Auto-sense Global Configuration using EDM

Perform the procedures in this section to configure Auto-sense globally using Enterprise Device Manager (EDM).

Enable LLDP Authentication of IP Phones

Before you begin

You must enable EAPoL globally.

About this task

Perform this procedure to enable Link Layer Discovery Protocol (LLDP) authentication of IP phones. The switch authenticates the phone after it receives LLDP packets from the phone.

Auto-sense LLDP authentication applies to Auto-sense ports in the VOICE state. Auto-sense LLDP authentication does not require a global Auto-sense voice configuration.

The system removes the LLDP session for the following reasons:
  • You disable EAPoL globally.
  • You disable Auto-sense on the port.
  • The LLDP neighbor is removed.
If the LLDP authentication configuration exists and one of the following situations occurs, the LLDP session is recreated:
  • You re-enable EAPoL globally.
  • You re-enable Auto-sense on the port.
  • The LLDP neighbor is recreated.

Procedure

  1. In the navigation pane, expand Configuration > Fabric.
  2. Select AutoSense.
  3. Select the Globals tab.
  4. Select EapolVoiceLldpAuthEnable to enable the EAPoL LLDP authorization for voice Auto-sense ports.
  5. Select Apply.

Configure Auto-sense Voice Information for IP Phones

The switch applies the Auto-sense voice configuration on specific port(s), after it discovers IP phones on the port through LLDP packets.

Before you begin

If you boot the switch with a configuration file, and not through Zero Touch Fabric Configuration, you must manually enable Auto-sense on specific port(s).

About this task

Perform this procedure to configure Auto-sense voice information for IP phones. A global Auto-sense voice configuration does not require Auto-sense LLDP authentication.

Procedure

  1. In the navigation pane, expand Configuration > Fabric.
  2. Select AutoSense.
  3. Select the Globals tab.
  4. For VoiceIsid, type the I-SID value.
  5. For VoiceCvid, type the CVID value associated with the voice I-SID.
  6. Select Apply.

Disable Auto-sense DHCP Server Detection

About this task

Perform this procedure to disable DHCP server detection in Auto-sense mode.

Procedure

  1. In the navigation pane, expand Configuration > Fabric.
  2. Select AutoSense.
  3. Select the Globals tab.
  4. Select DhcpDetection to disable DHCP detection.
  5. Select Apply.

Configure Auto-sense Onboarding I-SID Globally

About this task

Perform this procedure to configure the onboarding I-SID for ports that are operating in Auto-sense mode.

Procedure

  1. In the navigation pane, expand Configuration > Fabric.
  2. Select AutoSense.
  3. Select the Globals tab.
  4. For OnboardingIsid, type the I-SID value for the Auto-sense ports.
  5. Select Apply.

Configure Auto-sense Data I-SID Globally

Before you begin

  • Enable Auto-sense on the port.

  • Associate a VLAN with the I-SID before you configure it as the global data I-SID.

About this task

Perform this task to configure Auto-sense data traffic information for ports that are operating in Auto-sense mode.

Note

This option applies to the Auto-sense UNI and voice states only; it replaces the onboarding I-SID and places an (untagged) client device into a pre-defined global data I-SID.

Procedure

  1. In the navigation pane, expand Configuration > Fabric.
  2. Select AutoSense.
  3. Select the Globals tab.
  4. For DataIsid, type the data I-SID value used by the Auto-sense ports.
  5. Select Apply.

Configure Layer 2 Trusted Auto-sense Ports

About this task

Perform this procedure to override incoming 802.1p bits on ports that operate in Auto-sense mode.

Procedure

  1. In the navigation pane, expand Configuration > Fabric.
  2. Select AutoSense.
  3. Select the Globals tab.
  4. Select Qos8021pOverrideEnable to override incoming 802.1p bits on ports that operate in Auto-sense mode.
  5. Select Apply.

Configure Auto-sense IS-IS Authentication

About this task

Perform this procedure to configure a global IS-IS authentication key for ports that are operating in Auto-sense mode.

Procedure

  1. In the navigation pane, expand Configuration > Fabric.
  2. Select AutoSense.
  3. Select the Globals tab.
  4. For IsisHelloAuthType, select a type of IS-IS hello authentication.
  5. For IsisHelloAuthKeyId, type the key ID for IS-IS authentication for the Auto-sense ports.
  6. For IsisHelloAuthKey, type the key for IS-IS authentication for the Auto-sense ports.
  7. Select Apply.
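What the hmac-sha256 option for IsisHelloAuthType does with IsisHelloAuthKeyId and IsisHelloAuthKey, as an added example that is not code from the switch or its vendor. It is a simplified model: the TLV sits at the end of the hello and the digest field is zero-filled while hashing, so it is not wire-compatible with RFC 5310, and all sample values are constructed.

```python
import hashlib
import hmac
import struct

AUTH_TLV = 10                 # IS-IS Authentication Information TLV type
AUTH_GENERIC_CRYPTO = 3       # authentication type defined by RFC 5310
DIGEST_LEN = hashlib.sha256().digest_size   # 32 bytes
TLV_LEN = 2 + 3 + DIGEST_LEN  # TLV header + auth type + key ID + digest


def auth_tlv(key_id, digest):
    value = struct.pack("!BH", AUTH_GENERIC_CRYPTO, key_id) + digest
    return struct.pack("!BB", AUTH_TLV, len(value)) + value


def sign_hello(body, key_id, key):
    """Sender: append a TLV carrying the key ID and the HMAC-SHA-256 digest."""
    zeroed = body + auth_tlv(key_id, bytes(DIGEST_LEN))
    digest = hmac.new(key, zeroed, hashlib.sha256).digest()
    return body + auth_tlv(key_id, digest)


def verify_hello(pdu, keyring):
    """Receiver: pick the key by key ID, recompute the digest, compare."""
    if len(pdu) < TLV_LEN:
        return False
    body, tlv = pdu[:-TLV_LEN], pdu[-TLV_LEN:]
    tlv_type, length, auth_type, key_id = struct.unpack("!BBBH", tlv[:5])
    if (tlv_type, length, auth_type) != (AUTH_TLV, 3 + DIGEST_LEN, AUTH_GENERIC_CRYPTO):
        return False                      # hello carries no HMAC-SHA-256 TLV
    key = keyring.get(key_id)
    if key is None:
        return False                      # no key configured under this key ID
    zeroed = body + auth_tlv(key_id, bytes(DIGEST_LEN))
    expected = hmac.new(key, zeroed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tlv[5:])   # constant-time compare


# Constructed sample values, not taken from any device.
HELLO_BODY = b"constructed IS-IS hello body"
KEY = b"constructed-shared-key"

if __name__ == "__main__":
    pdu = sign_hello(HELLO_BODY, 1, KEY)
    print("same key and key ID:", verify_hello(pdu, {1: KEY}))
    print("different key:      ", verify_hello(pdu, {1: b"other-key"}))
    print("different key ID:   ", verify_hello(pdu, {2: KEY}))
    print("modified hello:     ", verify_hello(b"X" + pdu[1:], {1: KEY}))
```

Only the first check passes; a neighbor with a different key, a different key ID, or a hello altered in transit is rejected.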

Configure Auto-sense Access Ports

About this task

Perform this procedure to configure ports operating in Auto-sense mode to determine the Layer 3 QoS actions the switch performs. The Auto-sense access ports override the Differentiated Services Code Point (DSCP) markings.

Procedure

  1. In the navigation pane, expand Configuration > Fabric.
  2. Select AutoSense.
  3. Select the Globals tab.
  4. Select AccessDiffservEnable to enable differentiated service type as access for Auto-sense ports.
  5. Select Apply.

Configure Auto-sense for Fabric Attach

Perform this procedure for the following purposes:

  • Configure Fabric Attach (FA) authentication for ports that are operating in Auto-sense mode.

  • For Zero Touch Deployment and assignments of dedicated I-SIDs for FA capable cameras, Wireless Access Points, FA proxy switches and Open Virtual Switches (OVS), you can configure a specific I-SID to use instead of the onboarding I-SID when a port is in an Auto-sense Fabric Attach (FA) state and detects an FA client.

  • Configure a specific I-SID and customer VLAN ID to use as the management I-SID when a port is in the Auto-sense FA PROXY state.

Before you begin

  • Create the I-SID.

  • Associate the I-SID with either a platform or private VLAN; this association is not required on a DvR Leaf.

About this task

You can create only one I-SID of each type.

The FA I-SID can be the same as the voice I-SID because they are used by different Auto-sense port states.

Procedure

  1. In the navigation pane, expand Configuration > Fabric.
  2. Select AutoSense.
  3. Select the Globals tab.
  4. Configure Fabric Attach authentication:
    1. Select FaMsgAuthEnable to enable FA message authentication.
    2. For FaAuthenticationKey, type the key for FA authentication for the Auto-sense ports.
  5. Configure a specific I-SID to use instead of the onboarding I-SID:
    1. For auto-sensed cameras, type the I-SID in FaCameraIsid.
    2. For auto-sensed FA client switches that do not use FA message authentication, like EXOS or Switch Engine, type the I-SID in FaProxyNoAuthIsid.
    3. For auto-sensed virtual switches, type the I-SID in FaVirtualSwitchIsid.
    4. For auto-sensed wireless access points (WAP), type the I-SID in FaWapType1Isid.
  6. Configure a specific I-SID and customer VLAN ID to use as the management I-SID:
    1. In FaProxyMgmtIsid, type the I-SID.
    2. In FaProxyMgmtCvid, type the customer VLAN ID.
  7. Select Apply.

Configure Maximum MAC Clients on Auto-sense Ports using EDM

About this task

Use this procedure to configure the maximum EAP and NEAP MAC clients supported on Auto-sense enabled ports.

Note

If you manually configure values on specific port(s), these values take precedence over the Auto-sense global values.

Procedure

  1. In the navigation pane, expand Configuration > Fabric.
  2. Select AutoSense.
  3. Select the Globals tab.
  4. Select Eapol multihost mac-max to configure the maximum EAP and NEAP MAC clients for Auto-sense enabled ports.
  5. Select Apply.

Configure Maximum EAP Clients on Auto-sense Ports using EDM

About this task

Use this procedure to configure the maximum EAP clients allowed on Auto-sense enabled ports.

Note

If you manually configure values on specific port(s), these values take precedence over the Auto-sense global values.

Procedure

  1. In the navigation pane, expand Configuration > Fabric.
  2. Select AutoSense.
  3. Select the Globals tab.
  4. Select Eapol multihost eap-mac-max to configure the maximum EAP clients for Auto-sense enabled ports.
    Note

    Eapol multihost eap-mac-max also provides the EAP and NEAP separation functionality. By default, the system enables EAP clients on each port with a maximum limit of 2 EAP clients. If you configure the maximum limit to 0 then the system disables the EAP client authentication.

  5. Select Apply.

Configure Maximum NEAP Clients on Auto-sense Ports using EDM

About this task

Use this procedure to configure the maximum NEAP clients allowed on Auto-sense enabled ports.

Note

If you manually configure values on specific port(s), these values take precedence over the Auto-sense global values.

Procedure

  1. In the navigation pane, expand Configuration > Fabric.
  2. Select AutoSense.
  3. Select the Globals tab.
  4. Select Eapol multihost non-eap-mac-max to configure the maximum EAP and NEAP MAC clients for Auto-sense enabled ports.
    Note

    Eapol multihost non-eap-mac-max also provides the EAP and NEAP separation functionality. By default, the system enables NEAP clients on each port with a maximum limit of 2 NEAP clients. If you configure the maximum limit to 0 then the system disables the NEAP client authentication.

  5. Select Apply.

Globals Field Descriptions

Use the data in the following table to use the Globals tab.
Name Description

AccessDiffservEnable

Enables or disables the differentiated service type as access for Auto-sense ports. The default is enabled.

DataIsid

Specifies the data I-SID used by the Auto-sense ports.

EapolVoiceLldpAuthEnable

Enables the EAPoL LLDP authentication for Auto-sense voice ports. The default is disabled.

FaMsgAuthEnable

Enables or disables the FA message authentication for Auto-sense ports. The default is enabled.

FaAuthenticationKey

Specifies the FA authentication key for Auto-sense ports.

IsisHelloAuthType

Specifies the authentication type for IS-IS hello packets on Auto-sense ports:

  • None
  • simple - simple password authentication uses a text password in the transmitted packet. The receiving router uses an authentication key (password) to verify the packet.
  • hmac-md5 - MD5 authentication creates an encoded checksum in the transmitted packet. The receiving router uses an authentication key (password) to verify the MD5 checksum of the packet.
  • hmac-sha256 - with SHA-256 authentication, the switch adds an hmac-sha-256 digest to each Hello packet. The switch that receives the Hello packet computes the digest of the packet and compares it with the received digest.

Note: Secure Hashing Algorithm 256 bits (SHA-256) is a cipher and a cryptographic hash function of SHA2 authentication. You can use SHA-256 to authenticate IS-IS Hello messages. This authentication method uses the SHA-256 hash function and a secret key to establish a secure connection between switches that share the same key. This feature is in full compliance with RFC 5310.

The default authentication type is none.

IsisHelloAuthKeyId

Specifies the IS-IS hello authentication number key id for the Auto-sense ports.

IsisHelloAuthKey

Specifies the IS-IS hello authentication number key for the Auto-sense ports. You must configure the IS-IS hello authentication key along with the IS-IS hello authentication type.

OnboardingIsid

Specifies the onboarding I-SID used by the Auto-sense ports.

Qos8021pOverrideEnable

Overrides the incoming 802.1p bits on ports that operate in Auto-sense mode. The default is enabled.

VoiceIsid

Specifies the voice I-SID used by Auto-sense ports.

VoiceCvid

Specifies the customer VLAN ID associated with the voice I-SID used by Auto-sense ports. Voice C-Vid is configured for tagged voice traffic only. You must configure the Auto-sense voice customer VLAN ID along with the auto-sense voice I-SID.

DhcpDetection

Enables or disables the DHCP detection in Auto-sense mode. The default is enabled.

FaCameraIsid

Specifies the FA camera I-SID used by auto-sense ports.

FaProxyMgmtIsid

Specifies the FA proxy management I-SID used by auto-sense ports.

FaProxyMgmtCvid

Specifies the FA proxy management Client-VLAN ID (c-vid) used by auto-sense ports.

FaProxyNoAuthIsid

Specifies the FA proxy no-auth I-SID used by auto-sense ports.

FaVirtualSwitchIsid

Specifies the FA virtual-switch I-SID used by auto-sense ports.

FaWapType1Isid

Specifies the FA WAP type-1 I-SID used by auto-sense ports.

FaCameraEapolStatus

Specifies the FA EAPoL status for Camera I-SID used by auto-sense ports.

FaEapolOVSStatus

Specifies the FA EAPoL status for OVS (Open-Virtual-Switch) I-SID used by auto-sense ports.

FaEapolWap1Status

Specifies the FA EAPoL status for Wap-type-1 I-SID used by auto-sense ports.

WaitInterval

Specifies the wait interval in seconds for the 'WAIT' state of auto-sense's finite state machine.

Eapol multihost mac-max

Specifies the maximum number of EAPoL and non-EAPoL authentication MAC addresses allowed on this port. The default value is 2.

Eapol multihost eap-mac-max

Specifies the maximum number of EAPoL authentication MAC addresses allowed on this port. Zero indicates that non-EAPoL authentication is disabled for this port. The default value is 2.

Eapol multihost non-eap-mac-max

Specifies the maximum number of non-EAPoL authentication MAC addresses allowed on this port. Zero indicates that non-EAPoL authentication is disabled for this port. The default value is 2.
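A review check over the Globals values, built from the defaults and field dependencies stated in the table above; this is an added example, not a vendor tool. The dictionary keyed by EDM field names is an assumed input format (not an EDM export), the sample values are constructed, and the hmac-md5 finding is a policy choice of this example.

```python
# Defaults as stated in the Globals field descriptions on this page.
DEFAULTS = {
    "IsisHelloAuthType": "none",
    "FaMsgAuthEnable": True,
    "Eapol multihost eap-mac-max": 2,
    "Eapol multihost non-eap-mac-max": 2,
}


def audit_globals(cfg):
    """Return (field, finding) pairs for an Auto-sense Globals configuration."""
    g = {**DEFAULTS, **cfg}
    out = []
    auth, key = g["IsisHelloAuthType"], g.get("IsisHelloAuthKey")
    if auth == "none":
        out.append(("IsisHelloAuthType", "IS-IS hellos on Auto-sense ports are not authenticated"))
    elif auth == "simple":
        out.append(("IsisHelloAuthType", "text password is carried in the transmitted packet"))
    elif auth == "hmac-md5":
        out.append(("IsisHelloAuthType", "policy of this example: prefer hmac-sha256"))
    # The key must be configured along with the authentication type.
    if auth != "none" and not key:
        out.append(("IsisHelloAuthKey", "authentication type set without a key"))
    if auth == "none" and key:
        out.append(("IsisHelloAuthKey", "key set but authentication type is none"))
    # The voice C-VID must be configured along with the voice I-SID.
    if g.get("VoiceCvid") is not None and g.get("VoiceIsid") is None:
        out.append(("VoiceCvid", "voice C-VID configured without a voice I-SID"))
    if not g["FaMsgAuthEnable"]:
        out.append(("FaMsgAuthEnable", "FA message authentication is disabled"))
    if g.get("FaProxyNoAuthIsid") is not None:
        out.append(("FaProxyNoAuthIsid", "FA client switches without message authentication land in this I-SID"))
    if g["Eapol multihost eap-mac-max"] == 0:
        out.append(("Eapol multihost eap-mac-max", "EAP client authentication is disabled"))
    if g["Eapol multihost non-eap-mac-max"] == 0:
        out.append(("Eapol multihost non-eap-mac-max", "NEAP client authentication is disabled"))
    return out


# Constructed samples: untouched defaults, and a reviewed configuration.
AS_SHIPPED = {}
REVIEWED = {"IsisHelloAuthType": "hmac-sha256", "IsisHelloAuthKeyId": 1,
            "IsisHelloAuthKey": "<placeholder-key>", "VoiceIsid": 20100, "VoiceCvid": 100}

if __name__ == "__main__":
    for name, cfg in (("as shipped", AS_SHIPPED), ("reviewed", REVIEWED)):
        print(name, audit_globals(cfg))
```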