Wired Intelligent Edge


AOS-CX equivalent to "controlled-direction" in aaa port-access

  • 1.  AOS-CX equivalent to "controlled-direction" in aaa port-access

    Posted Apr 27, 2022 03:08 PM
    Does the CX switch line have a configuration option for limiting only incoming traffic on an 802.1X-aware port in a pre-auth state? Use case is active ping sweeps for devices in the pre-auth VLAN that do not send an Ethernet frame otherwise, so they can pass MAB (and also in Wake-on-LAN scenarios?)


    ------------------------------
    Daniel Waites
    ------------------------------


  • 2.  RE: AOS-CX equivalent to "controlled-direction" in aaa port-access

    Posted Apr 28, 2022 03:15 AM
    Hi Daniel

    There is no exact equivalent on ArubaOS-CX for this command. However, have a look at "port-access allow-flood-traffic" and "aaa authentication port-access allow-lldp-bpdu" commands, which could do the job in your case.

    https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/5200-7836.pdf

    Best regards,
    Thomas

    ------------------------------
    Thomas Siegenthaler
    ------------------------------



  • 3.  RE: AOS-CX equivalent to "controlled-direction" in aaa port-access

    EMPLOYEE
    Posted Apr 28, 2022 03:20 AM
    Hello,

    The following command should provide a similar effect. It allows outgoing BUM traffic on an unauthenticated port.

    port-access allow-flood-traffic {enable | disable}
    Description
    Enables or disables transmission of flood traffic, such as broadcast, multicast, and unknown unicast
    messages through a security enabled port on which no client has been authenticated.
    By default, transmission of flood traffic is disabled.
    Usage
    This command can be used to allow Wake-on-LAN packets on security enabled ports, before a client is
    authenticated.

    Examples
    Enabling flood traffic on a port:
    switch(config-if)# port-access allow-flood-traffic enable

    ------------------------------
    Emil Gogushev
    ------------------------------
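
An added example, not part of any post in this thread and not HPE Aruba code: a small audit that lists which interface stanzas in a saved configuration carry the two pre-auth exceptions named above, so ports that transmit flood traffic before a client authenticates can be tracked. The sample configuration is constructed, and it is an assumption that both commands appear verbatim as indented lines under `interface` stanzas.

```python
import re

# Constructed sample; interface numbers and the description are made up.
# Assumption: saved configs use this indented interface-stanza layout.
SAMPLE_CONFIG = """\
interface 1/1/1
    port-access allow-flood-traffic enable
interface 1/1/2
    aaa authentication port-access allow-lldp-bpdu
interface 1/1/3
    description wol-pc
    port-access allow-flood-traffic enable
    aaa authentication port-access allow-lldp-bpdu
interface 1/1/4
    port-access allow-flood-traffic disable
"""

FLOOD = re.compile(r"^port-access allow-flood-traffic (enable|disable)$")
LLDP_BPDU = "aaa authentication port-access allow-lldp-bpdu"


def audit_preauth_exceptions(config_text):
    """Return {interface: {"flood": bool, "lldp_bpdu": bool}} per stanza."""
    result = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            # Top-level line: either opens an interface stanza or ends one.
            m = re.match(r"^interface (.+)$", raw.strip())
            current = m.group(1) if m else None
            if current:
                result[current] = {"flood": False, "lldp_bpdu": False}
            continue
        if current is None:
            continue
        line = raw.strip()
        m = FLOOD.match(line)
        if m:
            result[current]["flood"] = m.group(1) == "enable"
        elif line == LLDP_BPDU:
            result[current]["lldp_bpdu"] = True
    return result


def flood_enabled_ports(config_text):
    """Interfaces that transmit BUM traffic before any client authenticates."""
    return sorted(p for p, f in audit_preauth_exceptions(config_text).items() if f["flood"])
```

Calling `flood_enabled_ports()` on each switch's saved configuration gives the list of ports to compare against the documented Wake-on-LAN or ping-sweep exceptions.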



  • 4.  RE: AOS-CX equivalent to "controlled-direction" in aaa port-access

    Posted Apr 13, 2023 08:56 AM

    Thank you so much.
    I will try it out and hope for the best :)



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------