Universal Network Profile (UNP)
Virat Parmar, Data & Wireless
COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED.


Agenda:
Understanding the UNP concept:
  - Introduction
  - Benefits
  - UNP types, ports, profiles, etc.
  - How UNP works
Added advantages in 8x:
  - Configuring UNP on 8x
  - How UNP works in 8x
Configuration examples.
Show commands.


Understanding the UNP concept: Introduction

The Universal Network Profile (UNP) feature provides network administrators with the ability to define and apply network access control to specific types of devices by grouping such devices according to specific matching profile criteria. UNP is defined under the Access Guardian domain.

Access Guardian is a collection of Alcatel-Lucent security functions that work together to provide a proactive and dynamic network security framework designed for network access control (NAC) that covers:
  - Device and/or user authentication and classification (only RADIUS authentication is supported).
  - Host Integrity Check.
  - User Network Profiles.
  - Adding more granularity/control over network access.
  - Mobility solution for the device/user.
  - Added advantage of creating virtual machine network profiles (vNPs) and user network profiles for unified access.
  - Bandwidth management.


Understanding the UNP concept: Introduction (cont.)

Benefits:
  - UNP provides mobility and security according to the end user role.
  - Simplifies network access control management.
  - Automates bandwidth management allocation.


Understanding the UNP concept: UNP profile and types

UNP classifies devices based on attributes configured in the UNP profile. A profile consists of configurable attributes that help to define a group of users or devices that have similar requirements for access to network resources. A device sending traffic that matches such attributes is then assigned to either a VLAN or a Shortest Path Bridging (SPB) service that is associated with the UNP.

Dynamic assignment of devices using UNPs is achieved through port-based functionality that provides the ability to authenticate and classify device traffic. Authentication verifies the device identity and provides a UNP name. If authentication is not available or is unsuccessful, the classification rules associated with the UNPs, as well as the UNP port configuration attributes, are applied to the traffic to determine the UNP assignment.

Types of UNP profile:
  - VLAN profile.
  - Service profile.


Understanding the UNP concept: VLAN profile

Normally, VLAN profiles are manually created by the administrator. Dynamic VLAN profile configuration is also supported (depending on certain traffic conditions and the UNP port configuration).

The VLAN profile consists of the following attributes:
  - UNP name.
  - VLAN ID.
  - Classification rules.
  - QoS policy list name.

A UNP profile is dynamically created when the trust VLAN tag option is enabled and one of the following conditions occurs:
  - A tagged packet received on the UNP port contains a VLAN tag that matches an existing MVRP VLAN in the switch configuration that is not assigned to a profile.
  - There is no matching VLAN in the switch configuration.

Note: Dynamic UNP VLANs are not saved in the switch configuration file (boot.cfg).


Understanding the UNP concept: Service profile

UNP service classification profiles are manually created by the administrator. Dynamic configuration of service profiles is not supported, and service profiles are not supported in an MCLAG configuration.

A UNP service classification profile consists of the following attributes:
  - UNP name.
  - Tag value.
  - I-SID number.
  - Backbone VLAN.
  - Classification rules.
  - QoS policy list name.


Understanding the UNP concept: Service profile (cont.)

The service profile attributes (VLAN tag, I-SID, and BVLAN) are used to define an SPB service access point (SAP) for traffic that is classified by the service profile. The VLAN tag, combined with the local UNP access port on which matching profile traffic is received, specifies the encapsulation value for the SAP. The I-SID and BVLAN ID specify a backbone service for the SAP; this is the service that will forward the matching profile traffic through the network.


Understanding the UNP concept: UNP port

Two types of UNP ports:
  - Bridge: if a port is configured as a UNP bridge port, then traffic received on that port is only classified using VLAN profiles. A UNP bridge port is dynamically assigned to a VLAN.
  - Access: if a port is configured as a UNP access port, then traffic received on that port is only classified using SPB service profiles. UNP access ports are not dynamically assigned to VLANs, as the traffic is classified to an SPB SAP.


Understanding the UNP concept: Dynamic UNP VLAN

UNP dynamic VLANs differ from standard VLANs as follows:
  - A dynamic VLAN cannot be deleted using standard VLAN commands. The VLAN is only removed when the UNP to which the VLAN is assigned is deleted.
  - UNP dynamic VLANs are identified as a separate type of VLAN. The vlan show commands display this type with the default name UNP-DYN-VLAN and the designated type UNP Dynamic Vlan.
  - Dynamic VLANs are not saved in the "! VLAN:" section of the switch configuration file (boot.cfg). However, the unp commands that enable dynamic VLAN configuration and create the UNP are saved in the "! DA-UNP:" section of boot.cfg. As a result, the VLAN is created again on the next switch boot-up.


Understanding the UNP concept: Classification

The following classification methods are implemented through UNP functionality; together with the profile criteria, they provide the ability to tailor profiles for specific devices (physical or virtual):
  - MAC-based authentication using a RADIUS-capable server. A profile name is returned upon successful authentication. An alternate UNP is configurable, to which devices are assigned when authentication is successful but a UNP name was not returned by the server.
  - Switch-wide classification rules to classify on source MAC or IP address (no authentication required).
  - VLAN tag classification to create dynamic VLAN port associations based on the VLAN ID tag of packets received from the device. This functionality is not limited to UNP VLANs; the device is assigned to any existing VLAN that matches the device tag.
  - Default profile classification, used for untagged traffic or traffic not classified through other methods.
  - Authentication server down support, which allows the configuration of a UNP to which devices that require MAC authentication are assigned when the RADIUS server is unreachable. When a device is assigned to this UNP, a timer is automatically started that determines how long the device remains assigned to the UNP before another attempt is made to reach the RADIUS server.


Understanding the UNP concept: How it works

UNP is enabled on individual switch ports, and profiles are defined to determine the dynamic VLAN assignment for devices connected through the UNP ports. When UNP is enabled on a switch port, a device classification process is triggered when the port receives traffic. Based on both the UNP port and profile configuration, traffic is processed as follows to determine the profile association and the subsequent VLAN assignment for the device traffic.


[Two diagram slides, "Understanding the UNP concept: How it works", follow here; only their titles survived the text extraction.]


Understanding the UNP concept: Decision making

In the event that UNP port traffic matches more than one classification rule, the following rule precedence is applied to determine which UNP to apply to the traffic.


Added advantages in 8x (via Access Guardian 2.0)

  - MAC-based and 802.1X-based authentication using a RADIUS-capable server.
  - Redirection for Captive Portal authentication.
  - Redirection to ClearPass Policy Manager (CPPM): Bring Your Own Device (BYOD) user device registration, integrity check, UNP assignment, QoS policy list assignment.
  - Simplified configuration by implementing edge profiles and edge ports: no more VLAN profile or service profile, and no more bridge ports or access ports.
  - Added attributes for more control over network access:
      - Location-based policy, time-based policy.
      - Captive Portal authentication, Captive Portal profile.
      - Authentication flag and redirect flag.


Added advantages in 8x (via Access Guardian 2.0): Added attributes

1. Location-based policy: defines criteria (such as the slot/port, system name and location) to determine if a device is accessing the network from a valid location.
2. Time-based policy: specifies the days and times during which a device can access the network.
   Note: If a device violates either of the above policies, the device is placed into an unauthorized state, even though it is still assigned to the profile.
3. Captive Portal profile.
4. Captive Portal authentication: the internal Captive Portal authentication process is triggered when a user device is assigned to the profile.
5. Authentication flag: configures the authentication flag status for the profile. When enabled, only devices that were successfully authenticated (through Layer 2 MAC or 802.1X authentication) can be assigned to the profile.
6. Redirect flag: configures the redirect status for the profile. When enabled, the profile interacts with the ClearPass Policy Manager (CPPM) as part of the OmniSwitch Bring Your Own Device (BYOD) solution.


Added advantages in 8x: Configuring UNP on 8x

Configuring the UNP feature consists of 2 tasks:
  - Profile configuration: define profile attributes that enforce network access control for devices classified into the profile.
  - Port configuration: enable UNP functionality on individual ports.

Troubleshooting tip: By default, UNP is disabled on all ports, even if profiles exist in the switch configuration.

1. Profile configuration:
  - Create an edge profile.
  - (Optional) Configure classification rules for the profile. When classification is enabled on a UNP port, these rules are applied to traffic received on the port to determine which UNP is applied to the traffic. (802.1X authentication takes precedence over the classification rules.)
  - Define a temporary UNP to which devices classified on UNP bridge ports are assigned in the event the authentication server is down or unreachable. A configurable timer is also available to specify how long a device remains in this temporary UNP.
  - (Optional) QoS policies.

2. Port configuration:
  - 802.1X-based or MAC-based authentication.
  - An alternative UNP for 802.1X or MAC authentication. When authentication is successful but the RADIUS server does not return a UNP name, the alternate pass UNP is applied to the device traffic.
  - Rule-based classification. When classification is enabled, UNP rules are applied to device traffic if authentication fails or is not available.
  - A default profile. The default UNP is applied to traffic when other classification methods do not provide a profile name.


Added advantages in 8x: Configuring UNP on 8x (example)

Configure UNP VLANs and profile parameters:

1. Configure the VLAN:
   -> vlan 10

2. Configure unp1 with VLAN 10 and a MAC classification rule, using the unp edge-profile and unp classification mac-address commands:
   -> unp edge-profile unp1
   -> unp vlan-mapping edge-profile unp1 vlan 10
   -> unp classification mac-address 11:11:11:11:11:11 edge-profile unp1

3. (Optional) Create a QoS policy list for unp1 and then associate the list with unp1 using the qos-policy-list parameter of the unp edge-profile command:
   -> policy condition c1 source ip 10.2.2.1
   -> policy action a1 redirect port 1/2
   -> policy rule r1 condition c1 action a1
   -> policy list list1 type unp
   -> policy list list1 rules r1 enable
   -> unp edge-profile unp1 qos-policy-list list1


Added advantages in 8x: Configuring UNP on 8x (example)

Configure UNP port parameters:

Enable UNP on the ports to which network devices are connected. If UNP is not enabled on a port, UNP device classification is not applied to device traffic received on that port.
   -> unp port 2/1/1 enable

Enable MAC authentication on the UNP ports using the unp mac-authentication command. If authentication is not enabled, the MAC address of the device connected to the port is not sent to the RADIUS server for authentication.
   -> unp port 2/1/1-10 mac-authentication enable

(Optional) Configure an alternate UNP using the unp mac-authentication pass-alternate command.
   -> unp port 2/1/1-10 mac-authentication pass-alternate edge-profile macPass

Enable classification on the UNP ports using the unp classification command. If classification is not enabled, UNP will not apply profile rules to classify traffic.
   -> unp port 2/1/1-10 classification enable

(Optional) Configure a default UNP using the unp default-edge-profile command; it is applied when all other classification fails.
   -> unp port 2/1/1-10 default-edge-profile def_unp


Added advantages in 8x: Configuring UNP on 8x (example)

Configure global UNP parameters:

Specify a UNP to apply to device traffic when the authentication server is down:
   -> unp auth-server-down temp_unp
An authentication server down timer is started for the device when the device is assigned to the VLAN associated with this UNP.

(Optional) Change the authentication server down timer value:
   -> unp auth-server-down timeout 120
Re-authentication is initiated only after the specified timeout value.
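As an added illustration (not from this deck and not Alcatel-Lucent code), the following Python model walks a device's MAC address through the port and global parameters configured above and reports which profile it lands in and why. The order of the steps (authentication, pass-alternate, classification rules, default profile, authentication server down) is an assumption drawn from the deck's description rather than a vendor specification, and the source labels are my own, loosely following the Classification Source strings in the deck's show unp user output.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PortConfig:
    """Per-port settings from the 'unp port ...' commands."""
    enabled: bool = False
    mac_auth: bool = False                 # unp port ... mac-authentication enable
    pass_alternate: Optional[str] = None   # ... mac-authentication pass-alternate
    classification: bool = False           # unp port ... classification enable
    default_unp: Optional[str] = None      # unp port ... default-edge-profile


@dataclass
class GlobalConfig:
    """Switch-wide settings from the 'unp auth-server-down ...' commands."""
    auth_server_down_unp: Optional[str] = None
    auth_server_down_timeout: int = 60     # seconds; 60 is the default shown in the deck


@dataclass
class Result:
    unp: Optional[str]                  # None: no profile, the device is blocked
    source: str                         # why the device landed there (labels are assumptions)
    reauth_after: Optional[int] = None  # auth-server-down timer, when one was started


def classify(mac: str, port: PortConfig, glob: GlobalConfig,
             mac_rules: Dict[str, str], radius: Optional[Dict[str, str]]) -> Result:
    """Decide the UNP for one device. 'radius' is a constructed stand-in for the
    server: None means unreachable, a missing MAC means Access-Reject, an empty
    string means Access-Accept without a UNP name, otherwise the returned UNP."""
    if not port.enabled:
        return Result(None, "UNP disabled on port - no classification")
    auth_failed = False
    if port.mac_auth:
        if radius is None:                         # server down or unreachable
            if glob.auth_server_down_unp:
                return Result(glob.auth_server_down_unp, "Auth-Server-Down UNP",
                              glob.auth_server_down_timeout)
            return Result(None, "Auth-Server-Down UNP - Blocked")
        if mac in radius:
            if radius[mac]:
                return Result(radius[mac], "RADIUS - Server UNP")
            if port.pass_alternate:
                return Result(port.pass_alternate, "RADIUS - Pass-Alternate UNP")
            # accepted, but no name and no pass-alternate: fall through to rules/default
        else:
            auth_failed = True
    prefix = "Auth Fail - " if auth_failed else ""
    if port.classification and mac in mac_rules:   # rules apply only when enabled
        return Result(mac_rules[mac], prefix + "MAC Rule UNP")
    if port.default_unp:
        return Result(port.default_unp, prefix + "Default UNP")
    return Result(None, prefix + "No profile - Blocked")


if __name__ == "__main__":
    # Constructed scenario mirroring the deck's example configuration.
    port = PortConfig(True, True, "macPass", True, "def_unp")
    glob = GlobalConfig("temp_unp", 120)
    rules = {"11:11:11:11:11:11": "unp1"}
    radius = {"00:00:00:00:00:01": "Sales", "00:80:df:00:00:02": ""}
    for mac in ("00:00:00:00:00:01", "00:80:df:00:00:02",
                "11:11:11:11:11:11", "aa:aa:aa:aa:aa:aa"):
        print(mac, classify(mac, port, glob, rules, radius))
    print("server down:", classify("aa:aa:aa:aa:aa:aa", port, glob, rules, None))
```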


Added advantages in 8x: How it works in 8x


Configuration examples: MAC authentication with UNP

Configure the RADIUS server:
   aaa radius-server name RAD1 host 100.1.1.1 key abc123
   aaa device-authentication mac RAD1

Configure three UNPs with VLAN 200, VLAN 100 and VLAN 10:
   unp name unp1 vlan 200
   unp name unp2 vlan 100
   unp name unp3 vlan 10

Enable UNP on the ports that will receive the device traffic:
   unp port 1/1 enable

Configure unp3 as the default profile for the UNP port:
   unp port 1/1 default-unp unp3

Enable MAC authentication on the port and configure unp2 as the pass-alternate UNP:
   unp port 1/1 mac-authentication enable
   unp port 1/1 mac-authentication pass-alternate unp-name unp2

Enable trust VLAN tag on the UNP port:
   unp port 1/1 trust-tag enable


Configuration examples: UNP classification rules

The following example applies when device classification is enabled for the UNP port and MAC authentication has failed (or is disabled):

1. Configure the classification rule (a MAC rule):
   unp classification mac-address 00:11:22:33:44:55 unp-name unp1

2. Enable the UNP feature and MAC authentication on the port:
   unp port 1/1 enable
   unp port 1/1 mac-authentication enable

3. Enable classification so that ingress traffic on the port is classified:
   unp port 1/1 classification enable


Configuration examples: Classification using QoS policy lists

The following QoS commands redirect the traffic coming from IP address 10.1.1.10 to port 1/2:
   policy condition c1 source ip 10.1.1.10
   policy action a1 redirect port 1/2
   policy rule r1 condition c1 action a1 no default-list
   policy list list1 type unp
   policy list list1 rule r1
   qos apply

The following command associates the unp2 profile with this policy list:
   unp name unp2 policy-list-name list1

After successful authentication, the list1 policy list associated with the UNP is applied to the MAC address:
   unp port 1/1 enable
   unp port 1/1 mac-authentication enable pass-alternate unp-name unp2


Show commands

Profile configuration:

-> show unp
Name                                  Vlan  Policy List Name
-------------------------------------+-----+--------------------
Sales                                 100   list1
Finance                               1000  list2

-> show unp Finance
Name                                  Vlan  Policy List Name
-------------------------------------+-----+--------------------
Finance                               1000  list2

UNP global configuration:

-> show unp global configuration
Dynamic Vlan Configuration: Enabled,
Auth Server Down UNP: SrvDownUnp,
Auth Server Down Timeout (Sec): 60

-> show unp global configuration
Dynamic Vlan Configuration: Disabled,
Auth Server Down UNP: -,
Auth Server Down Timeout (Sec): 60

Classification rule configuration:

-> show unp classification mac-rule
MAC Address         UNP Name      VLAN Tag
------------------+--------------+----------
00:11:22:33:44:55   Sales         100
00:0f:b5:46:d7:56   Finance       -

-> show unp classification mac-range-rule
Low MAC Address     High MAC Address    UNP Name    VLAN Tag
------------------+------------------+-----------+----------
00:11:22:33:44:66   00:11:22:33:44:77   Sales       -
00:11:22:33:44:88   00:11:22:33:44:99   Sales       HR

-> show unp classification ip-rule
IP Address       IP Mask          UNP Name    VLAN Tag
---------------+---------------+-----------+----------
10.1.1.1         255.0.0.0        Engg        -
50.1.1.1         255.0.0.0        HR          300

-> show unp classification vlan-tag-rule
VLAN Tag   UNP Name
---------+--------------------
400        Admin
300        HR


Show commands

UNP port configuration:

-> show unp port
Port   Mac-Auth   Classification   Default   Pass-Alternate   Trust-Tag
-----+----------+----------------+---------+----------------+-----------
1/1    Enabled    Enabled          Sales     Finance          Enabled
1/2    Enabled    Disabled         Engg      Accounting       Disabled
1/3    Disabled   Disabled         Engg      -                Enabled
1/4    Disabled   Disabled         -         -                Disabled
0/10   Enabled    Enabled          Sales     Finance          Enabled
0/11   Enabled    Disabled         Engg      Accounting       Disabled

-> show unp port 1/1
Port   Mac-Auth   Classification   Default   Pass-Alternate   Trust-Tag
-----+----------+----------------+---------+----------------+-----------
1/1    Enabled    Enabled          Sales     Finance          Enabled

UNP user configuration:

-> show unp user
Total users: 3
Port   Username            Mac address         IP         Vlan   UNP       Auth Status
-----+-------------------+-------------------+----------+------+---------+------------
1/1    00:00:00:00:00:01   00:00:00:00:00:01   10.0.0.1   10     Sales     Active
1/1    00:80:df:00:00:02   00:80:df:00:00:02   10.0.0.2   20     Finance   Active
1/2    00:80:df:00:00:03   00:80:df:00:00:03   20.0.0.5   30     -         Block

-> show unp user 00:00:00:00:00:01
Port : 01/20,
Mac-address : 00:00:00:00:00:01,
IP : 14.15.16.17,
Vlan : 300,
UNP : unp3,
Login Timestamp : 04/01/1970 18:45:26,
Authentication Type : Mac authentication,
Authentication Status : Authenticated,
Classification Source : RADIUS - Server UNP


Show commands (cont.)

-> show unp user 00:11:11:00:00:12
Port : 01/20,
Mac-address : 00:11:11:00:00:12,
IP : 14.15.16.17,
Vlan : 100,
UNP : unp1,
Login Timestamp : 04/01/1970 18:49:04,
Authentication Type : Mac authentication,
Authentication Status : Authenticated,
Classification Source : RADIUS - Default UNP

-> show unp user 00:11:22:33:44:93
Port : 01/20,
Mac-address : 00:11:22:33:44:93,
IP : 14.15.16.17,
Vlan : 400,
UNP : unp4,
Login Timestamp : 04/01/1970 18:43:11,
Authentication Type : Mac authentication,
Authentication Status : Failed,
Classification Source : Auth Fail - MAC Range Rule UNP

-> show unp user 00:11:22:33:44:99
Port : 01/20,
Mac-address : 00:11:22:33:44:99,
IP : 14.15.16.17,
Vlan : 500,
UNP : unp5,
Login Timestamp : 04/01/1971 18:50:01,
Authentication Type : - ,
Authentication Status : - ,
Classification Source : Tag - MAC Rule UNP

-> show unp user 00:11:22:33:44:99
Port : 01/20,
Mac-address : 00:11:22:33:44:99,
IP : 14.15.16.17,
Vlan : 500,
UNP : unp5,
Login Timestamp : 04/01/1971 18:50:01,
Authentication Type : Mac Authentication,
Authentication Status : Failed,
Classification Source : Auth-Server-Down UNP


Show commands (cont.)

-> show unp user 00:11:22:33:44:9A
Port : 01/21,
Mac-address : 00:11:22:33:44:9A,
IP : 14.15.16.19,
Vlan : 1,
UNP : - ,
Login Timestamp : - ,
Authentication Type : Mac Authentication,
Authentication Status : Failed,
Classification Source : Auth-Server-Down UNP - Blocked
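Added example (not from this deck and not part of the OmniSwitch software): a small Python parser for the "show unp user <mac>" output format shown above, with the checks a network operator would run over it to surface failed authentications, devices parked in the authentication-server-down profile, and blocked devices. The sample text is constructed in the same field layout as the slide output, and the finding texts are my own.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the deck's "show unp user <mac>" output.
SAMPLE = """\
Port : 01/20,
Mac-address : 00:11:22:33:44:93,
IP : 14.15.16.17,
Vlan : 400,
UNP : unp4,
Login Timestamp : 04/01/1970 18:43:11,
Authentication Type : Mac authentication,
Authentication Status : Failed,
Classification Source : Auth Fail - MAC Range Rule UNP
"""

# Key ends at the first colon, so values holding colons (MACs, timestamps) stay whole.
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*,?\s*$")


def parse_unp_user(text: str) -> Dict[str, str]:
    """Turn 'Key : Value,' lines into a dict; a bare '-' value is kept as '-'."""
    entry = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            entry[m.group(1)] = m.group(2)
    return entry


def findings(entry: Dict[str, str]) -> List[str]:
    """Conditions an operator wants surfaced from one UNP user entry."""
    out = []
    status = entry.get("Authentication Status", "-")
    source = entry.get("Classification Source", "")
    unp = entry.get("UNP", "-")
    if status == "Failed":
        out.append("authentication failed")
    if "Auth-Server-Down" in source:
        out.append("RADIUS unreachable: temporary profile in use, re-auth pending")
    if "Blocked" in source or unp == "-":
        out.append("device blocked: no profile assigned")
    if status == "-" and unp != "-":
        out.append("profile assigned without authentication (rule or tag match)")
    return out


def review(text: str) -> Dict[str, List[str]]:
    """Parse several outputs separated by blank lines; map MAC -> findings (non-empty only)."""
    report = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = parse_unp_user(block)
        hits = findings(entry)
        if hits:
            report[entry.get("Mac-address", "?")] = hits
    return report


if __name__ == "__main__":
    for mac, hits in review(SAMPLE).items():
        print(mac, "->", "; ".join(hits))
```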
