Extreme-Dynamic-Client-Assignments

The Extreme-Dynamic-Client-Assignments Vendor Specific Attribute (VSA) is a RADIUS VSA for dynamic VLAN and Private VLAN (PVLAN) creation. You can also configure VLAN parameters, such as VLAN name, I-SID to VLAN association, and I-SID name.

The Extreme-Dynamic-Client-Assignments VSA supports the following VLAN-based features:

You configure these features through the Extreme-Dynamic-Config RADIUS VSA before you use the VSA Extreme-Dynamic-Client-Assignments.

RADIUS Change of Authorization (CoA) is supported also. With CoA, a RADIUS server can remove a client device from a network and force it to re-authenticate.

Note the following points regarding VLAN creation with the Extreme-Dynamic-Client-Assignments VSA:
Use the information in the following tables and this string format to create a dynamic VLAN—create=vlan|pvlan,pv=Primary VLANID, sv=secondary VLANID, vni=ISID, ev=EGRESS-VLAN-tag, vn=vlan-name, vnin=isid-name.
Note

Note

If ev is missing, it will default to 0. You can also use U or T (case-sensitive). When ev is set to U, it is untagged or 0. When ev is set to T, it takes the value of pv or tagged. If pv is not specified, then an error occurs and the VSA is ignored.
Table 1. String Options for Dynamic VLAN Creation
Option Note
create=vlan | pvlan If create is missing, the assumption is that a manually created VLAN exists.
Note the following two examples:
  • create=vlan—dynamically creates a platform VLAN.
  • create=pvlan—dynamically creates a private VLAN.

This option is ignored on DVR Leafs.

pv=Primary VLANID The platform VLAN that the client is assigned.

This option is valid for any combination of the create command.

sv=Secondary VLANID This option is only valid for a private VLAN and if the create option is also used.
vni=ISID If you did not use create then you can use vni on flex-uni ports with ev to assign a client to a Switched UNI (S-UNI).

The vni command also has the role of mapping the dynamic created VLAN to the VNI.

ev=EGRESS-VLAN-tag Use this option on regular ports to tag or untag the egress for the PV.

Use this option on flex-uni ports as c-vid in S-UNI creation.

vn=Vlan name Valid only if you use create.
vnin=ISID name Valid only if you use create.
Table 2. VSA Equivalency with Radius Attributes
Port Type RADIUS Attribute Extreme-Dynamic-Client-Assignments Radius VSA Comment

Regular port.

Tunnel Private GroupID.

Without create.

pv=Primary VLANID.

This adds the port to the primary VLAN; tag is the port tag.

Egress-VLANID.

Without create.

pv=Primary VLANID.

ev= EGRESS-VLAN-tag.

Untagged: ev = 0.

Tagged: ev = pv.

This adds the port to the primary VLAN; The VLAN egress tag is dictated by the ev.

Egress-VLAN-Name.

Not Supported.

-

Flex-Uni ports.

FA VLAN:ISID.

Without create.

vni=[ISID]

ev= [EGRESS-VLAN-tag].

Untagged: ev = 0.

Tagged: ev != 0.

A S-UNI is created, either MAC-based or regular, depending on MHMV/MHSA setting; uses i-sid (vnid) and c-vid (ev) values.

Egress-VLANID + FA VLAN:I-SID.

Supported by the same combination for FA VLAN:ISID.

-

Egress-VLANID + Tunnel Private GroupID + autoIsidOffset.

Without create.

pv=Primary VLANID.

ev= EGRESS-VLAN-tag.

Untagged: ev = 0.

Tagged: ev != 0.

A S-UNI is created, either MAC-based or regular, depending on MHMV/MHSA setting; uses auto configured i-sid from pv value and c-vid (ev) values.

Egress-VLAN-Name + FA VLAN:I-SID

>

Not supported.

-

Egress-VLAN-Name + Tunnel Private GroupId + autoIsidOffset.

Not supported.

-

The dynamic VLAN is deleted after you disconnect all of the clients across the Extensible Authentication Protocol (EAP) ports. The port is removed when the last client is disconnected and the saved I-SID name is restored.

You cannot delete a static VLAN if EAP ports are assigned to it. But the VLAN can be deleted if you have added EAP FlexUNI ports to it. When you do this action, all MAC addresses are flushed, and any Non-EAP (NEAP) sessions are deleted. The MAC address is re-learned in I-SID and a new RADIUS authentication can now create a dynamic VLAN. For EAP sessions, the session goes to the re-authentication state, and the new RADIUS authentication can create a dynamic VLAN.

In Multiple Host Multiple VLAN (MHMV), all VSAs received from RADIUS are deleted and not processed, except for the last one.