Auto-sense Port States

The system uses a per-interface state to adapt to all Auto-sense events. Each state transition determines background configuration on the port. The system does not display these configurations in the output of the show running-config command or in the saved configuration file but if you disable Auto-sense on the port and use the convert-to-config parameter, the dynamic configuration becomes a manual configuration and is visible in the show running-config output. Use show auto-sense commands to monitor the running states of each port.

For flowcharts that describe the system logic for Auto-sense port state detection, see Auto-sense Logical Flowcharts.

Port Down State

If you run the auto-sense enable command on a port that is disabled or has an inactive link, the port transitions to the Auto-sense Port Down state. This state transitions to the Auto-sense Wait state after the port becomes operational or the link becomes active.

Wait State

The port modifies outgoing LLDP packets to represent the enhanced properties of the port and analyzes incoming LLDP packets for possible transitions to advanced states like network-to-network interface (NNI), Fabric Attach (FA), or VOICE. If the port does not receive LLDP packets, the port transitions to the UNI state.

UNI State

This state grants onboarding and data connectivity to the port if you configure the onboarding I-SID, or a data I-SID in the global Auto-sense configuration or at the port level. The system also applies the trusted and untrusted Auto-sense global configuration. As with the Wait state, the port continues to monitor received LLDP packets for transitions to other states.

Network Access Control (NAC) support, through EAP/NEAP, is enabled by default on each Auto-sense port, but disabled globally. If you require EAP/NEAP operation on Auto-sense ports, you must globally enable EAP and configure a RADIUS server.

The system performs the following background configurations on port x:

flex-uni enable
eapol status auto​
eapol multihost radius-non-eap-enable​
eapol multihost eap-oper-mode mhmv​
[qos 802.1p-override enable]
[access-diffserv enable]
on port X interface, if onboarding I-SID Y is configured without data I-SID:
eapol guest i-sid Y
on onboarding I-SID interface, if it is configured without data I-SID:
untagged-traffic port X
on data I-SID interface, if it is configured:
untagged-traffic port X

An Auto-sense port in the UNI state remains in PVLAN isolated mode when any additional untagged I-SID is applied to the port. Auto-sense ports support multiple VLAN/I-SIDs and PVLAN/I-SIDs on the same port at any time concurrently. Typically, this operational mode is required when you configure NAC support with Multiple Host Multiple VLAN (MHMV). The software then assigns clients to their VLAN/I-SIDs based on their NAC authentication results.

NNI States

The NNI states are as follows:

If, while in the Wait state, the port receives a Fabric Connect LLDP packet, the port transitions to the NNI state and adds the IS-IS SPBM instance on the interface. The system tries to establish an IS-IS adjacency and, if successful, transitions the port to the NNI IS-IS state. The port remains in the NNI IS-IS state until the adjacency fails, at which time it returns to the NNI state.

The system performs the following background configurations on port x:

isis
isis spbm 1
isis enable
[isis hello-auth …] inherited from global configuration

If the system cannot establish the adjacency, it transitions the port to the NNI onboarding state. The system creates a Switched UNI (S-UNI) with the onboarding I-SID.

The system performs the following background configurations:

flex-uni enable
isis
isis spbm 1
isis enable
[isis hello-auth …] inherited from global configuration
on onboarding i-sid interface, if it exists:
untagged-traffic port X

Fabric Attach (FA) States

The FA states are as follows:

LLDP uses the FA TLV to detect FA-capable neighbors.

The port enters the FA state after LLDP detects an access point, an FA client that is not another switch.

The system performs the following background configurations on port x:

flex-uni enable
eapol status auto                                 
eapol multihost radius-non-eap-enable
eapol multihost eap-oper-mode mhmv
eapol guest i-sid X
fa enable
 on onboarding i-sid interface, if it exists:
untagged-traffic port X

If LLDP detects an FA proxy switch such as an ERS, EXOS, or Switch Engine switch that uses FA message authentication, the port transitions to the FA PROXY state.

The system performs the following background configurations on port x:

flex-uni enable
fa enable
fa message-authentication
fa management-isid
Note

Note

By default, the FA PROXY state uses the onboarding I-SID as the management I-SID but you can override this with a specific I-SID and customer VLAN ID combination.

If the FA proxy switch does not use FA message authentication, the port transitions to the FA PROXY NOAUTH state.

The system performs the following background configurations on port x:

flex-uni enable
fa enable
on onboarding i-sid interface, if it exists:
untagged-traffic port X

Depending on the device that the Auto-sense port detects, the switch can apply different FA-specific configurations that you define. For more information, see Auto-sense.

When a port is in the FA state, the system uses the following priority for untagged traffic:

  1. EAP/NEAP assigned I-SID
  2. WAP, camera, or open virtual switch (OVS) I-SID
  3. Onboarding I-SID
  4. Drop

Voice State

If the port detects an LLDP packet from a phone, the port transitions to the VOICE state. A global Auto-sense voice configuration is not required to transition to the VOICE state except a specific voice VLAN shall be signaled to the phone.

For more information on Auto-sense voice, see Auto-sense Voice.