| Feature | Product | Release introduced |
|---|---|---|
| Endpoint Tracking | 5320 Series | Not Supported |
| | 5420 Series | Not Supported |
| | 5520 Series | VOSS 8.2.5 |
| | 5720 Series | Fabric Engine 8.7 |
| | 7520 Series | Fabric Engine 8.10 |
| | 7720 Series | Fabric Engine 8.10 |
| | VSP 4450 Series | Not Supported |
| | VSP 4900 Series | VOSS 8.7 |
| | VSP 7200 Series | VOSS 8.1.1 |
| | VSP 7400 Series | VOSS 8.1.1 |
| | VSP 8200 Series | VOSS 8.1.1 |
| | VSP 8400 Series | VOSS 8.1.1 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | Not Supported |

Endpoint Tracking provides dynamic assignment of virtual machines (VMs) to IP subnets as they attach to a Shortest Path Bridging (SPB) cloud. Deployment scenarios include VMs connecting to DvR Leaf nodes, or regular SPBM deployments.
ExtremeCloud IQ - Site Engine is integral to the Endpoint Tracking solution. ExtremeCloud IQ - Site Engine delivers automation; there is no need to manually configure server VLANs on data center access switches. Additionally, ExtremeCloud IQ - Site Engine provides the ability to see what VM MACs exist, and where they are located.
ExtremeCloud IQ - Site Engine's ExtremeConnect module integrates with third-party virtualization software (such as VMware or Microsoft Hyper-V) and communicates with the ExtremeControl module to automatically extract all of the VM MACs (including VLAN assignment for each MAC) and then automatically create all of the necessary authentication profiles, rules and mappings.
When the switch detects a new VM on a port, it sends a RADIUS request to ExtremeCloud IQ - Site Engine. ExtremeConnect checks with vCenter for the Port Group, VLAN ID, and I-SID information that corresponds with the VM, communicates with the ExtremeControl module for the RADIUS authentication, and sends the RADIUS response back to the switch with the VLAN:ISID binding information. Based on the binding, the switch then automatically creates a dynamic Switched UNI (S-UNI). Dynamic S-UNIs are not saved into the configuration file.
The following example shows a typical implementation of Endpoint Tracking and the dynamic I-SID assignment process, as provisioned in ExtremeCloud IQ - Site Engine.
The sequence within and among the four example VLANs in this configuration is as follows:
1. The RADIUS server authenticates VM1, and the switch automatically creates a Switched UNI with VLAN 10 and I-SID 10 binding (using the outbound attributes received from the RADIUS server). Subsequently, the server authenticates VM2, which uses the same Switched UNI.
2. Similarly, on the other side of the SPB cloud, the RADIUS server authenticates VM5 and the switch automatically creates a Switched UNI with VLAN 30 and I-SID 10 binding (using the outbound attributes received from the RADIUS server). Subsequently, the server authenticates VM6, which uses the same Switched UNI.
3. The same sequence occurs for VMs 3 and 4, and PCs 7 and 8, with the first authentication in each VLAN providing the outbound RADIUS attributes needed for the creation of a Switched UNI for that VLAN.
The final result is that VMs 1, 2, 5, and 6 can access each other on I-SID 10, and VMs 3, 4, 7, and 8 can access each other on I-SID 20.
Endpoint Tracking can also be used in cases where static S-UNIs are configured on Endpoint Tracking-enabled ports. In this case, the MACs are allowed by default on the static S-UNI. However, by default, the MACs learned on a static S-UNI are not learned at the Endpoint Tracking level. Endpoint Tracking Visibility Mode allows tracking of MACs that are learned on static S-UNIs. A binding is created for these MACs, but these bindings do not create dynamic S-UNIs; they are used for tracking purposes only.
Endpoint Tracking is supported on Ethernet ports, MLTs, and SMLTs.
If the switch is a Virtual IST (vIST) peer, the dynamic Switched UNI is synchronized to its vIST peer as follows:
- If the MAC is learned on an SMLT UNI interface, all Switched UNI information is synchronized to the vIST peer.
- If the MAC is learned on a non-SMLT UNI interface, only the I-SID is synchronized to the vIST peer.
When a VM moves to a new switch within a network (with no change to the VLAN segment), the new switch triggers a new RADIUS authentication, which points that VM MAC to the new switch, and new bindings are applied on the new switch. The old switch detects that the VM MAC has moved and automatically deletes the old binding, if the old binding has not already aged out.
However, if a VM remains attached to the same (previously authenticated) switch, but the VLAN segment is changed, you must push a reauthentication request from ExtremeCloud IQ - Site Engine to force the required binding updates. For more information about managing binding updates using RADIUS Change-of-Authorization (CoA) functionality, see ExtremeCloud IQ - Site Engine Integration.
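The binding behaviour described above (the first authentication in a VLAN creates the dynamic S-UNI, later MACs reuse it, a move deletes the old binding, and Visibility Mode tracks MACs without creating an S-UNI), as an added Python model that is not Extreme's code. The MAC names, port numbers, VLANs 20 and 40, the `no-binding` outcome, and the `Switch`, `attach` and `reachability` names are assumptions made for illustration; the static S-UNI is simplified to one per port.

```python
from collections import defaultdict

# Constructed policy standing in for the RADIUS response: MAC -> (VLAN, I-SID).
# VLANs 10/30 and I-SIDs 10/20 follow the page's example; VLANs 20 and 40 are assumed.
POLICY = {"vm1": (10, 10), "vm2": (10, 10), "vm5": (30, 10), "vm6": (30, 10),
          "vm3": (20, 20), "vm4": (20, 20), "pc7": (40, 20), "pc8": (40, 20)}

class Switch:
    def __init__(self, name, static_sunis=None, visibility=False):
        self.name = name
        self.static = dict(static_sunis or {})  # port -> (vlan, isid), configured
        self.dynamic = {}                       # (port, vlan) -> isid, not saved to config
        self.bindings = {}                      # mac -> (port, vlan, isid)
        self.visibility = visibility            # Endpoint Tracking Visibility Mode

    def attach(self, mac, port, fabric):
        """Handle a newly detected MAC on a port; return what the switch did."""
        if port in self.static:                 # static S-UNI: MAC allowed by default
            if not self.visibility:
                return "allowed-untracked"
            self.bindings[mac] = (port, *self.static[port])
            result = "tracked-only"             # binding exists, no dynamic S-UNI
        else:
            if mac not in POLICY:               # assumed: no binding, so no S-UNI
                return "no-binding"
            vlan, isid = POLICY[mac]
            created = (port, vlan) not in self.dynamic
            self.dynamic.setdefault((port, vlan), isid)
            self.bindings[mac] = (port, vlan, isid)
            result = "suni-created" if created else "suni-reused"
        for other in fabric:                    # MAC move: old switch drops its binding
            if other is not self:
                other.bindings.pop(mac, None)
        return result

def reachability(fabric):
    """Group tracked MACs by I-SID across all switches in the fabric."""
    groups = defaultdict(set)
    for sw in fabric:
        for mac, (_, _, isid) in sw.bindings.items():
            groups[isid].add(mac)
    return dict(groups)
```

Comparing the output of `reachability` against the intended segmentation shows which endpoints end up sharing an I-SID after a series of attachments and moves.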
Consider the following when implementing Endpoint Tracking:
- A RADIUS server used for Endpoint Tracking provides authorization only; no accounting processes are supported. Although accounting is enabled by default for all RADIUS servers, it is not currently supported for use with Endpoint Tracking, even if left enabled.
- Fabric Attach is not supported on ports or MLT/SMLTs that have Endpoint Tracking enabled.