Auto-sense Port States

The system uses a per-interface state to adapt to all Auto-sense events. Each state transition determines the background configuration that the system applies to the port. The system does not display these configurations in the output of the show running-config command or in the saved configuration file. If you disable Auto-sense on the port with the convert-to-config parameter, the dynamic configuration becomes a manual configuration and is visible in the show running-config output. Use the show auto-sense commands to monitor the running state of each port.

For flowcharts that describe the system logic for Auto-sense port state detection, see Auto-sense Logical Flowcharts.

Port Down State

If you run the auto-sense enable command on a port that is disabled or has an inactive link, the port transitions to the Auto-sense Port Down state. This state transitions to the Auto-sense Wait state after the port becomes operational or the link becomes active.

Wait States

In the Wait state, the port modifies outgoing LLDP packets to advertise the enhanced properties of the port and analyzes incoming LLDP packets for possible transitions to the advanced states, such as network-to-network interface (NNI), Fabric Attach (FA), Fabric Extend, or VOICE.

If the port does not receive LLDP packets, the port transitions to the UNI state.

UNI State

This state grants onboarding and data connectivity to the port if you configure an onboarding I-SID or a data I-SID, either in the global Auto-sense configuration or at the port level. The system also applies the trusted and untrusted Auto-sense global configuration. As in the Wait state, the port continues to monitor received LLDP packets for transitions to other states.

Network Access Control (NAC) support, through EAP/NEAP, is enabled by default on each Auto-sense port, but disabled globally. If you require EAP/NEAP operation on Auto-sense ports, you must globally enable EAP and configure a RADIUS server.

The system performs the following background configurations on port X (bracketed lines are applied conditionally):

flex-uni enable
eapol status auto
eapol multihost radius-non-eap-enable
eapol multihost eap-oper-mode mhmv
[qos 802.1p-override enable]
[access-diffserv enable]
on the port X interface, if onboarding I-SID Y is configured without a data I-SID:
    eapol guest i-sid Y
on the onboarding I-SID interface, if it is configured without a data I-SID:
    untagged-traffic port X
on the data I-SID interface, if it is configured:
    untagged-traffic port X

An Auto-sense port in the UNI state remains in PVLAN isolated mode when an additional untagged I-SID is applied to the port. Auto-sense ports support multiple VLAN/I-SIDs and PVLAN/I-SIDs on the same port concurrently. Typically, this operational mode is required when you configure NAC support with Multiple Host Multiple VLAN (MHMV). The software then assigns clients to their VLAN/I-SIDs based on their NAC authentication results.

NNI States

The NNI states are as follows:

  • NNI

  • NNI onboarding

  • NNI IS-IS

NNI and NNI IS-IS

If, while in the Wait state, the port receives a Fabric Connect LLDP packet, the port transitions to the NNI state and adds the IS-IS SPBM instance on the interface. The system tries to establish an IS-IS adjacency and, if successful, transitions the port to the NNI IS-IS state. The port remains in the NNI IS-IS state until the adjacency fails, at which time it returns to the NNI state.

The system performs the following background configurations on port x:

isis
isis spbm 1
isis enable
[isis hello-auth …] inherited from global configuration

NNI onboarding

If the system cannot establish the adjacency, it transitions the port to the NNI onboarding state. The system creates a Switched UNI (S-UNI) with the onboarding I-SID.

The system performs the following background configurations:

flex-uni enable
isis
isis spbm 1
isis enable
[isis hello-auth …] inherited from global configuration
on onboarding i-sid interface, if it exists:
untagged-traffic port X

Fabric Attach (FA) States

The FA states are as follows:

  • FA - this state is used for FA-capable wireless access points, cameras, or OVS devices

  • FA PROXY - this state is used for interaction with ERS and third-party switches that are capable of the FA proxy function and use FA message authentication by default

  • FA PROXY NOAUTH - this state is used for interaction with ERS, EXOS, and Switch Engine switches that are capable of the FA proxy function but do not use FA message authentication

  • FA PROXY RING - this state is used for interaction with ISW-Series Managed Industrial Ethernet Switch (ISW-Series) switches in ring topologies, which are capable of the FA proxy function and use FA message authentication by default

LLDP uses the FA TLV to detect FA-capable neighbors.

When a port is in the FA state, the system uses the following priority for untagged traffic:

  1. EAP/NEAP assigned I-SID
  2. WAP, camera, or open virtual switch (OVS) I-SID
  3. Onboarding I-SID
  4. Drop

Depending on the device that the Auto-sense port detects, the switch can apply different FA-specific configurations that you define. For more information, see Auto-sense.

FA

The port enters the FA state after LLDP detects an FA client that is not another switch, such as an access point.

The system performs the following background configurations on port X, where Y is the onboarding I-SID:

flex-uni enable
eapol status auto
eapol multihost radius-non-eap-enable
eapol multihost eap-oper-mode mhmv
eapol guest i-sid Y
fa enable
on the onboarding I-SID interface, if it exists:
    untagged-traffic port X

FA PROXY

If LLDP detects an FA proxy switch such as an ERS, EXOS, or Switch Engine switch that uses FA message authentication, the port transitions to the FA PROXY state.

The system performs the following background configurations on port x:

flex-uni enable
fa enable
fa message-authentication
fa management-isid
Note

By default, the FA PROXY state uses the onboarding I-SID as the management I-SID but you can override this with a specific I-SID and customer VLAN ID combination.

FA PROXY NOAUTH

If the FA proxy switch does not use FA message authentication, the port transitions to the FA PROXY NOAUTH state.

The system performs the following background configurations on port X:

flex-uni enable
fa enable
on the onboarding I-SID interface, if it exists:
    untagged-traffic port X

FA PROXY RING

If LLDP detects an ISW-Series switch in a ring topology that uses FA message authentication, the port transitions to the FA PROXY RING state. As a result, FA and FA Topology Change Notification (TCN) can process the TCN BPDUs received from the ISW switch. By default, the FA PROXY RING state uses the onboarding I-SID as the management I-SID, but you can override this with a specific I-SID and customer VLAN ID combination.

The system performs the following background configurations on port x:

flex-uni enable
fa enable
fa authentication-key
fa message-authentication
fa management-isid x c-vid y

Fabric Extend (FE) States

When Auto-sense is enabled, LLDP uses the FE TLV to create Fabric Extend tunnels between two Fabric switches that connect over the Internet through the SD-WAN Appliance. This functionality is supported on a single port of the switch. For more information, see SD-WAN.

The FE states are as follows:

  • SD-WAN

  • SD-WAN-PENDING

SD-WAN

After the first Auto-sense port receives an FE-TLV, the port transitions to the SD-WAN state. All other Auto-sense ports transition to SD-WAN-PENDING state and remain unconfigured. When the first port transitions to the SD-WAN state, the switch verifies that VLAN 4047, VRF, and IS-IS logical interface configurations do not exist, and dynamically configures the following connectivity parameters:

  • SD-WAN as the VLAN name associated with VLAN 4047 with origin ZTF

  • sd-wan as the VRF name associated with the IP tunnel with origin DYNAMIC

  • SD-WAN-<ifidx> as the tunnel name

  • SD-WAN Tunnel SrcIP as the name associated with the Fabric Extend underlay IP

  • IPv4 address for VLAN 4047

  • default route (0.0.0.0/0) with origin ZTF

  • Fabric Extend tunnels with origin ZTF for IS-IS logical interfaces

  • VLAN 4047 port membership

  • Link Debounce timer of 8000 milliseconds on the switch port that connects to the SD-WAN Appliance, if a timer configuration does not already exist

  • Mgmt-sdwan interface created and enabled on VLAN 4047, with the subnet route to the SD-WAN Appliance installed for the interface

The management interface uses the same IP address that is assigned to VLAN 4047. To confirm the management IP address of the connected SD-WAN Appliance, use the show lldp neighbor command. Management applications, such as the SSH client, can use this interface to reach the SD-WAN Appliance. The switch deletes this management interface and removes the IP address after any of the following occur:

  • The port is disabled administratively or goes down operationally.
  • Auto-sense is disabled on the port.
  • The LLDP neighbor times out.

SD-WAN-PENDING

In the following cases, the port transitions to the SD-WAN-PENDING state:

  • A secondary Auto-sense port receives an FE-TLV.
  • The switch configuration includes the dynamic connectivity parameters, such as VLAN 4047, VRF, and IS-IS logical interfaces with the specified source IP address regardless of origin.

Voice State

If the port detects an LLDP packet from a phone, the port transitions to the VOICE state. A global Auto-sense voice configuration is not required for the transition to the VOICE state; it is required only if a specific voice VLAN must be signaled to the phone.

For more information on Auto-sense voice, see Auto-sense Voice.
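The transitions described above (Port Down, Wait, UNI, the NNI, FA and Fabric Extend sub-states, and VOICE), the per-state background configuration, the FA untagged-traffic priority, and the rule that only the first port to receive an FE-TLV becomes SD-WAN while later ports go to SD-WAN-PENDING, as one runnable model. This is an added example and not Extreme Networks code; the event names, the Switch and Port classes, the I-SID value, and the move from NNI onboarding to NNI IS-IS once an adjacency forms are assumptions of this example rather than statements of the page.

```python
"""Added example, not Extreme Networks code: a model of the Auto-sense per-port
state machine and the background configuration this page lists for each state.
The event names, the Switch/Port classes, and the move from NNI onboarding to
NNI IS-IS once an adjacency forms are assumptions, not statements of the page."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

State = Enum("State", "PORT_DOWN WAIT UNI VOICE NNI NNI_ISIS NNI_ONBOARDING "
             "FA FA_PROXY FA_PROXY_NOAUTH FA_PROXY_RING SDWAN SDWAN_PENDING")
Event = Enum("Event", "LINK_UP LINK_DOWN LLDP_TIMEOUT LLDP_FABRIC_CONNECT "
             "LLDP_FA_CLIENT LLDP_FA_PROXY_AUTH LLDP_FA_PROXY_NOAUTH "
             "LLDP_FA_PROXY_RING LLDP_FE_TLV LLDP_PHONE "
             "ISIS_ADJ_UP ISIS_ADJ_FAIL ISIS_ADJ_DOWN")

# Which LLDP packet, seen in Wait (and still monitored in UNI), selects which state.
LLDP_SELECTS = {
    Event.LLDP_FABRIC_CONNECT: State.NNI,            # Fabric Connect TLV from a fabric switch
    Event.LLDP_FA_CLIENT: State.FA,                  # FA TLV from an AP, camera or OVS
    Event.LLDP_FA_PROXY_AUTH: State.FA_PROXY,        # FA proxy switch with message authentication
    Event.LLDP_FA_PROXY_NOAUTH: State.FA_PROXY_NOAUTH,
    Event.LLDP_FA_PROXY_RING: State.FA_PROXY_RING,   # ISW-Series ring switch, authenticated
    Event.LLDP_PHONE: State.VOICE,
}


@dataclass
class Switch:
    onboarding_isid: Optional[int] = None
    data_isid: Optional[int] = None
    vlan_4047_exists: bool = False      # SD-WAN connectivity parameters already present
    sdwan_port: Optional[str] = None


@dataclass
class Port:
    name: str
    state: State = State.PORT_DOWN

    def step(self, ev: Event, sw: Switch) -> State:
        s = self.state
        if ev is Event.LINK_DOWN:
            if s is State.SDWAN:                # mgmt-sdwan interface and VLAN 4047 are removed
                sw.vlan_4047_exists, sw.sdwan_port = False, None
            self.state = State.PORT_DOWN
        elif s is State.PORT_DOWN and ev is Event.LINK_UP:
            self.state = State.WAIT
        elif s in (State.WAIT, State.UNI):
            if ev is Event.LLDP_TIMEOUT:
                self.state = State.UNI          # no LLDP at all: plain UNI connectivity
            elif ev is Event.LLDP_FE_TLV:
                if sw.vlan_4047_exists:         # a first port (or manual config) already owns VLAN 4047
                    self.state = State.SDWAN_PENDING
                else:
                    sw.vlan_4047_exists, sw.sdwan_port = True, self.name
                    self.state = State.SDWAN
            elif ev in LLDP_SELECTS:
                self.state = LLDP_SELECTS[ev]
        elif s is State.NNI and ev is Event.ISIS_ADJ_UP:
            self.state = State.NNI_ISIS
        elif s is State.NNI and ev is Event.ISIS_ADJ_FAIL:
            self.state = State.NNI_ONBOARDING   # S-UNI on the onboarding I-SID instead
        elif s is State.NNI_ISIS and ev is Event.ISIS_ADJ_DOWN:
            self.state = State.NNI
        elif s is State.NNI_ONBOARDING and ev is Event.ISIS_ADJ_UP:
            self.state = State.NNI_ISIS         # assumption: the page does not state this
        return self.state


NAC = ["eapol status auto", "eapol multihost radius-non-eap-enable",
       "eapol multihost eap-oper-mode mhmv"]
ISIS = ["isis", "isis spbm 1", "isis enable"]   # plus isis hello-auth if set globally


def background_config(p: Port, sw: Switch) -> List[str]:
    """Hidden per-port configuration for the port's state (trusted/untrusted QoS lines omitted)."""
    ob, data = sw.onboarding_isid, sw.data_isid

    def untagged(isid):   # applied on the I-SID interface, so the port is the argument
        return [f"i-sid {isid}: untagged-traffic port {p.name}"] if isid else []

    guest = [f"eapol guest i-sid {ob}"] if ob else []
    table = {
        State.UNI: ["flex-uni enable", *NAC, *(guest if not data else []),
                    *untagged(data or ob)],          # a data I-SID takes precedence
        State.NNI: ISIS, State.NNI_ISIS: ISIS,
        State.NNI_ONBOARDING: ["flex-uni enable", *ISIS, *untagged(ob)],
        State.FA: ["flex-uni enable", *NAC, *guest, "fa enable", *untagged(ob)],
        State.FA_PROXY: ["flex-uni enable", "fa enable", "fa message-authentication",
                         "fa management-isid"],      # onboarding I-SID unless overridden
        State.FA_PROXY_NOAUTH: ["flex-uni enable", "fa enable", *untagged(ob)],
        State.FA_PROXY_RING: ["flex-uni enable", "fa enable", "fa authentication-key",
                              "fa message-authentication", "fa management-isid <isid> c-vid <cvid>"],
    }
    return list(table.get(p.state, []))


def fa_untagged_isid(eap_isid, device_isid, onboarding_isid) -> Optional[int]:
    """Untagged-traffic I-SID for a port in the FA state; None means the traffic is dropped."""
    return next((i for i in (eap_isid, device_isid, onboarding_isid) if i), None)


if __name__ == "__main__":
    sw = Switch(onboarding_isid=15999999)        # illustrative onboarding I-SID value
    p1, p2 = Port("1/1"), Port("1/2")
    for p in (p1, p2):
        p.step(Event.LINK_UP, sw)
        p.step(Event.LLDP_FE_TLV, sw)
    print(p1.state.name, p2.state.name)          # SDWAN SDWAN_PENDING
```

The model makes the two checks a practitioner tends to miss explicit: a UNI port keeps listening to LLDP, so an FA or Fabric Connect neighbor plugged in later still moves it to FA or NNI, and a second port that sees an FE-TLV stays in SD-WAN-PENDING until the first SD-WAN port releases VLAN 4047 (modelled here on link down).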