Cumulus Linux in the enterprise campus

December 7, 2018 Kevin Witherstine

As most know, Cumulus Linux was originally intended for data center switching and routing but over the years, our customer base has requested that we expand into the enterprise campus feature set too. Slowly, we’ve done just that.

With this expansion though, there are a few items that IT managers tend to take for granted in an all Cisco environment that may need some extra attention when using Cumulus Linux as a campus switch. This is especially the case when it comes to IEEE 802.1x, desk phones, etc.

Most of the phones we inter-operate with have been of the Cisco variety and quite often, those phones are connected to Cisco switches. There are a few tweaks from the default Cumulus settings that need to be called out in this environment and we’ll now go over what those are and how you can tweak them.

Cisco IP Phones TLV change

Cisco IP phones may revert to a different VLAN after initial negotiation. One of our enterprise customers found that according to a Cisco tech note on LLDP-MED and CDP, CDP should be disabled on non-Cisco switches connecting to Cisco phones.

To eliminate this behavior, make the following adjustment to the lldpd daemon configuration:

`sudo vi /etc/default/lldpd`

Change this default:

# Enable CDP by default

To this setting:

# Enable CDP by default

then `systemctl restart lldpd.service`

IP Phones random disconnects / Voice quality issues

The problem is straightforward: IP phones disconnect and re-authenticate randomly. Another symptom is that voice quality may suffer. The problem doesn’t seem to be phone model specific; it is more a function of having several phones connected to a switch. Most implementations won’t see this problem, as it is related specifically to using IP phones and the Cumulus Linux Redistribute Neighbor function together.

Redistribute Neighbor is a feature that enables devices to span subnets by taking an ARP entry and advertising its /32 IPv4 address upstream. More information about this functionality is available in the Cumulus Linux documentation and in this fine blog post written by Doug Youd a couple of years ago.

To eliminate this problem, take the following action:

`vi /etc/rdnbrd.conf`

Change these 2 values:

```
# TX an ARP request to known hosts every keepalive seconds
keepalive = 1

# If a host does not send an ARP reply for holdtime consider the host down
holdtime = 3
```

To something like this:

```
# TX an ARP request to known hosts every keepalive seconds
keepalive = 60

# If a host does not send an ARP reply for holdtime consider the host down
holdtime = 240
```

Then issue `systemctl restart rdnbrd.service`

The theory behind the keepalive and hold time change is that the phone doesn’t have the processing capability to respond to the amount of control traffic that Redistribute Neighbor is sending its way. Redistribute Neighbor sends ARP messages to the device to ensure that it’s still “there”. You don’t want to run into stale entries, as you’re advertising that device into the network for reachability.

There is a downside to this timer change, which is that you won’t detect devices that “go away” in a timely manner. For instance, if you move that IP phone from one switch to another, your /32 route entry won’t flush until the hold time has expired, even if the connecting port goes down.
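As an added example (not code from the original post or from Cumulus Linux), the shell functions below apply the keepalive/holdtime change to an rdnbrd.conf-style file and report the resulting worst-case window during which a moved phone’s /32 stays advertised. The file path is a parameter so it can be tried on a scratch copy first; the “holdtime at least 3x keepalive” guard is an assumption chosen so that a single lost ARP reply does not flush a host.

```shell
#!/bin/sh
# Added example, not part of the original post or of Cumulus Linux.
set -eu

# Print the value of a "key = value" line (last match wins) from an rdnbrd.conf-style file.
rdnbrd_get() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | tail -n 1
}

# Rewrite keepalive and holdtime in place. Assumption: refuse a holdtime
# below 3x keepalive, since one missed ARP reply would then drop the /32.
rdnbrd_set_timers() {
    # $1 = file, $2 = keepalive seconds, $3 = holdtime seconds
    file=$1; ka=$2; ht=$3
    if [ "$ht" -lt $((ka * 3)) ]; then
        echo "holdtime $ht is below 3*keepalive ($((ka * 3))): hosts may flap" >&2
        return 1
    fi
    tmp=$(mktemp)
    sed -e "s/^\([[:space:]]*keepalive[[:space:]]*=[[:space:]]*\)[0-9]*/\1$ka/" \
        -e "s/^\([[:space:]]*holdtime[[:space:]]*=[[:space:]]*\)[0-9]*/\1$ht/" "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Worst case, in seconds, that a phone moved to another switch keeps its
# /32 advertised from the old switch: the configured holdtime.
rdnbrd_stale_window() {
    rdnbrd_get "$1" holdtime
}

# Constructed sample file mirroring the default values quoted in the post.
make_sample_conf() {
    cat > "$1" <<'EOF'
# TX an ARP request to known hosts every keepalive seconds
keepalive = 1

# If a host does not send an ARP reply for holdtime consider the host down
holdtime = 3
EOF
}
```

On a real switch, run `rdnbrd_set_timers /etc/rdnbrd.conf 60 240` and then `systemctl restart rdnbrd.service` as the post describes.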

Configuring Dynamic VLAN with Voice VLAN

By default, the dynamic VLAN feature for dot1x configures ports as an access port when the dynamic VLAN is received in the authorization. In an environment configured with voice VLAN, we need to assign the PVID dynamically, instead of configuring the port as access. Currently, only configuring the host VLAN dynamically is supported so the voice VLAN on the port must still be configured manually.

To change the dynamic VLAN behavior to configure the PVID dynamically, instead of the access VLAN, add the following lines to /etc/hostapd.conf:

After adding the line, the hostapd service must be restarted:

`sudo systemctl restart hostapd.service`

Configuring EAP Requests from the switch

In some cases, an attached device may initiate the EAP process prior to the link or switch being ready. To handle this, it’s possible to configure the switch to send an EAP request to re-initiate the EAPOL process from the attached client.

To configure this option, edit /etc/hostapd.conf and add the following:

After adding the line, the hostapd service must be restarted:

`sudo systemctl restart hostapd.service`

In other news

At this time, the solutions outlined above are only tested and supported with VLAN-aware bridge implementations. The “voice-VLAN” command documented in the Cumulus Linux documentation isn’t needed for the functionality specified above.

I’m sure as we continue to deploy in various campus environments we’ll run across other tidbits to share. Until then, hopefully, this post helps save someone some troubleshooting time.
