Configuring Wired Port Profiles on Instant APs

If the wired clients must be supported on the Instant Access Points (IAPs), configure wired port profiles and assign these profiles to the ports of an IAP.

The wired ports of an IAP allow third-party devices such as VoIPVoice over IP. VoIP allows transmission of voice and multimedia content over an IP network. phones or printers (which support only wired port connections) to connect to the wireless network. You can also configure an ACLAccess Control List. ACL is a common way of restricting certain types of traffic on a physical port. for additional security on the EthernetEthernet is a network protocol for data transmission over LAN. downlink.

To configure wired port profiles on IAP, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click Show Advanced.
5. Click the Interfaces tab.

   The Interfaces page is displayed.

6. Click the Wired accordion.
7. To create a new wired port profile, click +Add Port Profile.

   The Create a New Network pane is displayed.

Complete the configuration for each of the tabs in the Create a New Network page as described in the below sections:

Configuring General Network Profile Settings

To configure general network profile settings, complete the following steps in the General tab:

1. Under General, enter the following information:

   1. Name—Enter a name.
   2. ports—Select port(s) form the drop-down list.

2. Under Advanced Settings section, configure the following parameters:

   1. Speed/Duplex—Select the appropriate value from the Speed and Duplex drop-down list. Contact your network administrator if you need to assign speed and duplex parameters.
   2. Port Bonding—Turn on the Port Bonding toggle switch to enable port bonding.
   3. Power over Ethernet—Turn on the Power over Ethernet toggle switch to enable PoEPower over Ethernet. PoE is a technology for wired Ethernet LANs to carry electric power required for the device in the data cables. The IEEE 802.3af PoE standard provides up to 15.4 W of power on each port..
   4. Admin Status—The Admin Status indicates if the port is up or down.
   5. Content Filtering—Turn on the Content Filtering toggle switch to ensure that all DNSDomain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. requests to non-corporate domains on this wired port network are sent to OpenDNS.
   6. Uplink—Turn on the toggle switch to configure uplink on this wired port profile. If the Uplink toggle switch is turned on and this network profile is assigned to a specific port, the port is enabled as an uplink port.
   7. Spanning Tree—Turn on the toggle switch to enable STPSpanning Tree Protocol. STP is a network protocol that builds a logical loop-free topology for Ethernet networks. on the wired port profile. STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports, regardless of forwarding mode. STP does not operate on uplink ports and is supported only on IAPs with three or more ports. By default, STP is disabled on wired port profiles.
   8. Inactivity Timeout—Enter the time duration after which an inactive user needs to be disabled from the network. The user must undergo the authentication process to re-join the network.
   9. 802.3az—Turn on the toggle switch to enable, to support 802.3az Energy Efficient Ethernet (EEE) standard on the device. This option allows the device to consume less power during periods of low data activity. This setting can be enabled for provisioned APs or AP groups through the wired port network. If this feature is enabled for an AP group, APs in the group that do not support 802.3.az ignore this setting. This option is available for IAPs that support a minimum of Aruba Instant 8.4.0.0 firmware version.
   10. Deny Intra VLAN Traffic—Turn on the toggle switch to disable intra VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. traffic. It enables the client isolation and disable all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client to gateway traffic from clients to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities.

3. Click Next.

   The VLANs details page is displayed.

Configuring VLAN Network Profile Settings

To configure VLAN settings, complete the following steps in the VLANs tab:

1. Mode—Specify any of the following modes:
   • Access—Select this mode to allow the port to carry a single VLAN specified as the native VLAN. If the Access mode is selected, perform one of the following options:
     • If the Client IP Assignment is set to Virtual Controller Assigned, proceed to step 6.
     • If the Client IP Assignment is set to Network Assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode.
   • Trunk—Select this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs. If the Trunk mode is selected:
   • Specify the Allowed VLAN, enter a list of comma separated digits or ranges, for example 1, 2, 5, or 1-4, or all. The Allowed VLAN refers to the VLANs carried by the port in Access mode.
   • If the Client IP Assignment is set to Network Assigned, specify a value for Native VLAN. A VLAN that does not have a VLAN ID tag in the frames is referred to as Native VLAN. You can specify a value within the range of 1-4093.
2. Client IP Assignment—specify any of the following values:
   • Instant AP Assigned—Select this option to allow the virtual controller to assign IP addresses to the wired clients. When the virtual controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The virtual controller can also assign a guest VLAN to a wired client. In the Client VLAN Assignment section, select Default when the client VLAN must be assigned to the native VLAN on the network. Select Custom to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. Click the Show Named VLANs section to view all the named VLANs mapped to VLAN ID. Click +Add Named VLAN and enter the VLAN Name and VLAN ID that is required to be mapped. Clicking OK populates the named VLAN in the VLAN Name to VLAN ID Mapping table.
   • External DHCP server Assigned—Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.
3. Click Next.

   The Security details page is displayed.

