tunneled-node-server-redirect

Syntax

tunneled-node-server-redirect [secondary-role <ROLE-NAME>]

no tunneled-node-server-redirect [secondary-role <ROLE-NAME>]

Description

Configures traffic redirect to user-based tunnel. Secondary role is the new user role that will be applied to the tunneled traffic by the controller.

The no form of this command stops the traffic re-direction to the controller. Secondary role is the new user role that will be applied to the tunneled traffic by the controller.

Command context

user-role

Parameters

secondary-role <ROLE-NAME>

Specifies the secondary role applied on the user traffic by the controller.

Example

switch(config)# aaa authorization user-role name testrole

switch(user-role)#
 tunneled-node-server-redirect
 tunneled-node-server

The tunneled-node-server-redirect attribute instructs the switch to redirect all traffic with user-role “testrole” to the controller. The secondary-role “authenticated” specified with the redirect attribute should be configured and present on the controller. In versions 16.07 and earlier, the client VLAN on the switch needs to be present on the Controller. With the Reserved VLAN mode introduced in 16.08, this is not required.

 
class ipv4 "testclass"
     10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
     20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
policy user "testpolicy"
     10 class ipv4 "testclass" action permit
   exit
aaa authorization user-role name "testrole"
   policy "testpolicy"
   vlan-id 100
   tunneled-node-server-redirect secondary-role "authenticated"
   exit
NOTE:

When the reserved-vlan option is used, the applied VLAN ID under the user-role "testrole" will not be considered. This is because the traffic will be redirected to the controller using reserved-vlan, and not the one configured on the switch.

Show the tunneled-node-server status for all users.

switch-PoEP# show tunneled-node-users all

PORT    MAC-ADDRESS     TUNNEL-STATUS   SECONDARY-USERROLE      FAILURE-REASON
1       000ffe-c8ce92   UP              authenticated
5       082e5f-263518   UP              authenticated
NOTE:

Starting from 16.08, the CLI constraint while configuring tunneled-node-server-redirect attribute without configuring VLAN ID has been removed.