Change Default SNMP v2c Community in VOSS

For security hardening change the default SNMP v2c communities of public (read only) and private (read write).

Under global configuration mode:

no snmp-server community public

no snmp-server community private

snmp-server community NewRead group readgrp index first secname readview

snmp-server community NewWrite group v1v2grp index second secname initialview

Type show snmp-server community and see the list of indexes in the Community Table (first, second etc…) as there may be others as well created for VRFs.

VSP Premier License

Generate a license .XML file on the support portal using a valid voucher ID and match against the switch base MAC address and serial number (type show sys-info command).

Copy .XML file to /intflash and then type load-license command from configuration mode. This will install the premier license. Type show license command to confirm license is in place and type save config.

On the portal the license files can be seen against the customer and switch type under assets. In the event of a replacement switch the license file can be edited with a new base MAC and serial number.

Spreadsheet Comparison

Compare two Excel files using the Microsoft Spreadsheet Comparison application.

On the Start screen, click Spreadsheet Compare.

Click Home > Compare Files.

Click the blue folder icon next to the Compare box to browse to the location of the earlier version of your workbook.

Click the green folder icon next to the To box to browse to the location of the workbook that you want to compare to the earlier version, and then click OK.

In the left pane, choose the options you want to see in the results of the workbook comparison by checking or unchecking the options, such as FormulasMacros, or Cell Format. Or, just Select All.

Click OK to run the comparison.

Differences are highlighted with a cell fill color or text font color, depending on the type of difference. For example, cells with “entered values” (non-formula cells) are formatted with a green fill color in the side-by-side grid, and with a green font in the pane results list. The lower-left pane is a legend that shows what the colors mean.

Note: If the files are .CSV files then open in Excel and save them as Excel Workbook (*.xlsx) files so they can be opened by the tool.

VSP Segmented Management Interface Explained

Since VSP 8.2 release a new Segmented Management Interface has been introduced which provides a more unambiguous management interface and avoids asymmetric routing problems when OOB and VLAN us used. There are three type of mgmt interface which are OOB, CLIP and VLAN. Existing switches pre 8.2 can be configured to migrate one of their management interface types to a SMI (migrate-to-mgmt command present in 7.1.3, 8.0.1 and 8.1.0).

Be aware that after the upgrade the GRT interface will disappear and if a VLAN IP was used for management on a L3 BEB or L3 router then traffic inbound on a different VLAN will not reach the mgmt VLAN. For this type of switch it is recommended to use a CLIP for management.

The slides below explain the reason for the change and the recommendations to follow when upgrading to 8.2 or higher.

It might be simpler to assign a new CLIP for management purposes and keep existing CLIP used by ISIS Source IP or as Router ID for OSPF and/or BGP. If you do this consider external servers that have discovered the switch using a different IP and also external RADIUS servers which are configured with the previous IP address.

After the upgrade ISIS Source IP is no longer necessary but is recommended if IP shortcuts are used. If the original CLIP is used for management it will disappear and not be available for ISIS Source IP so a new CLIP should be considered.

Decide which VRF to use for management and which type of interface (OOB, CLIP or VLAN) based on L3 BEB, L3 Router, L2 BEB or L2 Switch.

Access Control Daily Persistence Check

If an End System was not active for the amount (or greater) of days that is defined within the ‘Age ‘End-Systems older than’ variable, the end system is removed from the NAC.

The default value is 90 days.   For example, if an end system is not active for >90 days, using this default setting and the default ‘Remote Associated Registration Data’ is checked, the End system is removed completely from the NAC.

Daily Persistence

Access Control End-Systems Filtering

The End-Systems table can be filtered to help manage access control.

Filter the State column to show the Rejected devices or Disconnected devices. And then filter again on the Last Seen column to filter by date (before or after) which could be useful to do when purging old entries. The list can be filtered based on Authentication Type ie MAC.


If you want to trigger an email based on a specific event go to Control>Access Control>Configuration>Notifications. You can add a new condition that will generate an email to a helpdesk for example.

Notifications can send an email if triggered, or execute a workflow, syslog event or script.

Adding additional RADIUS Attributes in Control

Cannot edit the default RADIUS attributes in Control but can copy to another name and edit the copy. This is useful when you want to add additional attributes to send to the switch, for example, when need to allow Management CLI login for administration purposes.

The attributes needed by the switches may vary but you can refer to custom values within the policy mappings. For example, ERS BOSS switches use the Service Type attribute to send the value 6 (RWA) which can be set in a custom field ie %CUSTOM1% or under Management and select Access [User Defined] Management Service Type.