Extreme-Dynamic-Client-Assignments

The Extreme-Dynamic-Client-Assignments Vendor Specific Attribute (VSA) is a RADIUS VSA for dynamic VLAN and Private VLAN (PVLAN) creation. You can also configure VLAN parameters, such as VLAN name, I-SID to VLAN association, I-SID name, and I-SID to dynamic VRF association.

Name: Extreme-Dynamic-Client-Assignments
Value: 253
Type: String
Vendor: Extreme Networks
Extreme Networks Vendor ID is 1916

The Extreme-Dynamic-Client-Assignments VSA supports the following VLAN-based features:

IGMP Snooping
DHCP Snooping
Dynamic ARP Inspection (DAI)

Note

You can use Extreme-Dynamic-Config RADIUS VSA to configure the VLAN-based features.

Note the following points regarding VLAN creation with the Extreme-Dynamic-Client-Assignments VSA:

Platform VLAN manual configuration—This maps the Extreme-Dynamic-Client-Assignments Radius VSA without create. Only the options used to define the existing functionality of mapping clients to VLAN on regular ports or vlan:isid on flex-uni ports are used—Primary VLAN (PV), Virtual Network Identifier (VNI), and Egress VLAN (EV). The Secondary VLAN (SV), VLAN Name (VN), and VNIN attributes for dynamic VLAN are ignored.
Regular VLAN configuration—This maps the VSA with the option create=vlan. The Multiple Spanning Tree Protocol (MSTP) instance is 0. When platform VLAN is dynamically created, all VLAN parameters are also dynamically applied; a static VLAN setting is not allowed. Dynamic platform VLANs and dynamic I-SIDs names exist as long as EAP clients reference them. If clients do not use them, then they are deleted and are not saved in the configuration file.
PVLAN configuration—This maps with the usage of Extreme-Dynamic-Client-Assignments Radius VSA with the create=pvlan option. The EAP and Private VLANs on regular ports are not supported. But they are supported on flex-uni ports. The MSTP instance is 0. When you dynamically create a private VLAN, all VLAN parameters are also dynamically created; a static VLAN setting is not allowed. Dynamic PVLANs and dynamic I-SIDs names exist as long as EAP clients reference them. If clients do not use them, then they are deleted and are not saved in the configuration file.

Use the information in the following tables and this string format to create a dynamic VLAN:

create=vlan|pvlan,pv=Primary VLANID, sv=secondary VLANID, vni=ISID, ev=EGRESS-VLAN-tag, vn=vlan-name, vnin=isid-name, mvni=ISID

Note

If ev is missing, it will default to 0. You can also use U or T (case-sensitive). When ev is set to U, it is untagged or 0. When ev is set to T, it takes the value of pv or tagged. If pv is not specified, then an error occurs and the VSA is ignored.

Table 1. String Options for Dynamic VLAN Creation
Option	Description
`create=vlan \| pvlan`	If `create` is missing, the assumption is that a manually created VLAN exists. Note the following two examples: `create=vlan`—dynamically creates a platform VLAN. `create=pvlan`—dynamically creates a private VLAN. This option is ignored on DvR Leafs.
`pv=Primary VLANID`	The platform VLAN that the client is assigned. This option is valid for any combination of the `create` command.
`sv=Secondary VLANID`	This option is only valid for a private VLAN and if the `create` option is used.
`vni=ISID`	If you did not use `create` then you can use `vni` on flex-uni ports with `ev` to assign a client to a Switched UNI (S-UNI). The `vni` command also has the role of mapping the dynamic created VLAN to the VNI.
`ev=EGRESS-VLAN-tag`	Use this option on regular ports to tag or untag the egress for the PV. Use this option on flex-uni ports as `c-vid` in S-UNI creation.
`vn=Vlan name`	Valid only if you use `create`.
`vnin=ISID name`	Valid only if you use `create`.
`mvni=ISID`	Use this option to configure IP Multicast config-lite for Fabric Connect functionality. This option configures the I-SID value for the Layer 3 VSN VLAN and enables SPB Multicast on the VLAN. You can associate `mvni=ISID` to a dynamic or a static VLAN. For information about IP Multicast config-lite for Fabric Connect, see IP Multicast config-lite for Fabric Connect.

Table 2. **VSA Equivalency with Radius Attributes**
Port Type	RADIUS Attribute	Extreme-Dynamic-Client-Assignments Radius VSA	Comment
Regular port	Tunnel Private GroupID	Without `create`. `pv=Primary VLANID`	This adds the port to the primary VLAN; tag is the port tag.
	`Egress-VLANID`	Without `create`. `pv=Primary VLANID`. `ev= EGRESS-VLAN-tag`	Untagged: `ev = 0`. Tagged: `ev = pv`. This adds the port to the primary VLAN; The VLAN egress tag is dictated by the `ev`.
	`Egress-VLAN-Name`	Not Supported
Flex-Uni ports	`FA VLAN:ISID`	Without `create`. `vni=[ISID]` `ev= [EGRESS-VLAN-tag]`	Untagged: `ev = 0`. Tagged: `ev != 0`. A S-UNI is created, either MAC-based or regular, depending on MHMV/MHSA setting; uses `i-sid` (vnid) and `c-vid` (ev) values.
	`Egress-VLANID + FA VLAN:I-SID`	Supported by the same combination for FA VLAN:ISID
	`Egress-VLANID + Tunnel Private GroupID + autoIsidOffset`	Without `create`. `pv=Primary VLANID`. `ev= EGRESS-VLAN-tag`	Untagged: `ev = 0`. Tagged: `ev != 0`. A S-UNI is created, either MAC-based or regular, depending on MHMV/MHSA setting; uses auto configured `i-sid` from pv value and `c-vid` (ev) values.
	`Egress-VLAN-Name + FA VLAN:I-SID` >	Not supported
	`Egress-VLAN-Name + Tunnel Private GroupId + autoIsidOffset`	Not supported

The dynamic VLAN is deleted after you disconnect all of the clients across the Extensible Authentication Protocol (EAP) ports. The port is removed when the last client is disconnected and the saved I-SID name is restored.

You cannot delete a static VLAN if EAP ports are assigned to it. However, you can delete the VLAN if you have added EAP FlexUNI ports to it. This flushes all MAC addresses and deletes any Non-EAP (NEAP) sessions. The MAC address is re-learned in I-SID and a new RADIUS authentication can now create a dynamic VLAN. For EAP sessions, the session moves to the re-authentication state, and the new RADIUS authentication can create a dynamic VLAN.

In Multiple Host Multiple VLAN (MHMV), if there are multiple assignments received for one session, the rule is to process only the last one and ignore the rest.