Here is a short technote to demonstrate the "Device profile" feature on CX 6200/6300/6400 switches. Device profile was a popular feature on AOS-S switches such as the 2930F/M. Its aim is to automatically discover the devices connected to a switch port using LLDP/CDP and to apply a matching port configuration automatically, without requiring the device to authenticate.
This technote will demo device profile feature for when an Aruba AP is connected dynamically changing switch port configuration for
Hope you’ll find it useful and as always please send through your feedback for improvements.
Your phone seems to support LLDP-MED. If you want to match on the LLDP vendor OUI, take care that this is not the Ethernet vendor OUI; it is the vendor OUI carried inside an optional organizational LLDP TLV. For phones supporting the LLDP-MED extension you need to specify the organizational LLDP TLV of the body that specified the LLDP-MED extension, which was the TIA TR-41 Committee. Therefore a different vendor OUI value needs to be used:
port-access lldp-group Phone_group seq 10 match vendor-oui 0012bb
If you want to match on the Ethernet vendor OUI, you can use the device-profile mac-group feature as you described, but if you have not configured 802.1X or MAC authentication on the interface, you need to configure "port-access device-profile mode block-until-profile-applied" on the interface instead.
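The two matching approaches from the reply above, written out as an added AOS-CX configuration example (this is the editor's illustration, not configuration posted by the commenter or published by HPE). The role name, VLAN ID, group names, interface number and the Ethernet OUI 00:11:22 are constructed placeholders; only 0012bb (the TIA TR-41 OUI used in LLDP-MED TLVs) and the block-until-profile-applied mode come from the thread. Verify the exact syntax against the firmware release on your switch before deploying.

```text
! Added example, not from the original post. Names, VLAN 20, interface 1/1/10
! and the Ethernet OUI 00:11:22 are assumed placeholders.

! Role applied to a recognised phone: assumed voice VLAN 20
port-access role PHONE_ROLE
    vlan access 20

! Match 1: LLDP-MED phones. 0012bb is the TIA TR-41 organizational OUI found in
! the LLDP-MED TLVs, not the phone manufacturer's Ethernet (MAC) OUI.
port-access lldp-group Phone_group
    seq 10 match vendor-oui 0012bb

! Match 2: Ethernet source-MAC OUI. 00:11:22 is a constructed placeholder;
! substitute the phone vendor's real OUI from the IEEE registry.
port-access mac-group Phone_mac_group
    seq 10 match mac-oui 00:11:22

! Tie both match groups to the role; either match applies the profile
port-access device-profile Phone_profile
    enable
    associate role PHONE_ROLE
    associate lldp-group Phone_group
    associate mac-group Phone_mac_group

! On a port with no 802.1X or MAC authentication, hold the port until a
! profile has been applied so an unrecognised device does not simply get the
! port's static configuration.
interface 1/1/10
    port-access device-profile mode block-until-profile-applied
```

The security-relevant caveat is that a MAC OUI match is trivially spoofable and an LLDP TLV is unauthenticated, so a device profile is a convenience for known-good endpoints, not an access control. Treat the VLAN it grants as untrusted and keep the block-until-profile-applied mode on ports that have no authentication, otherwise an unrecognised device inherits whatever the port was statically configured for.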
Is there a way to use this feature to override the port config for an already pre-configured port? For example, we currently have an AP installed that bridges traffic and the ports are trunks; we want to auto-update the ports to access once we install the new AP. Or if we already have one type of device on it and we unplug it and plug in a different one, can it switch the port over? I tested it with one device and it seems like the port configuration has higher priority than the port-access device-profile. I was wondering if there is an additional option to override whatever config is on that port.
I just tested a very similar scenario. My goal is to have a switch with all access ports preconfigured and homogeneous and have the ports be dynamically assigned the config once they see a device connect.
I have made a config where there are 2 dummy VLANs, one is "restricted" and one is "fail". I have assigned each of them to a role. I also created a "user" and an "employee" VLAN (which CPPM can assign). Then I had roles for "phone", "camera" and "AP" and gave each of them a separate named VLAN.
The workflow works like this: all ports have a RADIUS MAC authentication port-access configuration on them and have been assigned VLAN 1 by default (also a dummy VLAN). When a device connects, the switch sends a RADIUS request to CPPM, and CPPM answers with the tunnel ID of the VLAN we want to assign, which means that the client is in the MAC repository of CPPM and is a valid PC user; it gets put into the CPPM-specified VLAN and gets access to that VLAN's resources. If the user is not a valid user, then CPPM sends back a deny. The port is configured to fall into the "restricted" role and its VLAN if the RADIUS reply is a deny. If RADIUS doesn't respond, then it falls into the "fail" role by default (easier for debugging to see if RADIUS is actually responding).
After this, the profiling is applied. It checks the MAC rules to see if the device is an AP, camera or IP phone, and if the MAC address (or OUI) is specified then it applies that role and the port is reconfigured to the VLAN that is specified in the phone role.
#specify the RADIUS server
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.