
wired-port-profile

wired-port-profile <port>

access-rule-name <name>

allowed-vlan <vlan>

auth-server <name>

captive-portal {<type>[exclude-uplink <types>]|external[exclude-uplink <types>| profile <name>[exclude-uplink <types>]]}

content-filtering

dot1x

duplex <duplex>

l2-auth-failthrough

mac-authentication

native-vlan <vlan>

poe

radius-reauth-interval <minutes>

server-load-balancing

set-role <attribute>{{equals|not-equal|starts-with|ends-with|contains} <operator> <role>|value-of}

set-role-mac-auth <MAC-authentication>

set-role-machine-auth <machine-only> <user-only>

set-role-pre-auth <role>

set-role-unrestricted

set-vlan <attribute>{{equals|not-equals|starts-with|ends-with|contains} <operator> <VLAN-ID>|value-of}

shutdown

spanning-tree

speed <speed>

switchport-mode <mode>

type <type>

uplink-enable

no…

Description

This command configures a wired port profile for wired IAP clients.

Syntax

Command/Parameter

Description

Range

Default

wired-port-profile <port>

Creates a wired profile.

access-rule-name <name>

Maps the already configured access rules with the wired profile.

allowed-vlan <vlan>

Configures a list of allowed VLANs. The Allowed VLAN refers to the VLANs carried by the port in Access mode.

You can specify a comma-separated list of VLAN IDs or ranges, such as 1,2,5 or 1-4, or all.

auth-server <name>

Configures the authentication server for the wired profile.

 

captive-portal {<type>[exclude-uplink <types>]|external[exclude-uplink <types>| profile <name>[exclude-uplink <types>]]}

Enables internal or external captive portal authentication for the wired profile users.

You can also disable redirection to the captive portal based on the type of current uplink.

If the external captive profiles are created, you can specify the profile name by using the external and profile keywords and associated parameters.

content-filtering

Enables content filtering.

dot1x

Enables 802.1X authentication for the wired profile users.

Default: Disabled

duplex <duplex>

Assigns a value for duplexing client traffic based on the capabilities of the client, the AP, and the cable. You can specify full, half, or auto.

Range: full, half, auto. Default: auto

l2-auth-failthrough

Allows the clients to use 802.1X authentication when MAC authentication fails.

Default: Disabled

mac-authentication

Enables MAC authentication.

Default: Disabled

native-vlan <vlan>

Configures a value for Native VLAN. A VLAN that does not have a VLAN ID tag in the frames is referred to as Native VLAN.

Range: 1-4093

poe

Enables Power over Ethernet.

Default: Enabled

radius-reauth-interval <minutes>

Configures a reauthentication interval at which all associated and authenticated clients must be reauthenticated.

server-load-balancing

Enables load balancing across two RADIUS servers if two authentication servers are configured for the SSID.

Default: Enabled

set-role <attribute>{{equals|not-equal|starts-with|ends-with|contains} <operator> <role>|value-of}

Assigns a user role to the clients. The first rule that matches the configured condition is applied.

You can specify any of the following conditions:

• contains — The rule is applied only if the attribute value contains the specified string.
• ends-with — The rule is applied only if the attribute value ends with the specified string.
• equals — The rule is applied only if the attribute value is equal to the specified string.
• not-equals — The rule is applied only if the attribute value is not equal to the specified string.
• starts-with — The rule is applied only if the attribute value begins with the specified string.
• value-of - This rule sets the user role to the value of the attribute returned. To set a user role, the value of the attribute must already be configured on the IAP.

set-role-machine-auth <machine-only> <user-only>

Configures a machine authentication rule.

You can assign different rights to clients based on whether their hardware device supports machine authentication.

Machine authentication is only supported on Windows devices, so this can be used to distinguish between Windows devices and other devices such as iPads.

set-role-mac-auth <mac-only>

Configures a MAC authentication based user role.

set-role-pre-auth <role>

Configures a pre-authentication role to allow some access to the guest users before the client authentication.

set-role-unrestricted

Configures unrestricted access control.

set-vlan <attribute>{{equals|not-equals|starts-with|ends-with|contains} <operator> <VLAN-ID>|value-of}

Assigns a VLAN to the clients. The first rule that matches the configured condition is applied.

You can specify any of the following conditions:

• contains — The rule is applied only if the attribute value contains the specified string.
• ends-with — The rule is applied only if the attribute value ends with the specified string.
• equals — The rule is applied only if the attribute value is equal to the specified string.
• not-equals — The rule is applied only if the attribute value is not equal to the specified string.
• starts-with — The rule is applied only if the attribute value begins with the specified string.
• value-of - This rule sets the VLAN to the value of the attribute returned. To set a user role, the value of the attribute must already be configured on the IAP.

shutdown

Shuts down the admin status of the port.

Range: up, down. Default: up

spanning-tree

Enables Spanning Tree Protocol on the wired profile.

STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports, regardless of forwarding mode. STP will not operate on the uplink port and is supported only on IAPs with three or more ports. By default Spanning Tree is disabled on wired profiles.

speed <speed>

Assigns a value for the speed of client traffic based on the capabilities of the client, the AP, and the cable.

Range: 10, 100, 200, auto. Default: auto

switchport-mode <mode>

Defines the switchport mode for the wired profile.

You can specify any of the following modes:

• Access — Use this mode to allow the port to carry a single VLAN specified as the native VLAN.
• Trunk — Use this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs.

Range: access, trunk. Default: trunk

type <type>

Defines the primary usage of the wired profile.

Range: employee, guest. Default: employee

uplink-enable

Enables uplink for the wired profile.

no…

Removes any existing configuration.
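
Because the first matching set-role or set-vlan rule is applied, a broad contains rule placed early can hide a narrower rule below it. The following Python is an added example, not Aruba code; it assumes case-sensitive matching and that a rule is skipped when its attribute is absent from the server reply, and the wired-contractors group and contractor role are hypothetical.

```python
# Added example. Assumptions (not from the page): matching is case-sensitive;
# a rule whose attribute is missing from the server reply is skipped.
CONDITIONS = {
    "equals": lambda v, s: v == s,
    "not-equals": lambda v, s: v != s,
    "starts-with": lambda v, s: v.startswith(s),
    "ends-with": lambda v, s: v.endswith(s),
    "contains": lambda v, s: s in v,
}

def parse_rule(line):
    """'set-role <attr> <cond> <string> <result>' or 'set-role <attr> value-of'."""
    _cmd, attr, *rest = line.split()
    if rest == ["value-of"]:
        return attr, "value-of", None, None
    cond, operand, result = rest
    if cond not in CONDITIONS:
        raise ValueError(f"unknown condition: {cond!r}")
    return attr, cond, operand, result

def derive(rules, attrs, default=None):
    """Return the role/VLAN from the first rule that matches, else default."""
    for attr, cond, operand, result in map(parse_rule, rules):
        value = attrs.get(attr)
        if value is not None and cond == "value-of":
            return value
        if value is not None and CONDITIONS[cond](value, operand):
            return result
    return default

def shadows(earlier, later):
    """True if every value matching `later` already matches `earlier`."""
    (a1, c1, x, _), (a2, c2, y, _) = earlier, later
    if a1 != a2:
        return False
    if c1 == "value-of":
        return True   # fires whenever the attribute is present
    if c1 == "not-equals" or c2 in ("value-of", "not-equals"):
        return False  # pairs this example does not analyse
    return CONDITIONS[c1](y, x) and (c1 == "contains" or c2 in ("equals", c1))

def unreachable(rules):
    """Rules that can never fire because an earlier rule always wins."""
    p = [parse_rule(r) for r in rules]
    return [rules[j] for j in range(len(p)) if any(shadows(p[i], p[j]) for i in range(j))]

# Constructed sample: the page's set-role rule ahead of a narrower, hypothetical one.
RULES = ["set-role Group-Name contains wired wired-instant",
         "set-role Group-Name equals wired-contractors contractor"]
```

Running unreachable() over a profile's rules before commit apply lists the rules that need to move above the broader one.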

Usage Guidelines

Use this command to create a wired profile for employee and guest users. The Ethernet ports allow third-party devices such as VoIP phones or printers (which support only wired connections) to connect to the wireless network. You can also configure an Access Control List (ACL) for additional security on the Ethernet downlink.

Example

The following example configures a wired profile for an employee network:

(Instant AP)(config)# wired-port-profile employeeWired1

(Instant AP)(wired ap profile"employeeWired1")# type employee

(Instant AP)(wired ap profile"employeeWired1")# speed auto

(Instant AP)(wired ap profile"employeeWired1")# duplex auto

(Instant AP)(wired ap profile"employeeWired1")# no shutdown

(Instant AP)(wired ap profile"employeeWired1")# poe

(Instant AP)(wired ap profile"employeeWired1")# uplink-enable

(Instant AP)(wired ap profile"employeeWired1")# content-filtering

(Instant AP)(wired ap profile"employeeWired1")# switchport-mode trunk

(Instant AP)(wired ap profile"employeeWired1")# allowed-vlan 2,3,5

(Instant AP)(wired ap profile"employeeWired1")# native-vlan 1

(Instant AP)(wired ap profile"employeeWired1")# mac-authentication

(Instant AP)(wired ap profile"employeeWired1")# dot1x

(Instant AP)(wired ap profile"employeeWired1")# l2-auth-failthrough

(Instant AP)(wired ap profile"employeeWired1")# auth-server server1

(Instant AP)(wired ap profile"employeeWired1")# server-load-balancing

(Instant AP)(wired ap profile"employeeWired1")# radius-reauth-interval 20

(Instant AP)(wired ap profile"employeeWired1")# access-rule-name wiredACL

(Instant AP)(wired ap profile"employeeWired1")# set-role Group-Name contains wired wired-instant

(Instant AP)(wired ap profile"employeeWired1")# set-vlan ap-name equals test 400

(Instant AP)(wired ap profile"employeeWired1")# end

(Instant AP)# commit apply

The following example configures a guest wired profile:

(Instant AP)(config)# wired-port-profile guestWired1

(Instant AP)(wired ap profile"guestWired1")# type guest

(Instant AP)(wired ap profile"guestWired1")# speed auto

(Instant AP)(wired ap profile"guestWired1")# duplex auto

(Instant AP)(wired ap profile"guestWired1")# no shutdown

(Instant AP)(wired ap profile"guestWired1")# poe

(Instant AP)(wired ap profile"guestWired1")# uplink-enable

(Instant AP)(wired ap profile"guestWired1")# content-filtering

(Instant AP)(wired ap profile"guestWired1")# switchport-mode trunk

(Instant AP)(wired ap profile"guestWired1")# allowed-vlan 200,201,400

(Instant AP)(wired ap profile"guestWired1")# native-vlan 1

(Instant AP)(wired ap profile"guestWired1")# captive-portal external exclude-uplink Ethernet

(Instant AP)(wired ap profile"guestWired1")# mac-authentication

(Instant AP)(wired ap profile"guestWired1")# auth-server server1

(Instant AP)(wired ap profile"guestWired1")# server-load-balancing

(Instant AP)(wired ap profile"guestWired1")# access-rule-name wiredACL

(Instant AP)(wired ap profile"guestWired1")# set-role Group-Name contains wired wired-instant

(Instant AP)(wired ap profile"guestWired1")# set-vlan ap-name equals test 200

(Instant AP)(wired ap profile"guestWired1")# end

(Instant AP)# commit apply
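
Profiles such as the two above can be reviewed mechanically before commit apply. This added Python example (not part of the Aruba documentation) parses a CLI transcript and reports settings worth a second look; the findings are the example's own policy assumptions, and the sample transcript is abridged from the guest profile.

```python
import re

# Added example: audit wired-port-profile commands from a CLI transcript.
# The findings encode this example's own policy assumptions, not vendor rules.
PROMPT = re.compile(r'\(wired ap profile\s*"([^"]+)"\)#\s*(\S.*)$')

def parse_profiles(transcript):
    """Return {profile: {command: arguments}}; 'no <command>' clears a setting."""
    profiles = {}
    for line in transcript.splitlines():
        m = PROMPT.search(line)
        if not m:
            continue
        words = m.group(2).split()
        settings = profiles.setdefault(m.group(1), {})
        if words[0] == "no":
            settings.pop(words[1] if len(words) > 1 else "", None)
        else:
            settings[words[0]] = " ".join(words[1:])
    return profiles

def audit(settings):
    """Return a list of findings for one profile's settings."""
    findings = []
    auth = settings.keys() & {"dot1x", "mac-authentication", "captive-portal"}
    if not auth:
        findings.append("no authentication method on the port")
    if auth == {"mac-authentication"}:
        findings.append("MAC authentication is the only method; a MAC address is set by the client")
    portal = settings.get("captive-portal", "")
    if "exclude-uplink" in portal:
        uplinks = portal.split("exclude-uplink", 1)[1].strip()
        findings.append(f"captive portal redirection disabled on uplink: {uplinks}")
    if "set-role-unrestricted" in settings:
        findings.append("unrestricted access control configured")
    if "access-rule-name" not in settings:
        findings.append("no access rule mapped to the profile")
    if settings.get("allowed-vlan") == "all":
        findings.append("port carries every VLAN")
    return findings

# Constructed transcript, abridged from the guest profile on this page.
SAMPLE = '''\
(Instant AP)(wired ap profile"guestWired1")# type guest
(Instant AP)(wired ap profile"guestWired1")# no shutdown
(Instant AP)(wired ap profile"guestWired1")# allowed-vlan 200,201,400
(Instant AP)(wired ap profile"guestWired1")# captive-portal external exclude-uplink Ethernet
(Instant AP)(wired ap profile"guestWired1")# mac-authentication
(Instant AP)(wired ap profile"guestWired1")# access-rule-name wiredACL
'''
```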

Command History

Version

Description

Aruba Instant 6.3.1.1-4.0

This command is modified.

Aruba Instant 6.2.1.0-3.4

This command is modified.

Aruba Instant 6.2.1.0-3.3

This command is introduced.

Command Information

IAP Platform: All platforms

Command Mode: Configuration mode and Wired port profile configuration sub-mode.