Fabric Engine User Guide

This VSA configures port and VLAN based attributes.

Name: Extreme-Dyn-Config
Value: 252
Type: String
Vendor: Extreme
Extreme Vendor ID is 1916

The following features can be configured using Extreme-Dynamic-Config RADIUS VSA:

VLAN-based features:
- DHCP Snooping
- Dynamic ARP Inspection (DAI)
- IGMP Snooping
Port-based features:
- Custom Auto-Negotiation Advertisements (CANA)
- Bridge Protocol Data Unit (BPDU) Guard
- IP Source Guard (IPSG)
- Port bounce
- Reauthentication
- Simple Loop Prevention Protocol (SLPP) Guard
- Traffic Control (Wake on LAN - WoL)

Note

If you use the Extreme-Dynamic-Config RADIUS VSA, then Dynamic ARP Inspection and DHCP Snooping are only enabled on the default VLAN if IPSG is present in the RADIUS attributes.

AN-ADVERTISMENTS:100Half or AN-ADVERTISMENTS:100H

AN-ADVERTISMENTS:100Half or AN-ADVERTISMENTS:100H settings configure CANA speed and duplex to the following supported values:

10Half
100Full
100Half
100Full
1000Full

BPDU

This attribute enables BPDU Guard on the port where the client resides.

DAI

This attribute enables DAI on the VLAN received from the RADIUS server. For a Flex-UNI port, DAI is enabled on the platform VLAN associated with the I-SID received from the RADIUS server.

DAI is also enabled on the default VLAN of the port to prepare for IPSG, which requires DAI and DHCP Snooping enabled on all VLANs. If the RADIUS server does not return a VLAN of I-SID, DAI is enabled on the default VLAN. For Flex-UNI ports, DAI is enabled on the platform VLAN associated with the untagged I-SID.

Note

If you use the Extreme-Dynamic-Config RADIUS VSA, then DAI is only enabled on the default VLAN if IPSG is present in the RADIUS attributes.

DHCPSNOOP

This attribute enables DHCP Snooping on the VLAN received from the RADIUS server. For a Flex-UNI port, DHCP Snooping is enabled on the platform VLAN associated with the I-SID received from the RADIUS server.

DHCP Snooping is also enabled on the default VLAN of that port to prepare for IPSG, which requires DAI and DHCP Snooping enabled on all VLANs. If the RADIUS server does not return a VLAN of I-SID, DHCP Snooping is enabled on the default VLAN. For Flex-UNI ports, DHCP Snooping is enabled for the platform VLAN associated with the untagged I-SID.

Note

If you use the Extreme-Dynamic-Config RADIUS VSA, then DHCP Snooping is only enabled on the default VLAN if IPSG is present in the RADIUS attributes.

IGMPSNOOP

This attribute enables IGMP Snooping on the VLAN received from the RADIUS server. For a Flex-UNI port, IGMP Snooping is enabled on the platform VLAN associated with the I-SID received from the RADIUS server.

IPSG

This attribute enables IPSG on the port where the client resides.

In order to apply IPSG, DHCP Snooping and DAI must be configured on the RADIUS server. DHCP Snooping and DAI must be enabled on all VLANs.

The following is an example of a log message that displays if a setting is not configured correctly:

GlobalRouter EAP WARNING Cannot apply Radius IP Source Guard attribute on port 1/15 without DHCP Snooping and DAI attributes.

PORTBOUNCE

This attribute runs a port bounce on an EAP port including Power over Ethernet (PoE), if capable. Current EAP sessions are preserved during the port bounce process.

Use this attribute for on-demand re-authentication, for example, to use a power cycle to trigger a port bounce for a PC behind a phone, which is being rebooted, as in the following use cases:

To ensure a PC behind a phone acquires an IP address from the VLAN or I-SID assigned by the RADIUS server, the PC triggers a new DHCP negotiation if it receives the port-bounce attribute in the RADIUS-Accept packet.
To force a client to renew its DHCP IP address by using a RADIUS dynamic Change-of-Authorization (CoA) or Disconnect request.

CLI and EDM output that displays the interface state indicates if a port is down because of a RADIUS VSA port bounce.

