VSP Segmented Management Interface Explained

Since VSP 8.2 release a new Segmented Management Interface has been introduced which provides a more unambiguous management interface and avoids asymmetric routing problems when OOB and VLAN us used. There are three type of mgmt interface which are OOB, CLIP and VLAN. Existing switches pre 8.2 can be configured to migrate one of their management interface types to a SMI (migrate-to-mgmt command present in 7.1.3, 8.0.1 and 8.1.0).

Be aware that after the upgrade the GRT interface will disappear and if a VLAN IP was used for management on a L3 BEB or L3 router then traffic inbound on a different VLAN will not reach the mgmt VLAN. For this type of switch it is recommended to use a CLIP for management.

The slides below explain the reason for the change and the recommendations to follow when upgrading to 8.2 or higher.

It might be simpler to assign a new CLIP for management purposes and keep existing CLIP used by ISIS Source IP or as Router ID for OSPF and/or BGP. If you do this consider external servers that have discovered the switch using a different IP and also external RADIUS servers which are configured with the previous IP address.

After the upgrade ISIS Source IP is no longer necessary but is recommended if IP shortcuts are used. If the original CLIP is used for management it will disappear and not be available for ISIS Source IP so a new CLIP should be considered.

Decide which VRF to use for management and which type of interface (OOB, CLIP or VLAN) based on L3 BEB, L3 Router, L2 BEB or L2 Switch.

https://community.extremenetworks.com/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=c247b77e-8e47-fb70-c9c8-76384b0d1cb3&forceDialog=0

Access Control Daily Persistence Check

If an End System was not active for the amount (or greater) of days that is defined within the ‘Age ‘End-Systems older than’ variable, the end system is removed from the NAC.

The default value is 90 days.   For example, if an end system is not active for >90 days, using this default setting and the default ‘Remote Associated Registration Data’ is checked, the End system is removed completely from the NAC.

Daily Persistence

Access Control End-Systems Filtering

The End-Systems table can be filtered to help manage access control.

Filter the State column to show the Rejected devices or Disconnected devices. And then filter again on the Last Seen column to filter by date (before or after) which could be useful to do when purging old entries. The list can be filtered based on Authentication Type ie MAC.

End-System-State

If you want to trigger an email based on a specific event go to Control>Access Control>Configuration>Notifications. You can add a new condition that will generate an email to a helpdesk for example.

Notifications can send an email if triggered, or execute a workflow, syslog event or script.

Adding additional RADIUS Attributes in Control

Cannot edit the default RADIUS attributes in Control but can copy to another name and edit the copy. This is useful when you want to add additional attributes to send to the switch, for example, when need to allow Management CLI login for administration purposes.

The attributes needed by the switches may vary but you can refer to custom values within the policy mappings. For example, ERS BOSS switches use the Service Type attribute to send the value 6 (RWA) which can be set in a custom field ie %CUSTOM1% or under Management and select Access [User Defined] Management Service Type.

https://extremeportal.force.com/ExtrArticleDetail?an=000099846

https://community.extremenetworks.com/communities/community-home/digestviewer/view-question?ContributedContentKey=35862325-50c4-4843-9182-a62026349e12&CommunityKey=d4b57428-7c7e-4bce-886a-356352ffa2c0&tab=digestviewer

Workflows and Email

Import Workflows from Extreme Networks github site and can send email reports with some of them.

https://github.com/extremenetworks/ExtremeScripting/blob/master/XMC_XIQ-SE/oneview_workflows/README.md

For example, there is a Workflow which provides a report via email of the Pilot and Navigator licenses for all devices in XIQ-SE.

There is a Workflow which can login to ERS switches and capture the serial number and email a CSV file.

You need to configure an SMTP email server and edit the NSJBoss.properties configuration file with some mail properties and then restart Netsight.

https://extremeportal.force.com/ExtrArticleDetail?an=000092528

https://extremeportal.force.com/ExtrArticleDetail?an=000081485

For TLS or STARTTLS…

mail.smtp.port=587
mail.smtp.auth=true
mail.smtp.starttls.enable=true

I used Google’s SMTP Proxy to email to outside email addresses (smtp.gmail.com). I had to turn on “Allow Less Secure Apps” which is not ideal and might be disabled by Google soon.

Configure SMTP Server and login account under Administration>Options>SMTP Email.