to user groups.
As an example, a company like Extreme Networks may have security profiles for groups such as software engineering, hardware engineering, marketing, sales, technical support, operations and executive. These kinds of categories make profile management more streamlined and simple. However, in theory, profiles can be on a per-user basis.
A user name and password, or the credentials of a smart card with an identifying certificate inserted into a PC, are sent via 802.1x. The switch authenticates with a RADIUS server, which acts as a centralized repository for security policies. The RADIUS server can be a proxy going to LDAP or to Active Directory to obtain credentials and the user policy assigned.
The switch learns which security policies to assign to a port via RADIUS attributes in the authentication response. The RADIUS server embeds Vendor Specific Attributes (VSAs) in the RADIUS packet sent back after a successful authentication. Extreme Networks has vendor specific attributes that identify the name of the security policy as well as ExtremeXOS script variables that provide profile information.
For example, an additional variable can be added to a
generic profile for software engineering for five designated
engineers. The variables give these engineers access to a
specific additional application. This method minimizes the
number of profiles to be maintained and also increases
implementation flexibility.
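As an added illustration (not ExtremeXOS, FreeRADIUS or Extreme Networks code) of the Figure 2 exchange and of the VSA-based policy hand-off just described, the following Python simulates the supplicant, the authenticator's virtual port and a RADIUS server running EAP-MD5, with the user entries and the Extreme-Security-Profile / Extreme-Netlogin-VLAN attributes taken from the FreeRADIUS users file later in this guide. The message framing, the user table, and the way the profile string is split into login and logoff profile names are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# User table modelled on the FreeRADIUS users-file entries later in this guide
# (constructed copy; the real server reads /etc/raddb/users).
# identity -> (password, reply attributes sent in the Access-Accept)
USERS = {
    "00040D50CCC3": ("00040D50CCC3", {
        "Extreme-Security-Profile": "phone LOGOFF-PROFILE=clearport;",
        "Extreme-Netlogin-VLAN": "Voice"}),
    "Sales": ("Money", {
        "Extreme-Security-Profile": "Sales-qos LOGOFF-PROFILE=Sales-qos",
        "Extreme-Netlogin-Vlan": "v-sales"}),
}


def eap_md5_response(identifier, password, challenge):
    """EAP-MD5 response (RFC 3748, 5.4): MD5(Identifier || password || challenge).
    MD5 is what this EAP method mandates; the method gives no mutual
    authentication, which is why the text above calls mutual authentication optional."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def parse_security_profile(vsas):
    """Split Extreme-Security-Profile as written in the users file:
    '<login-profile> LOGOFF-PROFILE=<logoff-profile>;' (reading assumed from
    the samples in this guide). The VLAN key is spelled -VLAN and -Vlan there."""
    tokens = vsas["Extreme-Security-Profile"].replace(";", " ").split()
    extra = dict(t.partition("=")[::2] for t in tokens[1:])  # KEY=VALUE pairs
    vlan = next((v for k, v in vsas.items() if k.lower() == "extreme-netlogin-vlan"), None)
    return {"login_profile": tokens[0],
            "logoff_profile": extra.pop("LOGOFF-PROFILE", None),
            "vars": extra, "vlan": vlan}


class Supplicant:
    """End-user device: answers the Identity and MD5-Challenge requests."""
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def handle(self, req):
        if req["type"] == "EAP-Request/Identity":
            return {"type": "EAP-Response/Identity", "id": req["id"],
                    "identity": self.identity}
        if req["type"] == "EAP-Request/MD5-Challenge":
            digest = eap_md5_response(req["id"], self.password, req["challenge"])
            return {"type": "EAP-Response/MD5-Challenge", "id": req["id"],
                    "identity": self.identity, "response": digest}
        raise ValueError("unexpected request " + req["type"])


class RadiusServer:
    """Authentication server: issues the challenge, checks it, returns the VSAs."""
    def __init__(self, users):
        self.users, self.pending = users, {}  # pending: identity -> (id, challenge)

    def handle(self, msg):
        who = msg["identity"]
        if msg["type"] == "EAP-Response/Identity" and who in self.users:
            ident, challenge = msg["id"] + 1, os.urandom(16)
            self.pending[who] = (ident, challenge)
            return {"type": "EAP-Request/MD5-Challenge", "id": ident,
                    "challenge": challenge}
        if msg["type"] == "EAP-Response/MD5-Challenge" and who in self.pending:
            ident, challenge = self.pending.pop(who)
            expected = eap_md5_response(ident, self.users[who][0], challenge)
            if hmac.compare_digest(expected, msg["response"]):
                return {"type": "Access-Accept", "vsas": self.users[who][1]}
        return {"type": "Access-Reject"}  # unknown user or wrong credential


class Authenticator:
    """The switch: a virtual port per supplicant, EAP relayed unchanged to
    RADIUS, port opened and profile applied only on Access-Accept."""
    def __init__(self, radius):
        self.radius, self.port_state, self.port_policy = radius, {}, {}

    def authenticate(self, port, supplicant):
        self.port_state[port] = "unauthorized"  # only EAPOL passes at this point
        # The client's EAPOL-Start is answered with EAP-Request/Identity.
        reply = self.radius.handle(
            supplicant.handle({"type": "EAP-Request/Identity", "id": 1}))
        while reply["type"].startswith("EAP-Request"):  # relay until a verdict
            reply = self.radius.handle(supplicant.handle(reply))
        if reply["type"] == "Access-Accept":
            self.port_state[port] = "authorized"
            self.port_policy[port] = parse_security_profile(reply["vsas"])
        return self.port_state[port]

    def logoff(self, port):
        """Back to unauthorized; the returned policy names the LOGOFF-PROFILE
        the switch now runs for this port (None if the port was never open)."""
        self.port_state[port] = "unauthorized"
        return self.port_policy.pop(port, None)
```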
User profiles can also be used for devices that do not support LLDP. This method still performs switch port auto-configuration for the voice VLAN, configures QoS, and provides VoIP auto-configuration. However, with this method, the device does not receive configuration information and must rely on other mechanisms, usually DHCP using option fields, to receive information such as file and communication server addresses, QoS and VLAN settings.
Figure 3 illustrates how user profiles are managed. There are two aspects shown in the illustration, the Preparation phase, which typically happens only occasionally when a new network is rolled out or profiles are updated, and the Operation phase for ongoing operations.
Because policy implementation can change from port to port, Universal Port allows for location-based policies (for example, a restricted area). Integration with a timer event provides time-based policies, such as disabling wireless access after business hours.
Note: VoIP phones are also capable of being authenticated before being allowed on the network. The phone begins 802.1x authentication based on a personal username and password. This authentication step is available and supported by the latest firmware from vendors such as Avaya and Mitel.
This early authentication step protects the network from spoofing attacks that can occur if authentication is not performed before advertising who is there. This method is much more secure than unauthenticated CDP. Universal Port uses 802.1x-authenticated LLDP.
Time
Timers implement Time-of-Day profiles that can have various
applications. For example, these profiles can be used to disable
guest VLAN access after business hours, shut down a wireless
service or power down a port. “Access point being powered
down” can apply to a given time of the day or over a time span.
Time-of-Day profiles are flexible and are not limited to just dynamic profile CLI commands. Time-of-Day profiles can use any command in the ExtremeXOS CLI, as long as it is understood that the change is permanent. This feature allows timed backups for configurations, policies, statistics, etc. Anything that needs to happen on a regular basis or at a specific time can be incorporated into a Time-of-Day profile.
Figure 4 shows a simple example of how to do a periodic
configuration upload once an hour. To execute the upload, a
profile is created that includes a CLI command for uploading to
a specific address with a file name. This profile is attached to a
timer using the command create upm timer. The profile is then
linked to the timer and the timer is configured with the correct
time values and intervals.
Preparation
The administrator pushes out profiles and assigns profiles to edge ports. Preparation is often performed using the EPICenter Universal Port Manager; however, preparation can be done manually through the CLI, switch by switch.
Operation
The Operation phase begins when the user logs onto the
network. The switch passes the information up to the
RADIUS server, the RADIUS server sends down the name
of the policy as well as any additional ExtremeXOS variable
settings or information in the user profile. This allows the
switch to move the port into the correct VLAN (for
example an Engineering VLAN), configure ACLs to specific
servers or to specific application types such as enabling
CVS access, or configure port interface speed as well as
QoS for that port.
Network Login enforces authentication before granting
access to the network. All packets sent by a client on the
port do NOT go beyond the port into the network until
authentication using a RADIUS server occurs. In many
cases, the RADIUS server interacts with a central data
repository for user authentication such as Active Directory
or an LDAP directory without putting the burden of the
LDAP protocol into the network infrastructure. As a
fallback for mission critical devices, an authentication
database local to the switch can be used as well.
Dynamic user policies can include rate-limiting, QoS and
dynamic ACLs. These attributes are applied immediately
during the authentication process, with no dependency on
external second-step policy managers, instead using a
central repository (RADIUS or LDAP / Active Directory).
Dynamic security policies are activated and deactivated
based on authentication when users connect or disconnect
from the network.
Figure 3: User-based Login. Preparation phase: the administrator configures user group policies (VLAN, ACLs, port speed, Dot1p priority, etc.), maps the policies to user groups, and pushes the policies to the switch via the EPICenter Server. Operation phase: the user logs on to the network, the RADIUS server pushes the user group via Vendor Specific Attributes (VSA), and the switch configures VLAN, ACLs, port speed, Dot1p priority, etc. on the port.
create upm profile <profileName>
create upm timer <timerName>
configure upm timer <timerName> profile <profileName>
configure upm timer <timerName> every 3600
Figure 4: Example of Periodic Configuration
Trigger Events
There are seven trigger events that activate a Universal Port
profile. Table 1 summarizes these trigger events.
Table 1: Trigger Events
Device-detect and Device-undetect events are triggered, respectively, by an LLDP packet reaching the port and by the periodically transmitted LLDP packets no longer being received. LLDP age-out occurs when a device has disappeared or the age-out time has been reached.
User-Authenticated and User-Unauthenticated events are
triggered by any Network Login mechanism. Successful login
triggers the User-Authenticated event and either explicit
logout or sessions timing out trigger the User-Unauthenticated
event.
MAC-based authentication requires no interaction from the
user. 802.1x authentication requires 802.1x client software on
the device.
Timer-AT and Timer-AFTER events can be set to a specific
time of the day or a periodic event, for example, one-time after
15 minutes or at 1 hour intervals.
The User-Request trigger is a manual request by an administrator via CLI command to trigger a static or a dynamic profile. To trigger a dynamic profile, information for a particular event must be supplied. To trigger a device profile, information normally provided via LLDP must be provided. With ExtremeXOS 12.0, this capability is also available via XML and is used by the EPICenter Universal Port Manager when activating a profile from the EPICenter GUI.
Trigger               Condition
Device-Detect         Specific device detected by the system, usually receipt of an LLDP packet into the port. Profile configures the port for the device.
Device-Undetect       Specific device is no longer present or an LLDP timeout has occurred. Port properties return to a base state through a profile.
User-Authenticated    Specific user authenticated; profile configures the port for the user.
User-Unauthenticated  Specific authenticated user has been unauthenticated. Port properties return to a base state through a profile.
Timer-AT              Timer scheduled to occur AT a specified time has occurred.
Timer-AFTER           Timer scheduled to occur AFTER a specified time has occurred. Can be a one-time occurrence or can be reoccurring.
User-Request          Profile was triggered remotely by the administrator through the CLI.
4. Universal Port Commands and Variables
Commands
Several commands were added to the ExtremeXOS operating system to expand the scripting capabilities for Universal Port.
Command Modes
CLI commands are set to non-persistent mode by default when executing dynamic profiles.
To configure persistent command execution, enter the following command:
configure cli mode persistent
To configure non-persistent command execution, enter the following command:
configure cli mode non-persistent
Universal Port Command Summary
The following command summary lists Universal Port CLI commands with command syntax. For complete command descriptions,
refer to the ExtremeXOS 12.0 Command Reference Guide.
Note: The CLI uses upm as an abbreviation for Universal Port management to indicate a Universal Port command. Do NOT
confuse this abbreviation with the EPICenter Universal Port Manager.
Command                      Syntax
configure upm event          configure upm event <upm-event> profile <profile-name> ports <port-list>
configure upm timer after    configure upm timer <timer-name> after <time-in-secs> {every <seconds>}
configure upm timer at       configure upm timer <timer-name> at <month> <day> <year> <hour> <min> <secs> {every <seconds>}
configure upm timer profile  configure upm timer <timerName> profile <profileName>
create upm profile           create upm profile <profile-name>
create upm timer             create upm timer <timer-name>
delete upm profile           delete upm profile <profile-name>
delete upm timer             delete upm timer <timer-name>
disable upm profile          disable upm profile <profile-name>
edit upm profile             edit upm profile <profile-name>
enable upm profile           enable upm profile <profile-name>
show upm event               show upm event <event-type>
show upm history             show upm history {profile <profile-name> | exec-id <number> | event <upm-event> | status [pass | fail] | timer <timer-name> | detail}
show upm profile             show upm profile <name>
show upm timers              show upm timers
unconfigure upm event        unconfigure upm event <upm-event> profile <profile-name> ports <port_list>
unconfigure upm timer        unconfigure upm timer <timerName> profile <profileName>
Universal Port Variables
CLI scripting must be enabled before composing or executing a script.
Universal Port uses CLI scripting variables to make system and trigger event information available to profiles. In addition,
user-defined variables can be created, but are limited to the current context unless explicitly saved. Saving variables allows
certain data from one profile to be reused in another profile for a different event, for example, between login and logout events,
the data necessary to perform rollback for a port configuration can be shared.
Common Variables for all Profiles
$STATUS                          Status of last command execution
$CLI.USER                        UserName of user executing this CLI
$CLI.SESSION_ID                  An identifier for this session. This identifier will be available for the roll-back event when a device or user times out.
$CLI.SESSION_TYPE                Type of user session
$EVENT.NAME                      Event that triggered this profile
$EVENT.PROFILE                   Name of the profile currently being run
$EVENT.TIME                      Time the event occurred, in seconds since epoch
$EVENT.TIMER_TYPE                Periodic or Non_periodic
$EVENT.TIMER_DELTA_SECS          Time difference between timer firing and time actual shell was run, in seconds
Variables for Device Detect Profiles
$EVENT.DEVICE                    Device identification string
$EVENT.DEVICE_IP                 IP address of the device (if available). Blank if not available
$EVENT.DEVICE_MAC                MAC address of device (if available). Blank if not available
$EVENT.DEVICE_POWER              Device power in milliwatts (if available). Blank if not available.
$EVENT.DEVICE_MANUFACTURER_NAME  Manufacturer name
$EVENT.DEVICE_MODEL_NAME         Device model
$EVENT.USER_PORT                 Port associated with this event
Variables for User Authentication Profiles
$EVENT.USERNAME                  Name of user authenticated. This is a string with the MAC address for MAC-based user login
$EVENT.NUMUSERS                  Authenticated supplicants on the port after the event occurred
$EVENT.USER_MAC                  MAC address of the user
$EVENT.USER_PORT                 Port associated with this event
$EVENT.USER_VLAN                 VLAN associated with this event
$EVENT.USER_IP                   IP address of the user if applicable, else blank
5. Configuration Process
There are two ways to configure the Universal Port for both static and dynamic profiles.
• Command Line Interface (CLI)
• EPICenter Universal Port Manager
This section discusses the configuration requirements and configuration sequence for device detection, user authentication, and timer events using the ExtremeXOS CLI. A step-by-step configuration process using the Universal Port Manager follows in Section 6.
Configuration for Device Detection
Configuration Requirements
Basic configuration requirements for Device Detection via the Universal Port include the following network components.
• ExtremeXOS 11.6 or later (if using the EPICenter Management Platform, ExtremeXOS 12.0 is required)
• Appropriate firmware for devices
• PoE switches for PoE devices
• DHCP server
Configuration Sequence
The sequence of events used to configure the Universal Port for device detection is listed below.
1. Create the VLAN for the VoIP network.
2. Create the Universal Port profile for Device-Detect on the switch.
3. Create the Universal Port profile for Device-Undetect on the switch.
4. Assign the Device-Detect profile to the edge ports.
5. Assign the Device-Undetect profile to the edge ports.
6. Verify that correct profiles are assigned to correct ports.
7. Enable LLDP message advertisements on the ports assigned to Universal Ports.
8. Verify configuration.
Example
1: Configure VLAN
SummitX450-48p # create vlan voice
SummitX450-48p # configure voice ipaddress 192.168.0.1/24
2: Create Universal Port profile to be triggered by a Device-Detect Event
X450e-24p.2 # create upm profile detect-voip
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log entry Starting_Script_DETECT-voip
set var callServer 192.168.10.204
set var fileServer 192.168.10.194
set var voiceVlan Voice
# must match the name of the Device-UnDetect profile created in step 3
set var CleanupProfile clearports
set var sendTraps false
#
create log entry Starting_DETECT-VOIP_Port_$EVENT.USER_PORT
#**********************************************************
# adds the detected port to the device "unauthenticated" profile port list
#**********************************************************
create log entry Updating_UnDetect_Port_List_Port_$EVENT.USER_PORT
configure upm event Device-UnDetect profile $CleanupProfile ports $EVENT.USER_PORT
#**********************************************************
# adds the detected port to the proper VoIP vlan
#**********************************************************
configure $voiceVlan add port $EVENT.USER_PORT tag
#**********************************************************
# Configure the LLDP options that the phone needs
#**********************************************************
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tagged
configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
#configure lldp port $EVENT.USER_PORT advertise vendor-specific med policy application voice vlan $voiceVlan dscp 46
#**********************************************************
# Configure the PoE limits for the port based on the phone requirement
#**********************************************************
# If port is PoE capable, uncomment the following lines
configure lldp port $EVENT.USER_PORT advertise vendor-specific med power-via-mdi
configure inline-power operator-limit $EVENT.DEVICE_POWER ports $EVENT.USER_PORT
create log entry Script_DETECT-phone_Finished_Port_$EVENT.USER_PORT
.
X450e-24p.3 #
3: Create the Device-UnDetect Universal Port profile
* X450e-24p.3 # create upm profile clearports
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log entry STARTING_UPM_Script_CLEARPORT_on_$EVENT.USER_PORT
#configure $voiceVlan delete port $EVENT.USER_PORT
unconfigure lldp port $EVENT.USER_PORT
create log entry LLDP_Info_Cleared_on_$EVENT.USER_PORT
#unconfigure upm event device-undetect profile avaya-remove ports $EVENT.USER_PORT
unconfigure inline-power operator-limit ports $EVENT.USER_PORT
create log entry POE_Settings_Cleared_on_$EVENT.USER_PORT
create log entry FINISHED_UPM_Script_CLEARPORT_on_$EVENT.USER_PORT
.
* X450e-24p.4 #
4: Assign the device-detect profile to the desired edge ports
* X450e-24p.8 # config upm event device-detect profile detect-voip ports 1-10
5: Assign the device-undetect profile to the desired edge ports
X450e-24p.9 # config upm event device-undetect profile clearports ports 1-10
* X450e-24p.10 #
6: Check that the Universal Port profiles are assigned correctly
* X450e-24p.10 # show upm profile
=============================================================
UPM Profile        Events             Flags   Ports
=============================================================
clearports         Device-Undetect    e       1-10
detect-voip        Device-Detect      e       1-10
=============================================================
Number of UPM Profiles: 2
Flags: d - disabled, e - enabled
* X450e-24p.11 #
7: Enable LLDP on the ports
* X450e-24p.11 # enable lldp ports 1-10
8: Verify configuration
Plug the device into the port and test. The following commands can be used to help ensure that everything works correctly.
show lldp
show lldp neighbors
show upm history
show upm history detail
show log match upm
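Before plugging a phone in, the profile above can be dry-run offline. The following is an added helper, not ExtremeXOS code: it applies only the profile syntax visible on this page (set var, $name and $EVENT.* references, # comment lines, the terminating .) to a constructed Device-Detect event and reports the pitfalls described under Universal Port Variables: a variable set in another profile that is not visible here unless saved, an event variable that is blank for this device, and a configure upm event line naming a profile that does not exist on the switch. The expansion rules, render_profile, SAMPLE_EVENT and KNOWN_PROFILES are assumptions made for the example; the profile text is a copy of step 2 with the cleanup profile referenced through its variable.

```python
import re

# Device-Detect profile from step 2 above, as the operator types it
# (constructed copy; the '.' on its own line terminates the profile).
DETECT_VOIP = """\
create log entry Starting_Script_DETECT-voip
set var callServer 192.168.10.204
set var fileServer 192.168.10.194
set var voiceVlan Voice
set var CleanupProfile clearports
#
create log entry Starting_DETECT-VOIP_Port_$EVENT.USER_PORT
configure upm event Device-UnDetect profile $CleanupProfile ports $EVENT.USER_PORT
configure $voiceVlan add port $EVENT.USER_PORT tag
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileServer
#configure lldp port $EVENT.USER_PORT advertise vendor-specific med policy application voice vlan $voiceVlan dscp 46
configure inline-power operator-limit $EVENT.DEVICE_POWER ports $EVENT.USER_PORT
.
"""

# Constructed Device-Detect event; keys are the variable names from the table above.
SAMPLE_EVENT = {
    "EVENT.NAME": "Device-Detect",
    "EVENT.PROFILE": "detect-voip",
    "EVENT.USER_PORT": "7",
    "EVENT.DEVICE_MAC": "00:04:0d:50:cc:c3",
    "EVENT.DEVICE_POWER": "6300",
}

# Profiles that exist on the switch in the worked example (steps 2 and 3).
KNOWN_PROFILES = {"detect-voip", "clearports"}

VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_.]*)")
UPM_EVENT_CMD = re.compile(r"^configure upm event \S+ profile (\S+) ports ", re.I)


def render_profile(profile_text, event, known_profiles=KNOWN_PROFILES):
    """Expand a profile against one event the way the switch would at run time.

    Returns (commands, problems): the CLI lines that would execute after
    variable substitution, and findings a dry run should surface:
    - a $reference that is neither an event variable nor set earlier in this
      profile (variables from another profile are not visible unless saved),
    - an event variable that is blank, leaving a command argument empty,
    - a 'configure upm event ... profile X' line naming an unknown profile."""
    scope = dict(event)          # event variables; 'set var' adds to this scope
    commands, problems = [], []

    def substitute(text):
        def one(m):
            name = m.group(1)
            if name not in scope:
                problems.append(f"unresolved ${name} in: {text}")
                return m.group(0)
            if scope[name] == "":
                problems.append(f"${name} is blank for this event in: {text}")
            return scope[name]
        return VAR_REF.sub(one, text)

    for raw in profile_text.splitlines():
        line = raw.strip()
        if line == ".":                       # end of profile
            break
        if not line or line.startswith("#"):  # comment lines are not executed
            continue
        m = re.match(r"set var (\S+)\s+(.*)", line)
        if m:
            scope[m.group(1)] = substitute(m.group(2))
            continue
        cmd = substitute(line)
        m = UPM_EVENT_CMD.match(cmd)
        if m and m.group(1) not in known_profiles:
            problems.append(f"unknown profile {m.group(1)!r} in: {cmd}")
        commands.append(cmd)
    return commands, problems
```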
Configuration for User Login
Configuration Requirements
Basic configuration requirements for User login and authentication include the following network components:
• ExtremeXOS 11.6 or later (if using the EPICenter Management Platform, ExtremeXOS 12.0 is required)
• RADIUS server for user authentication and VSA transmission
• Appropriate firmware for devices
• PoE switches for PoE devices
• DHCP server
• TFTP server (for VoIP applications)
• Call Server (for VoIP applications)
Configuration Sequence
The sequence of events used to configure the Universal Port for user authentication is listed below.
1. Configure RADIUS server for userID and password pair.
2. Define the Extreme custom VSAs on RADIUS.
3. Add the switch as an authorized RADIUS client.
4. Create the Universal Port profile for User-Authenticate on the switch.
5. Create the Universal Port profile for User-Unauthenticate on the switch.
6. Configure RADIUS on the edge switch.
7. Configure Network Login on the edge switch.
8. Assign the created user-authenticate profile to the desired edge port.
9. Assign the created user-unauthenticate profile to the desired edge port.
10. Check that the correct profiles are assigned to the correct ports.
11. Enable LLDP message advertisements on the ports.
12. Test the setup.
Example
1: Configure the RADIUS server for the userID and password pair
For FreeRADIUS, edit the users file located at /etc/raddb/users
# Sample entry using an individual MAC address
00040D50CCC3 Auth-Type := EAP, User-Password == "00040D50CCC3"
    Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
    Extreme-Netlogin-VLAN = Voice
# Sample entry using wildcard MAC addresses (OUI method)
00040D000000 Auth-Type := EAP, User-Password == "1234"
    Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
    Extreme-Netlogin-VLAN = Voice
# Sample entry using a numeric UserID and password
10284 Auth-Type := EAP, User-Password == "1234"
    Extreme-Security-Profile = "voip LOGOFF-PROFILE=voip",
    Extreme-Netlogin-Vlan = Voice
# Sample entry using a text UserID and password
Sales Auth-Type := EAP, User-Password == "Money"
    Extreme-Security-Profile = "Sales-qos LOGOFF-PROFILE=Sales-qos",
    Extreme-Netlogin-Vlan = v-sales
2: Define the Extreme custom VSAs on RADIUS
For FreeRADIUS, edit the dictionary file located at /etc/raddb/dictionary to include the following details:
VENDOR Extreme 1916
ATTRIBUTE Extreme-CLI-Authorization 201 integer Extreme
ATTRIBUTE Extreme-Shell-Command 202 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan 203 string Extreme
ATTRIBUTE Extreme-Netlogin-Url 204 string Extreme
ATTRIBUTE Extreme-Netlogin-Url-Desc 205 string Extreme
ATTRIBUTE Extreme-Netlogin-Only 206 integer Extreme
ATTRIBUTE Extreme-User-Location 208 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan-Tag 209 integer Extreme
ATTRIBUTE Extreme-Netlogin-Extended-Vlan 211 string Extreme
ATTRIBUTE Extreme-Security-Profile 212 string Extreme
VALUE Extreme-CLI-Authorization Disabled 0
VALUE Extreme-CLI-Authorization Enabled 1
VALUE Extreme-Netlogin-Only Disabled 0
VALUE Extreme-Netlogin-Only Enabled 1
# End of Dictionary
3: Add the switch as an authorized client of the RADIUS server
For FreeRADIUS, edit the clients.conf file located at /etc/raddb/clients.conf to include the switch details:
client 192.168.10.4 {
    secret = purple
    shortname = x450e-24p
}
# End of clients.conf
4: Create the Universal Port profile for User-Authenticate
* X450e-24p.1 # create upm profile phone
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log entry Starting_Script_Phone
set var callServer 192.168.10.204
set var fileServer 192.168.10.194
set var voiceVlan Voice
set var CleanupProfile clearport
set var sendTraps false
#
create log entry Starting_AUTH-VOIP_Port_$EVENT.USER_PORT
#******************************************************
# Configure the LLDP options that the phone needs
#******************************************************
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tagged
configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
create log entry UPM_Script_A-Phone_Finished_Port_$EVENT.USER_PORT
.
X450e-24p.2 #
5: Create the Universal Port profile for User-Unauthenticate on the switch
* X450e-24p.1 # create upm profile clearport
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log entry STARTING_Script_CLEARPORT_on_$EVENT.USER_PORT
unconfigure lldp port $EVENT.USER_PORT
create log entry LLDP_Info_Cleared_on_$EVENT.USER_PORT
unconfigure inline-power operator-limit ports $EVENT.USER_PORT
create log entry POE_Settings_Cleared_on_$EVENT.USER_PORT
create log entry FINISHED_Script_CLEARPORT_on_$EVENT.USER_PORT
.
* X450e-24p.2 #
6: Configure RADIUS on the edge switch
* X450e-24p.4 # config radius primary server 192.168.11.144 client-ip 192.168.10.4 vr VR-Default
* X450e-24p.5 # config radius primary shared-secret purple
7: Configure Network Login on the edge switch (802.1x)
* X450e-24p.7 # create vlan nvlan
* X450e-24p.8 # config netlogin vlan nvlan
* X450e-24p.9 # enable netlogin dot1x
* X450e-24p.10 # enable netlogin ports 11-20 dot1x
* X450e-24p.11 # config netlogin ports 11-20 mode mac-based-vlans
* X450e-24p.12 # enable radius netlogin
OR
Configure Network Login on the edge switch (MAC-based or OUI method)
* X450e-24p.7 # create vlan nvlan
* X450e-24p.8 # config netlogin vlan nvlan
* X450e-24p.9 # enable netlogin mac
* X450e-24p.10 # config netlogin add mac-list 00:04:0D:00:00:00 24 1234
* X450e-24p.11 # enable radius netlogin
8: Assign the created user-authenticate profile to the edge port
* X450e-24p.6 # configure upm event user-authenticate profile "phone" ports 11-20
* X450e-24p.7 #
9: Assign the created user-unauthenticate profile to the edge port
* X450e-24p.7 # configure upm event user-unauthenticated profile "clearport" ports 11-20
* X450e-24p.8 #
10: Check that the correct profiles are assigned to the correct ports
* X450e-24p.8 # show upm profile
===========================================================
UPM Profile Events Flags Ports
===========================================================
phone User-Authenticated e 11-20
clearport User-Unauthenticated e 11-20
===========================================================
Number of UPM Profiles: 5
Flags: d - disabled, e - enabled
* X450e-24p.9 #
11: Enable LLDP message advertisements on the ports
* X450e-24p.9 # enable lldp ports 11-20
12: Test the setup
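An added check, not part of this guide or of Extreme Networks' tooling: the RADIUS reply for a user names the profiles the switch is expected to run (Extreme-Security-Profile carries the authenticate profile and, after LOGOFF-PROFILE=, the logoff profile), but nothing on the RADIUS side verifies that those profiles exist and are enabled on the switch, or that every reply attribute is defined in the dictionary. The Python script below parses constructed samples of the three artifacts from this example (the users file, the dictionary and the show upm profile output) and reports replies the switch could not act on. The sample users file reuses the guide's entries, so the voip and Sales-qos profiles are reported as absent from the switch shown in step 10. The parsers are narrow hand-written ones for the layouts shown here, not a FreeRADIUS library.

```python
"""Cross-check FreeRADIUS reply attributes against the switch's UPM profiles.

Added example, not Extreme Networks code. The three inputs below are
constructed samples in the layout the guide shows (users file, dictionary,
'show upm profile' output); the parsing is deliberately narrow to that layout.
"""
import re

# Constructed: /etc/raddb/dictionary lines (only the two attributes used below).
DICTIONARY = """\
VENDOR Extreme 1916
ATTRIBUTE Extreme-Netlogin-Vlan 203 string Extreme
ATTRIBUTE Extreme-Security-Profile 212 string Extreme
"""

# Constructed: /etc/raddb/users entries with the Extreme VSAs as reply items.
USERS_FILE = """\
00040D50CCC3 Auth-Type := EAP, User-Password == "00040D50CCC3"
    Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
    Extreme-Netlogin-VLAN = Voice
10284 Auth-Type := EAP, User-Password == "1234"
    Extreme-Security-Profile = "voip LOGOFF-PROFILE=voip",
    Extreme-Netlogin-Vlan = Voice
Sales Auth-Type := EAP, User-Password == "Money"
    Extreme-Security-Profile = "Sales-qos LOGOFF-PROFILE=Sales-qos",
    Extreme-Netlogin-Vlan = v-sales
"""

# Constructed: 'show upm profile' output as in step 10 of the guide.
SHOW_UPM_PROFILE = """\
===========================================================
UPM Profile Events Flags Ports
===========================================================
phone User-Authenticated e 11-20
clearport User-Unauthenticated e 11-20
===========================================================
Number of UPM Profiles: 2
Flags: d - disabled, e - enabled
"""

_REPLY_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(?:"([^"]*)"|([^,\s]+))\s*,?\s*$')
_ROW_RE = re.compile(r'^(\S+)\s+(\S+)\s+([de])\s+(\S+)$')
_SECPROF_RE = re.compile(r'^(\S+)(?:\s+LOGOFF-PROFILE=([^;\s]+);?)?\s*$')


def parse_dictionary(text):
    """Lower-cased names of every ATTRIBUTE line (FreeRADIUS matches names case-insensitively)."""
    return {parts[1].lower() for parts in (line.split() for line in text.splitlines())
            if len(parts) >= 2 and parts[0] == "ATTRIBUTE"}


def parse_users(text):
    """[(username, {reply_attr: value})]: column-0 lines start an entry, indented lines are reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            entries.append((line.split()[0], {}))
            continue
        m = _REPLY_RE.match(line)
        if m and entries:
            entries[-1][1][m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return entries


def parse_show_upm_profile(text):
    """{profile: (event, enabled)} from the table rows of 'show upm profile'."""
    profiles = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            profiles[m.group(1)] = (m.group(2), m.group(3) == "e")
    return profiles


def split_security_profile(value):
    """'auth LOGOFF-PROFILE=logoff;' -> (auth, logoff); logoff is None when absent."""
    m = _SECPROF_RE.match(value.strip())
    return (m.group(1), m.group(2)) if m else (None, None)


def check(users_text, dictionary_text, show_text):
    """(user, problem) findings for replies the switch could not act on."""
    known = parse_dictionary(dictionary_text)
    profiles = parse_show_upm_profile(show_text)
    findings = []
    for user, reply in parse_users(users_text):
        for attr in reply:
            if attr.lower() not in known:
                findings.append((user, f"attribute {attr} is not in the dictionary"))
        value = next((v for k, v in reply.items() if k.lower() == "extreme-security-profile"), None)
        if value is None:
            continue  # no profile requested for this user: nothing to verify
        auth, logoff = split_security_profile(value)
        if auth is None:
            findings.append((user, f"cannot parse Extreme-Security-Profile {value!r}"))
            continue
        for role, name in (("auth", auth), ("logoff", logoff)):
            if name is None:
                findings.append((user, "no LOGOFF-PROFILE: nothing runs when the user logs off"))
            elif name not in profiles:
                findings.append((user, f"{role} profile '{name}' not on switch"))
            elif not profiles[name][1]:
                findings.append((user, f"{role} profile '{name}' is disabled"))
    return findings


if __name__ == "__main__":
    for user, problem in check(USERS_FILE, DICTIONARY, SHOW_UPM_PROFILE):
        print(f"{user}: {problem}")
```

Run it after editing the users file and after any change to the switch's profile set; a finding means the user will authenticate but the port will not be provisioned (or cleaned up at logoff) as intended.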
Configuration for Time-of-day Profiles
Configuration Requirements
Basic configuration requirements for time profiles include:
• ExtremeXOS 11.6 or later (if using the EPICenter Management Platform, ExtremeXOS 12.0 is required)
Configuration Sequence
The sequence of events used to configure the Universal Port for Time-of-Day profiles is listed below.
1. Create the Universal Port profile
2. Create the timer trigger
3. Assign the timer to the profile
4. Configure the timer
Example
1: Create the Universal Port profile
* X450e-24p.1 # create upm profile eveningpoe
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log entry Starting_Evening
disable inline-power ports 1-20
.
* X450e-24p.2 #
2: Create the Universal Port timer
* X450e-24p.3 # create upm timer night
3: Assign the timer to the profile
* X450e-24p.4 # config upm timer night profile eveningpoe
4: Configure the Timer
* X450e-24p.5 # config upm timer night at 7 7 2007 19 00 00 every 86400
6. Universal Port Manager
The Universal Port Manager is a component available with the Advanced Upgrade of the EPICenter management platform
designed to manage the Universal Port feature across the entire network.
To open the Universal Port Manager component of EPICenter, click on the Profiles button on the left side of the EPICenter GUI.
See Figure 5.
The Universal Port Manager screen is organized into three functional areas, each accessed by a tab. See Figure 6.
Network Profiles
• Used to view, enable/disable, edit, run and delete profiles.
• Used to change profile trigger events or port configurations on switches.
Managed Profiles
• Used to import/export, create, view, edit, save, delete, test and deploy profiles.
Audit Log
• Used to examine profile actions on network devices and redeploy profiles.
Figure 5: EPICenter GUI
Note: The EPICenter Inventory Manager can be used to create and manage large device groups to facilitate profile management
for large networks. Port groups, created by the EPICenter Grouping Manager, can also be managed by the EPICenter Inventory
Manager.
Configuration
Configuration Requirements
• ExtremeXOS 12.0 or later
• HTTP or HTTPS must be enabled on the device:
  enable web http
Configuration Sequence
The sequence of events to create and deploy a Universal Port profile is listed below.
1. Create a new profile or customize an existing profile.
2. Save the profile in EPICenter.
3. Test the profile on a device.
4. Deploy and enable the profile on the devices, device group or port group. (The profile is now saved on the switch.)
5. Track profile status.
6. Modify network or redeploy profiles as required.
Note: Extreme Networks provides pre-packaged Universal Port Modules which incorporate specialized scripts to configure
edge ports with automatic discovery, configuration and provisioning. For example, the Handset Provisioning Module
provides specialized scripts for multi-vendor IP Telephony devices. Refer to section on modifying templates.
Figure 6: Universal Port Manager Screen
Create New Profile
Use the following procedure to create a new profile.
1. Access the Managed Profiles view and click the New button. See Figure 7.
Figure 7: Select New Profile
2. The New Profile window appears. See Figure 8. This window has two tabs, Overview and Script View. Select the Script
View tab.
Figure 8: New Profile Window
3. The Script View tab is where the profile is edited or created. The Profile editor contains three lines of metadata.
Enter a description for the profile after # @ScriptDescription. Then enter each variable's description using
# @VariableFieldLabel and its definition on the following line using set var. All of this should be done before
# @MetaDataEnd. See Figure 9 for an example populated with variables.
Figure 9: Script Tab View of Profile Editor
4. Select the Overview tab to verify description and variables. The Overview tab can be accessed anytime during profile
scripting to check accuracy of variables. See Figure 10.
Figure 10: Overview Tab
5. Return to the Script View tab and enter the body of the script. Figure 11 shows an example block of script to add an
action to the profile.
6. Click the Save Changes button at the bottom of the screen.
Figure 11: Example Script
7. The Save Profile As … window appears. See Figure 12. Enter a profile name and version, then click the Save button.
Figure 12: Save Profile As... Window
Test the Profile
8. The Script View tab reappears. To test the profile, click the Test button at the bottom of the screen. See Figure 13.
Figure 13: Test Button
9. A window appears to select trigger events. At the Run profile at: area, select Other trigger events. Then select the
appropriate trigger and click the Next button. See Figure 14.
Figure 14: Select Trigger Events Window
10. A window appears to select the method for a device search (switches), individually or as a group. See Figure 15. Select
search method and click Next.
Figure 15: Select Type of Device Search Window
11. A window appears with a list of available devices or device groups on which to test the profile. Whether a list of
devices or a list of device groups appears depends on the search method chosen in the preceding window (Figure 15). In the
security_video example, Devices (individual devices) was selected, so Figure 16 shows a list of devices on which to test the
profile script. Select the devices or device groups for the test and click Next.
Note: Extreme Networks recommends using one device (switch) for profile testing.
Figure 16: Select Device Window
12. A window appears to select ports on which to test the profile. See Figure 17. Select ports and click Next.
Note: Extreme Networks recommends testing on a single port.
Figure 17: Select Ports Window
13. A window appears to verify the testing configuration. Check switch and port numbers. If correct, click the Validate
button. See Figure 18. If not correct, click the Back button to change selections.
Figure 18: Profile Test Validation Window
14. A similar window appears indicating whether the profile validation was successful. See Figure 19. Click Next to test the
profile on the switch.
If the profile was not validated, return to the Script View tab and debug it.
Figure 19: Validation Results Window
15. A window appears indicating that profile has been deployed for testing. See Figure 20. Select the Trigger Event from the
pull-down menu. Click the Save and Run button.
Figure 20: Test Deployment Window
16. A rotating set of small blue squares appears in the Test Results panel during testing. After testing is complete, a success
or failure message appears. See Figure 21. If the profile has been successfully deployed and tested on the switch, click the
Close button.
Figure 21: Test Results Window
Deploy the Profile
17. The profile is now on the Managed Profiles tab. See Figure 22. Select the script profile (highlighted when selected) to
deploy the profile to the network. Click the Deploy button on the top right of the window.
Figure 22: Profile Test Validation Window
18. The window to select trigger events appears. See Figure 23. Select the appropriate trigger event and click Next.
Figure 23: Select Trigger Window
19. The window to select devices (switches) appears. Select appropriate devices and click Next.
Figure 24: Select Device Window
20. The window to select ports appears. Select appropriate ports and click Next.
Figure 25: Select Ports Window
21. The window appears with a summary of the ports selected. Verify for accuracy and click Validate.
22. The window showing validation results appears. See Figure 26. Note that the profile is disabled by default. If successful,
select Enable profile on all devices and click the Deploy button.
Figure 26: Profile Validation Window
23. A window appears with deployment results. See Figure 27. Verify and click Finish.
Figure 27: Deployment Results Window
Track Profile Status
24. Select the profile from the Filtered Profiles area. Access the Audit Log tab. See Figure 28.
Figure 28: Audit Log
25. The window changes to show information about the selected profile. See Figure 29. From the Pre-defined filters
pull-down menu, select 1 hour.
Note: The next step is creating an Un-authenticate profile for this action.
Figure 29: Profile Tracking View
Redeploy a Profile
26. In case of a network change, to redeploy the profile, access the Managed Profiles tab.
27. Select the profile from the list and click the Deploy button.
28. When validating the profile, a warning message appears. See Figure 30. Check the Replace Existing Profile checkbox,
and select Enable profile on all devices. Click Deploy.
Figure 30: Validation When Redeploying
To Import a Profile
29. To import a profile that is not currently managed by EPICenter software, access the Network Profiles tab which shows
all profiles on the network whether managed or not by EPICenter software. See Figure 31.
30. Highlight the profile, then click the disk icon at the top of the screen to bring up the Save Profiles as… window.
31. Click on the Save in: EPICenter button, enter a profile name and version. Then click Save.
Figure 31: Network Profiles Tab
Customize an Existing Profile
Use the following procedure to customize an existing profile. The profile can come from an EPICenter template, a Universal Port
Module or an imported script. The scripts referenced in this document are examples and may need to be customized to work in your
environment. Please be sure to check the Extreme Networks eSupport site for the latest versions of the scripts referenced in this
document. The EPICenter platform provides several pre-defined templates.
1. Access the Managed Profiles tab. Pre-defined templates are at the top of the Filtered Profiles table by default.
2. Double-click on the voip_script_detect profile template.
3. The Overview tab window appears for the voip_script_detect profile. See Figure 32. Modify the values for the variables to
create a new profile. Click Save As button.
4. The Save Profile As … window appears. Enter profile name and version. Then click Save.
5. The Overview tab shows new variable values. Verify and click Close.
6. The new profile is added to the Filtered Profiles list. Click Deploy and follow procedure for selecting trigger events,
devices and ports.
Figure 32: Overview Tab
7. Example Universal Port Profiles
Static Profile
This template configures an edge switch using EPICenter Universal Port Manager. The profile is triggered as user-requested. The
profile sets up the following on the switch: create and configure EAPS on the edge switch for connection into the aggregation
switch, create specific VLANs and assign tags, configure network login, configure RADIUS on the switch.
#***********************************************
# Last Updated: May 11, 2007
# Tested Devices: X450e EXOS 12.0
# Description: This profile configures the switch with an EAPs ring, creates specified
# vlans, configures network login and RADIUS.
#***********************************************
# @MetaDataStart
# @ScriptDescription "This is a template for configuring network parameters for edge Summit
devices. The profile will configure the listed features: EAPs ring, Network login, 802.1x,
vlans, and default routes."
# @VariableFieldLabel "Create EAPs ring? (yes or no)"
set var yneaps yes
# @VariableFieldLabel "Name of EAPs domain"
set var eapsdomain upm-domain
# @VariableFieldLabel "Primary port number"
set var eapsprimary 23
# @VariableFieldLabel "Secondary port number"
set var eapssecondary 24
# @VariableFieldLabel "Name of EAPs control VLAN"
set var eapsctrl upm_ctrl
# @VariableFieldLabel "Tag for EAPs control VLAN"
set var eapsctrltag 4000
# @VariableFieldLabel "Create standard VLANs? (yes or no)"
set var ynvlan yes
# @VariableFieldLabel "Name of Voice vlan"
set var vvoice voice
# @VariableFieldLabel "Voice VLAN tag"
set var vvoicetag 10
# @VariableFieldLabel "Voice VLAN virtual router"
set var vvoicevr vr-default
# @VariableFieldLabel "Name of Security Video"
set var vidsec vidcam
# @VariableFieldLabel "Security Video VLAN tag"
set var vidsectag 40
# @VariableFieldLabel "Security Video VLAN virtual router"
set var vidsecvr vr-default
# @VariableFieldLabel "Name of Data vlan"
set var vdata datatraffic
# @VariableFieldLabel "Data VLAN tag"
set var vdatatag 11
# @VariableFieldLabel "Data VLAN virtual router"
set var vdatavr vr-default
# @VariableFieldLabel "Enable Network Login? (yes or no)"
set var ynnetlogin yes
# @VariableFieldLabel "RADIUS Server IP Address"
set var radserver 192.168.11.144
# @VariableFieldLabel "RADIUS Client IP Address"
set var radclient 192.168.11.221
# @VariableFieldLabel "RADIUS Server Shared Secret"
set var radsecret goextreme
# @VariableFieldLabel "Network Login port list"
set var netloginports 1-20
# @MetaDataEnd
##################################
# Start of EAPs Configuration block
##################################
if (!$match($yneaps,yes)) then
create log entry Config_EAPs
config eaps config-warnings off
create eaps $eapsdomain
config eaps $eapsdomain mode transit
config eaps $eapsdomain primary port $eapsprimary
config eaps $eapsdomain secondary port $eapssecondary
create vlan $eapsctrl
config $eapsctrl tag $eapsctrltag
config $eapsctrl qosprofile qp8
config $eapsctrl add port $eapsprimary tagged
config $eapsctrl add port $eapssecondary tagged
config eaps $eapsdomain add control vlan $eapsctrl
enable eaps
enable eaps $eapsdomain
else
create log entry EAPs_Not_Configured
endif
############
#VLAN Config
############
if (!$match($ynvlan,yes)) then
create log entry CreateStandardVLANs
create vlan $vvoice vr $vvoicevr
config vlan $vvoice tag $vvoicetag
config vlan $vvoice add port $eapsprimary tagged
config vlan $vvoice add port $eapssecondary tagged
config eaps $eapsdomain add protected $vvoice
enable lldp ports $netloginports
create qosprofile qp5
config vlan $vvoice ipa 192.168.10.221
#
create vlan $vidsec vr $vidsecvr
config vlan $vidsec tag $vidsectag
config vlan $vidsec add port $eapsprimary tagged
config vlan $vidsec add port $eapssecondary tagged
config eaps $eapsdomain add protected $vidsec
config vlan $vidsec ipa 192.168.40.221
#
create vlan $vdata vr $vdatavr
config vlan $vdata tag $vdatatag
config vlan $vdata add port $eapsprimary tagged
config vlan $vdata add port $eapssecondary tagged
config eaps $eapsdomain add protected $vdata
config vlan $vdata ipa 192.168.11.221
# config ipr add default 192.168.11.254 vr vr-default
else
create log entry NoVLANsCreated
endif
############
#RADIUS & Netlogin
############
if (!$match($ynnetlogin,yes)) then
create log entry ConfigNetlogin
#configure $vdata ipaddress 192.168.11.221
create vlan nvlan
config netlogin vlan nvlan
config default del po $netloginports
enable netlogin dot1x
enable netlogin mac
enable netlogin ports $netloginports dot1x mac
config netlogin ports $netloginports mode mac-based-vlans
config radius netlogin primary server $radserver client-ip $radclient vr VR-Default
config radius netlogin primary shared-secret $radsecret
enable radius netlogin
config netlogin add mac-list 00:19:5B:D3:e8:DD
else
create log entry NoNetlogin
endif
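An added example, not code from this guide or from EPICenter: a Python parser for the profile metadata layout described in section 6 (step 3) and used by the Static Profile template above (# @MetaDataStart, # @ScriptDescription, # @VariableFieldLabel followed by set var, # @MetaDataEnd). It recovers the description and the labelled variables, flags a label with no following set var, and lists every $name the script body uses without a set var anywhere in the profile, treating $match(...) and $EVENT.* as built-ins the switch supplies at trigger time. The sample profile is constructed (a shortened ring block with one undefined reference); the older # @META_DATA_START / # @Description layout of the Generic VoIP LLDP template below is out of scope for this parser.

```python
"""Parse the @MetaData block of an EPICenter UPM profile script and check its variables.

Added example, not Extreme Networks or EPICenter code. It handles the
# @MetaDataStart / # @ScriptDescription / # @VariableFieldLabel / set var /
# @MetaDataEnd layout of section 6 and the Static Profile template.
"""
import re

# Constructed sample in the layout of the Static Profile template, shortened, with
# one reference ($eapsctrl) that has no matching 'set var' on purpose.
SAMPLE_PROFILE = """\
#***********************************************
# Description: EAPS ring on an edge switch
#***********************************************
# @MetaDataStart
# @ScriptDescription "This is a template for configuring network parameters for edge Summit
devices. The profile will configure an EAPS ring."
# @VariableFieldLabel "Create EAPS ring? (yes or no)"
set var yneaps yes
# @VariableFieldLabel "Name of EAPS domain"
set var eapsdomain upm-domain
# @VariableFieldLabel "Primary port number"
set var eapsprimary 23
# @MetaDataEnd
if (!$match($yneaps,yes)) then
create log entry Config_EAPS
create eaps $eapsdomain
config eaps $eapsdomain primary port $eapsprimary
config eaps $eapsdomain add control vlan $eapsctrl
create log entry Done_on_$EVENT.USER_PORT
else
create log entry EAPS_Not_Configured
endif
"""

_META_START, _META_END = "# @MetaDataStart", "# @MetaDataEnd"
_DESC_RE = re.compile(r'^#\s*@ScriptDescription\s+"(.*)$')
_LABEL_RE = re.compile(r'^#\s*@VariableFieldLabel\s+"(.*)"\s*$')
_SETVAR_RE = re.compile(r'^\s*set\s+var\s+(\w+)\s+(.*?)\s*$', re.MULTILINE)
# $name references; $match(...) is a built-in function and $EVENT.* is supplied
# by the switch at trigger time, so neither needs a 'set var'.
_VARREF_RE = re.compile(r'\$(?!match\()([A-Za-z_]\w*)')


def parse_metadata(script):
    """Return description, variables [{name, value, label}], dangling labels and the body."""
    lines = script.splitlines()
    # Without metadata markers the whole script is treated as body.
    meta = {"description": "", "variables": [], "dangling_labels": [], "body": script}
    in_meta, pending, i = False, None, 0
    while i < len(lines):
        s = lines[i].strip()
        i += 1
        if s == _META_START:
            in_meta = True
            continue
        if s == _META_END:
            meta["body"] = "\n".join(lines[i:])  # everything after the metadata is script body
            break
        if not in_meta:
            continue
        m = _DESC_RE.match(s)
        if m:
            text = m.group(1)
            while '"' not in text and i < len(lines):  # description may run over several lines
                text += " " + lines[i].strip()
                i += 1
            meta["description"] = text.split('"', 1)[0]
            continue
        m = _LABEL_RE.match(s)
        if m:
            if pending is not None:  # previous label never got its 'set var'
                meta["dangling_labels"].append(pending)
            pending = m.group(1)
            continue
        m = _SETVAR_RE.match(s)
        if m:
            meta["variables"].append({"name": m.group(1), "value": m.group(2), "label": pending})
            pending = None
    if pending is not None:
        meta["dangling_labels"].append(pending)
    return meta


def undefined_variables(script):
    """Sorted $names used in the body that no 'set var' (metadata or body) defines."""
    meta = parse_metadata(script)
    defined = {v["name"] for v in meta["variables"]}
    defined |= {m.group(1) for m in _SETVAR_RE.finditer(meta["body"])}
    referenced = {n for n in _VARREF_RE.findall(meta["body"]) if n != "EVENT"}
    return sorted(referenced - defined)


if __name__ == "__main__":
    info = parse_metadata(SAMPLE_PROFILE)
    print(info["description"])
    for v in info["variables"]:
        print(f'{v["label"]}: {v["name"]} = {v["value"]}')
    print("undefined:", undefined_variables(SAMPLE_PROFILE))
```

The undefined-variable check is the one worth running before the Test step of section 6: a $name with no set var reaches the switch as an empty string, so a command such as create vlan $vidsec fails or, worse, applies to the wrong object, and the Overview tab will not show the variable because it never had a label.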
Timer Upload
This template is used for a periodic configuration upload.
Upload configuration <ipaddress> <fileName>
#***********************************************
# Last Updated: May 11, 2007
# Tested Devices: X450e EXOS 12.0
# Description: This profile configures the switch with an EAPs ring, creates specified
# vlans, configures network login and RADIUS.
#***********************************************
# @MetaDataStart
# @ScriptDescription "This is a template for configuring network parameters for edge Summit
devices. The profile will configure the listed features: EAPs ring, Network login, 802.1x, vlans,
and default routes."
# @VariableFieldLabel "IP Address to Upload to"
set var address xxx.xxx.xxx.xxx
# @VariableFieldLabel "File name"
set var filename configfile.txt
# @MetaDataEnd
##################################
# Start of Upload profile
##################################
Upload config $address $filename
Generic VoIP LLDP
#********************************
# Last Updated: March 20, 2007
# Tested Phones: Avaya 4610, 4620, 4625
# Requirements: LLDP capable devices
#********************************
# @META_DATA_START
# @FileDescription "This is a template for configuring network parameters for VoIP phones that support LLDP but without 802.1x authentication. The module is triggered through the detection of an LLDP packet on the port. The following network side configuration is done: enable SNMP traps, QOS assignment, adjust POE reservation values based on device requirements, add the voiceVlan to the port as tagged."
# @Description "Voice VLAN name"
set var voicevlan voice
# @Description "Send trap when LLDP event happens (true or false)"
set var sendTraps false
# @Description "Set QoS Profile (true or false)"
set var setQuality false
# @META_DATA_END
#
if (!$match($EVENT.NAME,DEVICE-DETECT)) then
create log entry Starting_LLDP_Generic_Module_Config
# VoiceVLAN configuration
configure vlan $voicevlan add port $EVENT.USER_PORT tagged
#SNMP Trap
if (!$match($sendTraps,true)) then
create log entry Config_SNMP_Traps
enable snmp traps lldp ports $EVENT.USER_PORT
enable snmp traps lldp-med ports $EVENT.USER_PORT
else
disable snmp traps lldp ports $EVENT.USER_PORT
disable snmp traps lldp-med ports $EVENT.USER_PORT
endif
#Link Layer Discovery Protocol-Media Endpoint Discovery
create log entry Config_LLDP
configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
configure lldp port $EVENT.USER_PORT advertise vendor-specific dot1 vlan-name vlan $voicevlan
configure lldp port $EVENT.USER_PORT advertise vendor-specific med policy application voice vlan $voicevlan dscp 46
configure lldp port $EVENT.USER_PORT advertise vendor-specific med power-via-mdi
#Configure POE settings per device requirements
create log entry Config_POE
configure inline-power operator-limit $EVENT.DEVICE_POWER ports $EVENT.USER_PORT
#QoS Profile
if (!$match($setQuality,true)) then
create log entry Config_QOS
configure port $EVENT.USER_PORT qosprofile qp7
endif
endif
if (!$match($EVENT.NAME,DEVICE-UNDETECT) && $match($EVENT.DEVICE_IP,0.0.0.0)) then
create log entry Starting_LLDP_Generic_UNAUTH_Module_Config
if (!$match($sendTraps,true)) then
create log entry UNConfig_SNMP_Traps
disable snmp traps lldp ports $EVENT.USER_PORT
disable snmp traps lldp-med ports $EVENT.USER_PORT
endif
create log entry UNConfig_LLDP
unconfig lldp port $EVENT.USER_PORT
if (!$match($setQuality,true)) then
create log entry UNConfig_QOS
unconfig qosprofile ports $EVENT.USER_PORT
endif
unconfig inline-power operator-limit ports $EVENT.USER_PORT
endif
if (!$match($EVENT.NAME,DEVICE-UNDETECT) && !$match($EVENT.DEVICE_IP,0.0.0.0)) then
create log entry DoNothing_0.0.0.0
create log entry $EVENT.TIME
endif
create log entry End_LLDP_Generic_Module_Config
Generic VoIP 802.1x
#***********************************************
# Last Updated: April 6, 2007
# Tested Phones: Avaya 4610, 4620, 4625
# Requirements: 802.1x capable devices, netlogin configured and enabled on deployment ports
#***********************************************
# @META_DATA_START
# @FileDescription "This is a template for configuring network parameters for 802.1x authenticated devices. The module is triggered through successful authentication of the device. The following network side configuration is done: QOS assignment and enables DOS protection. When used with IP phones, phone provisioning is done through DHCP options."
# @Description "VLAN name to add to port"
set var vlan1 voice
# @Description "Set QoS Profile (yes or no)"
set var setQuality yes
# @Description "QoS Profile (0-100)"
set var lowbw 50
# @Description "QoS MAX Bandwidth (0-100)"
set var highbw 100
# @Description "Enable Denial of Service Protection (yes or no)"
set var dosprotection yes
# @META_DATA_END
##################################
# Start of USER-AUTHENTICATE block
##################################
if (!$match($EVENT.NAME,USER-AUTHENTICATED)) then
############
#QoS Profile
############
# Adds a QOS profile to the port
if (!$match($setQuality,yes)) then
create log entry Config_QOS
configure port $EVENT.USER_PORT qosprofile qp7
configure qosprofile qp7 minbw $lowbw maxbw $highbw ports $EVENT.USER_PORT
endif
#
########################
#Security Configurations
########################
create log entry Applying_Security_Limits
# enables Denial of Service Protection for the port
if (!$match($dosprotection,yes)) then
enable dos-protect
create log entry DOS_enabled
endif
#
endif
################################
# End of USER-AUTHENTICATE block
Avaya VoIP 802.1x
#********************************
# Last Updated: March 20, 2007
# Tested Phones: SW4610, SW4620
# Requirements: 802.1x authentication server, VSA 203 and VSA 212 from authentication server. QP7 defined on the switch
#********************************
# @META_DATA_START
# @FileDescription "This is a template for configuring LLDP capable Avaya phones using the authentication trigger. This module will provision the phone with the following parameters: call server, file server, dot1q, dscp, power. Additionally the following network side configuration is done: enable SNMP traps and QOS assignment."
# @Description "Avaya phone call server IP address"
set var callserver 192.45.95.100
# @Description "Avaya phone file server IP address"
set var fileserver 192.45.10.250
# @Description "Send trap when LLDP event happens (true or false)"
set var sendTraps true
# @Description "Set QoS Profile (true or false)"
set var setQuality true
# @META_DATA_END
#
if (!$match($EVENT.NAME,USER-AUTHENTICATED)) then
create log entry Starting_Avaya_VOIP_802.1x_AUTH_Module_Config
if (!$match($sendTraps,true)) then
enable snmp traps lldp ports $EVENT.USER_PORT
enable snmp traps lldp-med ports $EVENT.USER_PORT
else
disable snmp traps lldp ports $EVENT.USER_PORT
disable snmp traps lldp-med ports $EVENT.USER_PORT
endif
enable lldp port $EVENT.USER_PORT
configure lldp port $EVENT.USER_PORT advertise vendor-specific dot1 vlan-name
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callserver
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileserver
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tag
if (!$match($setQuality,true)) then
configure port $EVENT.USER_PORT qosprofile qp7
endif
endif
#
if (!$match($EVENT.NAME,USER-UNAUTHENTICATED)) then
create log entry Starting_Avaya_VOIP_802.1x_UNAUTH_Module_Config
if (!$match($sendTraps,true)) then
enable snmp traps lldp ports $EVENT.USER_PORT
enable snmp traps lldp-med ports $EVENT.USER_PORT
else
disable snmp traps lldp ports $EVENT.USER_PORT
disable snmp traps lldp-med ports $EVENT.USER_PORT
endif
disable lldp port $EVENT.USER_PORT
if (!$match($setQuality,true)) then
unconfig qosprofile ports $EVENT.USER_PORT
endif
endif
create log entry End_Avaya_VOIP_802.1x_Module_Config
Dynamic Security Policy
if (!$match($CLI_EVENT,USER-AUTHENTICATED) ) then
create access-list $(DEVICE_MAC)_192_168_1_0 "ethernet-source-address $DEVICE_MAC ; destination-address 192.168.1.0/24 " "permit "
create access-list $(DEVICE_MAC)_192_168_2_0 "ethernet-source-address $DEVICE_MAC ; destination-address 192.168.2.0/24 " "permit "
create access-list $(DEVICE_MAC)_192_168_3_0 "ethernet-source-address $DEVICE_MAC ; destination-address 192.168.3.0/24 " "permit "
create access-list $(DEVICE_MAC)_smtp "ethernet-source-address $DEVICE_MAC ; destination-address 192.168.100.125/32 ; protocol tcp ; destination-port 25" "permit "
create access-list $(DEVICE_MAC)_http "ethernet-source-address $DEVICE_MAC ; protocol tcp ; destination-port 80" "permit "
create access-list $(DEVICE_MAC)_https "ethernet-source-address $DEVICE_MAC ; protocol tcp ; destination-port 443" "permit "
create access-list $(DEVICE_MAC)_dhcp "protocol udp; destination-port 67" "permit"
create access-list $(DEVICE_MAC)_deny "destination-address 0.0.0.0/0" "deny "
configure access-list add $(DEVICE_MAC)_192_168_1_0 first port $USER_PORT
configure access-list add $(DEVICE_MAC)_192_168_2_0 first port $USER_PORT
configure access-list add $(DEVICE_MAC)_192_168_3_0 first port $USER_PORT
configure access-list add $(DEVICE_MAC)_smtp first port $USER_PORT
configure access-list add $(DEVICE_MAC)_http last port $USER_PORT
configure access-list add $(DEVICE_MAC)_https last port $USER_PORT
configure access-list add $(DEVICE_MAC)_dhcp first port $USER_PORT
configure access-list add $(DEVICE_MAC)_deny last port $USER_PORT
endif
if (!$match($CLI_EVENT,USER-UNAUTHENTICATED) ) then
# Clean up
configure access-list delete $(DEVICE_MAC)_192_168_1_0 ports $USER_PORT
configure access-list delete $(DEVICE_MAC)_192_168_2_0 ports $USER_PORT
configure access-list delete $(DEVICE_MAC)_192_168_3_0 ports $USER_PORT
configure access-list delete $(DEVICE_MAC)_smtp ports $USER_PORT
configure access-list delete $(DEVICE_MAC)_http ports $USER_PORT
configure access-list delete $(DEVICE_MAC)_https ports $USER_PORT
configure access-list delete $(DEVICE_MAC)_dhcp ports $USER_PORT
configure access-list delete $(DEVICE_MAC)_deny ports $USER_PORT
delete access-list $(DEVICE_MAC)_192_168_1_0
delete access-list $(DEVICE_MAC)_192_168_2_0
delete access-list $(DEVICE_MAC)_192_168_3_0
delete access-list $(DEVICE_MAC)_smtp
delete access-list $(DEVICE_MAC)_http
delete access-list $(DEVICE_MAC)_https
delete access-list $(DEVICE_MAC)_dhcp
delete access-list $(DEVICE_MAC)_deny
endif
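The permits in this profile are inserted with first and the catch-all deny with last, so the order in which the port evaluates the rules differs from script order. As an added example that is not part of the guide, this Python model rebuilds that chain and runs constructed flows through it; first-match-wins evaluation and the flow field names are assumptions of the model, not behaviour quoted from the guide.

```python
# Added model of the per-MAC dynamic ACL installed by the Dynamic Security Policy
# profile. Rule names, match fields and first/last placement follow the script;
# first-match-wins evaluation and the sample flows are assumptions of this example.
import ipaddress

DEVICE_MAC = "00:19:5b:d3:e8:dd"  # constructed stand-in for $DEVICE_MAC

# (rule suffix, placement, match conditions, action), in the order the profile adds them
PROFILE_RULES = [
    ("192_168_1_0", "first", {"src_mac": DEVICE_MAC, "dst": "192.168.1.0/24"}, "permit"),
    ("192_168_2_0", "first", {"src_mac": DEVICE_MAC, "dst": "192.168.2.0/24"}, "permit"),
    ("192_168_3_0", "first", {"src_mac": DEVICE_MAC, "dst": "192.168.3.0/24"}, "permit"),
    ("smtp", "first", {"src_mac": DEVICE_MAC, "dst": "192.168.100.125/32",
                       "proto": "tcp", "dport": 25}, "permit"),
    ("http", "last", {"src_mac": DEVICE_MAC, "proto": "tcp", "dport": 80}, "permit"),
    ("https", "last", {"src_mac": DEVICE_MAC, "proto": "tcp", "dport": 443}, "permit"),
    ("dhcp", "first", {"proto": "udp", "dport": 67}, "permit"),
    ("deny", "last", {"dst": "0.0.0.0/0"}, "deny"),
]


def install(rules):
    """Build the port's rule chain: 'first' inserts at the head, 'last' appends."""
    chain = []
    for name, placement, match, action in rules:
        if placement == "first":
            chain.insert(0, (name, match, action))
        else:
            chain.append((name, match, action))
    return chain


def matches(match, flow):
    """True when every condition of the rule holds for the flow (a dict of packet fields)."""
    for key, want in match.items():
        if key == "dst":
            if ipaddress.ip_address(flow["dst"]) not in ipaddress.ip_network(want):
                return False
        elif flow.get(key) != want:
            return False
    return True


def evaluate(chain, flow):
    """Return (rule name, action) of the first matching rule; (None, 'no-match') otherwise."""
    for name, match, action in chain:
        if matches(match, flow):
            return name, action
    return None, "no-match"


CHAIN = install(PROFILE_RULES)
```

The resulting chain places dhcp and smtp ahead of the subnet permits and the deny at the very end, so http/https are reachable only because they were appended before the deny line; a permit added with last after the deny would never be evaluated.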
Video Camera
This template adds an ACL to an edge port when a video camera connects. The profile creates and applies an ACL on the switch port when a user authenticates, and removes it again when the user unauthenticates. The ACL denies traffic to a particular IP address (192.168.10.220/32 in the script); the QoS section that would assign the user to QoS profile 7 is present but commented out in the version shown.
#***********************************************
# Last Updated: March 9, 2007
# Tested Devices: Dlink DCS 1110
# Requirements: 802.1x capable devices, netlogin configured and enabled on deployment ports
#***********************************************
# @MetaDataStart
# @ScriptDescription "This is a template for configuring the switch for the right environment for this webcam. It creates a dynamic access-list to restrict access"
# @Description "VLAN name to add to port"
# set var vlan1 voiceavaya
# @VariableFieldLabel "Set QoS Profile (yes or no)"
# set var setQuality yes
# @Description "QoS Profile (0-100)"
# set var lowbw 50
# @VariableFieldLabel "QoS MAX Bandwidth (0-100)"
# set var highbw 100
# @MetaDataEnd
##################################
# Start of USER-AUTHENTICATE block
##################################
if (!$match($EVENT.NAME,USER-AUTHENTICATED)) then
############
#QoS Profile
############
# Adds a QOS profile to the port
# if (!$match($setQuality,yes)) then
# create log entry Config_QOS
# configure port $EVENT.USER_PORT qosprofile qp7
# configure qosprofile qp7 minbw $lowbw maxbw $highbw ports $EVENT.USER_PORT
# endif
#
############
#ACL Section
############
# Adds an ACL to stop traffic to a particular address
create log entry Config_ACL
create access-list webcamblock "destination-address 192.168.10.220/32" "deny"
configure access-list add webcamblock first port $EVENT.USER_PORT
#endif
#
endif
################################
# End of USER-AUTHENTICATE block
################################
#
#
####################################
# Start of USER-UNAUTHENTICATE block
####################################
if (!$match($EVENT.NAME,USER-UNAUTHENTICATED)) then
# create log entry Starting_8021x_Generic_UNAUTH_Module_Config
# if (!$match($setQuality,yes)) then
# create log entry UNConfig_QOS
# unconfig qosprofile ports $EVENT.USER_PORT
# endif
# unconfigure inline-power operator-limit ports $EVENT.USER_PORT
#### remove acl
configure access-list delete webcamblock port $EVENT.USER_PORT
delete access-list webcamblock
endif
##################################
# End of USER-UNAUTHENTICATE block
##################################
create log entry End_802_1x_Generic_Module_Config