Configuring Security Settings

To configure security-specific settings, complete the following steps in the Security tab:

1. On the Security pane, select the following security options as per your requirement:

   • 802.1X Authentication—Set the toggle button to enable 802.1X Authentication. Configure the basic parameters such as the authentication server, and MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. Authentication Fail-Through. Select any of the following options for authentication server:
   • New—On selecting this option, an external RADIUSRemote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server must be configured to authenticate the users. For information on configuring an external server, see Configuring External Authentication Servers for APs.
   • Internal Server—If an internal server is selected, add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users.
   • Load Balancing—Set the toggle button to enable, if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Authentication Servers.
   • MAC Authentication—To enable MAC authentication, enable the toggle button. The MAC authentication is disabled by default.
   • Captive Portal—Set the toggle button to enable captive portalA captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication. For more information on configuring security on captive portal, see Configuring Wired Networks for Guest Users on IAPs.
   • Open—Set the toggle button to enable, to set security for open network.
2. Enable the Port Type Trusted option to connect uplink and downlink to a trusted port only.

3. In the Primary Server field, perform one of the following steps:

   • Internal Server—To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users. To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs.
   • Secondary Server—To add another server for authentication, configure another authentication server.
   • Authentication Survivability—If an external server is configured for authentication, you can enable authentication survivability. Specify a value in hours for Cache Timeout to set the duration after which the authenticated credentials in the cache expires. When the cache expires, the clients are required to authenticate again. You can specify a value within range of 1 to 99 hours. and the default value is 24 hours. By default, authentication survivability is disabled.
   • Load Balancing—Set the toggle button to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Authentication Servers.
4. MAC Authentication Fail-Thru—Set the toggle button to enable, to attempt 802.1X802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication is attempted when the MAC authentication fails.

5. Under the Advance Settings section, configure the following options:

   • Use IP for Calling Station ID—Set the toggle button to enable, to configure client IP address as calling station ID.
   • Called Station ID Type—Select one of the following options:
   • Access Point Group—Uses the VC ID as the called station ID.
   • Access Point Name—Uses the host name of the IAP as the called station ID.
   • VLAN ID—Uses the VLAN ID of as the called station ID.
   • IP Address—Uses the IP address of the IAP as the called station ID.
   • MAC address—Uses the MAC address of the IAP as the called station ID.

   The Called Station ID Type detail can be configured even if the Use IP for Calling Station ID is set to disabled.

   • Reauth Interval—Specify the interval at which all associated and authenticated clients must be re-authenticated.

6. Click Next.

   The Access pane is displayed.

Configuring Access Settings

To configure access-specific settings, complete the following steps:

1. In the Access tab, turn on the Downloadable Role toggle switch to allow downloading of pre-existing user roles. or more information, see Configuring Downloadable Roles.

   • The Downloadable Role feature is optional. The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPassClearPass is an access management system for creating and enforcing policies across a network to all devices and applications. The ClearPass integrated platform includes applications such as Policy Manager, Guest, Onboard, OnGuard, Insight, Profile, QuickConnect, and so on. server version 6.7.8.
   • At least one radius server must be configured to apply the Downloadable Role feature. For more information on configuring radius server, see Authentication Servers for IAPs

2. Click the action corresponding to the server.

   The Edit Server page is displayed.

   The Edit Server page displays the radius server name. The Name field is non-editable.

3. Enter the CPPM username along with the CPPM authentication credentials for the radius server.
4. Click Ok.

5. Under Access Rules, configure the following access rule parameters:

   1. Select any of the following types of access control:

      • Role-based—Allows the users to obtain access based on the roles assigned to them.
      • Unrestricted—Allows the users to obtain unrestricted access on the port.
      • Network-based—Allows the users to be authenticated based on access rules specified for a network.

   2. If the Role-based access control is selected:

      Under Role, select an existing role for which you want to apply the access rules, or click New and add the required role. To add a new access rule, click Add Rule under Access Rules For Selected Roles.

   The default role with the same name as the network is automatically defined for each network. The default roles cannot be modified or deleted.

   Configure role assignment rules. To add a new role assignment rule, click New under Role Assignment Rules. Under New Role Assignment Rule:

   1. Select an attribute.

   2. Specify an operator condition.

   3. Select a role.

   4. Click Save.

6. Click Finish to create the wired port profile successfully.

Configuring Network Port Profile Assignment

To map the wired port profile to ethernet ports, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click Show Advanced.
5. Click the Interfaces tab.

   The Interfaces page is displayed.

6. Click the Wired accordion.

   The Wired Port Profiles page is displayed.

7. In the Port Profiles Assignments section, assign wired port profiles to Ethernet ports:
   1. Select a profile from the Ethernet 0/0drop down list.
   2. Select the profile from the Ethernet 0/1 drop down list.
   3. If the IAP supports Ethernet 2, Ethernet 3 and Ethernet 4 ports, assign profiles to these ports by selecting a profile from the Ethernet 0/2, Ethernet 0/3, and Ethernet 0/4 drop-down list respectively.
8. Click Save Settings.

Viewing Wired Port Profile Summary

In the Summary tab, the Network Summary page displays all the settings configured in the General, VLANs, Security, and Access tabs.

Click Save Settings to complete the network profile creation and save the settings.