Since VSP 8.2 release a new Segmented Management Interface has been introduced which provides a more unambiguous management interface and avoids asymmetric routing problems when OOB and VLAN us used. There are three type of mgmt interface which are OOB, CLIP and VLAN. Existing switches pre 8.2 can be configured to migrate one of their management interface types to a SMI (migrate-to-mgmt command present in 7.1.3, 8.0.1 and 8.1.0).
Be aware that after the upgrade the GRT interface will disappear and if a VLAN IP was used for management on a L3 BEB or L3 router then traffic inbound on a different VLAN will not reach the mgmt VLAN. For this type of switch it is recommended to use a CLIP for management.
The slides below explain the reason for the change and the recommendations to follow when upgrading to 8.2 or higher.
It might be simpler to assign a new CLIP for management purposes and keep existing CLIP used by ISIS Source IP or as Router ID for OSPF and/or BGP. If you do this consider external servers that have discovered the switch using a different IP and also external RADIUS servers which are configured with the previous IP address.
After the upgrade ISIS Source IP is no longer necessary but is recommended if IP shortcuts are used. If the original CLIP is used for management it will disappear and not be available for ISIS Source IP so a new CLIP should be considered.
Decide which VRF to use for management and which type of interface (OOB, CLIP or VLAN) based on L3 BEB, L3 Router, L2 BEB or L2 Switch.
If an End System was not active for the amount (or greater) of days that is defined within the ‘Age ‘End-Systems older than’ variable, the end system is removed from the NAC.
The default value is 90 days. For example, if an end system is not active for >90 days, using this default setting and the default ‘Remote Associated Registration Data’ is checked, the End system is removed completely from the NAC.
The End-Systems table can be filtered to help manage access control.
Filter the State column to show the Rejected devices or Disconnected devices. And then filter again on the Last Seen column to filter by date (before or after) which could be useful to do when purging old entries. The list can be filtered based on Authentication Type ie MAC.
If you want to trigger an email based on a specific event go to Control>Access Control>Configuration>Notifications. You can add a new condition that will generate an email to a helpdesk for example.
Notifications can send an email if triggered, or execute a workflow, syslog event or script.
Cannot edit the default RADIUS attributes in Control but can copy to another name and edit the copy. This is useful when you want to add additional attributes to send to the switch, for example, when need to allow Management CLI login for administration purposes.
The attributes needed by the switches may vary but you can refer to custom values within the policy mappings. For example, ERS BOSS switches use the Service Type attribute to send the value 6 (RWA) which can be set in a custom field ie %CUSTOM1% or under Management and select Access [User Defined] Management Service Type.