There’s a very important concept on this day one you need to understand: how you can configure these templates and apply those templates to multiple port configurations or sites. So you have the option of creating a global template. A global template is a template which consists of networks, port profiles, switch matching rules, RADIUS server configurations, et cetera, which can be applied at an ORG level. That means in this scenario you have all this configuration pushed down to every switch which is part of your ORG. Now you can inherit those configurations at a site level also. That means if you have associated that global template with a particular site, you will inherit all the configurations at that site level. But at the same time, if you see that at this particular site, you want to change the IP address of the RADIUS server.
At a global level in this example, I’m using a RADIUS server IP address of 192.168.1.10. But for this site, which you have, say, on the east coast or the west coast of the country, and you have a local RADIUS server in that region, you want to override that site configuration with a new RADIUS server of 172.20.1.10. But at the same time, we provide another level of overriding that template. Now, if you have to go down to a particular switch and say that for this particular switch, I want to override the configuration which has been configured at a global level or a site level with a switch-specific RADIUS server configuration, you can do that. So these templates allow you to organize your configurations at a global level and override that configuration at a site level. And finally, if you want, you can override the information at a switch level.
So all the configurations you do are overrides between the global template, then a particular site, as well as the switch settings. In the case of CLIs, it is not overridden. We perform an AND operation, so whatever configurations you do at an ORG level will be an OR operation for certain things at the site level. But between the configurations at a site level and a switch level, it is an AND operation. So whatever configurations you are doing at a site or at a global template, and then you are adding some configuration at a switch level, it is an AND operation. So let me show you all of this on a live setup, which I have over here.
So here is a look at my setup. The name of the site is very simple, called Primary site, with the default configuration which I have. So now let’s look at the organization. So in this organization what I have is the switch template, and this is my global organization. The switch template comprises all the templates which you want to apply globally to the configuration. So in this example, I have a template called production template. In this template, I added the IP address of my RADIUS server. I’m using a cloud version of the RADIUS server. Then I have added the configuration for an NTP server. I have configuration of some CLI commands over here also. So I have added some CLI commands as a backdoor entry to my switch. I have some commands related to a banner, et cetera, which I want to push to all my switches.
At the same time, what I have done is configure those networks or those VLANs which we talked about: I created a network for IoT. It is simply configured with a VLAN ID of 20. Similarly, I have a corporate network with a VLAN ID of 40 as well as a camera network with a VLAN ID of 30. I’ve added another network over here called restricted with a VLAN ID of 99, and I’ll explain to you where we are using this VLAN later.
Now, I have created multiple profiles mapping to these devices or these types of devices which we have in the network. For example, I’ve created a profile called mist-ap. Usually the port is enabled; it is always connected to a trunk port. Mist APs are always connected to a trunk port where I can define which is my native VLAN and all the other networks you are allowing through that trunk port. In this case, I have allowed the camera network, the corporate network, and the IoT network as part of that trunk port. Speed, I left it to auto. Duplex, I left it to auto. MAC limit, if I want to do any MAC limit, I can do that. PoE is enabled. Spanning tree can be enabled or disabled as required. If you want to enable QoS, you’ll be able to do that, and if you want to change the MTU value of that particular port, you can do that also.
At the same time, if you want to enable storm control, you can do that. You can increase the amount or the percentage of that at the same time over here. So this is a profile for a Mist AP, usually a trunk port. Then I’ve created another profile for the cameras. In this case, I have a camera profile which is an access port. Usually it’s mapped to a VLAN of 30. I have not enabled any 802.1X authentication, and I kept the remaining default configurations over here.
Similarly, I’ve created the profile for corporate devices. This is where I map to VLAN 40, but I have enabled 802.1X authentication for those corporate devices. So I have enabled 802.1X authentication as well as MAC authentication. The rest of the configurations I have left at default, but I’ve enabled spanning tree for this particular set of ports. Similarly, I created another profile for IoT, as well as a profile for restricted devices. This is basically where we are mapping this particular profile to VLAN 99.
Once these profiles are configured for the different types of devices you have in your network, now we create this dynamic port configuration. For example, I have created a dynamic port configuration for my Mist APs. Usually the Mist APs start with a MAC address of 5c:5b:35, and I say it over here. If I’m getting this information via LLDP, either the chassis ID or the system name, I created a profile saying that as soon as I detect these MAC addresses via LLDP, I will assign that port profile of Mist AP. Similarly, I’ve created another profile for another set of Mist APs. But if you have devices which do not support LLDP, which don’t support 802.1X authentication, you can always create a profile by checking the MAC address of the devices and say that if this particular device starts with a MAC address of E087800 as the first six octets, I’m going to apply that to our IoT device profile.
It’ll be put into that VLAN 20. Similarly, I’ve created another one for my cameras, which don’t support LLDP or 802.1X authentication. I’m simply looking at the MAC address and applying it with the profile of, say, camera device. So now that you have configured all these profiles, let’s now apply these profiles to the switches. So in this case, what we do is create a rule. In this scenario, I have already created a rule called access-2300 where I said if my switch has a role of access, or you can select the model of the switches also. You can say that for all 2300 switches in my network, I want to configure the ports in this format, saying that port number two is always dedicated for Mist AP, port number four is for corporate device, port number five is for IoT device.
At the same time, port number six is configured for dynamic authentication or dynamic profiling. In this scenario, what I have done is, by default, I have mapped that particular port to a restricted device profile, which is mapped to VLAN 99, which is non-routable in your network, and I have enabled dynamic configuration on that particular port. So now if we detect a Mist AP or any of the devices where MAC authentication or MAC detection is done, we will now be able to configure that port dynamically to the Mist AP profile or the camera profile or the IoT device profile. And the good part is, as soon as those devices are taken away from the port, we will convert that port to a restricted device profile. So we are not now doing dynamic profiling, but at the same time, we have the option on the Mist cloud to convert that port to a restricted port.
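As an added illustration (not Mist’s code), here is a small Python model of the dynamic port behaviour just described: the port sits in the restricted profile, a matching rule identifies the device over LLDP or by MAC prefix, and the port falls back to restricted when the device is unplugged or is unrecognised. The `Rule`/`Device` classes and the IoT prefix 00:11:22 are constructed for the example; the 5c:5b:35 Mist AP prefix and the VLAN 99 restricted default come from the walkthrough.

```python
from dataclasses import dataclass
from typing import Optional

RESTRICTED = "restricted-device"   # default for a dynamic port, VLAN 99 in the walkthrough

@dataclass
class Rule:
    profile: str    # port profile to apply on a match
    match: str      # "lldp_chassis_id", "lldp_system_name" or "mac_oui"
    prefix: str     # compared case-insensitively against the start of the attribute

@dataclass
class Device:
    mac: str
    lldp_chassis_id: Optional[str] = None   # None when the device speaks no LLDP
    lldp_system_name: Optional[str] = None

def norm(value: str) -> str:
    # lower-case and unify MAC separators so 5C-5B-35 and 5c:5b:35 compare equal
    return value.lower().replace("-", ":").replace(".", ":")

def match_rule(rule: Rule, dev: Device) -> bool:
    attr = dev.mac if rule.match == "mac_oui" else getattr(dev, rule.match)
    return attr is not None and norm(attr).startswith(norm(rule.prefix))

def select_profile(rules: list[Rule], dev: Optional[Device]) -> str:
    """Restricted with no device attached, first matching rule otherwise,
    restricted again for a device no rule recognises."""
    if dev is None:
        return RESTRICTED
    for rule in rules:
        if match_rule(rule, dev):
            return rule.profile
    return RESTRICTED

# Mist APs identified over LLDP by the 5c:5b:35 prefix (from the walkthrough).
# The IoT OUI 00:11:22 is a constructed placeholder for a device with neither LLDP nor 802.1X.
RULES = [
    Rule("mist-ap", "lldp_chassis_id", "5c:5b:35"),
    Rule("iot-device", "mac_oui", "00:11:22"),
]

def simulate_port(events: list) -> list[str]:
    """Replay connect (Device) / disconnect (None) events on one dynamic port."""
    return [select_profile(RULES, dev) for dev in events]

if __name__ == "__main__":
    ap = Device("5c:5b:35:aa:bb:cc", lldp_chassis_id="5C-5B-35-AA-BB-CC")
    sensor = Device("00:11:22:33:44:55")   # constructed IoT device, MAC match only
    laptop = Device("aa:bb:cc:dd:ee:ff")   # unknown device stays restricted
    print(simulate_port([None, ap, None, sensor, laptop]))
```

Note that a Mist AP whose LLDP is not received only matches if a MAC-prefix rule exists for it; the LLDP rule alone leaves the port restricted.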
At the same time, if you want, you can now assign some CLI commands at this level also, but at the same time, you can override this information at a device level, which I’ll show you later. Now that I have created this template called production template, I’m going to apply this template to a site. So I have created this site called primary site, for example, and I’ve associated it with this production template, and I have one switch at this site. So now what I have over here, as you can see, once I have mapped that particular site with this particular template, all the information which is done at the global level in this template is now available at this particular site.
So now you can come in and override any of the information. For example, if you want to change the RADIUS information for this particular site, you can now do that. So you can say, this is my RADIUS information for this particular site itself. And now what happens in this case is the global RADIUS configuration which we had is now overwritten for this particular site only. Similarly, you can override the NTP configurations, DNS configurations, et cetera in your network. You can now say that for this particular site, my camera network is not VLAN 30, but it’s going to be VLAN 31; for whatever reason, you can override that configuration and say my network at this particular site, which is what we call the primary site, is going to be VLAN 31 for camera.
The rest of the networks remain as they are, say the corporate network is still 40, but the IoT network also is not VLAN 20, but VLAN 21. So you can now inherit all the configurations from a global level, but at the same time override that information if you want to. So we provide you these override functions for every feature and functionality which we add.
So as you can see, we can override the configurations over here for the dynamic port configurations and camera profiles. We can override the information. So we provide you overriding functions for each and every feature and functionality which we do at a global level, at a site level. Now that this is applied over here, let’s look at the switches which are part of this site. So in this case, I have a 2300 switch which is part of this primary site. And as you go in and look into this particular switch, you will see now that all the configurations we have done for the networks, the camera network, corporate networks, are inherited by the switch. Similarly, it has inherited all the profiles. It has inherited the dynamic port configurations. Also, at the same time, you can see the template information in the CLI commands which I added.
But at the same time, for this particular switch, if you want to configure some additional CLI commands, we can do that at a switch level. So when we push the configuration from the cloud to the switches, we will do an AND operation. So now you will be able to push the configurations which are inherited from the global level, do an AND operation, and push the configuration at the CLI level also. So as you can see over here, we have inherited all the configurations from the global level, but again, at a switch level, if you want to override any of the information, including the RADIUS servers, you’ll be able to do that. Any configuration which shows with an asterisk over here, a blue asterisk, means that the configuration is inherited from the global level. And now if you want to add a few configurations, which I have done over here at a site level or a device level, you can add them also.
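Added example, not Mist’s own code: a Python model of how the global, site and switch levels combine. Settings are overridden by the most specific level that sets them, CLI commands accumulate across levels (the AND operation), and each effective value is tagged with the level it came from, which is what the blue asterisk for inherited values conveys. The RADIUS and VLAN values come from the walkthrough; the NTP hostname and the two Junos-style CLI lines are constructed.

```python
from typing import Any

LEVELS = ("global", "site", "switch")   # least to most specific

def merge_settings(layers: dict[str, dict[str, Any]]) -> dict[str, tuple[Any, str]]:
    """Return key -> (effective value, level that set it); later levels override."""
    effective: dict[str, tuple[Any, str]] = {}
    for level in LEVELS:
        for key, value in layers.get(level, {}).items():
            effective[key] = (value, level)
    return effective

def merge_cli(layers: dict[str, list[str]]) -> list[str]:
    """CLI commands are not overridden: every level's commands are kept, in order."""
    seen, out = set(), []
    for level in LEVELS:
        for cmd in layers.get(level, []):
            if cmd not in seen:
                seen.add(cmd)
                out.append(cmd)
    return out

def resolve(layers: dict[str, dict]) -> dict:
    return {
        "settings": merge_settings({lvl: cfg.get("settings", {}) for lvl, cfg in layers.items()}),
        "cli": merge_cli({lvl: cfg.get("cli", []) for lvl, cfg in layers.items()}),
    }

def inherited_keys(resolved: dict, at_level: str = "switch") -> list[str]:
    """Settings whose effective value comes from above `at_level` (the asterisk set)."""
    idx = LEVELS.index(at_level)
    return sorted(k for k, (_, lvl) in resolved["settings"].items() if LEVELS.index(lvl) < idx)

# Walkthrough values: global RADIUS 192.168.1.10 overridden at the site to 172.20.1.10,
# camera VLAN 30 -> 31, IoT VLAN 20 -> 21. NTP host and CLI lines are constructed samples.
GLOBAL = {"settings": {"radius_server": "192.168.1.10", "ntp_server": "ntp.example.net",
                       "vlan:camera": 30, "vlan:corporate": 40, "vlan:iot": 20, "vlan:restricted": 99},
          "cli": ['set system login message "Authorized access only"']}
SITE = {"settings": {"radius_server": "172.20.1.10", "vlan:camera": 31, "vlan:iot": 21}, "cli": []}
SWITCH = {"settings": {}, "cli": ["set system services ssh protocol-version v2"]}
LAYERS = {"global": GLOBAL, "site": SITE, "switch": SWITCH}

if __name__ == "__main__":
    eff = resolve(LAYERS)
    for key, (val, lvl) in sorted(eff["settings"].items()):
        print(f"{'*' if lvl != 'switch' else ' '} {key} = {val}  ({lvl})")   # * marks inherited
    print("\n".join(eff["cli"]))
```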
Another important thing to note over here is the role of the switch. So when I created that rule, I created that rule saying that if it’s a 2300 switch, plus it has an access role, it’ll inherit all these configurations over here. Similarly, I have the option of configuring the IP address of the device or of the switch to use DHCP or static. Or at the same time, the out-of-band management port can also have DHCP or static information. So that’s how you configure all your port profiles. And as a result of these configurations of the port profiles, now you can see that multiple devices, as they are connected to the network, are applied with the right profile. For example, for APs, I have some profile associated with it. I have a profile for an uplink port. At the same time, I have other devices configured as they come online; they will be inheriting those profiles over here. At the same time, if you go under switch insights and look for any of the data, say for the last seven days, you will be able to see, as the ports are going up and down, all the data related to it. And if we have detected any dynamic port profile, you will be able to see that.
On port number six, I have connected a Mist AP. And since we are having a dynamic profile over here, I will convert that port automatically to our new profile with Mist AP, which will convert that port into trunk mode, allow the right VLANs on it, and as I take out that AP from that port, this port configuration will go back to a restricted port configuration. So similarly, you can see I have assigned some dynamic port profiles where if I have disconnected the port or connected the port, it goes back to a restricted device in the normal condition, but as soon as I detect a Mist AP, I put that same port to a Mist AP configuration. So that’s a quick look at how we are creating templates to apply the templates at an ORG level and site level and override that configuration at a switch level. At the same time, I showed you how you can create multiple VLANs, create those profiles and associate them with the different ports at a global level or a site level, and override that information at a switch level. Thank you for watching.