Wired Intelligent Edge

 View Only
last person joined: 12 hours ago 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Expand all | Collapse all

Device Profiles Tutorial for CX switches

This thread has been viewed 234 times
  • 1.  Device Profiles Tutorial for CX switches

    EMPLOYEE
    Posted Jul 01, 2020 06:38 AM
      |   view attached

    Here is a short technote to demonstrate "Device profile" feature for CX 6200/6300/6400 switches. Device profile was a popular feature in AOS-S switch like 2930F/M and the aim of the feature is to automatically discover the key devices that are connected to the switch port using LLDP/CDP and to enable automatic configuration of the switch ports in which they are connected without the need for authentication.

     

    This technote will demo device profile feature for when an Aruba AP is connected dynamically changing switch port configuration for

    • PoE Priority
    • Trunk mode
    • Native VLAN
    • Allowed VLAN
    • QoS Trust boundary

    Hope you’ll find it useful and as always please send through your feedback for improvements.

    Attachment(s)



  • 2.  RE: Device Profiles Tutorial for CX switches

    Posted Sep 17, 2021 08:45 AM
    Hello
    doesn't work for me. Please Help

    I wannt that if the user connects a telephone with vendor oui 00940, it should be automatically moved in vlan 100 for example.
    I have configured with the Tutorial but doesn't work. The telephones always stay in native Vlan 1.
    i don't know what am I doing wrong.Please Help

    my config

    Role Profile"

    sw-arb01#
    port-access role Phone_role
    description agfeo IP Phone-group
    poe-priority high
    trust-mode dscp
    vlan trunk native 1
    vlan trunk allowed 100

    "lldp Profile"

    sw-arb01#
    port-access lldp-group Phone_group

    seq 10 match vendor-oui 000940

    "associate Role and lldp profile with Device Profile."

    sw-arb01#
    Port-access device-profile Phone_prof

    enable
    associate role Phone_role
    associate lldp-group Phone_group

    end


    sh run from Switch

    sw-arb01# sh run
    Current configuration:
    !
    !Version ArubaOS-CX PL.10.08.0001
    !export-password: default
    hostname sw-arb01
    clock timezone europe/amsterdam
    ntp server 10.10.xx.xx iburst
    ntp server pool.ntp.org minpoll 4 maxpoll 4 iburst
    ntp enable
    !
    !
    !
    !
    ssh server vrf default
    vlan 1
    vlan 100
    name Voice
    voice
    spanning-tree
    port-access lldp-group Phone_group
    seq 10 match vendor-oui 000940
    port-access role Phone_role
    description agfeo IP Phone-group
    poe-priority high
    trust-mode dscp
    vlan trunk native 1
    vlan trunk allowed 100
    port-access device-profile Phone_prof
    enable
    associate role Phone_role
    associate lldp-group Phone_group
    interface 1/1/1
    no shutdown
    vlan access 1
    interface 1/1/2
    no shutdown
    vlan trunk native 1
    vlan trunk allowed 107

    Thx and regards


    ------------------------------
    David Lawson
    ------------------------------



  • 3.  RE: Device Profiles Tutorial for CX switches

    EMPLOYEE
    Posted Sep 17, 2021 09:09 PM
    few questions to help narrow it down.
    do your phones support LLDP and is the LLDP OUI vendor correct?
    what version of firmware are you running on CX switch?
    also try the following show commands
    • sh port-access device-profile
    • sh lldp nei de
    • sh port-access device-profile interface all


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 4.  RE: Device Profiles Tutorial for CX switches

    Posted Sep 22, 2021 02:12 PM
    Hello

    please see below my answer.

    -Aruba 6100 m with os Version ArubaOS-CX PL.10.08.0001
    -Agfeo ip phone

    I want the phone to be automatically moved in the predefined vlan 100.

    I did it with lldp protokol but does not work. I did it with mac group doesn't work.
    the phone stays always in vlan 1. Please help.

    ----Configuration with lldp Proticol-----

    swicht# vlan 100
    voice

    port-access lldp-group Phone_group
    seq 10 match vendor-oui 000940

    port-access role phone_role
    description agfeo
    poe-priority high
    trust-mode dscp
    vlan access 100

    port-access device-profile Phone_prof
    enable
    associate role phone_role
    associate lldp-group Phone_group

    Telephone connected to switch, alway in Vlan1

    -----configuration with Mac group-----

    swicht# vlan 100
    voice

    mac-group mac-group1
    seq 10 match mac 00:XX:XX:XX:XX:XX

    port-access role phone_role
    description agfeo
    poe-priority high
    trust-mode dscp
    vlan access 100


    port-access device-profile profile01
    enable
    associate mac-group mac-group1
    associate role phone_role


    ----Telephone connected to switch, alway in Vlan1----

    -sh port-access device-profile

    Profile Name : profile01
    LLDP Groups :
    CDP Groups :
    MAC Groups : mac-group1
    Role : phone_role
    State : Enabled

    -sh lldp nei de
    phone is not displayed.

    # sh port-access device-profile interface all
    No device-profile clients found.

    I do not know what I'm doing wrong

    please Help me.

    my question

    i dont know if the phone support lldp protocol or not, but if not, should mac group profil work or not?


