19-Feb-26

Small Campus Wired Connectivity

This chapter describes the element profiles required to build the aggregation and access switch configuration and the implementation procedure. In this guide, collapsed core and aggregation are used interchangeably to describe the same set of switches.

The wired architecture implements Multiple Spanning Tree Protocol and Link Aggregation Groups to ensure a redundant, loop-free topology with high-bandwidth uplinks. Access ports are standardized using 802.1X user authentication with support for seamless onboarding of wireless access points. Security is fortified at the access layer using DHCP Snooping and Dynamic ARP Inspection.

Element Profile Summary

This table summarizes the Element Profiles configured on the small campus wired switches and their scope of application.

| Profile Name | Central Profile Path | Type/Scope | Device Function | Primary Purpose |
|---|---|---|---|---|
| SC-AG-STP | VLANs & Networks > STP | Site | Aggregation Switch | Configure MSTP priority on aggregation VSF stack. |
| SC-DHCP-SNOOPING | Network Services > DHCP Snooping | Site | Access Switch | Enable security against rogue DHCP servers. |
| EMPLOYEE-WIRED | VLANs & Networks > VLANs | Site | Aggregation Switch, Access Switch | Create required Layer 2 VLANs. |
| EMPLOYEE-WLAN | | | | |
| IOT | | | | |
| GUEST | | | | |
| REJECT-AUTH | | | | |
| CRITICAL-AUTH | | | | |
| BLACKHOLE | | | | |
| SC-AGG-SYSTEM | System > Switch System | Site | Aggregation Switch | Configure common global switch parameters. |
| SC-ACC-SYSTEM | | | Access Switch | |
| ENABLE-COA | Security > Authentication Server Global | Global / Site | Access Switch | Enable CoA dynamic authorization on switches. |
| ARUBA-AP-ID | Interfaces > Device Identity | Global | Access Switch | Define LLDP parameters used to identify Aruba APs. |
| ACCESS-DOT1X-MAC | Security > AAA Authentication | Device | Access Switch | Define 802.1X and MAC authentication parameters on access ports. |
| AG1-LAG-TO-AC1 | Interfaces > Port Profile (Aggregation) | Site | Aggregation Switch | Configure downlink port settings from aggregation switches to access switches. |
| AG1-LAG-TO-AC2 | | | | |
| | Interfaces > Switch Interface Configuration (Aggregation) | Device | | Manual uplink configuration from aggregation switches to WAN gateways, and apply port profiles on aggregation downlinks to access switches. |
| AC-LAG-TO-AG | Interfaces > Port Profile (Access) | Site | Access Switch | Configure uplink port settings from access switches to aggregation switches. |
| SC-ACCESS | Interfaces > Port Profile (Access) | Site | Access Switch | Configure colorless ports parameters for authentication and loop protection. |
| SC-ACCESS-MEMBER | Interfaces > Interface Profile | Site | Access Switch | Assign port profiles to port numbers. |
| SC-ACCESS-STACK | Interfaces > Interface Profile | Site | Access Switch | Assign member interface profiles to VSF stack IDs. |

Entering Configuration Mode

In the upper right corner of the Central web application, click the Configuration gear icon.

Configuration Gear

Several Central contexts do not allow direct navigation into the configuration context, including Central’s Menu context that provides access to Central’s Audit Trail. The Audit Trail is often used in the configuration process, as it provides logs on profile configuration changes and the status of configuration pushes to devices. After selecting Central’s Menu context, the Configuration gear is not available for selection.

Central's Menu icon and context

To return to the Configuration context after navigating to a context that does not display the Configuration gear icon, first click on the Home button in the upper left of the Central web application, and then click on the Configuration gear.

Central Home button

The following procedures assume the reader is in the Configuration context and do not explicitly include steps for entering the configuration context.

Configure Multiple Spanning Tree Protocol (MSTP)

When a loop is introduced into a network, it causes catastrophic disruption to network services. MSTP is enabled to automate blocking loops.

MSTP is useful during the bring-up process to block loops that exist prior to configuring link aggregation bundles that logically remove loops between switches. After the topology setup is complete, MSTP blocks loops introduced by network users and prevents the unintentional introduction of loops between network components due to operator error.

It is best practice to configure STP priority such that a pre-determined VSX pair or VSF stack of switches operates as the known STP root of a spanning-tree domain.

Spanning-Tree Summary for Small Campus

When a switch is onboarded, Central automatically imports some switch configuration, including STP configuration. Imported configurations are defined in device-level profiles. To gain the benefit of standardizing configuration across multiple switches with a global or site scoped STP profile, the imported device-level profiles must first be deleted. Applying a single STP profile for all access switches reduces errors and ensures a consistent configuration.

After deleting device scoped STP profiles, Central applies the STP defaults profile to all access, aggregation, and core CX switches, which enables MSTP and sets the STP priority to 8. This profile is inherited from the global scope. A new profile must be applied to aggregation switches with a better STP priority to ensure they become the root of the STP tree.

Delete Auto-Created STP Profiles

The following procedure deletes the automatically created STP device profiles based on auto-imported device values.

Step 1 On the left-hand Configuration menu, click Devices.

Configuration Menu

Step 2 In the Search field, enter SC-AG to filter the devices, then click SC-AG1.

Device List filtered by search text

Step 3 In the VLANs & Networks card, click STP.

VLANs & Networks Card

Step 4 To delete the profile, hover over the device-level STP profile, then click the trash can icon.

Imported STP Profile

Note: Device-level imported profiles use the following naming convention: profile-<device serial number>.

Step 5 On the Delete Profile confirmation dialogue box, click Delete.

Delete Profile dialogue box

Step 6 A new, inherited STP profile is displayed for the device. Verify the following values for the profile:

  • Name: STP defaults
  • Inherits From: Global

Default STP Profile in profile list

Note: If the new profile is not immediately displayed, refresh the browser.

Step 7 Repeat steps 1-6 for each switch or switch stack.

After completing this procedure, all switches and switch stacks inherit the STP defaults profile.

Set Aggregation Switches as STP Root

The following procedure creates a new STP profile with a better STP priority than the default profile. It is then applied to the aggregation VSF stack to ensure it becomes the STP root.

Step 1 On the left-hand Configuration menu, click Library.

Configuration Menu

Step 2 On the VLANs & Networks card, click STP.

VLANs & Networks Card

Step 3 Click Create Profile.

Create Profile Button

Step 4 Enter the following non-default values on the profile and click Create.

  • Name: SC-AGG-STP
  • Default Instance Priority: 4

STP Profile

Step 5 Hover over the new profile and click the ••• context menu icon.

context menu display

Step 6 On the context menu, click Assign.

context menu options

Step 7 On the Assign Profile page, check Aggregation Switch.

Device Function List

Step 8 To the right of the Scopes heading, click the plus sign (+).

Step 9 On the Add Scope page, select the following values and click Add.

  • Scope Level: Sites
  • Assign to Scope: SMALL-CAMPUS-SITE

Add Scope dialogue box

Step 10 Click Assign.

Completed Assign Profile dialogue box

Configure VLANs

Enable DHCP Snooping

DHCP snooping must be enabled globally on a switch and individually for each VLAN. The DHCP Snooping profile enables DHCP snooping globally on the switch and contains the list of trusted DHCP servers. Individual VLAN settings are configured when creating VLAN profiles.

When using centralized DHCP services, the list of DHCP servers is typically only two or three entries. However, many small campuses implement DHCP on the WAN gateway device, which typically uses a different DHCP server IP for each VLAN. When using this method, it is important to enter the full list of DHCP server IPs to ensure clients can receive a DHCP lease.

Profile Path: Network Services > DHCP Snooping
Device Functions: Access Switch
Scope: Site : SMALL-CAMPUS-SITE

Configure the following non-default values:

  • Profile Name: SC-DHCP-SNOOPING
  • Check Enable DHCP V4 Snooping
  • In the Add Trusted Server dialogue box, enter the following settings:
    • a comma delimited IP address list of trusted DHCP servers in the IPv4 Address field
    • VRF: default

Add trusted DHCP server dialogue box

The full DHCP Snooping profile is shown below:

DHCP Snooping profile

Create VLANs

VLANs provide network segmentation and apply some basic security protections, including DHCP snooping and ARP inspection.

The wired-only VLANs in this small campus example are configured for ARP inspection. When a switch does not have an SVI for a VLAN, ARP inspection relies on DHCP snooping to establish IP address to MAC address correlation.

It is important that ARP inspection not be enabled for VLANs used by bridge-mode wireless clients to accommodate client roaming. If ARP inspection is enabled and a wireless client roams to an AP that is not attached to the switch where the initial DHCP request occurred, there is no state correlating the client’s IP and MAC addresses for the ARP inspection process, and the wireless client traffic is dropped.
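
The behavior described above can be reproduced with a small model. This is an added example, not code from the guide or from HPE Aruba Networking: the `AccessSwitch` class, port names, MAC addresses and IP addresses are constructed for illustration, and only the VLAN IDs come from this guide. It shows how the trusted server list and trusted uplink gate DHCP replies, how ARP inspection depends on the local snooping table, and why a roaming wireless client is dropped if ARP inspection is enabled on its VLAN.

```python
from dataclasses import dataclass, field


@dataclass
class AccessSwitch:
    """Simplified model of DHCP snooping and ARP inspection on one access switch."""
    name: str
    trusted_servers: set     # trusted DHCP server list from the snooping profile
    trusted_ports: set       # uplinks with DHCPv4 snooping trust / ARP inspection trust
    snooping_vlans: set      # VLANs with DHCP V4 Snooping checked
    arp_inspect_vlans: set   # VLANs with Enable ARP Inspection checked
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> mac, local to this switch

    def dhcp_reply(self, vlan, in_port, server_ip, client_mac, client_ip):
        """DHCP server reply arriving on in_port. Returns True if delivered."""
        if vlan in self.snooping_vlans:
            if in_port not in self.trusted_ports:
                return False   # server reply from an access port: rogue server
            if server_ip not in self.trusted_servers:
                return False   # server not in the trusted list: no lease
            self.bindings[(vlan, client_ip)] = client_mac
        return True

    def arp(self, vlan, in_port, sender_mac, sender_ip):
        """ARP packet arriving on in_port. Returns True if forwarded."""
        if vlan not in self.arp_inspect_vlans or in_port in self.trusted_ports:
            return True
        # No SVI on the access switch, so the snooping table is the only IP-to-MAC source.
        return self.bindings.get((vlan, sender_ip)) == sender_mac


def build(name, inspect_wlan=False):
    """Access switch using the guide's VLAN IDs; addresses and ports are constructed."""
    return AccessSwitch(
        name=name,
        trusted_servers={"10.0.20.1", "10.0.25.1"},   # sample per-VLAN gateway DHCP IPs
        trusted_ports={"lag256"},
        snooping_vlans={20, 25, 30, 40, 50, 51},
        arp_inspect_vlans={20, 50, 51} | ({25} if inspect_wlan else set()),
    )


def wired_checks():
    """Wired VLAN cases on a single switch; True means delivered or forwarded."""
    sw = build("AC1")
    pc = "aa:aa:aa:00:00:01"
    return {
        "lease_from_trusted_server": sw.dhcp_reply(20, "lag256", "10.0.20.1", pc, "10.0.20.50"),
        "client_arp": sw.arp(20, "1/1/5", pc, "10.0.20.50"),
        "mismatched_arp": sw.arp(20, "1/1/7", "bb:bb:bb:00:00:02", "10.0.20.50"),
        "gateway_arp_on_uplink": sw.arp(20, "lag256", "cc:cc:cc:00:00:03", "10.0.20.1"),
        "reply_on_access_port": sw.dhcp_reply(20, "1/1/9", "10.0.20.1", pc, "10.0.20.51"),
        "unlisted_server": sw.dhcp_reply(30, "lag256", "10.0.30.1", pc, "10.0.30.50"),
    }


def roam(inspect_wlan):
    """Wireless client leases through AC1, then roams to an AP attached to AC2."""
    ac1, ac2 = build("AC1", inspect_wlan), build("AC2", inspect_wlan)
    phone = "dd:dd:dd:00:00:04"
    ac1.dhcp_reply(25, "lag256", "10.0.25.1", phone, "10.0.25.60")
    return ac1.arp(25, "1/1/2", phone, "10.0.25.60"), ac2.arp(25, "1/1/3", phone, "10.0.25.60")


if __name__ == "__main__":
    for check, result in wired_checks().items():
        print(f"{check:28} {'forwarded' if result else 'dropped'}")
    print("roam, ARP inspection on VLAN 25:", roam(True))
    print("roam, guide setting (off):      ", roam(False))
```

The `unlisted_server` case is the failure the DHCP Snooping section warns about: a per-VLAN gateway DHCP address left out of the trusted list means clients on that VLAN never receive a lease.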

Create Wired VLANs

In this small campus example, the VLANs listed in the table below contain only wired traffic.

| VLAN ID | Name | Description |
|---|---|---|
| 20 | EMPLOYEE-WIRED | Employee Wired Data |
| 50 | REJECT-AUTH | Rejected Authentication |
| 51 | CRITICAL-AUTH | Critical Authentication Fallback |

Profile Path: Networks & VLANs > VLAN
Device Functions: Aggregation Switch, Access Switch
Scope: Site : SMALL-CAMPUS-SITE

Configure the following non-default values for each VLAN:

  • VLAN ID: < VLAN ID >
  • Name: < VLAN Name >
  • Description: < VLAN Description >
  • Check DHCP V4 Snooping
  • Check Enable ARP Inspection
  • Check Enable IGMP Snooping

VLAN profile for wired-only network

Create Wireless/Wired VLANs

In this small campus example, the VLANs listed in the table below contain both wired and wireless traffic. Unlike wired-only VLANs, ARP inspection is not enabled on the following VLANs to accommodate wireless client roaming across APs that are attached to different switches.

| VLAN ID | Name | Description |
|---|---|---|
| 25 | EMPLOYEE-WLAN | Employee Wireless Data |
| 30 | IOT | IoT Devices |
| 40 | GUEST | Guest Users |

Profile Path: Networks & VLANs > VLAN
Device Functions: Aggregation Switch, Access Switch
Scope: Site : SMALL-CAMPUS-SITE

Configure the following non-default values:

  • VLAN ID: < VLAN ID >
  • Name: < VLAN Name >
  • Description: < VLAN Description >
  • Check DHCP V4 Snooping
  • Check Enable IGMP Snooping

VLAN profile for networks that contain wireless clients

Create Blackhole VLAN

The blackhole VLAN is configured only on access switches. It is not trunked to the collapsed core, and no network services are provided. This VLAN is used to ensure access is not unintentionally provided to wireless clients when a VLAN is not returned in the AAA process.

Profile Path: Networks & VLANs > VLAN
Device Functions: Access Switch
Scope: Site : SMALL-CAMPUS-SITE

Configure the following non-default values:

  • VLAN ID: 999
  • Name: BLACKHOLE
  • Check DHCP V4 Snooping
  • Check Enable ARP Inspection
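
The VLAN rules stated in this chapter can be checked mechanically against a VLAN plan and a trunk's Allowed VLANs string. This is an added example, not part of the guide or of Central: the `parse_vlan_list` and `audit` functions and the `VLAN_PLAN` dictionary layout are assumptions made for illustration, while the VLAN IDs, names, settings and the `1,20,25,30,40,50-51` list are the values this guide uses on its LAG trunks.

```python
def parse_vlan_list(text):
    """Expand an Allowed VLANs string such as '1,20,25,30,40,50-51' into a set of IDs."""
    vlans = set()
    for part in text.split(","):
        first, _, last = part.strip().partition("-")
        lo = int(first)
        hi = int(last) if last else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def vlan(name, wireless, arp, access_only=False, snooping=True):
    """One VLAN record; the field names are hypothetical, chosen for this example."""
    return {"name": name, "wireless": wireless, "arp": arp,
            "access_only": access_only, "snooping": snooping}


# VLAN plan as stated in this guide. "wireless" marks VLANs that carry bridge-mode
# wireless clients; "access_only" marks VLANs that must not be trunked upstream.
VLAN_PLAN = {
    20: vlan("EMPLOYEE-WIRED", wireless=False, arp=True),
    25: vlan("EMPLOYEE-WLAN", wireless=True, arp=False),
    30: vlan("IOT", wireless=True, arp=False),
    40: vlan("GUEST", wireless=True, arp=False),
    50: vlan("REJECT-AUTH", wireless=False, arp=True),
    51: vlan("CRITICAL-AUTH", wireless=False, arp=True),
    999: vlan("BLACKHOLE", wireless=False, arp=True, access_only=True),
}


def audit(plan, trunk_allowed):
    """Return a list of findings where the plan or trunk deviates from the guide's rules."""
    allowed = parse_vlan_list(trunk_allowed)
    findings = []
    for vid, v in sorted(plan.items()):
        label = f"VLAN {vid} ({v['name']})"
        if not v["snooping"]:
            findings.append(f"{label}: DHCP snooping is not enabled")
        if v["wireless"] and v["arp"]:
            findings.append(f"{label}: ARP inspection will drop roaming wireless clients")
        if not v["wireless"] and not v["arp"]:
            findings.append(f"{label}: wired-only VLAN without ARP inspection")
        if v["access_only"] and vid in allowed:
            findings.append(f"{label}: must not be trunked to the collapsed core")
        if not v["access_only"] and vid not in allowed:
            findings.append(f"{label}: missing from the trunk's allowed list")
    return findings


if __name__ == "__main__":
    for trunk in ("1,20,25,30,40,50-51", "1,20,25,30,40,50,999"):
        print(trunk, "->", audit(VLAN_PLAN, trunk) or "no findings")
```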

Establish Collapsed Core VLAN Overrides

The access layer is responsible for DHCP snooping and ARP inspection enforcement. These features are disabled on the aggregation switch by establishing a device override of inherited values.

Step 1 On the left-hand Configuration menu, click Devices, then enter search criteria to display the desired switch and click the collapsed core switch name.

Device list filtered by search criteria

Step 2 On the list of user VLANs, click on a VLAN.

Collapsed core device VLAN list

Step 3 To create a local device override, click Save as local profile.

Save as local profile checkbox

Step 4 On the Policy section under Switch Parameters, perform the following and click Update.

  • Uncheck DHCPv4 Snooping
  • Uncheck Enable ARP Inspection

VLAN switch policy parameters

Step 5 Repeat steps 2-4 until DHCPv4 snooping and ARP inspection have been removed from all user VLANs.

When complete, there are two visual indicators that a device-level profile override is in place. A partially filled blue circle to the left of a profile indicates an override is applied, and the Assigned Scope for all VLANs with overrides will show Central’s internal device ID for the switch.

VLAN switch policy parameters

Define Base Switch Parameters

The Switch System profile defines basic location and contact information, the 802.1X and MAC authentication servers used for authenticating users and devices, and the loop-protect re-enable timer.

Configure Access Switch System Profile

Profile Path: System > Switch System
Device Functions: Access Switch
Scope: Site : SMALL-CAMPUS-SITE

Configure the following non-default values:

  • Name: < access switch profile name >
  • Location: < location of switch >
  • Contact: < contact information >
  • Timezone: < local timezone of switch >
  • 802.1X Authentication Server Group: < user/device authentication group >
  • MAC Authentication Server Group: < user/device authentication group >
  • Loop Protect Re-Enable Time: 300

Configure Aggregation Switch System Profile

The aggregation switch does not require authentication or loop-protect definitions.

Profile Path: System > Switch System
Device Functions: Aggregation Switch
Scope: Site : SMALL-CAMPUS-SITE

Configure the following non-default values:

  • Name: < access switch profile name >
  • Location: < location of switch >
  • Contact: < contact information >
  • Timezone: < local timezone of switch >
  • Uncheck Enable 802.1X
  • Uncheck Enable MAC Authentication

Configure Switch-Only AAA Options

RADIUS servers and groups were created in the Small Campus Shared Profiles chapter.

Access switches need two additional authentication and authorization options.

  • Dynamic authorization must be enabled at the global level on a switch to support RADIUS change of authorization (CoA)
  • A set of parameters must be defined to dynamically identify access points.

Dynamically identifying access points allows any PoE-capable port to support AP operations without requiring an administrator to pre-configure specific port numbers.

Enable Change of Authorization

RADIUS Change of Authorization (CoA) must be enabled globally on a switch. The Authentication Server Global profile enables CoA. It can be assigned a global scope to enable CoA on all access switches in an organization, or scoped to only those sites that require it.

Profile Path: Security > Authentication Server Global
Device Functions: Access Switch
Scope: Global

Configure the following non-default values:

  • Name: ENABLE-COA
  • Check Enable RadSec
  • Under Dynamic Authorization, check Enable

Authentication Server Global profile

Note: RadSec is not used in this example deployment. Enable RadSec is checked only to expose the CoA Dynamic Authorization checkbox. This requirement will be modified in the near future.

Configure AP Device Identification

A Device Identity profile defines LLDP criteria used to automatically determine when an access point is connected to an access switch port. When an AP is connected, the switch port is auto-configured as an 802.1Q trunk with appropriately tagged VLANs, by associating a role that specifies the port’s expected operational behavior.

The configuration defined in this profile is used by the switch’s AAA process when a port is configured to enable LLDP bypass.

Profile Path: Interfaces > Device Identity
Device Functions: Access Switch
Scope: Global

Configure the following non-default values:

  • Name: ARUBA-AP-ID
  • Description: LLDP criteria to dynamically identify Aruba APs
  • Role: ARUBA-AP

Add the following LLDP Group Identifiers:

  • Action: Match, Identifiers: Vendor OUI, Vendor OUI: 000B86
  • Action: Match, Identifiers: Vendor OUI, Vendor OUI: D8C7C8
  • Action: Match, Identifiers: Vendor OUI, Vendor OUI: 6CF37F
  • Action: Match, Identifiers: Vendor OUI, Vendor OUI: 186472
  • Action: Match, Identifiers: System Description, Vendor OUI: ArubaOS

Authentication Server Global profile

AAA Authentication Profile

The AAA Authentication profile specifies the type of authentication used on access ports. The small campus uses 802.1X authentication for employees and MAC authentication for IoT devices. The profile specifies the server groups to use for authentication, the role applied to hosts when the authentication servers are unavailable, and the role applied to hosts that fail authentication.

LLDP authentication bypass is enabled to automatically configure ports for AP operation when the attached device matches the Device Identity profile configured above.

Profile Path: Security > AAA Authentication
Device Functions: Access Switch
Scope: Site : SMALL-CAMPUS-SITE

Configure the following non-default values:

  • Name: ACCESS-DOT1X-MAC
  • Description: Authentication for colorless access ports
  • Authentication Protocol: 802.1X, then MAC
  • Client Limit: 5
  • 802.1X Authentication Server Group: USER-AUTH-SERVERS
  • MAC Authentication Server Group: USER-AUTH-SERVERS

Under Authentication Parameters:

  • Check Switch Specific Parameters
  • Check Allow LLDP Bypass

Under Authorization Parameters:

  • Check Switch Specific Parameters
  • Select Critical Auth Role: CRITICAL-AUTH
  • Select Reject Auth Role: REJECT-AUTH

Under Accounting:

  • Check Interim RADIUS Accounting
  • Accounting Server Group: USER-AUTH-SERVERS

Under 802.1X Parameters:

  • Check Reauthentication
  • Reauthentication Interval: 14400
  • Check Switch Specific Parameters
  • EAPOL Timeout: 2
  • Maximum EAPOL Requests: 1

Under MAC Parameters:

  • Check Reauthentication
  • Reauthentication Interval: 14400

AAA Authentication Profile for access ports

Aggregation/Core Interface Configuration

Central provides multiple methods for configuring switch ports and LAGs. Three methods of applying LAG configuration to ports are featured in this guide. Manual LAG creation and port profiles are shown for the collapsed core. Interface profiles, the most powerful and scalable method for configuring ports across a large set of switches, are implemented for access switches.

Configure LAGs to WAN Gateways

The order of LAG creation between the collapsed core and WAN gateways will vary based on the capabilities of the WAN gateways. If the WAN gateways do not support an LACP fallback option, the LAGs should be configured on the collapsed core first. In most cases, enabling LACP fallback on the collapsed core will allow uninterrupted connectivity to Central using one LAG member interface operating as a standard port, until the WAN gateway LAG configuration is complete. If the WAN gateways support an LACP fallback option, LAG configuration between the core and WAN gateways is not order dependent.

If connectivity between the aggregation switch and Central is disrupted, the switch will fall back to the previous configuration that permitted access to Central after ten minutes. If the WAN gateways will block communication to Central after defining the LAG on the collapsed core switches (even with LACP fallback), it is best practice to stage the necessary WAN gateway configuration changes. Implementing a tightly coordinated LAG configuration for both the collapsed core and gateways will ensure Central reachability is re-established within the ten minute window.

The following process manually configures LAGs to the WAN gateway in the Switch Interface Configuration profile.

Step 1 On the left-hand Configuration menu, click Devices, then enter search criteria to display the desired switch and click the collapsed core switch name.

Device list filtered by search criteria

Step 2 On the Interfaces card, click Switch Interface Configuration.

Interfaces pane

Step 3 In the upper left search box, enter the uplink port number connected to the first WAN gateway, select both ports, and then click Create LAG.

Search for and select interfaces for LAG

Note: When establishing a LAG across two switches in a VSF stack or an MC-LAG on a VSX pair, it is best practice to use the same port number on both switches to connect to the remote device.

Step 4 On the Create LAG page, configure the following non-default values:

  • LAG ID: 255
  • Location: LAG to WAN GW-1
  • Check LACP Fallback Static
  • VLAN Mode: Trunk
  • Native VLAN: 1
  • Allowed VLANs: 1,20,25,30,40,50-51
  • STP Options: BPDU Filter

Uplink LAG configuration

Note: After this step, implement any necessary WAN gateway configuration changes that are required to quickly restore the collapsed core’s connectivity to Central.

Step 5 Repeat step 4 to create a LAG to the redundant WAN GW on uplink ports 1/1/28 and 2/2/28 with the following non-default values:

  • LAG ID: 256
  • Location: LAG to WAN GW-2
  • Check LACP Fallback Static
  • VLAN Mode: Trunk
  • Native VLAN: 1
  • Allowed VLANs: 1,20,25,30,40,50-51
  • STP Options: BPDU Filter

Configure LAGs to Access Switches

Port profiles are used to assign common settings to a set of switch ports. The following procedure uses a Port Profile to configure LAGs on the aggregation switches that connect to access switches.

Step 1 Create a Port Profile that defines LAG parameters at the Library level of the configuration menu.

Profile Path: Interfaces > Port Profile
Device Functions: Aggregation Switch
Scope: Site : SMALL-CAMPUS-SITE

Configure the following non-default values:

  • Name: AG1-LAG-TO-AC1
  • Description: LAG from AG1 to AC1
  • Device: Switch
  • Check Admin State under the Switch
  • Check Enable LAG
  • LAG ID: 1
  • Check LAG Admin State
  • Check LACP Fallback Static
  • VLAN Mode: Trunk
  • Allowed VLANs: 1,20,25,30,40,50-51
  • Check Root Guard

Port Profile that defines access LAG

Note: A unique port profile must be defined for each access switch stack. The LAG ID will be made an alias in the near future, enabling a single Port Profile to be applied to all access switch LAGs from the aggregation switch.

Enabling LACP fallback enables uninterrupted communication with Central by access switches prior to configuring LAGs on the access switches. The untagged VLAN on the aggregation switch LAG is the same as the default access VLAN on the access switches.

Step 2 Under Devices on the left-hand configuration menu, click SC-AG1.

Config menu with display of last device used

Note: The last device selected for configuration from the Devices menu is displayed as a shortcut. If the aggregation switch is not listed, click Devices and select the aggregation switch from the list.

Step 3 On the Interfaces card, click Switch Interface Configuration.

Interfaces pane

Step 4 Click the checkbox for interfaces 1/1/1 and 2/1/1, then click Apply Port Profile.

Select interfaces to apply Port Profile

Step 5 Select AG1-LAG-TO-AC1 under Port Profile, then click Save.

Apply Port Profile dialogue box

Step 6 Repeat steps 1-5 for each access switch LAG. A unique LAG ID is required in each Port Profile.

The following non-default values are used to configure the LAG to the second access switch stack:

  • Name: AG1-LAG-TO-AC2
  • Description: LAG from AG1 to AC2
  • Device: Switch
  • Check Admin State under the Switch
  • Check Enable LAG
  • LAG ID: 2
  • Check LAG Admin State
  • Check LACP Fallback Static
  • VLAN Mode: Trunk
  • Allowed VLANs: 1,20,25,30,40,50-51
  • Check Root Guard

Access Switch Interface Configuration

HPE Aruba Networking refers to ports that auto-configure to the needs of connected hosts as colorless ports. Access switches use a combination of port profiles and interface profiles to automate port configuration for network users, IoT devices, and WLAN APs. Colorless ports assign VLANs and enforce policy based on the role assigned to the attached device.

In the following procedure, two port profiles are created. One port profile defines the settings for a LAG to provide redundant upstream connectivity toward the aggregation layer. The second port profile defines the settings applied to colorless access ports.

Rather than applying the port profiles directly to ports, the port profiles will be associated with an Interface Profile to accelerate the configuration process. All access switches assigned to an Interface Profile must have the same physical port configuration. By standardizing on switch models and the function of switch port numbers, administrators can use Interface Profiles to configure thousands of switches with a few simple clicks.

The following Port Profile defines the LAG parameters from an access stack to the aggregation switches. The same profile is applied to all access stacks as part of an interface profile. DHCP snooping trust and ARP inspection trust are enabled to allow DHCP and ARP request responses.

  • Profile Path: Interfaces > Port Profile
  • Device Functions: Access Switch
  • Scope: Site : SMALL-CAMPUS-SITE

Configure the following non-default values:

  • Name: AC-LAG-TO-AG
  • Description: Access switch stack LAG to AG1
  • Device: Switch
  • Check Admin State
  • Check Enable LAG
  • LAG ID: 256
  • Check LAG Admin State
  • Check LACP Fallback Static
  • VLAN Mode: Trunk
  • Allowed VLANs: 1,20,25,30,40,50-51
  • Check DHCPv4 Snooping Trust
  • Check ARP Inspection Trust

Port Profile for Access Stack LAG to Aggregation

Colorless Access Port Profile

The colorless port profile references the AAA Authentication profile previously created to enforce 802.1X authentication for network users, MAC authentication for IoT devices, and LLDP-based authentication for WLAN access points.

Both HPE’s proprietary Loop Protection and STP are enabled to prevent network loops. STP control plane protections are also enabled.

Profile Path: Interfaces > Port Profile
Device Functions: Access Switch
Scope: Site : SMALL-CAMPUS-SITE

Configure the following non-default values:

  • Name: SC-ACCESS
  • Description: Standardized access port configuration
  • Device: Switch
  • Check Admin State
  • Access VLAN: 999
  • Check Loop Protection
  • Check Admin Edge
  • Check BPDU Guard
  • Check Root Guard
  • Check TCN Guard
  • Check Enable Port Authentication
  • AAA Profile: ACCESS-DOT1X-MAC

Port Profile for colorless access ports

Interface Profiles

Interface profiles provide flexible assignment of port profiles to sets of switch ports when configuration can be standardized across a subset of switches. When planning your network, standardize on uplink and access ports to allow for faster configuration using interface profiles. Standardization also helps with documentation, troubleshooting, and communicating with technical support.

In this small campus example, access stacks are sets of two CX 6300F switches with 24 access ports. Uplink ports 25 and 26 are dedicated to the VSF stacking function. Both stack members provide uplinks to the aggregation block on port 28.

Two types of interface profiles must be defined: standalone/member and stack.

The standalone/member profile assigns port profiles to switch port ranges. The port profile assignment defines the standardized function for each port number. In this small campus example, there are only two port functions: access port and uplink port. The port profiles for these functions were defined above.

The stack profile assigns standalone/member interface profiles to numerical VSF stack positions. In this example, there are two member switches in each stack, and the same member profile can be applied to both member positions. In larger stacks, some VSF members would be assigned a different interface profile, as no uplink configuration would be required.

Standalone/Member Interface Profile

The standalone/member profile is used to associate port profiles to switch port numbers. This profile can be applied directly to standalone switches and switches in a VSX pair. When switches are members of a VSF stack, standalone/member profiles are assigned to specific stack member positions using a stack interface profile.

For this small campus example, only one standalone/member profile is required. It associates the SC-ACCESS colorless port profile to all access ports (1-24), and the AC-LAG-TO-AG port profile to uplink port 28.

When required, additional standalone/member interface profiles are created to accommodate variations in standardized port configuration. For example, a third member in a stack may not have an uplink to the aggregation switches. An additional standalone/member profile could be created that assigns the SC-ACCESS profile to ports 1-24, but does not make an uplink port profile assignment.

Profile Path: Interfaces > Interface Profile
Device Functions: Access Switch
Scope: Site : SMALL-CAMPUS-SITE

Configure the following non-default values:

  • Name: SC-ACCESS-MEMBER
  • Description: Assign port profiles to ports on switch members of a VSF stack
  • Model: CX 6300F
  • Number of Ports: 24G PoE 4SFP

Under Uplink Port Profile:

  • Ports: 28
  • Assigned Port Profile: AC-LAG-TO-AG

Under Downlink Port Profile:

  • Ports: 1-24
  • Assigned Port Profile: SC-ACCESS

Interface Profile for a switch member of a VSF stack

Note: Click + (plus sign) to the right of the switch port to commit the port profile assignment. After clicking +, a new blank line will appear. Only the assignments listed below the top blank line will be added to the profile.

Stack Interface Profile

The stack interface profile assigns standalone/member Interface Profiles to specific member IDs in the stack. In our example, both members are assigned the same member interface profile.

Profile Path: Interfaces > Interface Profile
Device Functions: Access Switch
Scope: Site : SMALL-CAMPUS-SITE

Configure the following non-default values:

  • Name: SC-ACCESS-STACK
  • Description: Assign member interface profiles to access stack members
  • Type: Stack
  • Switch Series: CX 6300
  • Number of Members: 2

For Member 1:

  • Member: 1
  • Number of Ports: 24G PoE 4SFP
  • Member Interface Profile: SC-ACCESS-MEMBER

For Member 2:

  • Member: 2
  • Number of Ports: 24G PoE 4SFP
  • Member Interface Profile: SC-ACCESS-MEMBER

Interface Profile for a VSF switch stack