Deploying an Identity Aware Network

Recommendations

Info

Extreme Networks Application NoteExecution Information:2 # enable cli scripting3 # configure cli mode non-persistent4 # set var EVENT.NAME LOG _ MESSAGE5 # set var EVENT.LOG _ FILTER _ NAME “kerberosevents”6 # set var EVENT.LOG _ DATE “04/07/2010”7 # set var EVENT.LOG _ TIME “01:39:23.44”8 # set var EVENT.LOG _ COMPONENT _ SUBCOMPONENT “IdMgr”9 # set var EVENT.LOG _ EVENT “RecvKerberosTrig”10 # set var EVENT.LOG _ SEVERITY “Debug-Verbose”11 # set var EVENT.LOG _ MESSAGE “Kerberos %0% trigger for %1%@%2%/%3%/%4%/%5%, IP %7%, NB host‘%6%’”12 # set var EVENT.LOG _ PARAM _ 0 “Discover”13 # set var EVENT.LOG _ PARAM _ 1 “john _ smith”14 # set var EVENT.LOG _ PARAM _ 2 “PRIMECORP”15 # set var EVENT.LOG _ PARAM _ 3 “00:11:43:BF:6A:D0”16 # set var EVENT.LOG _ PARAM _ 4 “1:2”17 # set var EVENT.LOG _ PARAM _ 5 “1000014”18 # set var EVENT.LOG _ PARAM _ 6 “JS-PERSONAL”19 # set var EVENT.LOG _ PARAM _ 7 “4.4.4.175”20 # set var EVENT.PROFILE unauth-hostnames21 # set var DISCOVERED _ VLAN corp22 # set var UNAUTH _ VLAN unauthvlan23 # enable cli scripting24 # configure cli mode non-persistent25 # if (!$match($EVENT.LOG _ EVENT,RecvKerberosTrig)) then26 # if ($match($EVENT.LOG _ PARAM _ 6,PRIMECORP) <= 9) then27 # configure vlan $DISCOVERED _ VLAN delete ports $EVENT.LOG _ PARAM _ 428 # configure vlan $UNAUTH _ VLAN add ports $EVENT.LOG _ PARAM _ 429 # endif30 # endif--------------------------------------------------------------------------------Number of UPM Events in Queue for execution: 0* Slot-1 Stack.119 # show vlan---------------------------------------------------------------------------------------Name VID Protocol Addr Flags Proto Ports VirtualActive router/Total---------------------------------------------------------------------------------------corp 2 4.4.4.1 /24 ------------------------ ANY 1 /1 VR-DefaultDefault 1 -------------------------------------------- ANY 0 /0 VR-DefaultMgmt 4095 10.127.1.129 /24 ------------------------ ANY 1 /1 VR-Mgmtnlvlan 7 ----------------------LN-------------------- ANY 0 /0 VR-Defaultunauthvlan 10 -------------------------------------------- ANY 1 /1 VR-Default---------------------------------------------------------------------------------------Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN,(d) NetLogin Dynamically created VLAN, (D) VLAN Admin Disabled,(E) ESRP Enabled, (f) IP Forwarding Enabled,(F) Learning Disabled, (i) ISIS Enabled, (L) Loopback Enabled,(l) MPLS Enabled, (m) IPmc Forwarding Enabled,(M) Translation Member VLAN or Subscriber VLAN,(n) IP Multinetting Enabled, (N) Network Login VLAN, (o) OSPF Enabled,(O) Flooding Disabled, (p) PIM Enabled, (P) EAPS protected VLAN,(r) RIP Enabled, (R) Sub-VLAN IP Range Configured,(s) Sub-VLAN, (S) Super-VLAN, (t) Translation VLAN or Network VLAN,(T) Member of STP Domain, (V) VPLS Enabled, (v) VRRP Enabled,© 2010 Extreme Networks, Inc. All rights reserved. Identity Aware Network—Page 66
Extreme Networks Application NoteTotal number of VLAN(s) : 5* Slot-1 Stack.120 # show “unauthvlan”VLAN Interface with name unauthvlan created by userAdmin State: Enabled Tagging: 802.1Q Tag 10Virtual router: VR-DefaultIPv6:NoneSTPD:NoneProtocol: Match all unfiltered protocolsLoopback: DisabledNetLogin: DisabledQosProfile: None configuredEgress Rate Limit Designated Port: None configuredFlood Rate Limit QosProfile: None configuredPorts: 1. (Number of active ports=1)Untag: *1:2(kerb _ port)Flags: (*) Active, (!) Disabled, (g) Load Sharing port(b) Port blocked on the vlan, (m) Mac-Based port(a) Egress traffic allowed for NetLogin(u) Egress traffic unallowed for NetLogin(t) Translate VLAN tag for Private-VLAN(s) Private-VLAN System Port, (L) Loopback port(e) Private-VLAN End Point Port(x) VMAN Tag Translated port6. Deployment Considerations6.1. Memory Usage in the SwitchThe default memory size configured for identity-management is 512KB, and this is consumed from the system as soon as theidentity-management process starts in ExtremeXOS. The memory pool reserved is used for the following purposes:• Tracking various user and device identities: This memory will be used throughout the lifetime of the identity. Eventssuch as identity aging will cause memory held by the process to be given back to the pool reserved for identitymanagement.• Processing several events sent to the identity-management process from other processes such as NetLogin, LLDP, FDBManager, etc. This memory is used to handle events such as user logon notification by NetLogin, and is relinquished assoon as the event has been processed.The table below summarizes the memory consumption for a combination of users and devices.Table 7:User/DeviceAuthentication MethodKerberosActivityLLDPAverage memoryrequired to trackone identityAverage memory required tohandle events related to oneidentity from other processes802.1X Web MACUser + Workstation 3 3 1KB 4KBUser + Workstation 3 512 bytes 4KBVoIP Phone 3 3 512 bytes 6KBVoIP Phone 3 3 512 bytes 6KBNOTESThese numbers for memory requirements are valid for ExtremeXOS 12.4.1, and are subject to change in later ExtremeXOS versionsdepending on the amount of information included as part of an identity.© 2010 Extreme Networks, Inc. All rights reserved. Identity Aware Network—Page 67
Page 1 and 2:
Extreme Networks Application NoteDe
Page 3 and 4:
Extreme Networks Application NoteTa
Page 5 and 6:
Extreme Networks Application Note3.
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Extreme Networks Application Noteco
Page 13 and 14:
Extreme Networks Application NoteSt
Page 15 and 16: Extreme Networks Application NoteSt
Page 21 and 22: Extreme Networks Application Note4.
Page 31 and 32: Extreme Networks Application NoteTh
Page 35 and 36: Extreme Networks Application Note©
Page 39 and 40: Extreme Networks Application NoteDe
Page 59 and 60: Extreme Networks Application Note<r
Page 61 and 62: Extreme Networks Application Note<c
Page 63 and 64: Extreme Networks Application NoteBe
Page 65: Extreme Networks Application Note*
show all

Deploying an Identity Aware Network

Create successful ePaper yourself

Delete template?

Save as template?