New topicConvergence End Point (CEP) Detection

Convergence End Point (CEP) is a mechanism to detect remote IP telephony or video devices on a port and dynamically apply a policy based on the type of CEP device discovered. CEP is only active when ONEPolicy is enabled and configured on the switch. When a CEP device is detected on a port, the configured policy for that device is applied to the user on that port. The switch detects a CEP by inspecting devices on CDP- and Link Layer Discovery Protocol-configured ports. CEP interacts with LLDP, CDP, and ONEPolicy through callbacks and/or inter-process messaging to initiate detection and apply policy.

LLDP and CDP

LLDP and CDP are required to call into CEP to add detected IP telephony devices with the following data:
  • MAC—MAC address of detected device
  • Port—port origin of detection
  • Type—the type of detected device (Cisco, LLDP)
  • inetAddr—IP address of end point device
  • inetType—IP address type of end point device (IPv4, IPv6)
  • inetLen—length of inetAddr

ONEPolicy

  • CEP initializes with, and exists in, the ONEPolicy process and calls directly to modify policy muxRule entries.
  • CEP leverages ONEPolicy port add/del/mod callback integration, satisfying CEP platform port requirements.

For information about configuring CEP detection, see Setting Up Convergence End Point (CEP) Detection.

Note

Note

When both CEP and NetLogin are enabled on the same port, the policy profile name is "active" for both CEP and NetLogin sessions with session applied as "false" for CEP and "true" for NetLogin. If NetLogin authentication is successful, the session applied is false for CEP and true for NetLogin. NetLogin takes higher precedence than the CEP profile.

Learning of CEP entries depends on the LLDP/CDP update on active ports and on disabling and enabling CEP. New entries are learned only after receiving new LLDP/CDP information, and not from existing LLDP neighbors and CDP neighbors table.

For example:

# configure policy convergence-endpoint disable

# show fd
Mac                     Vlan       Age  Flags           Port / Virtual Port List
--------------------------------------------------------------------------------

Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
        x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole,
        b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation,
        D - drop packet, h - Hardware Aging, o - IEEE 802.1ah Backbone MAC,
        S - Software Controlled Deletion, r - MSRP,
        X - VXLAN, Z - OpenFlow

Total: 0 Static: 0  Perm: 0  Dyn: 0  Dropped: 0  Locked: 0  Locked with Timeout: 0
FDB Aging time: 300
* (Software Update Required) Slot-2 Stack.34 # sh lldp neighbors

        Neighbor           Neighbor                           Neighbor
Port    Chassis ID         Port ID            TTL     Age     System Name
===============================================================================
1:11    00:04:96:99:4F:EB  11                 120     3       X440G2-24t-10G4
2:18    00:04:96:97:E9:EB  18                 120     4       X460G2-48t
2:22    00:04:96:9A:5D:1C  17                 120     7       X460G2-24p-10G4
2:23    00:04:96:52:E8:A4  15                 120     19      Not-Advertised
3:1     (5.1)10.120.93.33  70:38:EE:D0:91:6E  120     3       AVXD0916E
3:17    (5.1)10.127.6.192  D867D9E70736:P1    180     9       SEPd867d9e70736.extremenetworks.com
3:24    (5.1)0.0.0.0       BCF1F2B4E75E:P1    180     45      SEPBCF1F2B4E75E

# show cdp neighbor
Device Id            Local        Hold   Capability   Platform       Port Id
                     Interface    Time
--------------------------------------------------------------------------------
00:04:96:99:4F:EB    1:11         130    RT   I       X440G2-24t-10> Slot:  1, P>
00:04:96:9A:5D:1C    2:22         127     T           X460G2-24p-10> Slot:  1, P>
SEPd867d9e70736      3:17         162        H        Cisco IP Phon> Port 1
SEPBCF1F2B4E75E      3:24         132        H        Cisco IP Phon> Port 1

# configure policy convergence-endpoint enable
Only after new LLDP/CDP packet is received CEP will be detected.
# show lldp neighbors
        Neighbor           Neighbor                           Neighbor
Port    Chassis ID         Port ID            TTL     Age     System Name
===============================================================================
1:11    00:04:96:99:4F:EB  11                 120     27      X440G2-24t-10G4
2:18    00:04:96:97:E9:EB  18                 120     28      X460G2-48t
2:22    00:04:96:9A:5D:1C  17                 120     1       X460G2-24p-10G4
2:23    00:04:96:52:E8:A4  15                 120     13      Not-Advertised
3:1     (5.1)10.120.93.33  70:38:EE:D0:91:6E  120     27      AVXD0916E
3:17    (5.1)10.127.6.192  D867D9E70736:P1    180     3       SEPd867d9e70736.extremenetworks.com
3:24    (5.1)0.0.0.0       BCF1F2B4E75E:P1    180     39      SEPBCF1F2B4E75E
===============================================================================
NOTE: The Chassis ID and/or Port ID might be truncated to fit the screen.

# show fd
Mac                     Vlan       Age  Flags           Port / Virtual Port List
--------------------------------------------------------------------------------
00:04:96:99:4f:eb SYS_VLAN_1000(1000) 0000  dhm           1:11
70:38:ee:d0:91:6e SYS_VLAN_2000(2000) 0000 ndhm     v     3:1
bc:f1:f2:b4:e7:5e SYS_VLAN_1000(1000) 0041 nd m     v     3:24
d8:67:d9:e7:07:36 SYS_VLAN_1000(1000) 0000 n
Note

Note

After CEP devices are mapped to a profile, changing the index value to "0" or to some other policy profile name, the existing CEP connections are still be mapped to the old profile that was configured initially when the CEP devices were detected. To force a refresh of existing detected devices, disable, and then enable, CEP (see configure policy convergence-endpoint) or disable, and then enable, the port(s) (see disable port and enable port).