Extreme-Dynamic-Client-Assignments

The Extreme-Dynamic-Client-Assignments Vendor Specific Attribute (VSA) is a RADIUS VSA for dynamic VLAN and Private VLAN (PVLAN) creation. You can also configure VLAN parameters, such as VLAN name, I-SID to VLAN association, and I-SID name.

Note

Product Notice: This section does not apply to XA1400 Series, VSP 8600 Series, or VSP 4450 Series (flex-uni ports).

Name: Extreme-Dynamic-Client-Assignments
Value: 253
Type: String
Vendor: Extreme
Extreme Vendor ID is 1916

The Extreme-Dynamic-Client-Assignments VSA supports the following VLAN-based features:

IGMP Snooping
DHCP Snooping
Dynamic ARP Inspection (DAI)

You configure these features through the Extreme-Dynamic-Config RADIUS VSA before you use the VSA Extreme-Dynamic-Client-Assignments.

RADIUS Change of Authorization (CoA) is supported also. With CoA, a RADIUS server can remove a client device from a network and force it to re-authenticate.

Note the following points regarding VLAN creation with the Extreme-Dynamic-Client-Assignments VSA:

Platform VLAN manual configuration—This maps the Extreme-Dynamic-Client-Assignments Radius VSA without create. Only the options used to define the existing functionality of mapping clients to VLAN on regular ports or vlan:isid on flex-uni ports are used—Primary VLAN (PV), Virtual Network Identifier (VNI), and Egress VLAN (EV). The Secondary VLAN (SV), VLAN Name (VN), and VNIN attributes for dynamic VLAN are ignored.
Regular VLAN configuration—This maps the VSA with the option create=vlan. The Multiple Spanning Tree Protocol (MSTP) instance is 0. When platform VLAN is dynamically created, all VLAN parameters are also dynamically applied; a static VLAN setting is not allowed. Dynamic platform VLANs and dynamic I-SIDs names will exist as long as EAP clients reference them. If clients do not use them, then they are deleted and are not saved in the configuration file.
PVLAN configuration—This maps with the usage of Extreme-Dynamic-Client-Assignments Radius VSA with the create=pvlan option. The EAP and Private VLANs on regular ports are not supported. But they are supported on flex-uni ports. The MSTP instance is 0. When you dynamically create a private VLAN, all VLAN parameters are also dynamically created; this is no static setting allowed. Dynamic PVLANs and dynamic I-SIDs names will exist as long as EAP clients reference them. If clients do not use them, then they are deleted and are not saved in the configuration file.

Use the information in the following tables and this string format to create a dynamic VLAN—

create=vlan|pvlan,pv=Primary VLANID, sv=secondary VLANID, vni=ISID,
                ev=EGRESS-VLAN-tag, vn=vlan-name, vnin=isid-name

Note

If ev is missing, it will default to 0. You can also use U or T (case-sensitive). When ev is set to U, it is untagged or 0. When ev is set to T, it takes the value of pv or tagged. If pv is not specified, then an error occurs and the VSA is ignored.

Table 1. String Options for Dynamic VLAN Creation
Option	Note
`create=vlan \| pvlan`	If `create` is missing, the assumption is that a manually created VLAN exists. Note the following two examples: `create=vlan`—dynamically creates a platform VLAN. `create=pvlan`—dynamically creates a private VLAN. This option is ignored on DVR Leafs.
`pv=Primary VLANID`	The platform VLAN that the client is assigned. This option is valid for any combination of the `create` command.
`sv=Secondary VLANID`	This option is only valid for a private VLAN and if the `create` option is also used.
`vni=ISID`	If you did not use `create` then you can use `vni` on flex-uni ports with `ev` to assign a client to a Switched UNI (S-UNI). The `vni` command also has the role of mapping the dynamic created VLAN to the VNI.
`ev=EGRESS-VLAN-tag`	Use this option on regular ports to tag or untag the egress for the PV. Use this option on flex-uni ports as `c-vid` in S-UNI creation.
`vn=Vlan name`	Valid only if you use `create`.
`vnin=ISID name`	Valid only if you use `create`.

Table 2. **VSA Equivalency with Radius Attributes**
Port Type	RADIUS Attribute	Extreme-Dynamic-Client-Assignments Radius VSA	Comment
Regular port.	Tunnel Private GroupID.	Without `create`. `pv=Primary VLANID`.	This adds the port to the primary VLAN; tag is the port tag.
	`Egress-VLANID`.	Without `create`. `pv=Primary VLANID`. `ev= EGRESS-VLAN-tag`.	Untagged: `ev = 0`. Tagged: `ev = pv`. This adds the port to the primary VLAN; The VLAN egress tag is dictated by the `ev`.
	`Egress-VLAN-Name`.	Not Supported.	-
Flex-Uni ports.	`FA VLAN:ISID`.	Without `create`. `vni=[ISID]` `ev= [EGRESS-VLAN-tag]`.	Untagged: `ev = 0`. Tagged: `ev != 0`. A S-UNI is created, either MAC-based or regular, depending on MHMV/MHSA setting; uses `i-sid` (vnid) and `c-vid` (ev) values.
	`Egress-VLANID + FA VLAN:I-SID`.	Supported by the same combination for FA VLAN:ISID.	-
	`Egress-VLANID + Tunnel Private GroupID + autoIsidOffset`.	Without `create`. `pv=Primary VLANID`. `ev= EGRESS-VLAN-tag`.	Untagged: `ev = 0`. Tagged: `ev != 0`. A S-UNI is created, either MAC-based or regular, depending on MHMV/MHSA setting; uses auto configured `i-sid` from pv value and `c-vid` (ev) values.
	`Egress-VLAN-Name + FA VLAN:I-SID` >	Not supported.	-
	`Egress-VLAN-Name + Tunnel Private GroupId + autoIsidOffset`.	Not supported.	-

The dynamic VLAN is deleted after you disconnect all of the clients across the Extensible Authentication Protocol (EAP) ports. The port is removed when the last client is disconnected and the saved I-SID name is restored.

You cannot delete a static VLAN if EAP ports are assigned to it. But the VLAN can be deleted if you have added EAP FlexUNI ports to it. When you do this action, all MAC addresses are flushed, and any Non-EAP (NEAP) sessions are deleted. The MAC address is re-learned in I-SID and a new RADIUS authentication can now create a dynamic VLAN. For EAP sessions, the session goes to the re-authentication state, and the new RADIUS authentication can create a dynamic VLAN.

In Multiple Host Multiple VLAN (MHMV), all VSAs received from RADIUS are deleted and not processed, except for the last one.