Aruba CX switches support a feature called “Device Profiles” which is used to dynamically assign interface attributes based on the type of device connected to the port, without using a RADIUS server. This is useful when an administrator needs to give certain types of device different settings, such as VLAN or QoS policy, and it simplifies switchport configuration because every switchport can be configured identically.
Device profile information:
- Device profiles can match criteria such as the device MAC address or attributes learnt from LLDP or CDP. Criteria are matched in the order LLDP, CDP and then local MAC address (LLDP has the highest priority and MAC address the lowest).
- The Role defines the settings to be applied to the port such as VLAN (number or name), QoS trust mode, PoE priority, Ingress User Policy (class ACL) etc.
- The Device Profile associates the criteria method (CDP, LLDP or MAC address) and role.
- The block-until-profile-applied mode must be configured under the interface.
Configuration
In this scenario an Aruba CX 6300 running firmware version 10.10.1030 is configured to automatically assign unique device profiles for Aruba Access Points and Cisco IP Phones and apply different settings.
VLANs
Three VLANs are created for Data (Users/Machines), Wireless Users and Voice (IP Phones).
vlan 11
    name Data
vlan 12
    name Wireless
vlan 13
    name Voice
    voice
Matching
A MAC group (mac-group) is configured to match on MAC address, MAC mask or MAC OUI. In this example the MAC OUI of Aruba Networks is used: any Aruba AP with a MAC address starting with e4:d3:f1 will match this rule. Up to 64 MAC rules can be defined per group.
mac-group AP-MAC
    seq 10 match mac-oui e4:d3:f1
A CDP group (cdp-group) is configured to determine whether the CDP information of the connected device contains the hardware platform that matches “Phone”. The CDP group can utilise CDP information such as platform, sw-version and voice-vlan-query.
port-access cdp-group IP-PHONE
    seq 10 match platform Phone
To determine the CDP information to use when creating the cdp-group, run the command show cdp neighbor-info <ifname>.
6300# show cdp neighbor-info 1/1/46

Local Port          : 1/1/46
MAC                 : ac:f5:e6:7a:XX:XX
Device ID           : SEPACF5E67A6AXX
Address             : 192.168.10.116
Platform            : Cisco IP Phone 8851
Duplex              : full
Version             : sip88xx.11-1-1MSR2-1.loads
Capability          : host,phone,two_port_mac_relay
Voice VLAN Support  : Yes
Neighbor Port-ID    : Port 1
Roles
The roles contain the device-specific settings you wish to apply to the interface.
Create a role for IP Phones that explicitly assigns the VLAN called “Voice”; the VLAN number (in this instance 13) could be used instead of the name.
port-access role IP-PHONE-ROLE
    description IP Phone
    stp-admin-edge-port
    vlan access name Voice
For the wireless access point an Aruba Instant AP is used, where wireless user traffic is bridged locally and therefore requires a trunk port on the switch. The AP itself will be placed in the native VLAN 11 and the wireless users will use VLAN 12.
port-access role WIRELESS-AP-ROLE
    description Wireless AP
    stp-admin-edge-port
    vlan trunk native 11
    vlan trunk allowed 11,12
Default Role
A default role is required for devices that do not match the criteria of either an Aruba AP or a Cisco IP Phone, i.e. where no other explicit role exists or no role can be derived for that device. In this example we shall configure a default role called DEFAULT-ROLE and apply an ACL (class) to permit a limited set of services.
A class is configured which matches on port/protocol.
class ip DHCP
    10 match udp any any eq dhcp-server
class ip DNS
    10 match udp any any eq dns
class ip WEB-SERVICES
    10 match tcp any any eq http
    20 match tcp any any eq https
    30 match tcp any any eq ftp
A port-access policy called DEFAULT-POLICY is created to reference the classes.
port-access policy DEFAULT-POLICY
    10 class ip DNS
    20 class ip DHCP
    30 class ip WEB-SERVICES
A port-access role is created, the VLAN is configured, and the DEFAULT-POLICY is associated with the role.
port-access role DEFAULT-ROLE
    description User Port
    stp-admin-edge-port
    vlan access 11
    associate policy DEFAULT-POLICY
Device Profiles
The device profile ties together the match criteria of the device and the associated role.
port-access device-profile WIRELESS-AP-PROFILE
    enable
    associate role WIRELESS-AP-ROLE
    associate mac-group AP-MAC
!
port-access device-profile IP-PHONE-PROFILE
    enable
    associate role IP-PHONE-ROLE
    associate cdp-group IP-PHONE
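The following is an added example, not code from the page or from Aruba: a small Python simulation of the match order described above (LLDP, then CDP, then MAC OUI, then the fallback role), using the group names, role names and the show cdp neighbor-info output from this page. The sample endpoints, the MAC addresses other than the e4:d3:f1 OUI, and the LLDP "system description" key are constructed for illustration; the switch's real matching code is not public and this only models the documented precedence.

```python
"""Simulate AOS-CX device-profile selection: LLDP > CDP > MAC, else fallback.

Added example (not switch code). Profile/role/group names and the CDP output
come from the page; endpoints and the LLDP key are constructed assumptions.
"""
from dataclasses import dataclass, field

# Copy of the page's "show cdp neighbor-info 1/1/46" output, used as sample input.
CDP_OUTPUT = """\
6300# show cdp neighbor-info 1/1/46
Local Port          : 1/1/46
MAC                 : ac:f5:e6:7a:XX:XX
Device ID           : SEPACF5E67A6AXX
Address             : 192.168.10.116
Platform            : Cisco IP Phone 8851
Duplex              : full
Version             : sip88xx.11-1-1MSR2-1.loads
Capability          : host,phone,two_port_mac_relay
Voice VLAN Support  : Yes
Neighbor Port-ID    : Port 1
"""


def parse_cdp_neighbor_info(text: str) -> dict:
    """Turn the 'Key : Value' lines of show cdp neighbor-info into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # only the attribute lines contain a colon
            info[key.strip().lower()] = value.strip()
    return info


@dataclass
class Endpoint:
    mac: str                                   # e.g. "e4:d3:f1:12:34:56"
    cdp: dict = field(default_factory=dict)    # parsed CDP attributes, if any
    lldp: dict = field(default_factory=dict)   # parsed LLDP attributes, if any


@dataclass
class DeviceProfile:
    name: str
    role: str
    mac_ouis: tuple = ()        # mac-group "match mac-oui" entries
    cdp_platform: str = ""      # cdp-group "match platform" substring
    lldp_sys_desc: str = ""     # lldp-group substring (none configured on the page)
    enabled: bool = True        # the "enable" keyword under the profile


# Profiles exactly as configured on the page.
PROFILES = [
    DeviceProfile("WIRELESS-AP-PROFILE", "WIRELESS-AP-ROLE", mac_ouis=("e4:d3:f1",)),
    DeviceProfile("IP-PHONE-PROFILE", "IP-PHONE-ROLE", cdp_platform="Phone"),
]
FALLBACK_ROLE = "DEFAULT-ROLE"   # port-access fallback-role DEFAULT-ROLE

# Documented precedence: LLDP first, then CDP, then local MAC address.
MATCH_ORDER = ("lldp", "cdp", "mac")


def profile_matches(profile: DeviceProfile, ep: Endpoint, method: str) -> bool:
    """Evaluate one criteria method of a profile against an endpoint."""
    if method == "lldp":
        # "system description" key is an assumption; page configures no lldp-group.
        return bool(profile.lldp_sys_desc) and \
            profile.lldp_sys_desc in ep.lldp.get("system description", "")
    if method == "cdp":
        # "match platform Phone" is a substring match on the CDP Platform field.
        return bool(profile.cdp_platform) and \
            profile.cdp_platform in ep.cdp.get("platform", "")
    if method == "mac":
        # mac-oui matches the first three octets, case-insensitively.
        return ep.mac.lower().startswith(tuple(o.lower() for o in profile.mac_ouis))
    return False


def select_role(ep: Endpoint, profiles=PROFILES, fallback=FALLBACK_ROLE) -> tuple:
    """Return (profile name or None, role, method) for the first match in order."""
    for method in MATCH_ORDER:
        for p in profiles:
            if p.enabled and profile_matches(p, ep, method):
                return p.name, p.role, method
    return None, fallback, "fallback"


def classify_sample_endpoints() -> dict:
    """Constructed endpoints modelled on ports 1/1/42, 1/1/44 and 1/1/46."""
    phone_cdp = parse_cdp_neighbor_info(CDP_OUTPUT)
    samples = {
        "phone_1_1_46": Endpoint("ac:f5:e6:7a:00:01", cdp=phone_cdp),
        "ap_1_1_44": Endpoint("e4:d3:f1:12:34:56"),
        "pc_1_1_42": Endpoint("00:11:22:33:44:55"),
        # Satisfies both the OUI and the CDP rule: CDP outranks MAC, so phone role wins.
        "both_criteria": Endpoint("e4:d3:f1:aa:bb:cc", cdp=phone_cdp),
    }
    return {name: select_role(ep) for name, ep in samples.items()}


if __name__ == "__main__":
    for name, (profile, role, method) in classify_sample_endpoints().items():
        print(f"{name:14s} -> {role:17s} via {method} ({profile})")
```

The fourth sample endpoint shows why the order matters: when more than one criterion is satisfied, the higher-priority method decides the role, and the MAC OUI, which carries the least information about the device, is consulted last. When reviewing a deployment, check the role each port actually received with show port-access clients rather than assuming the OUI rule fired.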
Interfaces
The edge interfaces only require basic configuration to enable device profiles: the command port-access device-profile mode block-until-profile-applied must be configured, and the default role must be defined using the command port-access fallback-role <ROLE>. Although VLAN 1 is configured on the interface, it will be overridden by the VLAN defined in the role that is dynamically applied to the interface.
interface 1/1/1-1/1/48
    no shutdown
    no routing
    vlan access 1
    port-access fallback-role DEFAULT-ROLE
    port-access device-profile mode block-until-profile-applied
Verification
An Aruba Access Point, a Cisco IP Phone and another device are connected to the switch; run the command show port-access clients. From the output below we can confirm the device on 1/1/42 has been assigned the DEFAULT-ROLE, because it is neither a Cisco IP Phone nor an Aruba AP. The Aruba AP on 1/1/44 has been dynamically assigned the WIRELESS-AP-ROLE and the Cisco IP Phone on 1/1/46 has been dynamically assigned the IP-PHONE-ROLE.
Run the command show interface 1/1/44 to confirm the basic interface configuration.
Run the command show port-access client interface 1/1/44 detail. From the output below we can confirm settings are dynamically applied to the interface as per the role WIRELESS-AP-ROLE. We can determine the Native VLAN is 11, with VLANs 11 and 12 allowed on the trunk.
Running the command show interface 1/1/44 will also confirm the VLAN configuration applied.
To confirm the settings applied to the IP Phone run show port-access client interface 1/1/46 detail. From the output below, we can confirm the device profile IP-PHONE-PROFILE and the correct settings have been applied to the connected endpoint.
Finally, run the command show port-access clients interface 1/1/42 detail. From the output below we can determine that the connected endpoint matched the fallback role, as the device is neither a Cisco IP Phone nor an Aruba AP, so the DEFAULT-ROLE is applied. We can also see that the access VLAN is 11 and the policy DEFAULT-POLICY has been applied to the interface; the output also confirms the details of the class.
Summary
Device Profiles can be very useful in a non-NAC (RADIUS) environment. Once the device profiles have been defined, the configuration can be deployed across the Aruba CX switching infrastructure to reliably apply interface settings depending on the device connected to the switchport.