Configuring Access Guardian Using Guest Tunneling
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-89
2 Use the vlan command to create the VLAN on which guest traffic is forwarded to a perimeter network
and/or the Internet. The VLAN loopback port is also assigned to this VLAN (either tagged or as the
default VLAN for the loopback port).
-> vlan 50
3 Use the vlan members tagged command or vlan members untagged command to assign the port that
will serve as the VLAN loopback port to the VLAN created in Step 2 (VLAN 50).
-> vlan 50 members port 1/1/3 tagged
-> vlan 50 members port 1/1/3 untagged
4 Use the service l2profile command to configure a Layer 2 profile to drop all L2 protocol control
frames. This profile is assigned to the access port that will serve as the SAP loopback port.
-> service l2profile Guest-l2profile stp drop 802.1x drop 802.1ab drop 802.3ad drop gvrp drop mvrp drop amap drop
5 Use the service access command to configure a port as a service access port and assign a Layer 2
profile to the same port. Specify the port that will serve as the SAP loopback port and the Layer 2 profile
created in Step 4 (“Guest-l2profile”).
-> service access port 1/1/2 l2profile Guest-l2profile vlan-xlation enable description "Guest Loopback Port"
6 Use the service l2gre command to create an L2 GRE tunnel service and associate that service with a
Virtual Private VLAN ID (VPNID), also referred to as a guest tunnel ID. Make sure the VPNID value
specified matches the corresponding VPNID value that was configured on the edge switch.
-> service 100 l2gre vpnid 10 vlan-xlation enable remove-ingress-tag enable admin-state enable description "Guest Service"
7 Use the service sap command to create a Service Access Point (SAP) by associating the L2 GRE
tunnel service created in Step 6 (service 100) with the access port defined in Step 5 (1/1/2) and the VLAN
ID created in Step 2 (VLAN 50).
-> service 100 sap port 1/1/2:50 trusted admin-state enable description "Guest SAP VLAN 50"
8 Use the service sdp l2gre command to create a unicast Service Distribution Point (SDP) from the
GTTS to each guest tunnel edge switch. Specify the Loopback0 interface address of the edge switch as the
far-end IP address.
-> service sdp 20 l2gre far-end 10.0.0.1 admin-state enable description "Guest SDP 10.0.0.1"
-> service sdp 21 l2gre far-end 20.0.0.1 admin-state enable description "Guest SDP 20.0.0.1"
9 Use the service bind-sdp command to bind the L2 GRE service created in Step 6 to the SDPs created
in Step 8.
-> service 100 bind-sdp 20 21
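As an added example (not part of the guide and not an Alcatel-Lucent tool), the following Python audit parses the GTTS commands from Steps 2 to 9 and cross-checks them the way a reviewer would: the SAP port must be a service access port whose L2 profile drops the control-frame types listed in Step 4, the SAP VLAN must exist, the VPNID must match the value configured on the edge switch, and every SDP named in bind-sdp must be defined. It assumes the single-line command forms shown above; the embedded configuration is a constructed copy of this procedure's commands.

```python
import re

# Constructed sample: the GTTS commands from this procedure, one command per line.
GTTS_CONFIG = """
vlan 50
service l2profile Guest-l2profile stp drop 802.1x drop 802.1ab drop 802.3ad drop gvrp drop mvrp drop amap drop
service access port 1/1/2 l2profile Guest-l2profile vlan-xlation enable description "Guest Loopback Port"
service 100 l2gre vpnid 10 vlan-xlation enable remove-ingress-tag enable admin-state enable description "Guest Service"
service 100 sap port 1/1/2:50 trusted admin-state enable description "Guest SAP VLAN 50"
service sdp 20 l2gre far-end 10.0.0.1 admin-state enable description "Guest SDP 10.0.0.1"
service sdp 21 l2gre far-end 20.0.0.1 admin-state enable description "Guest SDP 20.0.0.1"
service 100 bind-sdp 20 21
"""
REQUIRED_DROPS = {"stp", "802.1x", "802.1ab", "802.3ad", "gvrp", "mvrp", "amap"}  # Step 4 drop list


def audit_gtts(config: str, edge_vpnid: int) -> list[str]:
    """Cross-check the Step 2-9 objects; an empty list means the config is consistent."""
    vlans, sdps, profiles, access_ports, services, saps, binds = set(), set(), {}, {}, {}, [], {}
    for line in (l.strip() for l in config.strip().splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlans.add(int(m[1]))
        elif m := re.match(r"service l2profile (\S+) (.*)", line):
            profiles[m[1]] = set(re.findall(r"(\S+) drop", m[2]))  # protocols this profile drops
        elif m := re.match(r"service access port (\S+) l2profile (\S+)", line):
            access_ports[m[1]] = m[2]
        elif m := re.match(r"service (\d+) l2gre vpnid (\d+)", line):
            services[int(m[1])] = int(m[2])
        elif m := re.match(r"service (\d+) sap port (\S+):(\d+)", line):
            saps.append((int(m[1]), m[2], int(m[3])))
        elif m := re.match(r"service sdp (\d+) l2gre far-end (\S+)", line):
            sdps.add(int(m[1]))
        elif m := re.match(r"service (\d+) bind-sdp (.*)", line):
            binds[int(m[1])] = [int(x) for x in m[2].split()]
    findings = []
    for svc, vpnid in services.items():
        if vpnid != edge_vpnid:  # Step 6: VPNID must match the edge switch
            findings.append(f"service {svc}: vpnid {vpnid} != edge switch vpnid {edge_vpnid}")
        for sdp in binds.get(svc, []):  # Step 9: every bound SDP must exist (Step 8)
            if sdp not in sdps:
                findings.append(f"service {svc}: bound SDP {sdp} is not defined")
    for svc, port, vlan in saps:  # Step 7: SAP ties service, access port and VLAN together
        if svc not in services:
            findings.append(f"sap {port}:{vlan}: service {svc} is not an l2gre service")
        if vlan not in vlans:
            findings.append(f"sap {port}:{vlan}: VLAN {vlan} was never created")
        profile = access_ports.get(port)
        if profile is None:
            findings.append(f"sap {port}:{vlan}: {port} is not a service access port")
        elif missing := REQUIRED_DROPS - profiles.get(profile, set()):
            findings.append(f"sap {port}:{vlan}: l2profile {profile} does not drop {sorted(missing)}")
    return findings
```

Run audit_gtts(GTTS_CONFIG, 10) to check the procedure as written; feed it a config with a mismatched VPNID, a missing VLAN or an SDP that was never created to see the corresponding finding.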