REAUTH or REAUTH:100

This attribute enables EAPOL reauthentication on a port either manually using CLI or dynamically through RADIUS. The origin identifies how reauthentication was configured, either CONFIG or RADIUS.

SLPPGUARD

This attribute enables SLPP Guard on the port where the client resides.

WOL

This attribute enables EAP traffic-control (Wake On LAN) on the port where the client resides.

Session Timeout and Reauthentication VSA Behavior


Session	REAUTH status	Cause
EAP Session	Without REAUTH VSA	On MAC ageout. Note: Session timeouts if the client is not connected.
EAP Session	With REAUTH VSA	On periodically timer and MAC ageout.
NEAP Session	Without REAUTH VSA	On MAC Ageout.
NEAP Session	With REAUTH VSA	Useful for silent devices, session stays active despite MAC ageout. Session is removed only by manual intervention or RADIUS reject/timeout. Note: The same command activates both EAP and NEAP reauthentication. If reauthentication is needed for EAP, NEAP reauthentication for silent devices is automatically activated.


Command	Level	Processing	Configuration	Prerequisites
Session-timeout	per session basis.	Changes the reauth interval for a particular session.	none.	Enable port level reauthentication.
VSA (REAUTH:300 or REAUTH)	per port basis.	Changes the port configuration.	Enable reauthentication and configure interval.	none.

Expected Behavior for DHCP Snooping and DAI Vendor Specific Attributes

The following table shows the behavior for Dynamic Host Configuration Protocol Snooping (DHCP Snooping) and Dynamic ARP Inspection (DAI) Vendor Specific Attributes (VSA) for each authentication scenario, depending on Extensible Authentication Protocol (EAP) Operational mode, Flex-UNI mode, and IP Source Guard (IPSG) VSA or RADIUS VLAN/ISID.

Table 1. Expected Behavior for DHCP Snooping and DAI VSAs
EAP Operational Mode	IPSG VSA received	Flexi-UNI	RADIUS VLAN/I-SID	DHCPSNOOP and DAI VSA received
Mutiple Host Single Authentication (MHSA)	Yes	Yes	Yes	DHCP, DAI, and IPSG enabled on all associated Platform VLANs.
MHSA	Yes	Yes	No	DHCP, DAI, and IPSG enabled on all associated Platform VLANs.
MHSA	Yes	No	Yes	DHCP, DAI, and IPSG enabled on all associated Platform VLANs.
MHSA	Yes	No	No	DHCP, DAI, and IPSG enabled on all associated Platform VLANs.
MHSA	No	Yes	Yes	DHCP and DAI enabled on Platform VLAN associated with RADIUS I-SIDs.
MHSA	No	Yes	No	DHCP and DAI enabled on all static Platform VLANs.
MHSA	No	No	Yes	DHCP and DAI enabled on received RADIUS VLAN.
MHSA	No	No	No	DHCP and DAI enabled on default VLAN.
Mutiple Host Multiple VLAN (MHMV)	Yes	Yes	Yes	DHCP, DAI, and IPSG enabled on Platform VLAN associated with RADIUS I-SID and Platform VLAN associated with untagged I-SID.
MHMV	Yes	Yes	No	DHCP, DAI, and IPSG enabled on Platform VLAN associated with untagged I-SID.
MHMV	Yes	No	Yes	DHCP, DAI, and IPSG enabled on RADIUS VLAN and default VLAN.
MHMV	Yes	No	No	DHCP, DAI, and IPSG enabled on default VLAN.
MHMV	No	Yes	Yes	DHCP and DAI enabled on Platform VLAN associated with RADIUS I-SID.
MHMV	No	Yes	No	DHCP and DAI enabled on Platform VLAN associated with untagged I-SID.
MHMV	No	No	Yes	DHCP and DAI enabled on received RADIUS VLAN.
MHMV	No	No	No	DHCP and DAI enabled on default VLAN.
Note: If no RADIUS VLAN or Platform VLAN is associated with RADIUS I-SID, DHCP Snooping and DAI are enabled on the default VLAN or Platform VLAN associated with static untagged I-SID.