Switch Configuration for VyOS Integration

1. Overview

This runbook configures Catalyst switches to support VyOS HA deployment:

  • LAB-3560CX-01 (10.50.1.10) - Access switch with IBNS 2.0

  • C9300-01 (10.50.1.11) - Core switch (similar configuration)

TRUNK CONFIGURATION - READ THIS FIRST

# WRONG - with no keyword the list REPLACES the whole allowed set, so every
# other VLAN is dropped from the trunk (OUTAGE on the KVM uplinks!)
switchport trunk allowed vlan 100

# CORRECT - the add keyword APPENDS to the existing allowed list
switchport trunk allowed vlan add 100

2. Phase 1: Document Current State

2.1. Capture Running Config (Pre-Change)

# From workstation - backup current configs
ssh 3560-cx.inside.domusdigitalis.dev "show running-config" > /tmp/3560cx-pre-vyos.txt
ssh c9300-01.inside.domusdigitalis.dev "show running-config" > /tmp/c9300-pre-vyos.txt

2.2. Current VLAN Database (LAB-3560CX-01)

VLAN  Name           Purpose
10    Data           User workstations
20    Voice          VoIP phones (switchport voice vlan)
30    Guest          Guest network
40    IoT            IoT devices
100   Management     Infrastructure management (SVI: 10.50.1.10)
666   Native         Native VLAN (unused, shutdown)
999   Critical Auth  Auth-fail / AAA timeout remediation

2.3. Current Trunk Ports (LAB-3560CX-01)

Interface  Connected To                          Allowed VLANs
Te1/0/1    TRUNK-TO-SUPERMICRO-KVM-02 (vyos-02)  10,20,30,40,100,999
Te1/0/2    TRUNK-TO-SUPERMICRO-KVM-01 (vyos-01)  10,20,30,40,100,999

The KVM trunk ports already carry all required VLANs. No trunk changes are needed for the VyOS migration.
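The two trunk rules above (never overwrite the allowed list; confirm the KVM trunks carry every VLAN the VyOS VMs need) are the kind of thing worth checking by script before pasting into a production switch. The following is an added example and not part of the runbook: it parses the "Vlans allowed on trunk" table of show interfaces trunk (the sample output is constructed here, shaped like the expected output in Phase 5), models what IOS does to the allowed list for a candidate switchport trunk allowed vlan command, and refuses any command that would drop a required VLAN. REQUIRED_VLANS comes from the runbook's VLAN table; the port names are the runbook's.

```python
"""Pre-change guard for 'switchport trunk allowed vlan' edits.

Added example, not part of the runbook. Parses the 'Vlans allowed on trunk'
table of 'show interfaces trunk' (sample output constructed below, shaped
like the expected output in Phase 5), models what the allowed list becomes
after a candidate command, and refuses any command that would drop a VLAN
the VyOS trunks need. REQUIRED_VLANS is taken from the runbook's VLAN
table; port names are the runbook's.
"""
import re

# VLANs the KVM trunks must carry (sections 1.2 / 1.3 of the runbook)
REQUIRED_VLANS = {10, 20, 30, 40, 100, 999}

# Constructed sample, shaped like 'show interfaces trunk' on the 3560CX
SAMPLE_SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Te1/0/1     on               802.1q         trunking      100
Te1/0/2     on               802.1q         trunking      100

Port        Vlans allowed on trunk
Te1/0/1     10,20,30,40,100,999
Te1/0/2     10,20,30,40,100,999

Port        Vlans allowed and active in management domain
Te1/0/1     10,20,30,40,100,999
Te1/0/2     10,20,30,40,100,999
"""

_CMD_RE = re.compile(
    r"switchport trunk allowed vlan\s+(?:(add|remove|except)\s+)?(\S+)$"
)


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-30,100' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_allowed_trunks(show_output):
    """Return {port: allowed VLAN set} from the 'Vlans allowed on trunk' table."""
    allowed = {}
    in_table = False
    for line in show_output.splitlines():
        if line.startswith("Port") and "Vlans allowed on trunk" in line:
            in_table = True
            continue
        if in_table:
            if not line.strip():        # blank line ends the table
                break
            port, spec = line.split(None, 1)
            allowed[port] = parse_vlan_list(spec)
    return allowed


def apply_allowed_vlan_cmd(current, cmd):
    """Model IOS semantics of 'switchport trunk allowed vlan ...' on one trunk."""
    m = _CMD_RE.fullmatch(cmd.strip())
    if not m:
        raise ValueError("unsupported command: %r" % cmd)
    keyword, spec = m.groups()
    all_vlans = set(range(1, 4095))
    if keyword is None and spec == "all":
        return all_vlans
    wanted = parse_vlan_list(spec)
    if keyword == "add":
        return current | wanted
    if keyword == "remove":
        return current - wanted
    if keyword == "except":
        return all_vlans - wanted
    return wanted                      # no keyword: the list REPLACES the set


def check_trunk_change(current, cmd, required=REQUIRED_VLANS):
    """Return (safe, dropped): safe is False if a required VLAN would leave the trunk."""
    after = apply_allowed_vlan_cmd(current, cmd)
    dropped = (current & set(required)) - after
    return (not dropped, dropped)


if __name__ == "__main__":
    trunks = parse_allowed_trunks(SAMPLE_SHOW_TRUNK)
    for cmd in ("switchport trunk allowed vlan 100",
                "switchport trunk allowed vlan add 110,120"):
        safe, dropped = check_trunk_change(trunks["Te1/0/2"], cmd)
        verdict = "OK" if safe else "REFUSE, would drop %s" % sorted(dropped)
        print("%-45s %s" % (cmd, verdict))
```

To use it against a live switch, feed it the output of ssh 3560-cx.inside.domusdigitalis.dev "show interfaces trunk" instead of the sample and run check_trunk_change on each KVM port before pushing the change; the "except" and "all" forms are modelled too because they also replace the list wholesale.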

3. Phase 2: VLAN Database Updates

3.1. VLANs for VyOS Migration

Review whether additional VLANs are needed for VyOS features:

VLAN  Name      Purpose                        Status
110   SECURITY  ISE, Vault, security services  Add if needed
120   SERVICES  Application services           Add if needed

configure terminal
! Only add if not already present
vlan 110
 name SECURITY
!
vlan 120
 name SERVICES
!
end

! Verify
show vlan brief | include SECURITY|SERVICES

3.2. Add VLANs to KVM Trunks (if added)

Use the add keyword so the existing allowed list is preserved:

configure terminal
interface TenGigabitEthernet1/0/1
 switchport trunk allowed vlan add 110,120
!
interface TenGigabitEthernet1/0/2
 switchport trunk allowed vlan add 110,120
!
end

! Verify - new VLANs added to existing list
show interfaces trunk | include Te1/0/1|Te1/0/2

4. Phase 3: RADIUS Configuration

4.1. RADIUS Server Group

The switch uses the ISE-RADIUS server group for 802.1X and MAB authentication. The two "server name" lines reference "radius server ISE-01" / "radius server ISE-02" definitions (address, ports and shared key), which are not reproduced here. deadtime 15 skips a server that has stopped answering for 15 minutes before retrying it:

aaa group server radius ISE-RADIUS
 server name ISE-01
 server name ISE-02
 ip radius source-interface Vlan100
 deadtime 15

4.2. RADIUS Servers

Server Name  IP Address  Purpose
ISE-01       10.50.1.20  Primary (all personas)
ISE-02       10.50.1.21  Secondary (all personas)

4.3. CoA (Change of Authorization) Clients

Both ISE nodes must be listed: the switch only accepts CoA requests from configured dynamic-author clients, so a CoA sent by the secondary node would otherwise be dropped.

aaa server radius dynamic-author
 client 10.50.1.20 server-key <RADIUS_KEY>
 client 10.50.1.21 server-key <RADIUS_KEY>
 auth-type any

RADIUS keys are stored in gopass: gopass show v3/domains/d000/network/radius

5. Phase 4: IBNS 2.0 / C3PL Policy Configuration

5.1. Device Sensor Filters

Device sensor collects DHCP, CDP and LLDP attributes from the endpoint for ISE profiling. The data reaches ISE in RADIUS accounting, which requires "device-sensor accounting" and accounting enabled for the sessions; neither is shown in this excerpt, so confirm both on the switch:

device-sensor filter-list dhcp list DHCP-SENSOR
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier

device-sensor filter-list cdp list CDP-SENSOR
 tlv name device-name
 tlv name capabilities-type
 tlv name platform-type

device-sensor filter-list lldp list LLDP-SENSOR
 tlv name port-id
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities

device-sensor filter-spec dhcp include list DHCP-SENSOR
device-sensor filter-spec lldp include list LLDP-SENSOR
device-sensor filter-spec cdp include list CDP-SENSOR
device-sensor notify all-changes

5.2. Class Maps (C3PL Conditions)

Class maps define the conditions for policy actions:

! AAA server timeout - used for critical auth
class-map type control subscriber match-all AAA_SVR_DOWN
 match authorization-status unauthorized
 match result-type aaa-timeout

! DOT1X authentication method
class-map type control subscriber match-all DOT1X
 match method dot1x

! DOT1X failed with authoritative response (reject)
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative

! DOT1X no response (no supplicant)
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found

! Check if in critical auth mode
class-map type control subscriber match-all IN_CRITICAL_AUTH
 match activated-service-template DefaultCriticalAuthVlan_SRV_TEMPLATE

! MAB authentication method
class-map type control subscriber match-all MAB
 match method mab

! MAB failed with authoritative response (reject)
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative

! NOT in critical auth (for recovery). Must be match-none: with match-all it
! would be the same test as IN_CRITICAL_AUTH, and the resume-reauthentication
! branch of the aaa-available event would never fire for ordinary sessions.
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template DefaultCriticalAuthVlan_SRV_TEMPLATE

5.3. Service Templates

Service templates define the local authorization results the policy map activates:

! Critical authentication - VLAN 999 with limited access
service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
 description Critical Auth VLAN
 access-group ACL_CRITICAL_AUTH
 vlan 999

! Critical voice - keeps the voice VLAN during an AAA outage
service-template DefaultCriticalVoice_SRV_TEMPLATE
 description Critical Voice VLAN
 voice vlan

! Older voice template, not referenced by the policy map in 4.5 (left as found)
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan

5.4. Critical Auth ACL

Applied inbound (endpoint-originated traffic) by the critical-auth service template, so only that direction matters. A client's DHCP runs from source port bootpc (68) to destination port bootps (67); an entry that matches only "eq bootpc" as the destination would pass server replies but drop the client's own DISCOVER/REQUEST. Both ISE nodes are permitted so a recovering session can reach whichever one comes back first:

ip access-list extended ACL_CRITICAL_AUTH
 remark DNS
 permit udp any any eq domain
 remark DHCP client -> server
 permit udp any eq bootpc any eq bootps
 remark ICMP for troubleshooting
 permit icmp any any
 remark ISE nodes, for recovery
 permit ip any host 10.50.1.20
 permit ip any host 10.50.1.21
 remark deny all else
 deny   ip any any log

Verify with "show ip access-lists ACL_CRITICAL_AUTH" once a session has landed in critical auth. Some Catalyst platforms do not honour the log keyword on port ACLs, so rely on the per-ACE hit counters rather than syslog to confirm the deny is doing its job.
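Whether a port ACL admits the flows a critical-auth endpoint needs is easy to get wrong in the direction and port arguments, as the DHCP entry shows. The following is an added example, not runbook config: a small first-match evaluator for the IOS extended ACE forms used in ACL_CRITICAL_AUTH, run over constructed endpoint-originated flows (hosts and ephemeral ports are made up) to compare an ACL whose DHCP line matches only the destination port against the corrected one with both ports qualified and both ISE nodes permitted.

```python
"""First-match evaluator for the critical-auth port ACL.

Added example, not runbook config. It parses the IOS extended ACE forms
used in ACL_CRITICAL_AUTH (permit/deny; ip, udp, tcp or icmp; 'any' or
'host A.B.C.D'; optional 'eq <port>' after source and after destination;
a trailing 'log' is ignored) and evaluates constructed sample flows the way
a port ACL does: first matching entry wins, implicit deny at the end. A
port ACL only sees traffic entering from the endpoint, so the flows below
are endpoint-originated. 'permit udp any any eq bootpc' matches only
server-to-client DHCP (dport 68); a client's DHCP DISCOVER (sport 68,
dport 67) falls through to the deny, while 'permit udp any eq bootpc any
eq bootps' admits it. Hosts and ports in the flows are made up.
"""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}

# DHCP entry with only a destination port: matches server replies, not client requests
ACL_BEFORE = """
ip access-list extended ACL_CRITICAL_AUTH
 permit udp any any eq domain
 permit udp any any eq bootpc
 permit icmp any any
 permit ip any host 10.50.1.20
 deny   ip any any log
"""

# Corrected: client DHCP (68 -> 67) permitted, both ISE nodes reachable for recovery
ACL_AFTER = """
ip access-list extended ACL_CRITICAL_AUTH
 remark DNS
 permit udp any any eq domain
 remark DHCP client -> server
 permit udp any eq bootpc any eq bootps
 permit icmp any any
 permit ip any host 10.50.1.20
 permit ip any host 10.50.1.21
 deny   ip any any log
"""


@dataclass(frozen=True)
class Flow:
    proto: str        # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str        # "ip" matches every protocol
    src: str          # "any" or a host address
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def matches(self, f):
        return (self.proto in ("ip", f.proto)
                and self.src in ("any", f.src)
                and self.dst in ("any", f.dst)
                and self.sport in (None, f.sport)
                and self.dport in (None, f.dport))


def _port(name):
    if name.isdigit():
        return int(name)
    if name in PORT_NAMES:
        return PORT_NAMES[name]
    raise ValueError("unknown port name: %s" % name)


def _take_addr(toks):
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    raise ValueError("unsupported address form: %r" % (toks,))


def _take_port(toks):
    if toks and toks[0] == "eq":
        return _port(toks[1]), toks[2:]
    return None, toks


def parse_acl(text):
    """Parse the ACE lines of an 'ip access-list extended' block into Ace objects."""
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2 or toks[0] not in ("permit", "deny"):
            continue                  # header, remark or blank line
        action, proto, rest = toks[0], toks[1], toks[2:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces, flow):
    """First matching ACE decides; an IOS ACL ends with an implicit deny."""
    for ace in aces:
        if ace.matches(flow):
            return ace.action
    return "deny"


# Constructed endpoint-originated flows as seen inbound on the access port
DHCP_DISCOVER = Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67)
DNS_QUERY = Flow("udp", "10.50.10.50", 51234, "10.50.1.1", 53)
TO_ISE02 = Flow("tcp", "10.50.10.50", 45000, "10.50.1.21", 443)
SMB_LATERAL = Flow("tcp", "10.50.10.50", 45001, "10.50.10.60", 445)


def compare(flow):
    """Verdict of the two ACL versions for one flow: (before, after)."""
    return evaluate(parse_acl(ACL_BEFORE), flow), evaluate(parse_acl(ACL_AFTER), flow)


if __name__ == "__main__":
    for name, flow in (("dhcp discover", DHCP_DISCOVER), ("dns", DNS_QUERY),
                       ("to ISE-02", TO_ISE02), ("smb lateral", SMB_LATERAL)):
        print("%-14s before=%-6s after=%s" % ((name,) + compare(flow)))
```

The evaluator deliberately supports only the address and port forms this ACL uses; anything else raises rather than silently matching, which is the right failure mode for a guard you run before a change.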

5.5. Policy Map - Concurrent DOT1X + MAB

This is the core IBNS 2.0 policy for concurrent authentication:

policy-map type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
 !
 ! === SESSION STARTED ===
 ! Try BOTH dot1x AND mab simultaneously (concurrent)
 ! dot1x has priority 10 (higher), MAB has priority 20 (lower)
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
   20 authenticate using mab priority 20
 !
 ! === AUTHENTICATION FAILURE ===
 ! Handle failures based on type - match-first stops at first match
 event authentication-failure match-first
  !
  ! DOT1X explicitly rejected - fall back to MAB
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  !
  ! AAA server unreachable - enter critical auth mode
  10 class AAA_SVR_DOWN do-until-failure
   10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
   20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
   30 authorize
   40 pause reauthentication
  !
  ! No DOT1X supplicant - try MAB
  20 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  !
  ! MAB rejected - restart auth after 60 seconds
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
 !
 ! === AAA AVAILABLE (Recovery from outage) ===
 event aaa-available match-all
  ! If in critical auth, clear session to re-authenticate
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  ! If not in critical auth, resume normal reauth
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 !
 ! === AGENT FOUND (Supplicant appeared during MAB) ===
 ! If MAB was running and supplicant appears, switch to dot1x
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 !
 ! === AUTHENTICATION SUCCESS ===
 event authentication-success match-all
  10 class always do-until-failure
   10 authorize
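The match-first / match-all distinction on the events and the match-all / match-none distinction on the class maps decide which branch of this policy actually runs, and the wrong combination fails silently (a session simply never gets the action). The following is an added example, not runbook config: a simplified model of the switch's session attributes and C3PL class-map evaluation, walking the authentication-failure event in the runbook's sequence order and the aaa-available recovery event, and showing why NOT_IN_CRITICAL_AUTH has to be match-none. Only the attributes the runbook's class maps test are modelled.

```python
"""Model of IBNS 2.0 class-map matching and the policy's event handling.

Added example, not runbook config. C3PL class maps combine their match
lines with match-all (every line true), match-any (at least one) or
match-none (none true). Session and ClassMap are a simplified stand-in
for the switch's session database: only the attributes the runbook's class
maps test are modelled. The walk of 'event authentication-failure
match-first' follows the runbook's sequence numbers; 'event aaa-available
match-all' runs every matching class. A NOT_IN_CRITICAL_AUTH written as
match-all evaluates exactly like IN_CRITICAL_AUTH, so the 'resume
reauthentication' branch never fires for ordinary sessions; match-none
gives the intended complement.
"""
from dataclasses import dataclass, field

CRITICAL_TEMPLATE = "DefaultCriticalAuthVlan_SRV_TEMPLATE"
CRITICAL_VOICE = "DefaultCriticalVoice_SRV_TEMPLATE"


@dataclass
class Session:
    authorized: bool = False
    method: str = ""              # method that raised the event: "dot1x" or "mab"
    result_type: str = ""         # "aaa-timeout", "authoritative", "agent-not-found", ...
    active_templates: set = field(default_factory=set)


@dataclass
class ClassMap:
    name: str
    mode: str                     # "match-all" | "match-any" | "match-none"
    conditions: list              # callables Session -> bool

    def matches(self, s):
        results = [cond(s) for cond in self.conditions]
        if self.mode == "match-all":
            return all(results)
        if self.mode == "match-any":
            return any(results)
        if self.mode == "match-none":
            return not any(results)
        raise ValueError("unknown mode %s" % self.mode)


# match-line builders (one per 'match ...' form used by the runbook)
def unauthorized(s):
    return not s.authorized

def result_type(rt):
    return lambda s: s.result_type == rt

def method(m):
    return lambda s: s.method == m

def activated(template):
    return lambda s: template in s.active_templates


# The runbook's class maps, NOT_IN_CRITICAL_AUTH with match-none
AAA_SVR_DOWN = ClassMap("AAA_SVR_DOWN", "match-all", [unauthorized, result_type("aaa-timeout")])
DOT1X_FAILED = ClassMap("DOT1X_FAILED", "match-all", [method("dot1x"), result_type("authoritative")])
DOT1X_NO_RESP = ClassMap("DOT1X_NO_RESP", "match-all", [method("dot1x"), result_type("agent-not-found")])
MAB_FAILED = ClassMap("MAB_FAILED", "match-all", [method("mab"), result_type("authoritative")])
IN_CRITICAL_AUTH = ClassMap("IN_CRITICAL_AUTH", "match-all", [activated(CRITICAL_TEMPLATE)])
NOT_IN_CRITICAL_AUTH = ClassMap("NOT_IN_CRITICAL_AUTH", "match-none", [activated(CRITICAL_TEMPLATE)])
# Same match line with match-all: indistinguishable from IN_CRITICAL_AUTH
NOT_IN_CRITICAL_AUTH_WRONG = ClassMap("NOT_IN_CRITICAL_AUTH", "match-all", [activated(CRITICAL_TEMPLATE)])

# event authentication-failure match-first, in the runbook's sequence order
AUTH_FAILURE = [
    (DOT1X_FAILED, ["terminate dot1x", "authenticate using mab priority 20"]),
    (AAA_SVR_DOWN, ["activate service-template " + CRITICAL_TEMPLATE,
                    "activate service-template " + CRITICAL_VOICE,
                    "authorize", "pause reauthentication"]),
    (DOT1X_NO_RESP, ["terminate dot1x", "authenticate using mab priority 20"]),
    (MAB_FAILED, ["terminate mab", "authentication-restart 60"]),
]


def on_authentication_failure(s):
    """match-first: only the first matching class runs; returns (class name, actions)."""
    for cmap, actions in AUTH_FAILURE:
        if cmap.matches(s):
            return cmap.name, actions
    return None, []


def on_aaa_available(s, not_in_critical=NOT_IN_CRITICAL_AUTH):
    """match-all event: every matching class contributes its actions."""
    actions = []
    if IN_CRITICAL_AUTH.matches(s):
        actions.append("clear-session")
    if not_in_critical.matches(s):
        actions.append("resume reauthentication")
    return actions


if __name__ == "__main__":
    normal = Session(authorized=True)
    critical = Session(authorized=True, active_templates={CRITICAL_TEMPLATE})
    print("ISE back, normal session  :", on_aaa_available(normal))
    print("ISE back, critical session:", on_aaa_available(critical))
    print("same with match-all class :", on_aaa_available(normal, NOT_IN_CRITICAL_AUTH_WRONG))
    print("dot1x timed out           :", on_authentication_failure(Session(False, "dot1x", "aaa-timeout")))
```

Note the ordering consequence the model makes visible: a dot1x attempt that times out against ISE has result type aaa-timeout, not authoritative, so sequence 5 (DOT1X_FAILED) does not swallow it and the session reaches the AAA_SVR_DOWN branch at sequence 10.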

5.6. Interface Templates

Templates for consistent interface configuration:

5.6.1. DefaultWiredDot1xClosedAuth (Access Ports)

template DefaultWiredDot1xClosedAuth
 dot1x pae authenticator
 dot1x timeout tx-period 7
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 20
 mab
 access-session control-direction in
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB

5.6.2. AP_UPLINK (Trunk Ports to Access Points)

template AP_UPLINK
 ! Inside a template definition the full allowed list is intended; the
 ! "add" rule at the top of this runbook applies to live trunk interfaces.
 spanning-tree portfast edge trunk
 spanning-tree bpduguard enable
 switchport trunk allowed vlan 10,20,30,100
 switchport trunk native vlan 666
 switchport mode trunk

5.7. Interface Application Examples

Current interface configurations:

! DOT1X Access Port with template
! NOTE: "ip arp inspection trust" exempts this endpoint-facing port from DAI,
! so ARP packets from the endpoint are not validated against the DHCP snooping
! bindings. Confirm this is intended; access ports normally stay untrusted and
! only uplinks and the KVM trunks are trusted.
interface GigabitEthernet1/0/2
 description [DOT1X] Research Access Port
 ip arp inspection trust
 source template DefaultWiredDot1xClosedAuth
 spanning-tree portfast edge

! AP Port with template (the same DAI note applies)
interface GigabitEthernet1/0/3
 description Catalyst 9120 AP
 switchport access vlan 10
 switchport mode access
 ip arp inspection trust
 source template DefaultWiredDot1xClosedAuth
 spanning-tree portfast edge

! KVM Trunk Port (VyOS)
! NOTE: the native VLAN is 100 (management) rather than the dedicated unused
! VLAN 666 from the VLAN table, so untagged frames from the hypervisor land in
! the management VLAN. Keep it only if the KVM host's management interface
! depends on untagged traffic; otherwise "switchport trunk native vlan 666"
! matches the rest of the design. DHCP snooping trust is correct here because
! the VyOS DHCP server sits behind this trunk.
interface TenGigabitEthernet1/0/2
 description TRUNK-TO-SUPERMICRO-KVM-01
 switchport trunk allowed vlan 10,20,30,40,100,999
 switchport trunk native vlan 100
 switchport mode trunk
 ip arp inspection trust
 spanning-tree portfast edge trunk
 ip dhcp snooping trust

6. Phase 5: Verification

6.1. Verify VLAN Database

ssh 3560-cx.inside.domusdigitalis.dev "show vlan brief"

6.2. Verify Trunk Ports

ssh 3560-cx.inside.domusdigitalis.dev "show interfaces trunk"

Expected output for Te1/0/1 and Te1/0/2:

Port        Mode             Encapsulation  Status        Native vlan
Te1/0/1     on               802.1q         trunking      100
Te1/0/2     on               802.1q         trunking      100

Port        Vlans allowed on trunk
Te1/0/1     10,20,30,40,100,999
Te1/0/2     10,20,30,40,100,999

6.3. Verify 802.1X Sessions

ssh 3560-cx.inside.domusdigitalis.dev "show access-session"
ssh 3560-cx.inside.domusdigitalis.dev "show authentication sessions"

6.4. Verify RADIUS Connectivity

ssh 3560-cx.inside.domusdigitalis.dev "test aaa group ISE-RADIUS admin password new-code"

The username and password on the command line are sent in a real Access-Request and show up in ISE's live logs, so use a dedicated test account rather than a privileged one. An Access-Reject ("User rejected") still proves the server answered; a timeout points to reachability or a shared-key mismatch (ISE silently drops requests with a wrong key). "show aaa servers" shows whether either node is currently marked dead.

7. Phase 6: VyOS Migration Specific

7.1. Default Gateway Update

The switch default gateway points to the VyOS VIP, which reuses the pfSense address:

ip default-gateway 10.50.1.1

No change required - the VyOS VIP (10.50.1.1) is the same as the current pfSense IP. After cutover, confirm the VIP answers from the management SVI: ping 10.50.1.1 source Vlan100.

7.2. NTP Server Update

ntp server 10.50.1.1 prefer

No change required - the VyOS VIP will serve NTP. Confirm synchronisation after cutover with "show ntp associations" (the 10.50.1.1 entry should be marked with * as the selected peer).

7.3. Syslog Server

Current syslog target:

logging host 10.50.1.134

This is the Wazuh manager (10.50.1.134). The switch reaches it from the management VLAN (directly if it is on the same subnet, otherwise via the VyOS VIP), so nothing changes on the switch side.

8. Rollback

8.1. Remove VLANs from Trunk (if added)

configure terminal
interface TenGigabitEthernet1/0/1
 switchport trunk allowed vlan remove 110,120
!
interface TenGigabitEthernet1/0/2
 switchport trunk allowed vlan remove 110,120
!
end

8.2. Restore from Backup

# Copying straight onto running-config (scp ... :running-config) MERGES the file into
# the live config, like "copy ... running-config": lines added during the change (new
# VLANs, trunk additions) are NOT removed. For a real rollback, stage the file on flash,
# review the diff, then replace the running config with it. Requires "ip scp server
# enable" on the switch.
scp /tmp/3560cx-pre-vyos.txt 3560-cx.inside.domusdigitalis.dev:flash:3560cx-pre-vyos.txt
ssh 3560-cx.inside.domusdigitalis.dev "show archive config differences flash:3560cx-pre-vyos.txt system:running-config"
ssh 3560-cx.inside.domusdigitalis.dev "configure replace flash:3560cx-pre-vyos.txt force"