LLDP ByPass for AP on SwitchOS >16.06

Dear Guys 

 

I'm trying to deploy APs to my network infrastructure protected by Dot1X / Clearpass.

 

The switch configuration looks as follows (example):

 

 

aaa port-access use-lldp-data
aaa port-access authenticator 3-6
aaa port-access authenticator 3 client-limit 2
aaa port-access authenticator 4 client-limit 2
aaa port-access authenticator 5 client-limit 2
aaa port-access authenticator 6 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based 3-6
aaa port-access 3 controlled-direction in
aaa port-access 3 mixed
aaa port-access 4 controlled-direction in
aaa port-access 4 mixed
aaa port-access 5 controlled-direction in
aaa port-access 5 mixed
aaa port-access 6 controlled-direction in
aaa port-access 6 mixed

device-profile name "ARUBA-AP"
untagged-vlan 930
tagged-vlan 900-903,913,933
exit
device-profile type "aruba-ap"
associate "ARUBA-AP"
enable
exit

 

As long as I connect an AP to a port-access protected port, the AP won't get online and doesn't get its device profile. If I connect the AP to an unprotected port, the device profile looks quite good and I get the AP running.

 

In SwitchOS versions before 16.06, there was a command named

 

aaa port-access lldp-bypass

 

In 16.06 and above, it isn't there anymore; I think it got deleted without any notice in the release notes.

 

My intention is that the switch doesn't get LLDP units and therefore does not configure the AP. I made a port mirror to check this, and it actually looks like LLDP from the AP does not get to the switch.

 

How would the way be with 16.06? In 16.05 and below, I got the configuration working.

 

Thanks for your help!!!

 

... sw OS version I tried is 

 

Image stamp:
/ws/swbuildm/rel_yakima_qaoff/code/build/lakes(swbuildm_rel_yakima_qaoff_rel_ya
kima)
Nov 21 2018 04:56:04
YA.16.08.0001
264
Boot Image: Primary

Boot ROM Version: YA.15.20


Accepted Solutions

Re: LLDP ByPass for AP on SwitchOS >16.06

Looking at the build number you pasted, it seems you are trying this on a 2530.

 

This switch model does not support the function you are looking for.

It's supported on 2540 and upwards and is still there in the most recent version of AOS-S.

 

For example, 16.10 command index guide of the 2540:

https://support.hpe.com/hpesc/public/docDisplay?docId=a00091317en_us
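
An added example, not part of the original thread or of Aruba's tooling: a small audit of a saved switch configuration that reports, for each port with 802.1X or MAC authentication, whether an AP must authenticate first or the port is listed for `lldp-bypass`. The port-list argument on the `lldp-bypass` line, the numeric-only port names, and the rule that bypass only counts when the `aruba-ap` device-profile type is enabled are assumptions.

```python
import re

# Lines taken from the question; the lldp-bypass line is constructed and
# its port-list argument is an assumption (the page shows the bare command).
SAMPLE_CONFIG = """\
aaa port-access use-lldp-data
aaa port-access authenticator 3-6
aaa port-access authenticator 3 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based 3-6
aaa port-access 3 mixed
aaa port-access lldp-bypass 5-6
device-profile type "aruba-ap"
   associate "ARUBA-AP"
   enable
   exit
"""

PORT_CMD = re.compile(r"aaa port-access (authenticator|mac-based|lldp-bypass) "
                      r"(\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*)$")


def expand_ports(spec):
    """Expand a numeric port list such as '3-6,9' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def audit(config):
    """Map each authenticated port to 'lldp-bypass' or 'auth-required'."""
    auth, bypass, in_ap_type, ap_enabled = set(), set(), False, False
    for line in map(str.strip, config.splitlines()):
        match = PORT_CMD.match(line)
        if match:
            target = bypass if match.group(1) == "lldp-bypass" else auth
            target.update(expand_ports(match.group(2)))
        elif line.startswith("device-profile ") or line == "exit":
            in_ap_type = line == 'device-profile type "aruba-ap"'
        elif in_ap_type and line == "enable":
            ap_enabled = True
    return {port: "lldp-bypass" if ap_enabled and port in bypass
            else "auth-required" for port in sorted(auth)}


if __name__ == "__main__":
    for port, status in audit(SAMPLE_CONFIG).items():
        print(f"port {port}: {status}")
```

Ports reported as `lldp-bypass` are the ones to review when deciding where unauthenticated APs may be plugged in.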



All Replies

Re: LLDP ByPass for AP on SwitchOS >16.06

Duplicate post created by airheads


Re: LLDP ByPass for AP on SwitchOS >16.06

That was it, 1000 thanks!

Re: LLDP ByPass for AP on SwitchOS >16.06

 
I got really good information from this content. Thanks for sharing.
