Why use Dynamic Port Configuration?
Traditionally, switch ports are configured individually, port by port, based on the device that is connected, with parameters such as VLAN and trunk/access mode.
Port profiles add a layer of abstraction: the parameters above are defined once in a profile, which is then reused on ports as they come up or assigned to ports in advance.
With port profiles in place, the administrator still needs to assign these profiles to the ports manually, in one of two ways:
1. Have a designated set of ports for dedicated devices (e.g. ports 1 through 10 for APs, ports 11 through 20 for cameras, etc.)
OR
2. Assign profiles as the ports come up, which is laborious and needs a dedicated team for this effort.
Dynamic Port Configuration (DPC) assigns port profiles to client devices automatically, without the need for either of the above. With DPC, the client device identifies itself to the system via its device properties, and the assigned port configuration is provisioned automatically. With Dynamic Port Configuration enabled, a user can plug any device, such as an access point, security camera or VoIP device, into a switch port, and the appropriate port profile is configured to allow network access without manual intervention.
Dynamic Port Configuration rules supported for identifying clients:
- LLDP Chassis ID
- LLDP System Name
- RADIUS Username
- RADIUS Filter-ID
- Ethernet MAC address
- LLDP Description
Setup of dynamic port profiles involves two steps:
1. Set up the rules for device identification
- Choose from one of the options listed above
2. Assign the ports on which you would like to enable DPC
- It can be all ports or a select few on which you would like to enable DPC
Best Practice to set up a Dynamic Port Configuration
Keeping network security in mind, we recommend creating a restricted network profile, which is assigned to unknown devices connected to switch ports on which DPC is enabled.
a) The advantage of this approach is that devices which do not meet any DPC criterion set by the admin are only given a restricted profile (non-routable VLAN, guest VLAN, etc.).
b) Connected devices which do meet a DPC criterion are given the corresponding port profile.
c) Ensure the default/restricted VLAN used for DPC does not have an active DHCP server running (to avoid stale IP issues on certain legacy devices).
Detailed Configuration Guide
1. Set up a restricted VLAN
2. Create two port profiles:
a) Restricted port profile – the default applied to the port
b) Wireless profile – assigned when a client matches the DPC criteria
3. Determine the device property that you will use to automatically identify the client
a) In this example we use the LLDP information:
mist@standalone> show lldp neighbors interface ge-0/0/4
LLDP Neighbor Information:
Local Information:
Index: 40 Time to live: 120 Time mark: Tue Dec 29 20:45:24 2020 Age: 28 secs
Local Interface: ge-0/0/4
Parent Interface: –
Local Port ID: 518
Ageout Count: 0
Neighbour Information:
Chassis type: Mac address
Chassis ID : 5c:5b:35:50:0b:db
Port type: Mac address
Port ID : 5c:5b:35:50:0b:db
Port Description: ETH0
System name : 5c5b35500bdb
System Description: Mist Systems 802.11ax Access Point.
b) Based on the LLDP information from the device, we can define the Dynamic Port Configuration rule using the LLDP Chassis ID, System Name or LLDP Description (case sensitive) and map it to the required port profile. In the example below, we match a chassis ID starting with “5c:5b:35”, which matches any Mist AP connected to the switch; the port is then automatically provisioned with the “wireless” profile.
4. Save the configuration, and Dynamic Port Configuration will trigger on the next link-up event on the switch port.
Dynamic Port Configuration Checklist
We can configure and check the Dynamic Port Configuration using the API below:
GET – https://api.mistsys.com/api/v1/sites/c3b8f61c-c5a2-495d-9a5c-9b129624e9bf/devices/00000000-0000-0000-1000-<device mac addr>
{
  "dynamic": { "mode": "dynamic", "rules": [ { "src": "lldp_chassis_id", "usage": "wireless", "equals": "5c:5b:35", "expression": "[0:8]" } ] },
  "port_config": { "ge-0/0/2-3": { "usage": "restricted_access", "dynamic_usage": "dynamic" } }
}
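To make the rule evaluation in step 3b and the API rule set above concrete, here is an added Python example (not Mist's code or API) that parses the LLDP neighbour fields shown in this guide, applies the rule's slice expression and falls back to the restricted profile for any device that matches no rule. It assumes the "[0:8]" expression uses Python-style slice bounds, and the lldp_system_name and lldp_description src names are assumed for illustration; only lldp_chassis_id appears on the page.

```python
import json
import re

# Constructed sample, trimmed from the show lldp neighbors output in the guide.
MIST_AP_LLDP = """\
Chassis ID : 5c:5b:35:50:0b:db
System name : 5c5b35500bdb
System Description: Mist Systems 802.11ax Access Point.
"""

# DPC rules from the API response in the guide: restricted default, "wireless" for 5c:5b:35 APs.
DPC_CONFIG = json.loads("""{
  "dynamic": {"mode": "dynamic", "rules": [{"src": "lldp_chassis_id",
      "usage": "wireless", "equals": "5c:5b:35", "expression": "[0:8]"}]},
  "port_config": {"ge-0/0/2-3": {"usage": "restricted_access",
                                 "dynamic_usage": "dynamic"}}
}""")

# Rule "src" values mapped to the LLDP fields they read (names other than lldp_chassis_id assumed).
SRC_TO_FIELD = {"lldp_chassis_id": "Chassis ID",
                "lldp_system_name": "System name",
                "lldp_description": "System Description"}

def parse_lldp(text):
    """Turn 'Key : value' lines of show lldp neighbors into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def apply_expression(value, expression):
    """Apply a DPC slice such as "[0:8]" (assumed Python-style bounds)."""
    m = re.fullmatch(r"\[(\d*):(\d*)\]", expression or "")
    if not m:
        return value
    start, stop = (int(g) if g else None for g in m.groups())
    return value[start:stop]

def select_profile(lldp_text, config, default="restricted_access"):
    """Profile DPC assigns to the neighbour; no match keeps the restricted default."""
    fields = parse_lldp(lldp_text)
    for rule in config["dynamic"]["rules"]:
        field = SRC_TO_FIELD.get(rule["src"])
        if field in fields:
            candidate = apply_expression(fields[field], rule.get("expression"))
            if candidate == rule["equals"]:   # case sensitive, per the guide
                return rule["usage"]
    return default
```

An upper-case chassis ID or an unknown OUI stays on restricted_access, which is the behaviour the best-practice section above relies on.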
5. Verification
The configured dynamic port profile is shown on the Switch Insights page under Switch Events, and on the front panel view as well.
NOTE:
- It takes a couple of minutes for the profile to be applied after the client is recognized, and a couple of minutes after that for the UI to update.
- In case of a switch reboot or a mass link up/down event on all ports of a particular switch, it takes about 20 minutes for all ports to be assigned the right profile (assuming DPC is enabled on all ports).
- It is best practice not to provide IP addresses on the default port profile before the Dynamic Port Profile is applied (once clients receive an IP, they will not request another after the new profile is applied).
- ge-168/5/X is a dummy interface created to keep the interface-range for a dynamic usage from being empty. An interface-range without any members results in a configuration error on JUNOS.