Dynamic VLAN assignment with AOS 6
Manually assigning ports to VLANs can be a time consuming and error prone process. Depending on the size of the network, there is a point where it doesn’t make sense to do this manually. Especially in SMB networks, VLANs are assigned manually, because the effort of automating the VLAN assignment exceeds the effort for manually assigning VLANs. Those environments are often very static. I know many SMB networks where VLAN have not been addressed for a long time. With declining costs for Layer 3 switches, the separation of workloads in VLANs for SMB customers became affordable. Server virtualization was another mainspring for VLANs and inter-VLAN routing. To be honest: I’m talking about SMB customers, not enterprise customers or enterprise-grade SMB customers (latter is my special term for SMB customers with enormous IT budgets…). But the main driver for VLANs was Voice over IP (VoIP). With the increasing proliferation of VoIP, even the smallest SMB customer were forced to use VLANs. But this led to situations, where customers had to change the switch config every time a new client or IP phone was added to the network. Common workarounds:
- pre-configuring switches, eg. port 1 to 12 for clients and 13 to 24 for IP phones
- connecting clients behind IP phones and pre-configuring all switch ports (untagged client and tagged VoIP VLAN)
Suitable for small environments, but difficult to handle if environments grow over time. And I’m not a friend of connecting clients behind IP phones… Enterprise, or enterprise-grade SMB customers tend to implement 802.1x to manage access to their network. With 802.1x it’s possible to assign ports to VLANs depending on the user identity. But 802.1x is complex. If you have the the knowhow, the time and the budget, please do 802.1x! But you should take the complexity into account. Today I want to show options, offisde of 802.1x, to dynamically assign ports to VLANs with Alcatel-Lucent Enterprise OmniSwitches.
First of all: We have to differ between AOS 6, AOS 7 and AOS 8. Alcatel-Lucent Enterprise (ALE) currently uses three different software releases, depending on the switch platform.
Switch model | AOS release |
---|---|
OmniSwitch 6250 | AOS 6 |
OmniSwitch 6350 | AOS 6 |
OmniSwitch 6450 | AOS 6 |
OmniSwitch 6850E | AOS 6 |
OmniSwitch 6855 | AOS 6 |
OmniSwitch 6860(E) | AOS 8 |
OmniSwitch 6900 | AOS 7 |
OmniSwitch 9000(E) | AOS 6 |
OmniSwitch 9900 | AOS 6 |
OmniSwitch 10K | AOS 7 |
Depending on the specific AOS release, there are various ways to enable dynamic VLAN assignment. The main reason for the different AOS releases is, that ALE shifts its networking core platform from Windriver VxWorks (AOS 6) to Linux (AOS 7 and AOS 8) (source #1, source #2).
This blog post will focus on
- OmniSwitch 6250/ 6350/ 6450 running AOS 6.7.1
I plan to publish similar blog posts for
- OmniSwitch 6900/ 10k running AOS 7.3.4
- OmniSwitch 6860/ 6860E running AOS 8.2.1
Dynamic VLAN assignment with AOS 6
In general, there are three different ways to dynamically assign ports to VLANs with AOS 6:
- VLAN mobility
- User Network Profiles (UNP)
- LLDP Media Endpoint Detection (LLDP-MED)
Let’s take a look at VLAN mobility. VLAN mobility is used to dynamically assign one or more VLANs to a port, based on traffic characteristics that were received on that port. The following information can be used to classify traffic:
- 802.1Q VLAN ID tag
- DHCP MAC address
- DHCP MAC range
- DHCP port
- DHCP generic
- MAC address
- MAC address range
- Network address
- Protocol
- Port
You can’t use VLAN mobility on ports that
- is an 802.1Q tagged port
- belongs to a Link Aggregation Group (LAG)
- has Spanning Tree enabled and the BPDU ignore status is disabled
- is used to mirror traffic
To allow the switch to dynamically assign ports to VLANs, VLAN mobility has to be enabled. By default, all ports are non-mobile ports. A non-mobile port is statically assigned to a specific VLAN.
To enable VLAN mobility for a port:
vlan port mobile 1/1
You can also use a port range.
vlan port mobile 1/1-22 2/1-22
To disable VLAN mobility use the “no” form of the command.
vlan no port mobile 1/1-22 2/1-22
If a device sends ethernet frames with a 802.1Q VLAN ID tag, you can use the VLAN ID tag to dynamically assign a port to a VLAN. With VLAN mobility enabled, you only have to enable the “mobile-tag” option for the desired VLAN.
vlan 199 mobile-tag enable
As soon as the switch receives a frame with a 802.1Q VLAN ID tag for VLAN 199, the port that received this frame is dynamically assigned to VLAN 199. That’s VLAN mobility based on 802.1Q VLAN ID tags. But you can also use VLAN rules. VLAN rules are created per VLAN. You can have one or more rules per VLAN. You can use the
- Source MAC address
- Source MAC address ranges
- Switch ports, or
- the DHCP request itself
to dynamically assign a port to a VLAN. This rule matches to DHCP requests from a single MAC address.
vlan 199 dhcp mac 68:F7:28:FA:A0:D5
If a DHCP request with the specified MAC address is received, the port is dynamically assigned to VLAN 199. Because managing MAC addresses is not very handy, you can use MAC address ranges:
vlan 199 dhcp mac 68:F7:28:FA:00:00 68:F7:28:FA:FF:FF
To use all DHCP requests on a specific port, use the DHCP port rule:
vlan 199 dhcp port 1/1-22 2/1-22
To use all received DHCP requests, use the DHCP generic rule:
vlan 199 dhcp generic
To remove a rule, use the “no” form of the command.
vlan 199 no dhcp ...
