ap wired-ap-profile

ap wired-ap-profile {default | <profile-name>}

broadcast

clone {default | <source> }

forward-mode {bridge|split-tunnel|tunnel}

no

switchport {access vlan <vlan> | mode {access|trunk} | trunk {allowed vlan <vlan-list>| add <vlan-list> | except <vlan-list> | remove <vlan-list>}} | {native vlan <vlan>}

trusted

wired-ap-enable

wired-ap-mode {normal|daisy-chain}

Description

This command configures a wired AP profile. This command is only applicable to Aruba APs that support a second Ethernet port. The wired AP profile configures the second Ethernet port (enet1) on the AP.

For mesh deployments, this command is applicable to all Aruba APs configured as mesh nodes. If you are using mesh to join multiple Ethernet LANs, configure and enable bridging on the mesh point Ethernet port.

Mesh nodes only support bridge mode and tunnel mode on their wired ports (enet0 or enet1). Split tunnel mode is not supported.

Use the bridge mode to configure bridging on the mesh point Ethernet port. Use tunnel mode to configure secure jack operation on the mesh node Ethernet port.

When configuring the Ethernet ports on APs with multiple Ethernet ports, note the following requirements:

If configured as a mesh portal, connect enet0 to the managed device to obtain an IP address. The wired AP profile controls enet1. Only enet1 supports secure jack operation.

If configured as a mesh point, the same wired AP profile will control both enet0 and enet1.

Parameter

Description

ap wired-ap-profile

<profile-name>

Name of this instance of the profile. The name must be 1–63 characters.

broadcast

Forward broadcast traffic to this tunnel.

clone <source>

Name of an existing wired AP profile from which parameter values are copied.

forward-mode

This parameter controls whether data is tunneled to the managed device using generic routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or a combination thereof depending on the destination (corporate traffic goes to the managed device, and Internet access remains local). All forwarding modes support band steering, TSPEC or TCLAS enforcement, 802.11k and station blacklisting/denylisting.

bridge

802.11 frames are bridged into the local Ethernet LAN. When a remote AP or campus AP is in bridge mode, the AP handles all 802.11 association requests and responses, encryption or decryption processes, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.

An AP in bridge mode supports 802.1X and MAC authentication types.

Virtual APs in bridge mode using static WEP should use key slots 2–4 on the managed device. Key slot 1 should only be used with Virtual APs in tunnel mode.

split-tunnel

802.11 frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the managed device, and Internet access remains local). An AP in split-tunnel mode supports only the 802.1X authentication type.

An AP in split-tunnel forwarding mode handles all 802.11 association requests and responses, encryption or decryption, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.

Virtual APs in split-tunnel mode using static WEP should use key slots 2–4 on the managed device. Key slot 1 should only be used with Virtual APs in tunnel mode.

tunnel

In this default forwarding mode, the AP handles all 802.11 association requests and responses, but sends all 802.11 data packets, action frames, and EAPOL frames over a GRE tunnel to the managed device for processing. The managed device removes or adds the GRE headers, decrypts or encrypts 802.11 frames and applies firewall rules to the user traffic as usual.

no

Negates any configured parameter.

switchport

Configures the switching mode characteristics for the port.

access vlan <vlan>

The VLAN to which the port belongs. The default is VLAN 1.

mode {access|trunk}

The mode for the port, either access or trunk mode. The default is access mode.

trunk allowed vlan {add <vlan-list> | except <vlan-list> | remove <vlan-list> | <vlan-list>}

Allows multiple VLANs on the port interface.

You must define this parameter using VLAN IDs or VLAN names.

VLAN IDs and VLAN names cannot be listed together.

trunk native vlan <vlan>

The native VLAN for the port (frames on the native VLAN are not tagged with 802.1q tags).

trusted

Sets port as either trusted or untrusted. The default setting is untrusted.

wired-ap-enable

Enables the wired AP. The wired AP is disabled by default.

wired-ap-mode

Enables the wired AP mode. The wired AP mode can be set to daisy-chain or normal modes.

daisy-chain

Enables daisy-chain mode. In this mode, the port works in trusted bridge mode and retains the previous wired port configuration even when the Controller is disconnected.

normal

Enables the wired AP in normal mode.

Example

The following command configures the enet1 port on a multi-port AP as a trunk port:

(host) [mynode] (config) #ap wired-ap-profile wiredap1

(host) [mynode] (Wired AP profile "wiredap1") #switchport mode trunk

(host) [mynode] (Wired AP profile "wiredap1") #switchport trunk allowed vlan 4,5
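To review wired port profiles against the defaults documented in the parameter table (untrusted, tunnel forwarding, access mode, normal wired AP mode), the following added example parses profile blocks and lists every non-default setting on enabled ports. It is not part of the ArubaOS documentation; the sample configuration is constructed, and its block layout (quoted profile name, indented parameters, "!" terminator) is an assumption.

```python
import re
# Defaults as stated in the parameter table above.
DEFAULTS = {"wired-ap-enable": False, "trusted": False, "forward-mode": "tunnel",
            "wired-ap-mode": "normal", "switchport mode": "access"}

# Constructed sample; the block layout (quoted name, "!" terminator) is assumed.
SAMPLE = '''
ap wired-ap-profile "lobby-jack"
    wired-ap-enable
    switchport access vlan 20
!
ap wired-ap-profile "wiredap1"
    wired-ap-enable
    forward-mode bridge
    switchport mode trunk
    switchport trunk allowed vlan 4,5
    trusted
!
ap wired-ap-profile "chain"
    wired-ap-enable
    wired-ap-mode daisy-chain
    no trusted
!
'''

def parse_profiles(text):
    """Return {profile name: effective settings}, starting from the defaults."""
    profiles, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        head = re.fullmatch(r'ap wired-ap-profile "?([^"]+)"?', line)
        if head:
            cur = profiles.setdefault(head.group(1), dict(DEFAULTS))
        elif line in ("", "!"):
            cur = None
        elif cur is not None:
            negated = line.startswith("no ")
            words = line.split()[1:] if negated else line.split()
            if words[0] in ("trusted", "wired-ap-enable", "broadcast"):
                cur[words[0]] = not negated      # flag-style parameters
            elif not negated:
                cur[" ".join(words[:-1])] = words[-1]
    return profiles

def audit(profiles):
    """List, per enabled profile, the settings that differ from the defaults."""
    keys = [k for k in DEFAULTS if k != "wired-ap-enable"]
    return {name: [f"{k} {cfg[k]}" for k in keys if cfg[k] != DEFAULTS[k]]
            for name, cfg in profiles.items() if cfg["wired-ap-enable"]}
```

Calling `audit(parse_profiles(SAMPLE))` returns an empty list for "lobby-jack" and the non-default settings for the other two profiles. The daisy-chain entry warrants review even without an explicit `trusted` line, because that mode operates the port in trusted bridge mode as described above.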

Command History

Release: ArubaOS 8.4.0.0

Modification: The wired-ap-mode parameter was introduced.

Release: ArubaOS 8.0.0.0

Modification: Command introduced.

Command Information

Platforms: All platforms

License: Base operating system, except for noted parameters.

Command Mode: Config mode Mobility Conductor.