Auto-sense Port States
The system uses a per-interface state to adapt to all Auto-sense events. Each state transition determines background configuration on the port. The system does not display these configurations in the output of the show running-config command or in the saved configuration file but if you disable Auto-sense on the port and use the convert-to-config parameter, the dynamic configuration becomes a manual configuration and is visible in the show running-config output. Use show auto-sense commands to monitor the running states of each port.
For flowcharts that describe the system logic for Auto-sense port state detection, see Auto-sense Logical Flowcharts.
Port Down State
If you run the auto-sense enable command on a port that is disabled or has an inactive link, the port transitions to the Auto-sense Port Down state. This state transitions to the Auto-sense Wait state after the port becomes operational or the link becomes active.
Wait States
In the WAIT state, the port modifies outgoing LLDP packets to represent the enhanced properties of the port and analyzes incoming LLDP packets for possible transitions to advanced states like network-to-network interface (NNI), Fabric Attach (FA), Fabric Extend, or VOICE.
If the port does not receive LLDP packets, the port transitions to the UNI state.
UNI State
This state grants onboarding and data connectivity to the port if you configure the onboarding I-SID, or a data I-SID in the global Auto-sense configuration or at the port level. The system also applies the trusted and untrusted Auto-sense global configuration. As with the Wait state, the port continues to monitor received LLDP packets for transitions to other states.
Network Access Control (NAC) support, through EAP/NEAP, is enabled by default on each Auto-sense port, but disabled globally. If you require EAP/NEAP operation on Auto-sense ports, you must globally enable EAP and configure a RADIUS server.
The system performs the following background configurations on port x:
flex-uni enable eapol status auto eapol multihost radius-non-eap-enable eapol multihost eap-oper-mode mhmv [qos 802.1p-override enable] [access-diffserv enable] on port X interface, if onboarding I-SID Y is configured without data I-SID: eapol guest i-sid Y on onboarding I-SID interface, if it is configured without data I-SID: untagged-traffic port X on data I-SID interface, if it is configured: untagged-traffic port X
An Auto-sense port in the UNI state remains in PVLAN isolated mode when an additional untagged I-SID is applied to the port. Auto-sense ports support multiple VLAN/I-SIDs and PVLAN/I-SIDs on the same port concurrently. Typically, this operational mode is required when you configure NAC support with Multiple Host Multiple VLAN (MHMV). The software then assigns clients to their VLAN/I-SIDs based on their NAC authentication results.
NNI States
The NNI states are as follows:
-
NNI
-
NNI onboarding
-
NNI IS-IS
NNI and NNI IS-IS
If, while in the Wait state, the port receives a Fabric Connect LLDP packet, the port transitions to the NNI state and adds the IS-IS SPBM instance on the interface. The system tries to establish an IS-IS adjacency and, if successful, transitions the port to the NNI IS-IS state. The port remains in the NNI IS-IS state until the adjacency fails, at which time it returns to the NNI state.
The system performs the following background configurations on port x:
isis isis spbm 1 isis enable [isis hello-auth …] inherited from global configuration
NNI onboarding
If the system cannot establish the adjacency, it transitions the port to the NNI onboarding state. The system creates a Switched UNI (S-UNI) with the onboarding I-SID.
The system performs the following background configurations:
flex-uni enable isis isis spbm 1 isis enable [isis hello-auth …] inherited from global configuration on onboarding i-sid interface, if it exists: untagged-traffic port X
Fabric Attach (FA) States
The FA states are as follows:
-
FA - this state is used for FA capable wireless access points, Camera, or OVS devices
-
FA PROXY - this state is used for interaction with ERS and third-party switches, which are capable of FA proxy function and support authentication by default
-
FA PROXY NOAUTH - this state is used for interaction with ERS, EXOS, and Switch Engine switches, which are capable of FA proxy function
-
FA PROXY RING - this state is used for interactions with ISW-Series Managed Industrial Ethernet Switch (ISW-Series) switches with ring topologies, which are capable of FA proxy function and support authentication by default
LLDP uses the FA TLV to detect FA-capable neighbors.
When a port is in the FA state, the system uses the following priority for untagged traffic:
- EAP/NEAP assigned I-SID
- WAP, camera, or open virtual switch (OVS) I-SID
- Onboarding I-SID
- Drop
Depending on the device that the Auto-sense port detects, the switch can apply different FA-specific configurations that you define. For more information, see Auto-sense.
