Access Point Port Usage

AP Ports and how to configure them.

AP ports can be used in different ways depending on the AP model and deployment type. Using wired port profiles, AP ports can be configured with an uplink or downlink persona. The persona of an AP’s Ethernet port determines how the port is used, where the port connects, and what type of traffic is carried.

  • Uplink Ports – Are used to connect APs to the access switching layer. Uplink ports support the AP’s management VLAN, carry AP management traffic, establish tunnels to Gateways and forward bridged client traffic.

  • Downlink Ports – Are used to connect wired client devices to the APs or APs operating as Mesh Points to downstream switches. Similar to WLAN profiles, downlink ports can bridge or tunnel client traffic, support authentication and apply policies via user roles.

HPE Aruba Networking Central and the default configuration of the APs include default profiles that configure specific ports as uplinks or downlinks depending on the number of physical Ethernet ports that are installed on the AP and the intended use of the AP. With a few exceptions, uplink ports are used to connect APs to an access switching layer and by default, all models of HPE Aruba Networking APs will implement Ethernet 0/0 as an uplink port.

AP models equipped with dual Ethernet ports may implement both Ethernet 0/0 and Ethernet 0/1 as uplink ports, permitting both ports to be connected to the access switching layer in an active / active or active / standby configuration. Hospitality and remote APs, and APs that can provide Power over Ethernet (PoE) (H, R, or P variants), implement Ethernet 0/0 as an uplink port with all other ports configured as downlink ports.

An example of uplink and downlink port usage for various AP types is depicted below. In this example all APs connect to the access switching layer using their Ethernet 0/0 ports which have a default or user defined uplink wired port profile assigned. All APs will obtain a management IP address on their configured management VLAN, communicate with Central and forward client traffic using their uplink port.

Wired client devices connect to downlink ports, which vary by platform. Each wired client’s traffic is either locally bridged or tunneled by the AP depending on the traffic forwarding configuration within the assigned downlink wired port profile. Wired client devices can optionally be MAC or 802.1X authenticated by a RADIUS server or Cloud Auth service.

Uplink and Downlink Ports

Uplink ports are used to connect APs to the access switching layer. Depending on the AP model, an AP can be connected using a single uplink port or dual uplink ports operating in an active / active or active / standby configuration. Both APs and Central include a default uplink wired port profile named default_wired_port_profile that is assigned to AP uplink ports by default. The default port assignment will vary based on AP series and model.

AP Family    AP Model                                                Default Assignment
---------    --------                                                ------------------
300 Series   AP-303, AP-303H, AP-303P, AP-304, AP-305                Ethernet 0/0
310 Series   AP-314, AP-315, AP-318                                  Ethernet 0/0
320 Series   AP-324, AP-325                                          Ethernet 0/0 & Ethernet 0/1
330 Series   AP-334, AP-335                                          Ethernet 0/0 & Ethernet 0/1
340 Series   AP-344, AP-345                                          Ethernet 0/0 & Ethernet 0/1
360 Series   AP-365, AP-367                                          Ethernet 0/0
370 Series   AP-374, AP-375, AP-375EX, AP-375ATEX, AP-377, AP-377EX  Ethernet 0/0 & Ethernet 0/1
380 Series   AP-387                                                  Ethernet 0/0
500 Series   AP-503H, AP-504, AP-505, AP-505H                        Ethernet 0/0
503 Series   AP-503, AP-503R                                         Ethernet 0/0
510 Series   AP-514, AP-515, AP-518                                  Ethernet 0/0 & Ethernet 0/1
530 Series   AP-534, AP-535                                          Ethernet 0/0 & Ethernet 0/1
550 Series   AP-555                                                  Ethernet 0/0 & Ethernet 0/1
560 Series   AP-565, AP-565EX, AP-567, AP-567EX                      Ethernet 0/0
570 Series   AP-574, AP-575, AP-575EX, AP-577, AP-577EX              Ethernet 0/0 & Ethernet 0/1
580 Series   AP-584, AP-585, AP-585EX, AP-587, AP-587EX              Ethernet 0/0 & Ethernet 0/1
605R Series  AP-605R                                                 Ethernet 0/0
610 Series   AP-615                                                  Ethernet 0/0
630 Series   AP-634, AP-635                                          Ethernet 0/0 & Ethernet 0/1
650 Series   AP-654, AP-655                                          Ethernet 0/0 & Ethernet 0/1

The default uplink wired port profile default_wired_port_profile is present on all HPE Aruba Networking APs in a factory defaulted state as well as in each configuration group in Central. This default assignment permits both un-provisioned and provisioned APs to be connected to the access switching layer using a single uplink or dual uplinks without any additional configuration being required. When connected using dual uplink ports, the APs automatically create a high-availability bonded link that operates in an active / active configuration if LACP is detected or active / standby if LACP is absent.

APs using the default uplink wired port profile implement untagged VLAN 1 for management by default and require a dynamic host configuration protocol (DHCP) server to service the VLAN for host addressing. To successfully discover and communicate with Central, the DHCP server must provide a valid IPv4 address, subnet mask, default gateway and one or more domain name servers. Internally, a switched virtual IP interface (SVI) with a DHCP client is bound to VLAN 1.

The default configuration of the uplink wired port profile will:

  • Configure the port as a trunk

  • Configure VLAN 1 as the native VLAN

  • Permit all VLANs (1-4094)

  • Enable port-bonding

With the default uplink wired port profile, APs can support both bridged and/or tunneled clients with no modification being required. The AP’s native VLAN is set to 1 and all other VLANs are permitted on the uplink ports. All AP management traffic will be forwarded on VLAN 1 untagged while bridged client traffic will be forwarded out the assigned VLAN with a corresponding VLAN tag.

The default wired port profile:

wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
 port-bonding
 no shutdown
 access-rule-name default_wired_port_profile
 speed auto
 duplex full
 no poe
 type employee
 captive-portal disable
 no dot1x

Default wired port profile assignments:

Port Profile Assignments
------------------------
Port  Profile Name
----  ------------
0     default_wired_port_profile
1     default_wired_port_profile
2     wired-SetMeUp
3     wired-SetMeUp
4     wired-SetMeUp
USB   wired-SetMeUp

AP deployments exclusively using tunnel forwarding only require an untagged management VLAN to be configured on the access switching layer for operation. The switchports that each AP connects to will be configured for access mode with the desired AP management VLAN ID assigned. Both the AP and the access layer switches will forward all Ethernet frames untagged. The AP will implement VLAN 1 while the peer access layer switch will implement the configured access VLAN. This is identical to how Campus APs operated in AOS 6 and AOS 8.

An example of an AP implementing the default uplink wired port profile connected to an access switchport is depicted below. In this example the AP is connected to port 1/1/1 on an access layer switch that is configured with the access VLAN 70. The AP in this example implements VLAN 1 for management which indirectly maps to VLAN 70 on the access layer switch.

AP Connected to an Access Switchport

When WLAN and/or wired port profiles are configured with bridged or mixed forwarding, the AP management and one or more dedicated bridged user VLANs will be extended from the access switching layer to the APs. The switchports that each AP connects to will be configured for trunk mode with a native VLAN and 802.1Q tagged bridged VLANs assigned. As a recommended best practice, only the untagged management VLAN and the 802.1Q tagged bridged user VLANs should be extended to the APs. AP management traffic is forwarded untagged while bridged user traffic is forwarded 802.1Q tagged.

An example of an AP implementing the default uplink wired port profile connected to a trunk switchport is depicted below. In this example the AP is connected to port 1/1/1 on an access layer switch that is configured with the native VLAN 70 and allowed VLANs 70,76-79. The AP in this example implements VLAN 1 for management which indirectly maps to native VLAN 70 on the access layer switch. All bridged clients are assigned to VLAN IDs 76–79 which are 802.1Q tagged between the AP and the peer access layer switch.

AP Connected to a Trunk Switchport

Management VLAN

By default, access points implement native VLAN 1 for management which is untagged out the AP’s uplink ports. APs will utilize untagged VLAN 1 for IP addressing and communication with Central without any further configuration being required in Central. APs require a DHCP server to provide an IP address, default gateway and one or more name server IP addresses and Internet access to be able to communicate with Central.

The default management VLAN for an AP can be seen by issuing the show ip interface brief command in the console. The br0 label indicates that the default VLAN 1 is being used by the AP for management. When a different VLAN is assigned as the management VLAN, the VID is appended to the br0 interface.

AP Default Management VLAN

AOS 10.5 introduces the option to change the management VLAN ID configuration of APs to a new value for deployments that require such a configuration. APs can be easily re-configured to use a new untagged VLAN for management that matches the management VLAN ID configured in the access switching layer or may implement an 802.1Q tagged management VLAN if required.

Changing the AP’s management VLAN to a different value requires a new uplink wired port profile to be configured and assigned to the AP’s Ethernet 0/0 and optionally Ethernet 0/1 uplink ports. A new uplink wired port profile is recommended to preserve the configuration in the default uplink port profile. This permits the default profile to be reassigned to the AP’s uplink ports in the event of a misconfiguration.

The new uplink wired port profile includes the Use AP Management VLAN as Native VLAN option that must be enabled for the management VLAN to be modified. The new profile can be configured for access or trunk depending on if bridged user VLANs are required. When trunk mode is configured, the Native VLAN and Allowed VLANs must be configured and the AP’s management VLAN must be included in the Allowed VLAN list. The configuration is similar to how a trunk port is configured on a typical Ethernet switch.

The topic Configuring Wired Port Profiles on APs covers the configuration of wired port profiles for access points running AOS 10.

Example configuration of an access wired port profile applied to an AP’s configuration:

wired-port-profile uplink_profile_access
 switchport-mode access
 allowed-vlan all
 native-vlan ap-ip-vlan
 port-bonding
 no shutdown
 access-rule-name uplink_profile_access
 speed auto
 duplex auto
 no poe
 type employee
 captive-portal disable
 no dot1x
!
enet0-port-profile uplink_profile_access
enet1-port-profile uplink_profile_access

Example configuration of a trunk wired port profile applied to an AP’s configuration:

wired-port-profile uplink_profile_trunk
 switchport-mode trunk
 allowed-vlan all
 native-vlan ap-ip-vlan
 port-bonding
 no shutdown
 access-rule-name uplink_profile_trunk
 speed auto
 duplex auto
 no poe
 type employee
 captive-portal disable
 no dot1x
!
enet0-port-profile uplink_profile_trunk
enet1-port-profile uplink_profile_trunk

Once the uplink profile has been saved and applied, the AP’s management VLAN ID can then be changed under System > VLAN configuration. When the AP Management VLAN is changed, the Customize VLANs of Uplink Ports option will automatically change to Native VLAN Only. The APs will continue to use the default VLAN 1 for management until a new management VLAN ID is specified and saved.

AP Management VLAN

Demonstrating the change of an AP using a modified management VLAN can be accomplished by issuing the show ip interface brief command to the AP. With the management VLAN changed to VLAN 71, the output will now show the br0.71 interface with an IPv4 address and network mask assigned. The br0.71 label indicates that VLAN 71 is now being used by the AP for management. The management VLAN in this example is untagged from the AP as VLAN 71 is configured as the Native VLAN in the uplink wired port profile.

AP New Management VLAN

VLAN enforcement

The uplink wired port profile is used to configure the operation of the uplink ports, which includes the VLAN configuration. By default, the AP’s uplink ports are assigned the default_wired_port_profile, which configures the native VLAN as 1 and accepts traffic from all VLANs.

The ability to configure and apply a new uplink port profile with a more restrictive VLAN configuration has been supported for some time. This option is typically not needed, as we recommend that VLANs be pruned at the access switching layer. As a recommended best practice, only the AP management and bridged user VLANs should be extended to the APs.

Some customers may not wish to prune VLANs at the access layer and instead extend all VLANs to the AP. By default, APs will automatically discover VLANs based on traffic that is received on their uplink ports. If all VLANs are extended to the APs, the APs will automatically learn VLAN IDs, and MAC addresses as flooded frames and packets are received on their uplink ports. If tunneled VLANs are also extended to the APs, MAC flapping may occur as MAC addresses can be learned on two traffic paths.

If VLANs cannot be pruned at the access switching layer, VLAN enforcement can be enabled on the APs to restrict which VLANs the APs accept. VLAN enforcement requires a new trunk uplink port profile to be configured and applied to the APs that includes the Native VLAN and a restrictive Allowed VLAN list. The Allowed VLAN list must only include the AP’s management VLAN and bridged user VLANs. All other VLANs must be excluded.

An example of an uplink wired port profile configured to only accept traffic from a specific range of VLANs is depicted below. In this example the AP’s management VLAN is 71 and the bridged user VLANs are 76-79. The Allowed VLAN list in this example includes the VLANs 71, 76-79:

wired-port-profile uplink_profile_trunk
 switchport-mode trunk
 allowed-vlan 71,76-79
 native-vlan ap-ip-vlan
 port-bonding
 no shutdown
 access-rule-name uplink_profile_trunk
 speed auto
 duplex auto
 no poe
 type employee
 captive-portal disable
 no dot1x
!
enet0-port-profile uplink_profile_trunk
enet1-port-profile uplink_profile_trunk

Once the new uplink wired port profile has been configured and applied to the uplink ports, VLAN enforcement can be enabled under System > VLAN within the configuration group. VLAN enforcement is enabled by setting the Customize VLANs of Uplink Ports option to All VLAN Settings. Once saved, the APs will only accept traffic from VLANs you configured in the Allowed VLAN list within the uplink wired port profile.

VLAN enforcement configuration within a configuration group is depicted below. The APs in this example have also been re-configured to use VLAN 71 for management which is configured as the Native VLAN in the above wired port profile. The management VLAN has been included to highlight that the management VLAN must be included in the Allowed VLAN list within the modified uplink profile.

AP Management VLAN
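
The Allowed VLAN rule for VLAN enforcement can be checked against an AP configuration before the setting is enabled. The following Python audit is an added example, not HPE Aruba Networking code; the function names, finding codes and sample configurations are constructed here, and the parser reads only the wired-port-profile and enetN-port-profile lines in the syntax shown on this page.

```python
import re

def expand_vlans(spec):
    """Expand an allowed-vlan value such as '71,76-79'; 'all' means 1-4094."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_ap_config(text):
    """Return ({profile name: {keyword: value}}, {port number: profile name})."""
    profiles, ports, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            current = None          # '!' or a blank line closes the stanza
            continue
        m = re.fullmatch(r"wired-port-profile\s+(\S+)", line)
        if m:
            current = profiles.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r"enet(\d+)-port-profile\s+(\S+)", line)
        if m:
            ports[int(m.group(1))] = m.group(2)
            current = None
            continue
        if current is not None:
            keyword, _, value = line.partition(" ")
            current[keyword] = value.strip()
    return profiles, ports

def audit_uplink(text, mgmt_vlan, bridged_vlans, uplink_ports=(0, 1)):
    """Check each uplink port's profile against the VLAN enforcement rules.

    Returns a list of (port, code, detail) tuples. An empty list means the
    Allowed VLAN list holds exactly the management and bridged user VLANs.
    """
    profiles, ports = parse_ap_config(text)
    bridged = set(bridged_vlans)
    required = {mgmt_vlan} | bridged
    findings = []
    for port in uplink_ports:
        name = ports.get(port)
        if name is None:
            continue                # no profile line for this port
        profile = profiles.get(name)
        if profile is None:
            findings.append((port, "profile-not-defined", name))
            continue
        if profile.get("switchport-mode") != "trunk":
            findings.append((port, "not-trunk", profile.get("switchport-mode")))
        allowed = expand_vlans(profile.get("allowed-vlan", "all"))
        if mgmt_vlan not in allowed:
            findings.append((port, "mgmt-vlan-not-allowed", mgmt_vlan))
        missing = sorted(bridged - allowed)
        if missing:
            findings.append((port, "bridged-vlans-not-allowed", missing))
        extra = allowed - required
        if extra:
            findings.append((port, "extra-vlans-allowed", len(extra)))
    return findings

# Constructed sample inputs, written in the syntax shown on this page.
DEFAULT_CFG = """\
wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
!
enet0-port-profile default_wired_port_profile
enet1-port-profile default_wired_port_profile
"""
ENFORCED_CFG = """\
wired-port-profile uplink_profile_trunk
 switchport-mode trunk
 allowed-vlan 71,76-79
 native-vlan ap-ip-vlan
!
enet0-port-profile uplink_profile_trunk
enet1-port-profile uplink_profile_trunk
"""
# Management VLAN 71 left out and an unrelated VLAN 100 let in.
BROKEN_CFG = ENFORCED_CFG.replace("71,76-79", "76-79,100")

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CFG), ("enforced", ENFORCED_CFG),
                       ("broken", BROKEN_CFG)):
        print(label, audit_uplink(cfg, 71, range(76, 80)))
```

An empty result for the restrictive profile and an extra-vlans-allowed finding for the default profile show the difference that VLAN enforcement relies on.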

HPE Aruba Networking APs equipped with a second Ethernet port can optionally be dual connected to an access switching layer. If LACP is implemented, traffic can also be load-balanced between the uplink ports. Each AP’s uplink ports can be strategically distributed between switchports in separate I/O modules within a chassis or between members of a stack. APs may also be connected to separate chassis or stacks placed in separate wiring closets if VLANs and broadcast domains are common to both uplink ports. Dual uplinks allow APs to maintain network connectivity to the access switching layer in the event of an I/O module, stack member or wiring closet failure.

APs can be connected using dual uplinks operating in an active / active or active / standby configuration without any additional configuration being required in Central. The default uplink wired port profile permits port-bonding by default and will place the AP’s Ethernet 0/0 and Ethernet 0/1 ports into either an active / active or active / standby state:

  • Active / Active – If LACP BPDUs from the same LACP group are received on both the AP’s Ethernet 0/0 and Ethernet 0/1 ports.

  • Active / Standby – If no LACP BPDUs are received on both the AP’s Ethernet 0/0 and Ethernet 0/1 ports.

Active / standby

With an active / standby dual-uplink deployment, both the Ethernet 0/0 and Ethernet 0/1 ports are connected to the access switching layer. During normal operation the AP’s Ethernet 0/0 uplink port is used for AP management and traffic forwarding while the AP’s Ethernet 0/1 uplink port is in a standby state and will not transmit or receive management or user traffic. The AP’s Ethernet 0/1 port will only become active if the link on the Ethernet 0/0 uplink port is lost.

Active-Standby Failover

The primary LAN requirement to support APs using an active / standby uplink configuration is that the VLANs and associated IP networks (broadcast domains) must be common to both AP uplink ports. APs implementing active / standby uplinks do not support layer 3 failover and cannot be connected to switchports implementing separate VLAN IDs or broadcast domains. The switchport configuration and broadcast domains for both uplink ports must be identical for failover to work. If the link to the Ethernet 0/0 interface is lost, the APs will transition their management IP interface, orchestrated tunnels, and bridged client traffic to their Ethernet 0/1 link. From the access switching layer perspective, the AP’s management IP address, MAC address and all bridged clients’ MAC addresses will move.

For most active / standby deployments, each AP will be connected to a common access layer switch or stack where the AP’s uplink ports are distributed between I/O modules within a chassis or members of a stack. This permits the APs to continue operation in the event that an I/O module or stack member fails.

An example of a typical active / standby deployment using a stack of CX switches is depicted below. In this example the AP’s Ethernet 0/0 and Ethernet 0/1 ports implement the default uplink wired port profile where each uplink port connects to a separate stack member within a VSF stack:

  • Ethernet 0/0 – The active uplink port is connected to switchport 1/1/10 (first stack member)

  • Ethernet 0/1 – The standby uplink port is connected to switchport 2/1/10 (second stack member)

Within the VSF stack, both switchports are configured as trunks with the same Native VLAN and Allowed VLANs configured. The AP in this example will implement untagged VLAN 71 for management and 802.1Q tagged VLANs 76-79 to service bridged clients.

Illustration of a switch stack and AP setup for active-standby failover within a single closet.

interface 1/1/10
   no shutdown
   description [BLD10-FL1-AP-1-0/0]
   no routing
   vlan trunk native vlan 71
   vlan trunk allowed 71,76-79
...
interface 2/1/10
   no shutdown
   description [BLD10-FL1-AP-1-0/1]
   no routing
   vlan trunk native vlan 71
   vlan trunk allowed 71,76-79

If additional redundancy is required, APs implementing active / standby uplinks can be connected to separate switches or stacks located in the same wiring closet or separate wiring closets. This permits additional redundancy in the event of a power failure. Both deployments are supported as long as the same VLAN IDs and broadcast domains are present on both uplink ports. Connecting APs to switchports using different VLAN IDs or broadcast domains is not supported.

An example of a typical active / standby deployment using separate stacks of CX switches is depicted below. In this example the AP’s Ethernet 0/0 and Ethernet 0/1 ports implement the default uplink wired port profile where each uplink port connects to a stack member in a separate VSF stack:

  • Ethernet 0/0 – The active uplink port is connected to switchport 1/1/10 (first VSF stack)

  • Ethernet 0/1 – The standby uplink port is connected to switchport 2/1/10 (second VSF stack)

Within each VSF stack, the switchports are configured as trunks with the same Native VLAN and Allowed VLANs configured. The AP in this example will implement untagged VLAN 71 for management and 802.1Q tagged VLANs 76-79 to service bridged clients. VLANs 71,76-79 in this example are extended between both VSF stacks.

Illustration of multiple switches or switch stacks and AP setup for active-standby failover across switches or closets.

BLD10-FL1-IDF-A

interface 1/1/10
   no shutdown
   description [BLD10-FL1-AP-1-0/0]
   no routing
   vlan trunk native vlan 71
   vlan trunk allowed 71,76-79

BLD10-FL1-IDF-B

interface 1/1/10
   no shutdown
   description [BLD10-FL1-AP-1-0/1]
   no routing
   vlan trunk native vlan 71
   vlan trunk allowed 71,76-79

Active / active

With an active / active dual-uplink deployment, both the Ethernet 0/0 and Ethernet 0/1 ports are connected to a common access layer switch or stack using Link Aggregation Control Protocol (LACP). During normal operation, both the Ethernet 0/0 and Ethernet 0/1 ports are active and, using hashing algorithms, both carry management and user traffic. If either link or path fails, management and user traffic will automatically fail over to the remaining active link.

Active-active load sharing

Active / active configuration requires that both AP uplink ports be connected to peer switchports that are in the same LACP link aggregation group. The LACP bond will not establish if the uplink ports are connected to switchports configured in separate LACP groups. Note that HPE Aruba Networking switches will detect this mismatch condition and place one of the switchports into a LACP blocking state. Additionally, for the LACP bond to become active, all AP uplinks and peer switchports in the LACP bond must negotiate at the same speed. If one of the links in the bond negotiates at a slower speed than the other link, the LACP bond will not establish.

An active / active uplink deployment using LACP requires each AP to be connected to a common access layer switch. This can be a chassis, stack or a logical switch implementing virtualization technology permitting LACP links to be distributed between two physical switches. The AP’s uplink ports are distributed between I/O modules within a chassis, members of a stack or the logical switches.

An example of a typical active / active deployment using a stack of CX switches is depicted below. In this example the AP’s Ethernet 0/0 and Ethernet 0/1 ports implement the default uplink wired port profile where each uplink port connects to a separate stack member within a VSF stack:

  • Ethernet 0/0 – Is connected to switchport 1/1/10 in LACP LAG group 110 (first stack member)

  • Ethernet 0/1 – Is connected to switchport 2/1/10 in LACP LAG group 110 (second stack member)

Illustration of an AP using an active / active connection to a switch stack.

BLD10-FL1-IDF-A

interface 1/1/10
   no shutdown
   description [BLD10-FL1-AP-1-0/0]
   lag 110
...
interface 2/1/10
   no shutdown
   description [BLD10-FL1-AP-1-0/1]
   lag 110
...
interface lag 110
   no shutdown
   description BLD10-FL1-AP1
   no routing
   vlan trunk native vlan 71
   vlan trunk allowed 71,76-79
   lacp mode active
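
The switch-side requirements for both dual-uplink modes (identical native and allowed VLANs for active / standby, one shared LAG for active / active) can be verified from the switch configuration. The following Python check is an added example, not HPE Aruba Networking code; the function names and result labels are constructed here, the sample stanzas follow the switch examples above, and it assumes that two separately parsed configurations are separate switches that do not share a LAG.

```python
import re

def vlan_set(spec):
    """'71,76-79' -> {71, 76, 77, 78, 79}; 'all' -> 1-4094."""
    if spec == "all":
        return set(range(1, 4095))
    return {v for p in spec.split(",")
            for v in range(int(p.split("-")[0]), int(p.split("-")[-1]) + 1)}

def parse_cx_interfaces(text):
    """Map each 'interface ...' stanza to its native VLAN, allowed VLANs, LAG and LACP mode."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            # Column-0 line: a new stanza, a '...' separator or a blank line.
            m = re.fullmatch(r"interface\s+(.+)", line)
            current = ifaces.setdefault(" ".join(m.group(1).split()), {
                "native": None, "allowed": set(), "lag": None, "lacp": None}) if m else None
            continue
        if current is None:
            continue
        m = re.fullmatch(r"vlan trunk native (?:vlan )?(\d+)", line)
        if m:
            current["native"] = int(m.group(1))
        m = re.fullmatch(r"vlan trunk allowed (\S+)", line)
        if m:
            current["allowed"] = vlan_set(m.group(1))
        m = re.fullmatch(r"lag\s*(\d+)", line)
        if m:
            current["lag"] = int(m.group(1))
        m = re.fullmatch(r"lacp mode (\S+)", line)
        if m:
            current["lacp"] = m.group(1)
    return ifaces

def check_dual_uplink(sw_a, port_a, sw_b, port_b):
    """Classify an AP's two switchports and list what would break the uplink pair.

    sw_a / sw_b are parse_cx_interfaces() results; pass the same dict twice
    when both ports sit in one stack. Returns (mode, problems).
    """
    a, b = sw_a[port_a], sw_b[port_b]
    problems = []
    if a["lag"] is None and b["lag"] is None:
        # No LACP on either port: failover needs identical VLAN configuration.
        if a["native"] != b["native"]:
            problems.append("native-vlan-differs")
        if a["allowed"] != b["allowed"]:
            problems.append("allowed-vlans-differ")
        return "active/standby", problems
    if a["lag"] != b["lag"] or sw_a is not sw_b:
        # Assumption: separate configurations never share a LAG.
        return "no-bond", ["ports-not-in-same-lag"]
    lag = sw_a.get(f"lag {a['lag']}")
    if lag is None:
        problems.append("lag-interface-missing")
    elif lag["lacp"] is None:
        problems.append("lacp-not-enabled")
    return "active/active", problems

# Constructed samples in the syntax of the switch examples on this page.
STANDBY_STACK = """\
interface 1/1/10
   no shutdown
   vlan trunk native vlan 71
   vlan trunk allowed 71,76-79
...
interface 2/1/10
   no shutdown
   vlan trunk native vlan 71
   vlan trunk allowed 71,76-79
"""
LAG_STACK = """\
interface 1/1/10
   lag 110
interface 2/1/10
   lag 110
interface lag 110
   no routing
   vlan trunk native vlan 71
   vlan trunk allowed 71,76-79
   lacp mode active
"""

if __name__ == "__main__":
    stack = parse_cx_interfaces(STANDBY_STACK)
    print(check_dual_uplink(stack, "1/1/10", stack, "2/1/10"))
    lag = parse_cx_interfaces(LAG_STACK)
    print(check_dual_uplink(lag, "1/1/10", lag, "2/1/10"))
```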

During normal operation, traffic transmitted by the AP to the access switching layer is hashed and distributed across both of the AP’s Ethernet 0/0 and Ethernet 0/1 ports. This includes AP management, tunneled user traffic and bridged user traffic. The fields that APs use to hash egress traffic will be dependent on the traffic type and number of headers that are available:

  • Layer 2 Frames – APs will hash egress traffic across both uplinks based on source MAC / destination MAC.

  • Layer 3 Packets – APs will hash egress traffic across both uplinks based on source MAC / destination MAC and source IP / destination IP.

For tunneled user traffic to a primary cluster consisting of two or more cluster nodes, multiple layers of traffic distribution will occur. The IPsec and GRE tunnels will be distributed between the AP’s uplink ports based on layer 2 and layer 3 headers while tunneled clients will be distributed between GRE tunnels based on each tunneled client’s bucketmap assignment:

  • GRE Tunnels – APs will hash GRE tunnels based on source MAC / destination MAC and source IP / destination IP.

  • Tunneled Clients – Traffic for each tunneled client is anchored to a specific cluster node based on bucketmap assignment.

PoE redundancy

When utilizing dual uplinks, APs may receive power from the Ethernet 0/0 and/or Ethernet 0/1 uplink ports. Depending on the AP series and model, APs may either simultaneously source power from both uplink ports using sharing or source power from either port using failover. With the exception of the 510 series that can only source power from Ethernet 0/0, APs will either support sharing or failover.

PoE standards and failover options for dual Ethernet equipped AP models:

AP Series   PoE Standards              PoE Redundancy
---------   -------------              --------------
320 Series  802.3af, 802.3at           Failover
330 Series  802.3af, 802.3at           Failover
340 Series  802.3af, 802.3at           Failover
510 Series  802.3af, 802.3at, 802.3bt  No
530 Series  802.3at, 802.3bt           Sharing
550 Series  802.3at, 802.3bt           Sharing
570 Series  802.3at, 802.3bt           Sharing
630 Series  802.3at, 802.3bt           Failover
650 Series  802.3af, 802.3at, 802.3bt  Sharing

The AP-530, AP-550, and AP-570 series APs will balance the power draw across the uplink ports and will generally draw 40% / 60% power on each port, best case. The AP-650 will draw power from Ethernet 0/0 first and then from Ethernet 0/1 once Ethernet 0/0 is maxed out. The maximum budget on the AP-650 series is the sum of both ports, whereas on the AP-530, AP-550, and AP-570 series it is the budget of whichever port is lowest divided by 0.6.

Downlink ports are used to connect wired client devices to APs but may also be used to connect APs operating as Mesh Points to clients or downstream switches when Mesh bridging is deployed. The number of ports that can be implemented as downlinks will vary based on the number of physical Ethernet ports available on the AP and the number of Ethernet ports that are employed as uplinks.

When downlinks are implemented to connect wired client devices, user traffic can be bridged or tunneled based on the traffic forwarding mode configured in the profile. Client devices can also be optionally MAC, 802.1X or Captive Portal authenticated with static or dynamic VLAN and user role assignments.

The default downlink wired port profile wired-SetMeUp is present on all HPE Aruba Networking APs in a factory defaulted state but is absent in Central. The default downlink profile is assigned to non-uplink ports by default on Hospitality APs.

wired-port-profile wired-SetMeUp
  no shutdown
  switchport-mode access
  allowed-vlan all
  native-vlan guest
  access-rule-name wired-SetMeUp
  speed auto
  duplex auto
  type guest
  captive-portal disable
  inactivity-timeout 1000

Port Profile Assignments
------------------------
Port  Profile Name
----  ------------
0     default_wired_port_profile
1     default_wired_port_profile
2     wired-SetMeUp
3     wired-SetMeUp
4     wired-SetMeUp
USB   wired-SetMeUp

Bridged

Downlink ports configured for bridge forwarding can be used to connect wired client devices to APs or to connect Mesh Points to downstream access layer switches when Mesh bridging is deployed. The downlink wired port profile can be configured for access supporting a single untagged access VLAN or as a trunk supporting a single Native VLAN and one or more 802.1Q tagged VLANs.

When the downlink profile is configured for bridge forwarding, the AP bridges traffic received on a downlink port to an uplink port on the assigned VLAN. The VLAN assignment and uplink port profile configuration determines if the bridged traffic is forwarded out the uplink port untagged or tagged.

When configuring a downlink port profile with bridge forwarding, the VLANs that are configured must be present on the AP’s uplink ports. If the default uplink port profile is implemented, all VLANs are allowed by default. If a user defined uplink port profile is implemented, the bridged VLANs must be included in the Allowed VLAN list. The VLANs must also be extended to the APs from the access switching layer.

An example of a downlink bridged port profile configured for access is depicted below. In this example an IP camera is connected to the AP’s Ethernet 0/1 downlink port and is assigned to access VLAN 79. VLAN 79 is extended between the access switching layer and the AP’s Ethernet 0/0 uplink port and is 802.1Q tagged between both ports.

Access bridged downlink port

An example of a downlink bridged port profile configured for trunk is depicted below. In this example an IP phone is connected to the AP’s Ethernet 0/1 downlink port where untagged VLAN 76 is used for data and 802.1Q tagged VLAN 77 is used for voice. Both VLANs are extended between the access switching layer and the AP’s Ethernet 0/0 uplink port and are 802.1Q tagged between both ports.

Trunk bridged downlink port

An example of a downlink bridged port profile configured for trunk and used for Mesh bridging is depicted below. In this example a user defined uplink port profile with the native VLAN 71 and allowed VLANs 71,76-79 has been assigned to the Mesh Portal’s Ethernet 0/0 uplink port that connects to the access switching layer. A user defined downlink port profile has been assigned to the Mesh Point’s Ethernet 0/0 port with the same native VLAN 71 and allowed VLANs 71,76-79. VLANs 71,76-79 are effectively extended from the access switching layer over the mesh link to the remote access layer switch.

Mesh trunk bridged downlink port

Tunneled

Downlink ports configured for tunnel forwarding can be used to connect wired client devices to APs. A downlink wired port profile can only be configured for access supporting a single untagged VLAN. Tunneled trunk ports configured with multiple VLANs are not supported today.

When the downlink profile is configured for tunnel forwarding, the AP tunnels traffic received on a downlink port to the selected primary cluster. As with tunneled WLAN clients, each tunneled wired client is assigned a UDG and S-UDG session within the primary cluster via the published bucketmap. If datacenter redundancy is required, failover between a primary and secondary cluster is also supported.

Each tunneled downlink port profile can be configured to tunnel traffic to a specified primary cluster. APs supporting multiple downlink ports can implement port profiles that all tunnel to the same primary cluster or may implement port profiles tunneling to separate primary clusters (MultiZone).

An example of downlink tunneled port profiles applied to hospitality APs is depicted below. In this example two downlink port profiles with tunnel forwarding have been assigned to the AP’s downlink ports to support in-room services and guest devices:

  • Ethernet 0/1 – A downlink port profile is assigned to support a SmartTV which is MAC authenticated and assigned to VLAN 74.

  • Ethernet 0/2 – Ethernet 0/4 – A downlink port profile is assigned to support hotel guest devices which are Captive Portal authenticated and assigned to VLAN 75.

Access Tunnel Downlink Ports


Last modified: March 20, 2024 (a365f3b)