The system uses a per-interface state to adapt to all Auto-sense events. Each state transition determines background configuration on the port. The system does not display these configurations in the output of the show running-config command or in the saved configuration file. However, if you disable Auto-sense on the port and use the convert-to-config parameter, the dynamic configuration becomes a manual configuration and is visible in the show running-config output. Use the show auto-sense commands to monitor the running state of each port.
For flowcharts that describe the system logic for Auto-sense port state detection, see Auto-sense Logical Flowcharts.
If you run the auto-sense enable command on a port that is disabled or has an inactive link, the port transitions to the Auto-sense Port Down state. This state transitions to the Auto-sense Wait state after the port becomes operational or the link becomes active.
In the Wait state, the port modifies outgoing LLDP packets to represent the enhanced properties of the port and analyzes incoming LLDP packets for possible transitions to advanced states like network-to-network interface (NNI), Fabric Attach (FA), Fabric Extend, or VOICE. If the port does not receive LLDP packets, the port transitions to the UNI state.
The UNI state grants onboarding and data connectivity to the port if you configure the onboarding I-SID or a data I-SID in the global Auto-sense configuration or at the port level. The system also applies the trusted and untrusted Auto-sense global configuration. As with the Wait state, the port continues to monitor received LLDP packets for transitions to other states.
Network Access Control (NAC) support, through EAP/NEAP, is enabled by default on each Auto-sense port, but disabled globally. If you require EAP/NEAP operation on Auto-sense ports, you must globally enable EAP and configure a RADIUS server.
The system performs the following background configurations on port x:
flex-uni enable
eapol status auto
eapol multihost radius-non-eap-enable
eapol multihost eap-oper-mode mhmv
[qos 802.1p-override enable]
[access-diffserv enable]
on port X interface, if onboarding I-SID Y is configured without data I-SID: eapol guest i-sid Y
on onboarding I-SID interface, if it is configured without data I-SID: untagged-traffic port X
on data I-SID interface, if it is configured: untagged-traffic port X
An Auto-sense port in the UNI state remains in PVLAN isolated mode when any additional untagged I-SID is applied to the port. Auto-sense ports support multiple VLAN/I-SIDs and PVLAN/I-SIDs on the same port concurrently. Typically, this operational mode is required when you configure NAC support with Multiple Host Multiple VLAN (MHMV). The software then assigns clients to their VLAN/I-SIDs based on their NAC authentication results.
The NNI states are as follows:
NNI
NNI onboarding
NNI IS-IS
If, while in the Wait state, the port receives a Fabric Connect LLDP packet, the port transitions to the NNI state and adds the IS-IS SPBM instance on the interface. The system tries to establish an IS-IS adjacency and, if successful, transitions the port to the NNI IS-IS state. The port remains in the NNI IS-IS state until the adjacency fails, at which time it returns to the NNI state.
The system performs the following background configurations on port x:
isis
isis spbm 1
isis enable
[isis hello-auth …] inherited from global configuration
If the system cannot establish the adjacency, it transitions the port to the NNI onboarding state. The system creates a Switched UNI (S-UNI) with the onboarding I-SID.
The system performs the following background configurations:
flex-uni enable
isis
isis spbm 1
isis enable
[isis hello-auth …] inherited from global configuration
on onboarding i-sid interface, if it exists: untagged-traffic port X
The FA states are as follows:
FA - this state is used for FA-capable wireless access points, cameras, or OVS devices
FA PROXY - this state is used for interaction with ERS and third-party switches, which are capable of FA proxy function and support authentication by default
FA PROXY NOAUTH - this state is used for interaction with ERS, EXOS, and Switch Engine switches, which are capable of FA proxy function
FA PROXY RING - this state is used for interactions with ISW-Series Managed Industrial Ethernet Switch (ISW-Series) switches with ring topologies, which are capable of FA proxy function and support authentication by default
LLDP uses the FA TLV to detect FA-capable neighbors.
The port enters the FA state after LLDP detects an access point, an FA client that is not another switch.
The system performs the following background configurations on port x:
flex-uni enable
eapol status auto
eapol multihost radius-non-eap-enable
eapol multihost eap-oper-mode mhmv
eapol guest i-sid X
fa enable
on onboarding i-sid interface, if it exists: untagged-traffic port X
If LLDP detects an FA proxy switch such as an ERS, EXOS, or Switch Engine switch that uses FA message authentication, the port transitions to the FA PROXY state.
The system performs the following background configurations on port x:
flex-uni enable
fa enable
fa message-authentication
fa management-isid
Note
By default, the FA PROXY state uses the onboarding I-SID as the management I-SID, but you can override this with a specific I-SID and customer VLAN ID combination.
If the FA proxy switch does not use FA message authentication, the port transitions to the FA PROXY NOAUTH state.
The system performs the following background configurations on port x:
flex-uni enable
fa enable
on onboarding i-sid interface, if it exists: untagged-traffic port X
If LLDP detects an ISW-Series switch with ring topologies that uses FA message authentication, the port transitions to the FA PROXY RING state. As a result, FA and FA Topology Change Notification (TCN) can process TCN BPDUs received from the ISW switch. By default, the FA PROXY RING state uses the onboarding I-SID as the management I-SID, but you can override this with a specific I-SID and customer VLAN ID combination.
The system performs the following background configurations on port x:
flex-uni enable
fa enable
fa authentication-key
fa message-authentication
fa management-isid x c-vid y
When a port is in the FA state, the system uses the following priority for untagged traffic:
Depending on the device that the Auto-sense port detects, the switch can apply different FA-specific configurations that you define. For more information, see Auto-sense.
When Auto-sense is enabled, LLDP uses the FE TLV to create Fabric Extend tunnels between two Fabric switches that connect over the Internet through the SD-WAN Appliance. This functionality is supported on a single port of the switch. For more information, see SD-WAN.
The FE states are as follows:
SD-WAN
SD-WAN-PENDING
After the first Auto-sense port receives an FE-TLV, the port transitions to the SD-WAN state. All other Auto-sense ports transition to SD-WAN-PENDING state and remain unconfigured. When the first port transitions to the SD-WAN state, the switch verifies that VLAN 4047, VRF, and IS-IS logical interface configurations do not exist, and dynamically configures the following connectivity parameters:
SD-WAN as the VLAN name associated with VLAN 4047 with origin ZTF
sd-wan as the VRF name associated with the IP tunnel with origin DYNAMIC
SD-WAN-<ifidx> as the tunnel name
SD-WAN Tunnel SrcIP as the name associated with the Fabric Extend underlay IP
IPv4 address for VLAN 4047
default route (0.0.0.0/0) with origin ZTF
Fabric Extend tunnels with origin ZTF for IS-IS logical interfaces
VLAN 4047 port membership
In the following cases, the port transitions to the SD-WAN-PENDING state:
If the port detects an LLDP packet from a phone, the port transitions to the VOICE state. A global Auto-sense voice configuration is not required for the transition to the VOICE state, except when a specific voice VLAN must be signaled to the phone.
For more information on Auto-sense voice, see Auto-sense Voice.
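The per-port transitions described above can be replayed over event traces and the resulting states checked for ports that come up without working authentication (FA PROXY NOAUTH, or an EAP-enabled state while EAP is off globally or no RADIUS server is configured). This is an added example, not vendor code; the event names, port numbers, sample traces and the replay, final_states and audit functions are assumptions made for illustration, and the Fabric Extend (SD-WAN) states are left out because they depend on switch-wide state.

```python
# Added example (not vendor code): per-port Auto-sense transitions from this page.
# Event names are hypothetical labels for the link/LLDP observations in the text.
LLDP_EVENTS = {                      # evaluated in WAIT and, per the page, in UNI
    "no-lldp": "UNI",
    "fabric-connect-lldp": "NNI",
    "fa-client": "FA",
    "fa-proxy-auth": "FA PROXY",
    "fa-proxy-noauth": "FA PROXY NOAUTH",
    "fa-ring-auth": "FA PROXY RING",
    "phone-lldp": "VOICE",
}
TRANSITIONS = {
    ("PORT DOWN", "link-up"): "WAIT",
    ("NNI", "adjacency-up"): "NNI IS-IS",
    ("NNI", "adjacency-failed"): "NNI ONBOARDING",
    ("NNI IS-IS", "adjacency-down"): "NNI",
}
TRANSITIONS.update({(s, e): n for s in ("WAIT", "UNI") for e, n in LLDP_EVENTS.items()})

EAPOL_STATES = {"UNI", "FA"}         # background config includes "eapol status auto"

def replay(events, start="PORT DOWN"):
    """Return the states visited; unmodeled events leave the state unchanged."""
    path = [start]
    for event in events:
        nxt = TRANSITIONS.get((path[-1], event), path[-1])
        if nxt != path[-1]:
            path.append(nxt)
    return path

def final_states(traces):
    """Map each port to the state it ends in after its event trace."""
    return {port: replay(events)[-1] for port, events in traces.items()}

def audit(port_states, eap_global, radius_configured):
    """Flag ports whose current state carries no working authentication."""
    findings = {}
    for port, state in port_states.items():
        if state == "FA PROXY NOAUTH":
            findings[port] = "FA proxy neighbor without FA message authentication"
        elif state in EAPOL_STATES and not (eap_global and radius_configured):
            findings[port] = "EAP/NEAP not operating: enable EAP globally and configure RADIUS"
    return findings

SAMPLE_TRACES = {                    # constructed traces, one per port
    "1/1": ["link-up", "no-lldp"],
    "1/2": ["link-up", "fabric-connect-lldp", "adjacency-up", "adjacency-down", "adjacency-failed"],
    "1/3": ["link-up", "no-lldp", "fa-proxy-noauth"],
    "1/4": ["link-up", "fa-proxy-auth"],
    "1/5": [],
}
```

Calling audit(final_states(SAMPLE_TRACES), eap_global=False, radius_configured=False) reports the UNI port and the FA PROXY NOAUTH port; with EAP enabled globally and RADIUS configured, only the FA PROXY NOAUTH port remains.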