    I do not know what I'm doing wrong. please help
    Thx and regards

    ------------------------------
    David
    ------------------------------



  • 5.  RE: Device Profiles Tutorial for CX switches

    EMPLOYEE
    Posted Sep 24, 2021 06:51 AM
    looks like your phones dont support LLDP.  so the MAC group match should work
    please reach out to TAC so you can resolve this issue in timely manner.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 6.  RE: Device Profiles Tutorial for CX switches

    EMPLOYEE
    Posted Oct 20, 2023 07:28 AM

    Your phone seems to support LLDP-MED. If you want to match on the LLDP vendor OUI take care that this is not the Ethernet Vendor OUI instead it is the Vendor OUI inside an optional organizational LLDP TLV. For phones supporting the LLDP-MED extension you need to specify the organizational LLDP TLV who specified the LLDP-MED extension which was the TIA TR-41 Committee. Therefore a different vendor oui value needs to be used:

    port-access lldp-group Phone_group
       seq 10 match vendor-oui 0012bb




  • 7.  RE: Device Profiles Tutorial for CX switches

    EMPLOYEE
    Posted Oct 20, 2023 07:46 AM

    If you want to match on the Ethernet Vendor OUI you can use the device-profile mac-group feature as you described but as if you have not configured 802.1X or MAC authentication on the interface, you need to configure "port-access device-profile mode block-until-profile-applied" on the interface instead.




  • 8.  RE: Device Profiles Tutorial for CX switches

    Posted Aug 17, 2023 04:02 AM

    Is there way to use this feature to override a port config for an already pre-configured port? For example we currently have an AP installed that is bridged traffic and the ports are trunk, we want to auto-update the ports to access once we install the new AP. Or if we already have one type of device on it and we unplug it and plug in a different one, can it switch the port over? I tested it with one device and it seems like the port configuration has higher priority than the port-access device-profile. I was wondering if there is an additional option to override whatever config is on that port.




  • 9.  RE: Device Profiles Tutorial for CX switches

    Posted Oct 11, 2023 04:07 AM

    Hi!

    I just tested a very similar scenario. My goal is to have a switch with all access ports preconfigured and homogenous and have the ports be dynamically assigned the config once they see a device connect.

    I have made a config where there are 2 dummy VLAN, one is "restricted" and one is "fail". I have assigned them each to a role. I also created a "user" and "employee" vlan (which CPPM can assign). Then I had roles with "phone", "camera", "AP" and had them each separate named VLAN.

    The workflow works like this: all ports have a RADIUS MAC authentication port access configuration on them and have been assigned VLAN 1 by default (also dummy vlan). When a device connects, it sends a RADIUS request to the CPPM and CPPM answers with a tunnel ID of the vlan we want to assign, which means that the client is in the MAC repository of CPPM and is a valid PC user and gets put in to the CPPM specified VLAN and gets access  to its VLAN resources. If the user is not a valid user, then CPPM sends back a deny. Port is configured to fall into "restricted" role and its VLAN if radius reply is deny. If radius doesn't respond, then it falls into the "fail" role by default (easier for debugging to see if radius is actually responding).

    After this, the profiling is applied. It checks the mac rules to see if device is AP, Camera or ip-phone and if the mac address (or oui) is specified then it applies that role and the port is reconfigured to the vlan that is specified in the phone role.

    Example config:

    #specify the RADIUS server

    radius-server host [ip of CPPM] key plaintext [shared key]
    aaa group server radius grp-radius
        server [ip of CPPM]
     
    #specify the vlans
    vlan 1
    name default
    vlan 20
        name WIFI
    vlan 30
        name MGMT
    vlan 40
        name restricted
    vlan 50
        name fail
    vlan 60
        name guest
    vlan 70
        name employee
    vlan 80
    name user
    vlan 90
    name ipphone
    vlan 100
    name camera
     
    #specify the mac device profile groups
    mac-group aruba_ap
         seq 20 match mac-oui 80:8d:b7
     mac-group camera
         seq 20 match mac-oui [camera-oui]
     mac-group ipphone
         seq 20 match mac-oui [ipphone]
     
    port-access role fail
        vlan access 50
    port-access role restricted
        vlan access 40
    port-access role ipphone
        vlan access 90
    port-access role camera
        vlan access 100
    #using instant AP, so the vlans that the SSIDs use have to be tagged on the IAP port that is why this role is different
    port-access role aruba_ap
        vlan trunk native 20
        vlan trunk allowed 20,60,70
    #associate the device profiles with the roles
    port-access device-profile aruba_ap
        enable
        associate role aruba_ap
        associate mac-group aruba_ap
    port-access device-profile camera
        enable
        associate role camera
        associate mac-group camera
    port-access device-profile ipphone
        enable
        associate role ipphone
        associate mac-group ipphone
     
    port-access port-security enable
     
    #define the port security as mac-auth (of course you can use other methoodlike certificates, but for testing I used MAC)
    aaa authentication port-access mac-auth
        radius server-group grp-radius
        enable
    #same config on all access interfaces. Here we define the deny and fail vlans to apply if radius fails or denys.
    interface 1/1/2
        no shutdown
        vlan access 1
        aaa authentication port-access critical-role fail
        aaa authentication port-access reject-role restricted
        aaa authentication port-access mac-auth
    Of course if you have a working radius server then it would be easier to just have everything on the radius server and have it send back the AP, Phone and camera vlans too, but there are scenarios where the user management (Radius side) and network and device management (camera, AP, phone) is two different departments and legally they are not working together. For this cases you can use this config to implement two solutions at the same time. When you have opportunity to use radius for everything, then you should not use this hybrid solution but stick to centralized management. When you don't have a radius then you can use device profiling to make your life easier.
    Hope this helps.
    Br.:
    Daniel