Wired Intelligent Edge (Campus Switching and Routing)

Frequent Contributor II

CPPM Wired Policy Enforcement: PoE bounce

I've noticed that some devices that are PoE-powered do not honor the bounce port CoA from CPPM in the following way. The HPE-Port-Bounce-Host message does indeed disable the port. However, some PoE devices will not try to renew their IP if they keep power but link drops. Most devices, I have found, handle the port drop gracefully and the CoA goes off without a hitch. However, devices such as some phones will not try to renew their IP and just stay up with an IP in the old VLAN.

Example: 
1. Phone powers up on default VLAN 20.

2. CPPM profiles device, assigns VLAN 50, bounces port.

3. Phone stays powered up, but does not renew IP regardless of port admin status.

    a. As a consequence, it has a VLAN 20 IP, but port is untagging packets for VLAN 50.

4. Bounce power on port, and phone comes up as it should in the correct VLAN 50. (because it's already profiled)

 

Is there a way to handle this scenario gracefully? Should we lean on the manufacturer of the endpoint? Can Aruba develop a RADIUS VSA to drop power on a port?

ACEP, ACSP, ACCX #1239
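An added example, not part of the original post: one way to spot endpoints left in the state described in step 3a is to compare the VLAN that policy assigned to a port with the subnet of the IP address the endpoint is still using. The subnets, MAC addresses and records below are constructed for illustration; the thread only names VLANs 20 and 50.

```python
import ipaddress

# Constructed VLAN-to-subnet map (assumption: the thread gives only the VLAN IDs).
VLAN_SUBNETS = {
    20: ipaddress.ip_network("10.0.20.0/24"),
    50: ipaddress.ip_network("10.0.50.0/24"),
}

# Constructed sample records:
# (switch port, MAC, VLAN assigned by policy, IP the endpoint is currently using)
SAMPLE_ENDPOINTS = [
    ("1", "00:11:22:33:44:01", 50, "10.0.20.37"),   # kept its VLAN 20 lease after the bounce
    ("2", "00:11:22:33:44:02", 50, "10.0.50.12"),   # renewed correctly
    ("3", "00:11:22:33:44:03", 20, "10.0.20.40"),   # still on the default VLAN, consistent
    ("4", "00:11:22:33:44:04", 50, "169.254.7.9"),  # address outside every known VLAN subnet
]


def find_stale_endpoints(endpoints, vlan_subnets):
    """Return endpoints whose IP does not belong to the subnet of their assigned VLAN."""
    stale = []
    for port, mac, vlan, ip in endpoints:
        expected = vlan_subnets.get(vlan)
        if expected is None:
            continue  # no subnet known for this VLAN, nothing to compare against
        addr = ipaddress.ip_address(ip)
        if addr in expected:
            continue  # address matches the assigned VLAN
        # Work out which known VLAN the address came from, if any.
        origin = next((v for v, net in vlan_subnets.items() if addr in net), None)
        stale.append({
            "port": port,
            "mac": mac,
            "assigned_vlan": vlan,
            "ip": ip,
            "ip_vlan": origin,  # None when the address matches no known subnet
        })
    return stale


if __name__ == "__main__":
    for entry in find_stale_endpoints(SAMPLE_ENDPOINTS, VLAN_SUBNETS):
        print("port {port}: {mac} assigned VLAN {assigned_vlan} "
              "but using {ip} (VLAN {ip_vlan})".format(**entry))
```
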
Moderator

Re: CPPM Wired Policy Enforcement: PoE bounce

There is no way to drop power via a RADIUS response.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Frequent Contributor II

Re: CPPM Wired Policy Enforcement: PoE bounce

Thanks, Tim.

 

I'm assuming you mean currently?

Is it a possibility to add this feature?

 

I'm curious if there is a workaround besides waiting it out. Dynamic Seg. is an impossible sell, otherwise.

Moderator

Re: CPPM Wired Policy Enforcement: PoE bounce

Currently. You’d need to reach out to your Aruba account team about roadmap.


MVP Guru Elite

Re: CPPM Wired Policy Enforcement: PoE bounce

It will not be possible using the API of the switch (and reset PoE?)



PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)

PowerArubaIAP: Powershell Module to use Aruba Instant AP

PowerArubaMC: Powershell Module to use Mobility Controller / Master


ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP
Frequent Contributor II

Re: CPPM Wired Policy Enforcement: PoE bounce

ClearPass cannot store the cookie required for the login and subsequent commands as far as I can tell.

 

Another hurdle is the fact that cycling the power is a multiple step (cmd) process, (conf t, int 1, no power, <WAIT>, power) as shown below.

If there was a one-step API call for this, it would help. However, I don't think this is the correct route moving forward. There should be a RADIUS VSA for this. Similar to HP-Bounce-Port, except HP-Bounce-POE.

 

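import logging
import time

# `common` is the helper module from the poster's script that provides anycli();
# its import is not shown in the post.


def poe_recycle(baseurl, cookie_header, port):
    """
    Bounce power on any given port on switch
    :param baseurl: imported baseurl variable
    :param cookie_header: Parse cookie resulting from successful loginOS.login_os(baseurl)
    :param port: port to power-cycle
    :return: Disable and enable POE on any given port. Print the status on screen
    """
    logging.info("Starting Power recycle for Port {}".format(port))
    # Enter configuration mode, then the interface context for the port.
    cmd = "configure terminal"
    common.anycli(baseurl, cmd, cookie_header)
    cmd = "interface " + port
    common.anycli(baseurl, cmd, cookie_header)
    # Remove PoE from the port.
    cmd = "no power-over-ethernet"
    common.anycli(baseurl, cmd, cookie_header)
    logging.info("Power disabled for Port {}".format(port))
    # <WAIT> step from the sequence above; 5 seconds is an assumed value.
    time.sleep(5)
    # Restore PoE on the port.
    cmd = "power-over-ethernet"
    common.anycli(baseurl, cmd, cookie_header)
    logging.info("Power enabled for Port {}".format(port))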
MVP Guru Elite

Re: CPPM Wired Policy Enforcement: PoE bounce

There is an API call to reset PoE:

/poe/ports/X/reset



Moderator

Re: CPPM Wired Policy Enforcement: PoE bounce

Unfortunately the switch’s REST API is nonstandard from an authN and authZ standpoint so there is no way for CPPM to make an API call to the switch.