Once the device has received an IP address from the DHCP server, the VLAN port assignment is dropped! Because of this, you can combine DHCP and network address rules. A network address rule dynamically assigns the VLAN depending on the IP subnet.
vlan 199 ip 192.168.20.0 255.255.255.0
This rule assigns VLAN 199 to a port, that receives traffic from a client in the subnet 192.168.20.0/24. If the DHCP server in VLAN 199 assigns IP addresses from this subnet, you can easily combine the DHCP and network address rule.
A MAC address rule assigns the VLAN depending on a single MAC address
vlan 199 mac range 68:F7:28:FA:A0:D5
or on a range of MAC addresses.
vlan 199 mac range 68:F7:28:FA:00:00 68:F7:28:FA:FF:FF
Less frequently used are port and protocol rules. A port rule doesn’t require incoming traffic to trigger dynamic VLAN assignment. The specified mobile port is immediately assigned to the specified VLAN. Port rules only apply to outgoing broadcast traffic. You still need rules for the incoming traffic. To create a VLAN port rule:
vlan 199 port 1/1
A protocol rule uses the protocol type in an ethernet frame to assign VLANs to ports. Valid values for the port type are:
- IP Ethernet-II
- IP SNAP
- Ethernet II
- DECNet
- AppleTalk
- Ethertype
- DSAP/SSAP
- SNAP
A protocol rule is created by issuing
vlan 199 protocol ip-snap
As always, the “no” form of the command removes the rule.
vlan no 199 protocol ip-snap
or
vlan no 199 mac range 68:F7:28:FA:00:00 68:F7:28:FA:FF:FF
User Network Profiles (UNP) is a feature of Access Guardian. Access Guardian refers to security functions, like
- Authentication and Classification
- Host Integrity Check (HIC)
- User Network Profiles (UNP), and
- Virtual Network Profile (VPN)
UNP are available in AOS 6, AOS 7 and AOS 8. In AOS 6 we need a
- policy condition
- policy action
- policy rule, and a
- policy list
These four characteristics belong to the QoS feature of AOS. But a UNP needs a policy list, more specific the policy rules that are part of the policy list, to classify traffic and devices. The policy condition is necessary to identifiy a devices on which this policy should match.
policy condition ip_phones source mac 68:F7:28:00:00:00 mask 00:00:00:FF:FF:FF
Beside the MAC address, you can use source and destionation IP addresses, switch ports, source and destination TCP/ UDP ports, VLANs and many more. To use one or more IP addresses, simple use a network group.
policy network group sales 192.168.20.0 mask 255.255.255.0 192.168.30.0 mask 255.255.255.0
The group “sales” consists of two subnets. To remove a subnet, use the “no” form of the command.
policy network group sales no 192.168.20.0 mask 255.255.255.0
The policy action is used to determine, what should happen with the traffic. In this case: Priorize the traffic.
policy action high_prio priority 7 802.1p 7
The rule binds condition and action.
policy rule rule_voip condition ip_phones action high_prio log no default-list
A policy list is used to group one or more policy rules.
policy list qos_list_voip rules rule_voip
A UNP binds a name, a VLAN and a policy list together.
aaa user-network-profile name voip vlan 199 policy-list-name qos\_list\_voip
A third way to dynamically assign ports to VLANs is LLDP Media Endpoint Detection (LLDP-MED). LLDP Media Endpoint Detection was developed to increase the interoperability of VoIP devices with other devices on the network (eg. PC, switches etc). AOS uses LLDP-MED network policies to advertise information to devices. A network policy contains information about VLAN ID and L2/ L3 priorities. First, we have to enable network policy support, either for a port or for the chassis.
lldp 1/1 tlv med network-policy enable
To enable network policies for the chassis use the keyword “chassis” instead of a port.
lldp chassis tlv med network-policy enable
To create a network policy enter:
lldp network-policy 1 application voice vlan 100 l2-priority 5 dscp 46
The created policy (ID 1) will advertise the VLAN 100, L2 priority 5 and DSCP 46 to voice devices. The next step is to bind the policy to a port or the chassis.
lldp chassis med network-policy 1
Or for a specific port.
lldp 1/1 med network-policy 1
Furthermore, you need to enable VLAN mobility on the ports. If the IP phones sends tagged VLAN frames, you also have to enable the “mobile tag” feature for the VLAN.
vlan 100 mobile-tag enable
The IP phone receives the configuration information over of the network policy. VLAN mobility and “mobile tag” will make sure, that the VoIP phone is pushed to the correct VLAN.
Summary
Manually assigning VLANs can be a time consuming and error prone process. AOS 6 offers
- VLAN mobility
- User Network Profiles, and
- LLDP-MED
to dynamically assign ports to VLANs. Each of the options has its pros and cons. Especially the combination of VLAN mobility and LLDP-MED is really easy to implement. I will publish more blog posts about the same topic, but with AOS 7 and AOS 8.