FA
The port enters the FA state after LLDP detects an access point, an FA client that is not another switch.
The system performs the following background configurations on port x:
flex-uni enable eapol status auto eapol multihost radius-non-eap-enable eapol multihost eap-oper-mode mhmv eapol guest i-sid X fa enable on onboarding i-sid interface, if it exists: untagged-traffic port X
FA PROXY
If LLDP detects an FA proxy switch such as an ERS, EXOS, or Switch Engine switch that uses FA message authentication, the port transitions to the FA PROXY state.
The system performs the following background configurations on port x:
flex-uni enable fa enable fa message-authentication fa management-isid
Note
By default, the FA PROXY state uses the onboarding I-SID as the management I-SID but you can override this with a specific I-SID and customer VLAN ID combination.
FA PROXY NOAUTH
If the FA proxy switch does not use FA message authentication, the port transitions to the FA PROXY NOAUTH state.
The system performs the following background configurations on port x:
flex-uni enable fa enable on onboarding i-sid interface, if it exists: untagged-traffic port X
FA PROXY RING
If LLDP detects an (ISW-Series) switch with ring topologies that uses FA message authentication, the port transitions to the FA PROXY RING state. As a result, FA and FA Topology Change Notification (TCN) can process TCN BPDUs received from the ISW switch. By default, the FA PROXY RING state uses the onboarding I-SID as the management I-SID but you can override this with a specific I-SID and customer VLAN ID combination.
The system performs the following background configurations on port x:
flex-uni enable fa enable fa authentication-key fa message-authentication fa management-isid x c-vid y
Fabric Extend (FE) States
When Auto-sense is enabled, LLDP uses the FE TLV to create Fabric Extend tunnels between two Fabric switches that connect over the Internet through the SD-WAN Appliance. This functionality is supported on a single port of the switch. For more information, see SD-WAN.
The FE states are as follows:
-
SD-WAN
-
SD-WAN-PENDING
SD-WAN
After the first Auto-sense port receives an FE-TLV, the port transitions to the SD-WAN state. All other Auto-sense ports transition to SD-WAN-PENDING state and remain unconfigured. When the first port transitions to the SD-WAN state, the switch verifies that VLAN 4047, VRF, and IS-IS logical interface configurations do not exist, and dynamically configures the following connectivity parameters:
-
SD-WAN
as the VLAN name associated with VLAN 4047 with origin ZTF -
sd-wan
as the VRF name associated with the IP tunnel with origin DYNAMICNote
On switch models that support a single active VRF, Auto-sense cannot create the dynamic SD-WAN VRF if an IP configuration already exists but you can manually specify the VRF name that Auto-sense uses for the SD-WAN configuration on these models. For more information, see SD-WAN.
-
SD-WAN-<ifidx>
as the tunnel name -
SD-WAN Tunnel SrcIP
as the name associated with the Fabric Extend underlay IP -
IPv4 address for VLAN 4047
-
default route (0.0.0.0/0) with origin ZTF
-
Fabric Extend tunnels with origin ZTF for IS-IS logical interfaces
-
VLAN 4047 port membership
- Link Debounce timer of 8000 milliseconds on the switch port that connects to SD-WAN Appliance, if a timer configuration does not already exist
Mgmt-sdwan
interface created and enabled on VLAN 4047, with the subnet route to the SD-WAN Appliance installed for the interface
The management interface uses the same IP address that is assigned to VLAN 4047. To confirm the management IP address of the connected SD-WAN Appliance, use the show lldp neighbor command. Management applications, such as the SSH client, can use this interface to reach the SD-WAN Appliance. The switch deletes this management interface and removes the IP address after any of the following occur:
- Disable the port either administratively or operationally.
- Disable Auto-sense.
- LLDP timeout.
SD-WAN-PENDING
In the following cases, the port transitions to the SD-WAN-PENDING state:
- A secondary Auto-sense port receives an FE-TLV.
- The switch configuration includes the dynamic connectivity parameters, such as VLAN 4047, VRF, and IS-IS logical interfaces with the specified source IP address regardless of origin.
Voice State
If the port detects an LLDP packet from a phone, the port transitions to the VOICE state. A global Auto-sense voice configuration is not required to transition to the VOICE state except a specific voice VLAN shall be signaled to the phone.
For more information on Auto-sense voice, see Auto-sense Voice.