Configuring Wired Networks on IAPs

If the wired clients must be supported on the Instant Access Points (IAPs), configure wired port profiles and assign these profiles to the ports of an IAP.

The wired ports of an IAP allow third-party devices such as VoIP Voice over IP. VoIP allows transmission of voice and multimedia content over an IP network. phones or printers (which support only wired port connections) to connect to the wireless network. You can also configure an ACL Access Control List. ACL is a common way of restricting certain types of traffic on a physical port. for additional security on the Ethernet Ethernet is a network protocol for data transmission over LAN. downlink.

To configure wired port profiles on IAP, complete the following steps:

1. In the WebUI, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click Show Advanced.
5. Click the Interfaces tab.

   The Interfaces page is displayed.

6. Click the Wired accordion.
7. To create a new wired port profile, click + Add Port Profile.

   The Create a New Network page is displayed.

Complete the configuration for each of the tabs in the Create a New Network page as described in the below sections:

Configuring General Network Profile Settings

To configure general network profile settings, complete the following steps in the General tab:

1. Under General, enter the following information:
   1. Name—Enter a name.
   2. ports—Select ports form the drop-down list.
2. Under Advanced Settings section, configure the following parameters:
   • Speed/Duplex—Select the appropriate value from the Speed and Duplex drop-down list. Contact your network administrator if you need to assign speed and duplex parameters.
   • Port Bonding—Turn on the Port Bonding toggle switch to enable port bonding.
   • Power over Ethernet—Turn on the Power over Ethernet toggle switch to enable PoE Power over Ethernet. PoE is a technology for wired Ethernet LANs to carry electric power required for the device in the data cables. The IEEE 802.3af PoE standard provides up to 15.4 W of power on each port..
   • Admin Status—The Admin Status indicates if the port is up or down.
   • Content Filtering—Turn on the Content Filtering toggle switch to ensure that all DNS Domain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. requests to non-corporate domains on this wired port network are sent to OpenDNS.
   • Uplink—Turn on the toggle switch to configure uplink on this wired port profile. If the Uplink toggle switch is turned on and this network profile is assigned to a specific port, the port is enabled as an uplink port.
   • Spanning Tree—Turn on the toggle switch to enable STP Spanning Tree Protocol. STP is a network protocol that builds a logical loop-free topology for Ethernet networks. on the wired port profile. STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports, regardless of forwarding mode. STP does not operate on uplink ports and is supported only on IAPs with three or more ports. By default, STP is disabled on wired port profiles.
   • Loop Protection—Turn on the toggle switch to enable loop protection on the ports of an AP. By default, loop protection is disabled.
   • Loop Detection Interval—Provides the time interval in seconds, to send loop detection packets on the ports of an AP. This option appears only when Loop Protection is enabled.

   • Storm Control Broadcast—Turn on the toggle switch to enable this option. If the AP detects a loop on one of its Ethernet port, it shuts down the Ethernet port. This prevents the AP from receiving or sending any frames.

   • Storm Control Threshold—Specifies the broadcast packets per second on each Ethernet port of an AP before the Ethernet port is shutdown.

   • Auto Recovery—Turn on the toggle switch to enable automatic recovery of the port in the AP, which is shutdown because of loop protection. After the automatic recovery, if the loop re-occurs, then the port is shut down again.

   • Auto Recovery Interval—Specifies the broadcast packets per second on each Ethernet port of an AP before the Ethernet port is shutdown.

   • Inactivity Timeout—Enter the time duration after which an inactive user needs to be disabled from the network. The user must undergo the authentication process to re-join the network.
   • 802.3az—Turn on the toggle switch to enable, to support 802.3az Energy Efficient Ethernet (EEE) standard on the device. This option allows the device to consume less power during periods of low data activity. This setting can be enabled for provisioned APs or AP groups through the wired port network. If this feature is enabled for an AP group, APs in the group that do not support 802.3.az ignore this setting. This option is available for IAPs that support a minimum of Aruba Instant 8.4.0.0 firmware version.
   • Deny Intra VLAN Traffic—Turn on the toggle switch to disable intra VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. traffic. It enables the client isolation and disables all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client to gateway traffic from clients to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities.
3. Click Next.

   The VLANs details page is displayed.

Configuring VLAN Network Profile Settings

To configure VLAN settings, complete the following steps in the VLANs tab:

1. Mode—Specify any of the following modes:
   • Access—Select this mode to allow the port to carry a single VLAN specified as the native VLAN. If the Access mode is selected, perform one of the following options:
     • If the Client IP Assignment is set to Instant AP Assigned, proceed to step 6.
     • If the Client IP Assignment is set to External DHCP server assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode.
   • Trunk—Select this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs. If the Trunk mode is selected:
   • Specify the Allowed VLAN, enter a list of comma separated digits or ranges, for example 1, 2, 5, or 1-4, or all. The Allowed VLAN refers to the VLANs carried by the port in Access mode.
2. Client IP Assignment—specify any of the following values:
   • Instant AP Assigned—Select this option to allow the virtual controller to assign IP addresses to the wired clients. When the virtual controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The virtual controller can also assign a guest VLAN to a wired client. In the Client VLAN Assignment section, select Default when the client VLAN must be assigned to the native VLAN on the network. Select Custom to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. Click the Show Named VLANs section to view all the named VLANs mapped to VLAN ID. Click + Add Named VLAN and enter the VLAN Name and VLAN ID that is required to be mapped. Clicking OK populates the named VLAN in the VLAN Name to VLAN ID Mapping table.
   • External DHCP server Assigned—Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.

