
Wired

The Wired view presents the scaffolds associated with configuring the wired distribution layer of your network, and monitoring/configuring the switch ports throughout your infrastructure.

Switches

An entry in the switches scaffold defines a piece of switching equipment with which the rXg will communicate for the purpose of effecting dynamic VLAN changes when necessary due to a policy shift for a device on the network.

When a device's VLAN assignment has changed due to a policy shift, the rXg will connect to the switch associated with the device's RADIUS realm via the protocol specified in the configuration, and force a disconnect/reconnect, which will reinitiate the RADIUS authentication process, thereby resulting in the new VLAN assignment being applied to the client device.

The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.

The device section specifies information about the equipment being configured. Fields with bold text are required. Choose the appropriate option from the supported device types drop-down menu.

Enabling the Monitoring checkbox results in the rXg attempting to import and synchronize Switch Ports from the device, as well as perform ping monitoring of the switch itself, and collect CPU and Memory statistics, where possible.

The SNMP community field specifies the SNMP community string that will be used when attempting to gather CPU and/or Memory information, as well as to collect Switch Port utilization/error/discard data for graphing.

The Switch Fabric field assigns a switch fabric profile to this switch. The Loopback IP, System name, and SPB-m nickname fields must be provided when assigning a switch fabric profile. After supplying the necessary information, the Config sync status link becomes available in the scaffold.

For switches that support configuration management, the Config sync status column contains a link that allows the operator to access bootstrap instructions and enable synchronization.

When bootstrapping a new switch, the operator may retrieve bootstrap commands that will bring a factory default switch or wireless controller into the necessary state to participate in the fabric network, which may be copy/pasted into a console session on the device.

After initial bootstrapping and network connectivity is established, the operator may download a running configuration backup or compare the current running configuration to the expected configuration, based on the associated configuration elements. If changes are needed, they may be pushed to the switch. After successfully synchronizing manually the first time, future configuration changes will be pushed to the device whenever relevant configuration changes are made in the database.

The note field is a place for the administrator to enter a comment. This field is purely informational and has no bearing on the configuration settings.

Switch Fabric

An entry in the Switch Fabric scaffold defines the fabric area of an 802.1aq Shortest Path Bridging-MAC (SPB-m) deployment. All participating fabric switches share the common configuration found here. In addition, each participating fabric switch should have an Infrastructure Device defined with the necessary SPB-m configuration specific to that device.

The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.

The Management I-SID field specifies the I-SID that will be associated with the Management VLAN for management traffic. The Management VLAN is configured per device, under the Switches scaffold.

The Manual area field specifies the IS-IS area that will be used within this fabric, in the format xx.xxxx (for example, 10.0001).

The Primary B-VLAN and Secondary B-VLAN fields indicate the VLANs which will be used for passing encapsulated traffic between participating fabric switches on switch ports designated as NNI ports. These VLANs should be unused elsewhere in your infrastructure.

Switch Ports

Entries in the Switch Ports scaffold are created automatically by enabling the Monitoring checkbox on a supported switch's Infrastructure Device. Ports are imported and speed, packet, error and discard rates are gathered via SNMP and made graphable for each switch port.

The name field represents the port's identification in the switch, and should not be changed.

The NNI Port designates this port as a Network-to-Network Interface. This option must be enabled for any port where two fabric-enabled switches interconnect.

The speed in bps field represents the port's maximum physical speed in bits per second.

Switch Port Profiles

Entries in the Switch Port Profiles scaffold define the behavior of downstream wired infrastructure device ports. Switch port profiles enable an operator to manage virtually unlimited switch ports, without configuring them individually.

The name field is an arbitrary string descriptor used only for administrative identification. Choose a name that reflects the purpose of the record. This field has no bearing on the configuration or settings determined by this scaffold.

The Default checkbox declares the selected switch port profile as the default for any newly imported switches.

The Move Ports checkbox, if selected, will move ports currently associated with a different default profile to this profile upon save. This should be used in conjunction with the Default checkbox.

The Ports field defines individual switch ports to associate with this profile.

The Native VLAN field is used to define the untagged VLAN that ports associated to a profile should use.

The Shutdown checkbox declares ports associated to this profile to be disabled.

The VLANs field defines the VLANs that should be tagged on ports associated with a profile.

The RADIUS drop-down menu can be used to enable 802.1X or MAC Authentication Bypass on ports associated to a profile.

The native I-SID specifies the network that untagged traffic from this port should be placed into when building a Fabric configuration script.

The NNI Port designates this port as a Network-to-Network Interface. This option must be enabled for any port where two fabric-enabled switches interconnect.

Switch Model-specific Configuration Details

This section contains a collection of switch model-specific configuration details required to bring the switch online and enable the config sync.

Cisco IOS switches

A Cisco IOS switch requires a few changes to its default running config, namely:

  • baseline configuration
  • SNMP community configuration
  • VTP VLAN mode change
  • default RADIUS configuration
  • changes to AAA configuration
  • MAB configuration

Baseline configuration

There are several changes to the baseline Cisco IOS configuration, including the following modifications.

Disable TCP and UDP small servers that run in the switch for diagnostics purposes.

no service udp-small-servers
no service tcp-small-servers

Disable the local HTTP server (it is not used with config sync).

no ip http server

Enable the password encryption service.

service password-encryption

Enable SSHv2, generate the necessary RSA key, and make SSH the only accepted transport protocol on the VTY lines. Note that the IP domain name must also be set for the RSA key to be generated.

ip domain name <your-local-domain-name>
crypto key generate rsa general-keys modulus 4096
ip ssh version 2
line vty 0 15
  login local
  transport input ssh
exit

SNMP community configuration

The SNMP read-only community access needs to be configured, as follows:

snmp-server community public ro

The default community used by the rXg ('public') can be changed for a given Cisco IOS switch in the 'Network::Wired::Switches' scaffold, when creating or editing that switch entry, under the 'Network Monitor' section, as shown in the screenshot below. The example shows a non-default community name of 'publick'.

(Screenshot: snmp-community field under Network Monitor)

In active production networks, the use of non-default SNMP communities is strongly recommended.

VTP VLAN mode change

If the given Cisco IOS switch supports VTP, change the VTP mode on the switch from the default 'client' to 'transparent', as follows, in configuration mode:

(config)#vtp mode transparent

Once modified, the status of the VTP changes from

show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : NAME
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : d4ad.7139.5480

Feature VLAN:
--------------
VTP Operating Mode                : Client
Number of existing VLANs          : 30
Number of existing extended VLANs : 0
Maximum VLANs supported locally   : 1005
Configuration Revision            : 6
Primary ID                        : 700b.4fdb.3c80
Primary Description               : CWD-WAVHS-01CS
MD5 digest                        : 0x84 0xFB 0xFD 0x73 0xB0 0x72 0xF1 0x47 
                                    0x6D 0x7E 0x26 0xB4 0xC6 0x49 0x08 0xB9 


Feature MST:
--------------
VTP Operating Mode                : Transparent

to

show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : NAME
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : d4ad.7139.5480

Feature VLAN:
--------------
VTP Operating Mode                : Transparent
Number of existing VLANs          : 5
Number of existing extended VLANs : 0
Maximum VLANs supported locally   : 1005


Feature MST:
--------------
VTP Operating Mode                : Transparent

indicating a 'Transparent' VLAN operating mode, as required.

Default RADIUS configuration

The default RADIUS configuration requires a RADIUS server definition on the Cisco switch side, as follows. An arbitrary name (rXg) is used in the example below, while the IP address (radius-server-ip) and the key value are obtained from the local rXg installation. The IP address must be reachable from the Cisco IOS switch management interface, and it is typically the default management plane gateway. The RADIUS server key (radius-server-key) is obtained from the 'Services::RADIUS::RADIUS Server Options' scaffold, as shown in the screenshot below.

(Screenshot: RADIUS server key location)

The resulting configuration command is shown below, with the explicit definition of the authentication and accounting ports, using the default RADIUS values.

radius server rXg
 address ipv4 <radius-server-ip> auth-port 1812 acct-port 1813
 key <radius-server-key>
exit

Changes to AAA configuration

The Cisco IOS switch contains certain default AAA settings, which need to be further modified to accommodate the config sync with the rXg platform, as follows.

aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
identity profile default

Configure the 'enable' and the 'admin' passwords using the following commands:

enable secret <secret-enable-password>
username <username> secret <password>

and make sure the corresponding password is configured under the 'Network::Wired::Switches' scaffold, as shown in the screenshot below. Note that the 'admin' username may be customized, as long as it matches on the rXg and Cisco IOS device sides.

(Screenshot: enable-password field)

MAB configuration

Configuring a Cisco IOS switch for MAC Authentication Bypass (MAB) with Dynamic VLAN Assignment is a common and powerful way to provide network access control for devices that do not support 802.1X (such as IP phones, printers, cameras and IoT devices), while still placing them into the correct network segment (VLAN) based on their MAC address.

Under the MAB process, the switch learns the MAC address of a connecting device and sends it as both the username and password to the RADIUS server for authentication.

Under dynamic VLAN assignment, the RADIUS server sends back specific RADIUS attributes to the switch upon successful authentication, instructing the switch to place the authenticated device into a particular VLAN. The primary attributes for this are:

  • Tunnel-Type = VLAN (attribute 64)
  • Tunnel-Medium-Type = 802 (attribute 65)
  • Tunnel-Private-Group-ID = VLAN ID (attribute 81)

This setup typically relies on a RADIUS server hosted on the rXg to perform the authentication and provide the dynamic VLAN assignment.
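The attribute exchange above, as an added example (not rXg code and not taken from the page): it builds the three tunnel attributes a server would return for a given VLAN and decodes them the way a switch must, treating a missing or inconsistent attribute set as "keep the fallback VLAN". Attribute numbers and IANA values are from RFC 2868; packet headers and the Message-Authenticator are left out.

```python
"""Added example (not rXg code): build and decode the RFC 2868 tunnel attributes
a RADIUS Access-Accept carries for dynamic VLAN assignment, and derive the VLAN
a switch would apply (or None, in which case the fallback VLAN stays)."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # IANA Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6   # IANA Tunnel-Medium-Type value "802"


def _avp(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_vlan_attributes(vlan_id, tag=1):
    """Attributes 64/65/81 placing the session into vlan_id. Integer tunnel
    attributes are tag byte + 3-byte value; 81 is tag byte + string."""
    if not 1 <= vlan_id <= 4094 or not 0 <= tag <= 0x1F:
        raise ValueError("VLAN ID 1..4094 and tag 0..31 required")
    tag_byte = bytes([tag])
    return (_avp(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode()))

def parse_attributes(data):
    """Yield (type, value) pairs; reject a bad length instead of looping forever."""
    i = 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        yield attr_type, data[i + 2:i + length]
        i += length

def assigned_vlan(data):
    """VLAN ID the switch should apply, or None if 64/65/81 are missing or inconsistent."""
    found = {}
    for attr_type, value in parse_attributes(data):
        found.setdefault(attr_type, value)   # first occurrence wins
    if not all(t in found for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    if int.from_bytes(found[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(found[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_802:
        return None
    group = found[TUNNEL_PRIVATE_GROUP_ID]
    # The tag on the string attribute is optional: a first octet above 0x1F is data.
    text = (group[1:] if group and group[0] <= 0x1F else group).decode(errors="replace")
    return int(text) if text.isdigit() and 1 <= int(text) <= 4094 else None
```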

The configuration elements required on the Cisco IOS switch can be divided into the system-level and port-level statements, as follows.

The system-level statements are shown below and use the following variables:

  • radius-server-ip, the IP address of the RADIUS server
  • radius-server-key, the authentication key of the RADIUS server
  • radius-server-name, an arbitrary string name for the RADIUS server, e.g., 'rXg'

aaa new-model
!
! Defines the authentication method for 802.1X (also used by MAB)
aaa authentication dot1x default group radius
!
! Defines the authorization method for network access
aaa authorization network default group radius
!
! Defines accounting for 802.1X sessions
aaa accounting dot1x default start-stop group radius
!
! Enable dynamic authorization (CoA, Change of Authorization)
! This allows the RADIUS server to re-authenticate a session or change its VLAN without user re-authentication.
aaa server radius dynamic-author
 client <radius-server-ip> server-key 0 <radius-server-key>
!
! Use the same session ID for all AAA accounting service types within a single call
aaa session-id common
!
! Define the RADIUS server(s)
radius server <radius-server-name>
 address ipv4 <radius-server-ip> auth-port 1812 acct-port 1813
 key 0 <radius-server-key>
!
! Send vendor-specific attributes (critical for dynamic VLAN assignment)
radius-server vsa send authentication
radius-server vsa send accounting
!
! Enable 802.1X globally (MAB requires this)
dot1x system-auth-control

The interface-level statements are shown below, covering the STP-related port protection commands as well as the necessary authentication commands for MAB / dot1x. The onboarding-vlan-id is the VLAN ID used for onboarding (fallback) when no other VLAN ID is assigned by the RADIUS server.

! MAB / dot1x authentication commands
authentication event fail action next-method
authentication host-mode multi-auth
authentication order mab dot1x
authentication periodic
authentication timer inactivity server
mab
!
! STP port protection commands
spanning-tree bpduguard enable
spanning-tree bpdufilter enable
spanning-tree guard root
spanning-tree guard loop
udld port aggressive
!
! Fallback (onboarding) VLAN
switchport mode access
switchport access vlan <onboarding-vlan-id>
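As an added check (example code, not part of rXg or Cisco IOS): a small audit that parses a running-config and reports which global statements and which access ports lack the MAB/dot1x commands listed above. SAMPLE_CONFIG and its interface names are constructed for the example; trunk (NNI) ports are deliberately skipped.

```python
"""Added example (not rXg or Cisco code): audit a Cisco IOS running-config for the
global and per-access-port MAB/dot1x statements. SAMPLE_CONFIG is constructed."""

REQUIRED_GLOBAL = ["aaa new-model", "aaa authentication dot1x default group radius",
                   "aaa authorization network default group radius",
                   "dot1x system-auth-control", "radius-server vsa send authentication"]
REQUIRED_ACCESS_PORT = ["authentication order mab dot1x", "mab",
                        "spanning-tree bpduguard enable"]

def split_interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global statement ends the block
    return blocks

def audit_config(config):
    """(missing global statements, {access port: missing commands}); trunk ports skipped."""
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    missing_global = [c for c in REQUIRED_GLOBAL if c not in global_lines]
    findings = {}
    for port, cmds in split_interfaces(config).items():
        if "switchport mode access" in cmds:  # NNI/trunk ports are not checked
            missing = [c for c in REQUIRED_ACCESS_PORT if c not in cmds]
            if missing:
                findings[port] = missing
    return missing_global, findings

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication order mab dot1x
 mab
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 switchport mode trunk
"""
```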
