Extreme-Dynamic-Config

This attribute configures port and VLAN based attributes.

The following features can be configured using Extreme-Dynamic-Config RADIUS VSA.

Note

If you use the Extreme-Dynamic-Config RADIUS VSA, then Dynamic ARP Inspection and DHCP Snooping are only enabled on the default VLAN if IPSG is present in the RADIUS attributes.

AN-ADVERTISMENTS:100Half or AN-ADVERTISMENTS:100H

AN-ADVERTISMENTS:100Half or AN-ADVERTISMENTS:100H settings configure Custom Auto-Negotiation Advertisements (CANA) speed and duplex to the following supported values:

BPDU

This setting enables Bridge Protocol Data Unit (BPDU) Guard on the port where the client resides.

DAI

This setting enables Dynamic ARP Inspection (DAI) on the VLAN received from the RADIUS server. For a Flex-UNI port, DAI enables on the platform VLAN associated with the I-SID received from the RADIUS server.

DAI also enables on the default VLAN of the port to prepare for IP Source Guard (IPSG), which requires DAI and DHCP Snooping enabled on all VLANs. If the RADIUS server does not return a VLAN or I-SID, DAI enables on the default VLAN. For Flex-UNI ports, DAI enables on the platform VLAN associated with the untagged I-SID.

Note

If you use the Extreme-Dynamic-Config RADIUS VSA, then Dynamic ARP Inspection is only enabled on the default VLAN if IPSG is present in the RADIUS attributes.

DHCPSNOOP

This setting enables DHCP Snooping on the VLAN received from the RADIUS server. For a Flex-UNI port, DHCP Snooping enables on the platform VLAN associated with the I-SID received from the RADIUS server.

DHCP Snooping also enables on the default VLAN of that port to prepare for IP Source Guard (IPSG), which requires DAI and DHCP Snooping enabled on all VLANs. If the RADIUS server does not return a VLAN or I-SID, DHCP Snooping enables on the default VLAN. For Flex-UNI ports, DHCP Snooping enables for the platform VLAN associated with the untagged I-SID.

Note

If you use the Extreme-Dynamic-Config RADIUS VSA, then DHCP Snooping is only enabled on the default VLAN if IPSG is present in the RADIUS attributes.

IGMPSNOOP

This setting enables IGMP Snooping on the VLAN received from the RADIUS server. For a Flex-UNI port, IGMP Snooping enables on the platform VLAN associated with the I-SID received from the RADIUS server.

IPSG

This setting enables IP Source Guard (IPSG) on the port where the client resides.

In order to apply IPSG, DHCP Snooping and DAI must be configured on the RADIUS server. DHCP Snooping and DAI must be enabled on all VLANs.

The following is an example of a log message that displays if a setting is not configured correctly:

GlobalRouter EAP WARNING Cannot apply Radius IP Source Guard attribute on port 3/15 without DHCP Snooping and DAI attributes.
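
The IPSG prerequisite above can be checked before a policy is pushed to the RADIUS server, and the warning can be matched in collected switch logs. The following is an added example, not Extreme Networks code: the function names are hypothetical, each policy is assumed to be a list of keyword strings, and only AN-ADVERTISMENTS and REAUTH are assumed to accept a ":value" suffix because those are the only ones this page shows with one.

```python
import re

# Keywords this page lists for the Extreme-Dynamic-Config VSA.
KNOWN = {"AN-ADVERTISMENTS", "BPDU", "DAI", "DHCPSNOOP", "IGMPSNOOP",
         "IPSG", "REAUTH", "SLPPGUARD", "WOL"}
# Keywords the page shows with a ":value" suffix (assumed to be the only ones).
TAKES_VALUE = {"AN-ADVERTISMENTS", "REAUTH"}

# The warning quoted above, with the port captured.
IPSG_WARNING = re.compile(
    r"Cannot apply Radius IP Source Guard attribute on port (\S+) "
    r"without DHCP Snooping and DAI attributes")

# First line is the message from this page; the second is constructed.
SAMPLE_LOG = [
    "GlobalRouter EAP WARNING Cannot apply Radius IP Source Guard attribute "
    "on port 3/15 without DHCP Snooping and DAI attributes.",
    "GlobalRouter EAP INFO constructed unrelated line for port 3/16",
]


def lint_policy(values):
    """Return findings for one policy's list of Extreme-Dynamic-Config keywords."""
    findings, seen = [], set()
    for raw in values:
        keyword, _, param = raw.strip().partition(":")
        if keyword not in KNOWN:
            findings.append(f"unknown keyword: {raw!r}")
            continue
        if param and keyword not in TAKES_VALUE:
            findings.append(f"unexpected value on {keyword}: {raw!r}")
        seen.add(keyword)
    # IPSG is not applied on the port unless DHCPSNOOP and DAI come with it.
    if "IPSG" in seen:
        missing = sorted({"DAI", "DHCPSNOOP"} - seen)
        if missing:
            findings.append("IPSG requires " + " and ".join(missing))
    return findings


def ports_with_ipsg_warning(log_lines):
    """Return ports on which the switch refused to apply the IPSG attribute."""
    hits = (IPSG_WARNING.search(line) for line in log_lines)
    return [m.group(1) for m in hits if m]


if __name__ == "__main__":
    print(lint_policy(["IPSG", "DAI", "REAUTH:100"]))
    print(ports_with_ipsg_warning(SAMPLE_LOG))
```

A port that appears in the second result authenticated its client but is running without IP Source Guard, so the policy that served it should be corrected and the session reauthenticated.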

REAUTH or REAUTH:100

This setting enables EAPOL reauthentication on a port, either manually using CLI or dynamically through RADIUS. The origin identifies how reauthentication was configured: either CONFIG or RADIUS.

SLPPGUARD

This setting enables Simple Loop Prevention Protocol (SLPP) Guard on the port where the client resides.

WOL

This setting enables EAP traffic-control (Wake On LAN) on the port where the client resides.

Session Timeout and Reauthentication VSA behavior

| Session | REAUTH status | Cause |
|---|---|---|
| EAP Session | Without REAUTH VSA | On MAC ageout. Note: Session times out if the client is not connected. |
| EAP Session | With REAUTH VSA | On periodic timer and MAC ageout. |
| NEAP Session | Without REAUTH VSA | On MAC ageout. |
| NEAP Session | With REAUTH VSA | Useful for silent devices, session stays active despite MAC ageout. Session is removed only by manual intervention or RADIUS reject/timeout. Note: The same command activates both EAP and NEAP reauthentication. If reauthentication is needed for EAP, NEAP reauthentication for silent devices is automatically activated. |

| Command | Level | Processing | Configuration | Prerequisites |
|---|---|---|---|---|
| Session-timeout | Per session basis. | Changes the reauth interval for a particular session. | None. | Enable port level reauthentication. |
| VSA (REAUTH:300 or REAUTH) | Per port basis. | Changes the port configuration. | Enable reauthentication and configure interval. | None. |

Expected Behavior for DHCP Snooping and DAI Vendor Specific Attributes

The following table shows the behavior for Dynamic Host Configuration Protocol Snooping (DHCP Snooping) and Dynamic ARP Inspection (DAI) Vendor Specific Attributes (VSA) for each authentication scenario, depending on Extensible Authentication Protocol (EAP) Operational mode, Flex-UNI mode, and IP Source Guard (IPSG) VSA or RADIUS VLAN/I-SID.

Table 1. Expected Behavior for DHCP Snooping and DAI VSAs

| EAP Operational Mode | IPSG VSA received | Flex-UNI | RADIUS VLAN/I-SID | DHCPSNOOP and DAI VSA received |
|---|---|---|---|---|
| Multiple Host Single Authentication (MHSA) | Yes | Yes | Yes | DHCP, DAI, and IPSG enabled on all associated Platform VLANs. |
| MHSA | Yes | Yes | No | DHCP, DAI, and IPSG enabled on all associated Platform VLANs. |
| MHSA | Yes | No | Yes | DHCP, DAI, and IPSG enabled on all associated Platform VLANs. |
| MHSA | Yes | No | No | DHCP, DAI, and IPSG enabled on all associated Platform VLANs. |
| MHSA | No | Yes | Yes | DHCP and DAI enabled on Platform VLAN associated with RADIUS I-SIDs. |
| MHSA | No | Yes | No | DHCP and DAI enabled on all static Platform VLANs. |
| MHSA | No | No | Yes | DHCP and DAI enabled on received RADIUS VLAN. |
| MHSA | No | No | No | DHCP and DAI enabled on default VLAN. |
| Multiple Host Multiple VLAN (MHMV) | Yes | Yes | Yes | DHCP, DAI, and IPSG enabled on Platform VLAN associated with RADIUS I-SID and Platform VLAN associated with untagged I-SID. |
| MHMV | Yes | Yes | No | DHCP, DAI, and IPSG enabled on Platform VLAN associated with untagged I-SID. |
| MHMV | Yes | No | Yes | DHCP, DAI, and IPSG enabled on RADIUS VLAN and default VLAN. |
| MHMV | Yes | No | No | DHCP, DAI, and IPSG enabled on default VLAN. |
| MHMV | No | Yes | Yes | DHCP and DAI enabled on Platform VLAN associated with RADIUS I-SID. |
| MHMV | No | Yes | No | DHCP and DAI enabled on Platform VLAN associated with untagged I-SID. |
| MHMV | No | No | Yes | DHCP and DAI enabled on received RADIUS VLAN. |
| MHMV | No | No | No | DHCP and DAI enabled on default VLAN. |

Note:

If no RADIUS VLAN or Platform VLAN is associated with RADIUS I-SID, DHCP Snooping and DAI are enabled on the default VLAN or Platform VLAN associated with static untagged I-SID.