3. Client VLAN Assignment—select any of the following values:

   • Default—By default, it is selected.

   • Custom—Select this option to customize the VLAN settings. From the Native VLAN drop-down list, select the scope.

4. Click Next.

   The Security details page is displayed.

Configuring Security Settings

To configure security-specific settings, complete the following steps in the Security tab:

1. On the Security pane, select the following security options as per your requirement:
   • 802.1X Authentication—Set the button to enable 802.1X Authentication on the Security Level sliding bar. Configure the basic parameters such as the authentication server, and MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. Authentication. Select any of the following options for authentication server:
     • Cloud Auth—On selecting this option, an external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server must be configured to authenticate the users. For information on configuring an external server, see Configuring External Authentication Servers for IAPs
     • Internal Server—If an internal server is selected, add the clients that are required to authenticate with the internal RADIUS server. Click the Manage Users link to add the users.
   • MAC Authentication—To enable MAC authentication, set the button on the sliding bar. The MAC authentication is disabled by default.
   • Visitors—Set the sliding button to enable visitors security level authentication. For more information on configuring security on visitors level, see Configuring Wired Networks for Guest Users on IAPs.
   • Open—Set the toggle button to enable, to set security for open network.
2. Enable the Port Type Trusted option to connect uplink and downlink to a trusted port only.
3. In the Primary Server field, perform one of the following steps:
   • Internal Server—To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users. To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for IAPs.
   • Cloud Auth—To add another server for authentication, configure another authentication server.
4. MAC Authentication—Set the toggle button to enable, to attempt 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication is attempted when the MAC authentication fails.
5. Under the Advance Settings section, configure the following options:
   • Use IP for Calling Station ID—Set the toggle button to enable, to configure client IP address as calling station ID.
   • Called Station ID Type—Select one of the following options:
     • Access Point Group—Uses the VC ID as the called station ID.
     • Access Point Name—Uses the host name of the IAP as the called station ID.
     • VLAN ID—Uses the VLAN ID of as the called station ID.
     • IP Address—Uses the IP address of the IAP as the called station ID.
     • MAC address—Uses the MAC address of the IAP as the called station ID.

       The Called Station ID Type detail can be configured even if the Use IP for Calling Station ID is set to disabled.

   • Reauth Interval—Specify the interval at which all associated and authenticated clients must be re-authenticated.
6. Click Next.

   The Access pane is displayed.

Configuring Access Settings

To configure access-specific settings, complete the following steps:

1. In the Access tab, enable the Downloadable Role toggle switch to allow downloading of pre-existing user roles. For more information, see Configuring Downloadable Roles.
   • The Downloadable Role feature is optional. The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass ClearPass is an access management system for creating and enforcing policies across a network to all devices and applications. The ClearPass integrated platform includes applications such as Policy Manager, Guest, Onboard, OnGuard, Insight, Profile, QuickConnect, and so on. server version 6.7.8.
   • At least one radius server must be configured to apply the Downloadable Role feature. For more information on configuring radius server, see Authentication Servers for IAPs.
2. Click the action corresponding to the server.

   The Edit Server page is displayed.

   The Edit Server page displays the radius server name. The Name field is non-editable.

3. Enter the CPPM username along with the CPPM authentication credentials for the radius server.
4. Click Ok.
5. Under Access Rules, configure the following access rule parameters:
   1. Select any of the following types of access control:
      • Role-based—Allows the users to obtain access based on the roles assigned to them.
      • Unrestricted—Allows the users to obtain unrestricted access on the port.
      • Network-based—Allows the users to be authenticated based on access rules specified for a network.
   2. If the Role-based access control is selected:
      • Under Role, select an existing role for which you want to apply the access rules, or click Add Role and add the required role. To add a new access rule, click Add Rule under Access Rules For Selected Roles.

        The default role with the same name as the network is automatically defined for each network. The default roles cannot be modified or deleted.

      • Configure role assignment rules. To add a new role assignment rule, click Add Role Assignment under Role Assignment Rules. Under New Role Assignment Rule:
   3. Select an attribute.
   4. Specify an operator condition.
   5. Enter the string.
   6. Select a role.
   7. Click Save.
6. Click Finish to create the wired port profile successfully.

Configuring Network Port Profile Assignment

To map the wired port profile to Ethernet ports, complete the following steps:

1. In the WebUI, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click Show Advanced.
5. Click the Interfaces tab.

   The Interfaces page is displayed.

6. Click the Wired accordion.

   The Wired Port Profiles table is displayed.

7. Select a port profile in the Wired Port Profiles table , click the edit icon.

   The Networks page is displayed.

8. In the General section, assign the wired port profiles to Ethernet ports or USB Universal Serial Bus. USB is a connection standard that offers a common interface for communication between the external devices and a computer. USB is the most common port used in the client devices. port form the Ports drop-down list.
9. Click Save Settings.

Viewing Wired Port Profile Summary

In the Summary tab, the Network Summary page displays all the settings configured in the General, VLANs, Security, and Access tabs. Click Save Settings to complete the network profile creation and save the settings.