Configuring Access Guardian Using Guest Tunneling
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-86
Switch Ports for Guest Devices
Configure the ports on which traffic from guest devices will be received as UNP bridge ports. Note that
VLAN translation is not supported on UNP ports that connect to guest devices. There is no VLAN
association with the SAP created for the L2 GRE tunnel, so all traffic egressing on the UNP port must be
untagged.
Guest Tunnel Termination Switch Configuration Guidelines
Consider the following tasks and guidelines when configuring the Guest Tunneling objects
required to define a tunnel endpoint on the Guest Tunnel Termination Switch (GTTS).
• Only one GTTS is required in the network; all edge switch guest tunnels terminate on the GTTS.
• The L2 GRE service objects and the loopback port setup are manually configured.
• An external loopback port configuration is required on the GTTS to bridge traffic between the L2 GRE
service domain and the guest VLAN domain.
– One end of the physical loopback cable connects to an access port and the other end connects to a
bridge port.
– The access port is assigned to a SAP for the L2 GRE tunnel.
– The bridge port is assigned to a VLAN.
– When GRE tunneled traffic is received on the SAP loopback port, the GRE encapsulation
information is removed before the traffic is passed through to the bridge loopback port and
forwarded on the VLAN domain.
– When VLAN domain traffic is received on the bridge loopback port, the traffic is passed through to
the SAP loopback port, encapsulated, and sent through the GRE tunnel.
• Guest traffic enters the L2 GRE tunnel untagged. When the traffic reaches the GTTS, the GRE
encapsulation is removed and the traffic is tagged with the VLAN ID of the loopback port to identify
the VLAN domain on which the traffic is forwarded.
Loopback Access Port Guidelines
• The loopback access port and a VLAN tag are used to define the SAP for the L2 GRE tunnel.
• Create an access port Layer 2 profile that will discard all Layer 2 protocol control frames and assign
the profile to the loopback access port.
• Enable VLAN translation on the access port to ensure that egress traffic on the SAP loopback port is
tagged. If VLAN translation is not enabled, make sure the VLAN port for the other side of the
loopback connection is assigned to the appropriate default VLAN to enable the switching of egress
traffic.
L2 GRE Service Guidelines
• Make sure the VPNID value configured on the GTTS matches the corresponding VPNID value
configured on the edge switch.
• Enable VLAN translation for the L2 GRE service to ensure that egress traffic on the SAP loopback
port is tagged; VLAN translation must be enabled at both the access port and service level. If VLAN
translation is not enabled, make sure the VLAN port for the other side of the loopback connection is
assigned to the appropriate default VLAN to enable the switching of egress traffic.
• Enable the remove ingress tag function for the L2 GRE service. This will ensure that traffic entering
the guest tunnel is untagged.
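
The GTTS guidelines above can be checked before deployment. The following is an added example, not code from this guide and not an AOS command or API: it audits a hand-built model of the GTTS settings against the guidelines. The GttsConfig fields, the finding names, and the sample values are hypothetical, and "appropriate default VLAN" is assumed to mean the guest VLAN.

```python
from dataclasses import dataclass

@dataclass
class GttsConfig:
    """Hypothetical model of the GTTS settings named in the guidelines."""
    vpnid: int                        # VPNID of the L2 GRE service on the GTTS
    remove_ingress_tag: bool          # remove ingress tag function on the service
    service_vlan_xlation: bool        # VLAN translation on the L2 GRE service
    access_port_vlan_xlation: bool    # VLAN translation on the loopback access port
    l2_profile_discards_control: bool # L2 profile discards all L2 control frames
    guest_vlan: int                   # VLAN domain guest traffic must land on
    bridge_port_default_vlan: int     # default VLAN of the bridge loopback port

def audit_gtts(edge_vpnid: int, cfg: GttsConfig) -> list:
    """Return the guidelines that cfg violates, as a list of finding names."""
    findings = []
    if cfg.vpnid != edge_vpnid:
        findings.append("VPNID_MISMATCH")
    if not cfg.remove_ingress_tag:
        findings.append("INGRESS_TAG_NOT_REMOVED")
    if not cfg.l2_profile_discards_control:
        findings.append("L2_CONTROL_FRAMES_NOT_DISCARDED")
    # Translation only takes effect when enabled at BOTH levels.
    if cfg.service_vlan_xlation != cfg.access_port_vlan_xlation:
        findings.append("VLAN_XLATION_ONE_LEVEL_ONLY")
    translated = cfg.service_vlan_xlation and cfg.access_port_vlan_xlation
    # Without translation, egress on the SAP loopback port is untagged, so the
    # bridge port's default VLAN decides where guest traffic is switched.
    if not translated and cfg.bridge_port_default_vlan != cfg.guest_vlan:
        findings.append("UNTAGGED_EGRESS_WRONG_DEFAULT_VLAN")
    return findings

# Constructed sample configurations (values are illustrative only).
TRANSLATED = GttsConfig(vpnid=1000, remove_ingress_tag=True,
                        service_vlan_xlation=True, access_port_vlan_xlation=True,
                        l2_profile_discards_control=True,
                        guest_vlan=200, bridge_port_default_vlan=1)
FALLBACK = GttsConfig(vpnid=1000, remove_ingress_tag=True,
                      service_vlan_xlation=False, access_port_vlan_xlation=False,
                      l2_profile_discards_control=True,
                      guest_vlan=200, bridge_port_default_vlan=200)
BROKEN = GttsConfig(vpnid=1001, remove_ingress_tag=False,
                    service_vlan_xlation=True, access_port_vlan_xlation=False,
                    l2_profile_discards_control=False,
                    guest_vlan=200, bridge_port_default_vlan=1)

if __name__ == "__main__":
    for name, cfg in (("TRANSLATED", TRANSLATED), ("FALLBACK", FALLBACK), ("BROKEN", BROKEN)):
        print(name, audit_gtts(1000, cfg) or "ok")
```

The BROKEN sample shows the case most likely to be missed: translation enabled at only one level leaves egress untagged, so guest traffic is switched on the bridge port's default VLAN instead of the guest VLAN.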