Endpoint Tracking

Table 1. Endpoint Tracking product support

| Feature | Product | Release introduced |
|---|---|---|
| Endpoint Tracking | 5320 Series | Not Supported |
| | 5420 Series | Not Supported |
| | 5520 Series | VOSS 8.2.5 |
| | 5720 Series | Fabric Engine 8.7 |
| | 7520 Series | Fabric Engine 8.10 |
| | 7720 Series | Fabric Engine 8.10 |
| | VSP 4450 Series | Not Supported |
| | VSP 4900 Series | VOSS 8.7 |
| | VSP 7200 Series | VOSS 8.1.1 |
| | VSP 7400 Series | VOSS 8.1.1 |
| | VSP 8200 Series | VOSS 8.1.1 |
| | VSP 8400 Series | VOSS 8.1.1 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | Not Supported |

Endpoint Tracking Overview

Endpoint Tracking provides dynamic assignment of virtual machines (VMs) to IP subnets as they attach to a Shortest Path Bridging (SPB) cloud. Deployment scenarios include VMs connecting to DvR Leaf nodes, or regular SPBM deployments.

ExtremeCloud IQ - Site Engine is integral to the Endpoint Tracking solution. ExtremeCloud IQ - Site Engine delivers automation, so there is no need to manually configure server VLANs on data center access switches. Additionally, ExtremeCloud IQ - Site Engine provides the ability to see what VM MACs exist and where they are located.

ExtremeCloud IQ - Site Engine's ExtremeConnect module integrates with third-party virtualization software (such as VMware or Microsoft Hyper-V) and communicates with the ExtremeControl module to automatically extract all of the VM MACs (including the VLAN assignment for each MAC) and then automatically create all of the necessary authentication profiles, rules, and mappings.

When the switch detects a new VM on a port, it sends a RADIUS request to ExtremeCloud IQ - Site Engine. ExtremeConnect checks with vCenter for the Port Group, VLAN ID, and I-SID information that corresponds with the VM, communicates with the ExtremeControl module for the RADIUS authentication, and sends the RADIUS response back to the switch with the VLAN:ISID binding information. Based on the binding, the switch then automatically creates a dynamic Switched UNI (S-UNI). Dynamic S-UNIs are not saved into the configuration file.

Typical Endpoint Tracking Implementation Example

The following example shows a typical implementation of Endpoint Tracking and the dynamic I-SID assignment process, as provisioned in ExtremeCloud IQ - Site Engine.

Endpoint Tracking Example

The sequence within and among the four example VLANs in this configuration is as follows:

  1. The RADIUS server authenticates VM1, and the switch automatically creates a Switched UNI with VLAN 10 and I-SID 10 binding (using the outbound attributes received from the RADIUS server). Subsequently, the server authenticates VM2, which uses the same Switched UNI.

  2. Similarly, on the other side of the SPB cloud, the RADIUS server authenticates VM5 and the switch automatically creates a Switched UNI with VLAN 30 and I-SID 10 binding (using the outbound attributes received from the RADIUS server). Subsequently, the server authenticates VM6, which uses the same Switched UNI.

  3. The same sequence occurs for VMs 3 and 4, and PCs 7 and 8, with the first authentication in each VLAN providing the outbound RADIUS attributes needed for the creation of a Switched UNI for that VLAN.

  4. The final result is that VMs 1, 2, 5, and 6 can access each other on I-SID 10, and VMs 3, 4, 7, and 8 can access each other on I-SID 20.
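The sequence above, modeled as an added example (not Extreme's code or part of the original page): the first accepted authentication for a port and VLAN creates the dynamic S-UNI, later endpoints reuse it, and reachability follows the I-SID rather than the local VLAN ID. The class and function names, switch names, port numbers, VLANs 20 and 40, and the `intended` policy map are assumptions; endpoint labels stand in for MAC addresses.

```python
from collections import defaultdict

class Switch:
    """Simplified model of an Endpoint Tracking switch (hypothetical names)."""

    def __init__(self, name):
        self.name = name
        self.dynamic_sunis = {}   # (port, vlan) -> isid; not saved to config
        self.bindings = {}        # endpoint -> (port, vlan, isid)

    def on_radius_accept(self, endpoint, port, vlan, isid):
        """Apply a VLAN:ISID binding; return True if a new S-UNI was created."""
        created = (port, vlan) not in self.dynamic_sunis
        if created:
            self.dynamic_sunis[(port, vlan)] = isid
        self.bindings[endpoint] = (port, vlan, isid)
        return created

def reachability(switches):
    """Group endpoints by I-SID across the SPB cloud (VLAN IDs are local)."""
    groups = defaultdict(set)
    for sw in switches:
        for endpoint, (_port, _vlan, isid) in sw.bindings.items():
            groups[isid].add(endpoint)
    return dict(groups)

def segmentation_violations(switches, intended):
    """Return endpoints whose bound I-SID differs from the intended one."""
    actual = {e: b[2] for sw in switches for e, b in sw.bindings.items()}
    return sorted(e for e, isid in actual.items() if intended.get(e) != isid)

def run_example():
    # Constructed topology: switch names, ports, and VLANs 20/40 are assumed;
    # VLANs 10/30 and I-SIDs 10/20 come from the example above.
    a, b = Switch("access-A"), Switch("access-B")
    events = [  # (switch, endpoint, port, vlan, isid) in authentication order
        (a, "VM1", "1/1", 10, 10), (a, "VM2", "1/1", 10, 10),
        (b, "VM5", "1/1", 30, 10), (b, "VM6", "1/1", 30, 10),
        (a, "VM3", "1/1", 20, 20), (a, "VM4", "1/1", 20, 20),
        (b, "VM7", "1/1", 40, 20), (b, "VM8", "1/1", 40, 20),
    ]
    created = [sw.on_radius_accept(ep, port, vlan, isid)
               for sw, ep, port, vlan, isid in events]
    return a, b, created

if __name__ == "__main__":
    a, b, created = run_example()
    print(created)
    print(reachability([a, b]))
```

Comparing `reachability()` or `segmentation_violations()` against the intended policy is a quick way to confirm that RADIUS-returned bindings place each endpoint in the expected I-SID.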

Static S-UNIs and Visibility Mode

Endpoint Tracking can also be used in cases where static S-UNIs are configured on Endpoint Tracking-enabled ports. In this case, the MACs are allowed by default on the static S-UNI. However, by default, the MACs learned on a static S-UNI are not learned at the Endpoint Tracking level. Endpoint Tracking Visibility Mode allows tracking of MACs that are learned on static S-UNIs. This implies that a binding is created for these MACs, but these bindings do not create dynamic S-UNIs; they are used for tracking purposes only.

Interface Support

Endpoint Tracking is supported on Ethernet ports, MLTs, and SMLTs.

If the switch is a Virtual IST (vIST) peer, the dynamic Switched UNI is synchronized to its vIST peer as follows:

VM Moves and VLAN:ISID Bindings

When a VM moves to a new switch within a network (with no change to the VLAN segment), the new switch triggers a new RADIUS authentication, which points that VM MAC to the new switch, and new bindings are applied on the new switch. The old switch detects that the VM MAC has moved and automatically deletes the old binding, if the old binding has not already aged out.

However, if a VM remains attached to the same (previously authenticated) switch, but the VLAN segment is changed, you must push a reauthentication request from ExtremeCloud IQ - Site Engine to force the required binding updates. For more information about managing binding updates using RADIUS Change-of-Authorization (CoA) functionality, see ExtremeCloud IQ - Site Engine Integration.

Operational Considerations

Consider the following when implementing Endpoint Tracking: