Port Profiles Overview
Port profiles provide a convenient way to manually or automatically provision switch interfaces. Mist supports two types of port profiles, distinguished by how a profile is assigned to a port, and also ships a set of system-defined profiles:
- Static port profiles—A static port profile is a profile that is manually assigned to a specific switch port. These profiles are used for static provisioning of switch ports.
- Dynamic port profiles—Dynamic port profiles let a switch port identify the device connected to it, using the configured port assignment rules, and assign a matching profile to the port dynamically. Dynamic port profiles are used for autoprovisioning of switch ports (colorless ports).
- System-defined port profiles—By default, Juniper Mist provides you with system-defined port profiles that are preconfigured for you. These work the same way regular port profiles do, except these are available for you to use if you do not want to configure your own. The system-defined port profiles provided by Mist are as follows: ap, iot, uplink, default, and disabled.
Static Port Profiles
The static port profile assignment involves two steps - configuring a port profile and assigning it manually to a specific switch port. You can configure port profiles from the Port Profiles tile on the switch template or the switch details page. You can manually assign the profile to a port from the Port Config tab in the Select Switches section of the switch template, or from the Port Configuration section on the switch details page.
Port profiles provide a convenient way to manually or automatically provision EX switch interfaces. Going into the EX4300, we'll first create VLANs. We'll make a camera network with VLAN ID 30 and an IoT network with VLAN ID 29.
You can create as many networks as needed. You can create the profiles, for example, a camera, and map it to the camera network that we just created. Customize the settings as desired, such as PoE and STP.
We'll repeat this process to create profiles for a corporate device with 802.1X authentication enabled, an IoT device configured with PoE, and an access point configured as a trunk port. It's very simple to modify profiles to meet your specific requirements. Then we go into the port configuration section to associate ports with the port profiles.
Here we map ports 1 through 5 to be with an AP profile, ports 6 through 10 with a corporate device profile, ports 11 through 15 with IoT profiles, and ports 16 to 20 with the camera profile. This is how to create port profiles. We can also create port aggregation uplinks to be associated with the appropriate profiles.
When you save all of your changes, the configuration is pushed to the particular switch. This covers how EX switches are manually provisioned with port profiles from the Juniper Mist Cloud.
Dynamic Port Profiles
Dynamic port profiles enable you to configure rules for dynamically assigning port profiles to an interface. When a user connects a client device to a switch port with dynamic profile configuration, the switch identifies the device and assigns a suitable port profile to the port. Dynamic port profiling utilizes a set of device properties of the client device to automatically associate a preconfigured port and network setting to the interface. You can configure a dynamic port profile based on the various parameters such as LLDP name and MAC address.
Dynamic port configuration involves two steps:
- Set up rules for dynamically assigning port profiles. Here's an example of a rule that automatically assigns the port profile 'AP' to a Mist AP. As per this rule, when the port identifies a device whose LLDP chassis ID starts with D4:20:B0, it assigns the 'AP' profile to that port.
For more information, see the Dynamic Port Configuration step in Configure Switches.
- Specify the ports that you want to function as dynamic ports. You can do this by selecting the Enable Dynamic Configuration check box on the Port Config tab in the Select Switches section of the switch template. You can also do this at the switch level, from the Port Configuration section on the switch details page.
We recommend that you create a restricted network profile to be assigned to unknown devices connected to switch ports that have dynamic port configuration enabled. With such a setup, a port enabled for dynamic port configuration is assigned a restricted VLAN, and a connected device that does not match any of the dynamic profiling attributes is placed into that restricted VLAN, such as a non-routable VLAN or a guest VLAN.
Ensure that the default or restricted VLAN used in dynamic port configuration does not have an active DHCP server running. Otherwise, you might encounter stale IP address issues on certain legacy devices: the device obtains a lease on the restricted VLAN before the matching profile moves the port to its intended VLAN, and some devices keep that address instead of requesting a new one.
Dynamic port configuration on a switch is meant for connecting IoT devices, APs, and user endpoints. Do not use it for links between switches, between switches and routers, or between switches and firewalls, and do not enable Dynamic Port Configuration on the uplink port.
See Configure Switches for more information on how to configure port profiles.
Wired Assurance offers dynamic port profiles, so you can simply plug in your device and it will automatically be assigned the appropriate profile. This is also referred to as the provisioning of colorless ports. In this example, we have a Juniper AP assigned to port 5. We also created a port profile called Minimal Access that has access to a guest network on VLAN 99.
Based on how devices identify themselves, we can create rules to assign profiles. We'll use the LLDP chassis ID to identify the device: if it starts with the three octets D4:20:B0, the port is given the AP12 profile. So what we just did is set the dynamic profile assignment for port 5. If the wired device does not register as an AP12, it gets the Minimal Access profile.
If it shows as an AP12, then it gets the AP12 profile. To verify that the port was assigned the right profile, take a look at the switch events log. You can see that the AP12 profile was correctly identified and automatically applied to port 5. Dynamic port profiles are not just limited to Juniper devices alone.
Anything identified by LLDP or by RADIUS user name also falls under the domain of dynamic port profiles, so manually assigning profiles to individual ports, or even to a range of ports, is no longer necessary.
Best Practices in Port Configuration
Here are a few recommendations for your switch ports to work seamlessly with the Mist APs:
- On a trunk port, prune all the unwanted VLANs. Only the VLANs required by the WLAN configuration should be on the port. Because APs do not save their configuration by default, an AP must be able to obtain an IP address on the native VLAN to reach the cloud and get configured.
- We do not recommend port security (MAC address limit), except where all WLANs are tunneled: an AP bridges the MAC address of every wireless client onto its switch port, so a MAC limit would block clients once it is reached, whereas with all WLANs tunneled only the AP's own MAC address appears on the port.
- Feel free to enable BPDU guard, as BPDUs are typically not bridged from the wireless side to the wired side of an AP unless it is a mesh base. BPDUs are the messages exchanged between switches in an extended LAN running a spanning tree protocol; they carry port, address, priority, and cost information so that the topology stays loop-free.
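As an added example (not Juniper's or Mist's own code), the following Python script models the dynamic-profile matching described above together with the per-port settings from the best-practice list: rules are evaluated in order against what the port observed (LLDP chassis ID, LLDP system name, MAC address), an unmatched device falls back to the restricted profile, and the chosen profile is rendered as Junos set commands carrying only the VLANs that profile needs, PoE where wanted, and an RSTP edge port with BPDU block. The profile names AP12, camera, iot and Minimal Access and the D4:20:B0 chassis-ID prefix follow the text; the VLAN names, the camera- system-name prefix and the AC:DE:48 MAC prefix are assumptions made for the example.

```python
"""Dynamic port profile matching with a restricted fallback, and the Junos
port configuration each chosen profile implies.

Added example, not Juniper Mist code: rule attributes, VLAN names and the
camera-/AC:DE:48 prefixes are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Profile:
    name: str
    mode: str                    # "trunk" or "access"
    vlans: Tuple[str, ...]       # only the VLANs this device class needs (pruned)
    native_vlan_id: Optional[int] = None
    poe: bool = False
    bpdu_guard: bool = False     # RSTP edge port with BPDU block


@dataclass(frozen=True)
class Rule:
    attribute: str   # "lldp_chassis_id", "mac", "lldp_system_name", "radius_username"
    op: str          # "starts_with" or "equals"
    value: str
    profile: str     # profile assigned when the rule matches


MAC_ATTRIBUTES = {"lldp_chassis_id", "mac"}


def normalize_mac(value: str) -> str:
    """Strip separators and upper-case so D4:20:B0, d4-20-b0 and d420.b0 compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def match_profile(rules: List[Rule], device: Dict[str, str], fallback: str) -> str:
    """First rule whose attribute matches wins; otherwise the fallback.

    Rule order matters, so put the most specific rules first. Attributes the
    device did not advertise are skipped, so an unknown device always lands
    on the fallback (restricted) profile.
    """
    for rule in rules:
        observed = device.get(rule.attribute)
        if observed is None:
            continue
        if rule.attribute in MAC_ATTRIBUTES:
            lhs, rhs = normalize_mac(observed), normalize_mac(rule.value)
        else:
            lhs, rhs = observed.lower(), rule.value.lower()
        hit = lhs.startswith(rhs) if rule.op == "starts_with" else lhs == rhs
        if hit:
            return rule.profile
    return fallback


def render_junos(ifname: str, profile: Profile) -> List[str]:
    """Junos 'set' commands for one port: pruned trunk or single access VLAN,
    plus PoE and BPDU guard where the profile asks for them."""
    base = f"set interfaces {ifname} unit 0 family ethernet-switching"
    cmds = [f"{base} interface-mode {profile.mode}"]
    cmds += [f"{base} vlan members {vlan}" for vlan in profile.vlans]
    if profile.mode == "trunk" and profile.native_vlan_id is not None:
        cmds.append(f"set interfaces {ifname} native-vlan-id {profile.native_vlan_id}")
    if profile.poe:
        cmds.append(f"set poe interface {ifname}")
    if profile.bpdu_guard:
        cmds.append(f"set protocols rstp interface {ifname} edge")
        cmds.append("set protocols rstp bpdu-block-on-edge")
    return cmds


# Constructed profiles; names follow the text, VLAN names are illustrative.
PROFILES: Dict[str, Profile] = {
    "AP12": Profile("AP12", "trunk", ("management", "staff", "guest"),
                    native_vlan_id=100, poe=True, bpdu_guard=True),
    "camera": Profile("camera", "access", ("camera",), poe=True, bpdu_guard=True),
    "iot": Profile("iot", "access", ("iot",), poe=True, bpdu_guard=True),
    "Minimal Access": Profile("Minimal Access", "access", ("guest",), bpdu_guard=True),
}
RESTRICTED = "Minimal Access"

# Constructed rules: D4:20:B0 is the chassis-ID prefix from the text; the
# "camera-" system-name prefix and AC:DE:48 MAC prefix are hypothetical.
RULES: List[Rule] = [
    Rule("lldp_chassis_id", "starts_with", "D4:20:B0", "AP12"),
    Rule("lldp_system_name", "starts_with", "camera-", "camera"),
    Rule("mac", "starts_with", "AC:DE:48", "iot"),
]


def provision_port(ifname: str, device: Dict[str, str]) -> Tuple[str, List[str]]:
    """Pick the profile for what the port observed and return its Junos commands."""
    name = match_profile(RULES, device, RESTRICTED)
    return name, render_junos(ifname, PROFILES[name])


if __name__ == "__main__":
    # Constructed observations, as a switch port might learn them.
    for dev in ({"lldp_chassis_id": "d4:20:b0:12:34:56"},   # Mist AP
                {"lldp_chassis_id": "d420.b0ab.cdef"},       # same OUI, dotted text form
                {"lldp_system_name": "Camera-Lobby-1"},
                {"mac": "00:11:22:33:44:55"}):               # unknown: restricted
        name, cmds = provision_port("ge-0/0/5", dev)
        print(name)
        print("\n".join("  " + c for c in cmds))
```

Run it as a script to see each constructed observation and the commands it yields. The caveat worth keeping in mind: LLDP chassis IDs and MAC addresses are asserted by the endpoint itself, so a rule keyed on them is a provisioning convenience, not authentication; any device that advertises the AP prefix lands on the trunk with every WLAN VLAN. Keep the fallback profile restricted and prefer 802.1X/RADIUS-derived attributes for user-facing ports.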
Here is a sample port configuration for a Juniper EX Series switch. This configuration assumes the existence of a dedicated management VLAN, a staff VLAN, and a guest VLAN.
interfaces {
    ge-0/0/0 {
        native-vlan-id 100;
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ management staff guest ];
                }
            }
        }
    }
}
vlans {
    guest {
        vlan-id 667;
    }
    staff {
        vlan-id 200;
    }
    management {
        vlan-id 100;
        l3-interface irb.100;
    }
}
The following example shows how to set an IP address on the management VLAN of a switch (10.10.100.50/24) so that it is reachable from other networks (gateway 10.10.100.1). Note that this example uses the older, pre-ELS Junos syntax (port-mode, native-vlan-id under family ethernet-switching, and a vlan.100 routed interface), whereas the sample above uses ELS syntax (interface-mode and irb.100); use the form that your platform's Junos release accepts.
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ management staff guest ];
                }
                native-vlan-id 100;
            }
        }
    }
    vlan {
        unit 100 {
            family inet {
                address 10.10.100.50/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.100.1;
    }
}
vlans {
    guest {
        vlan-id 667;
    }
    staff {
        vlan-id 200;
    }
    management {
        vlan-id 100;
        l3-interface vlan.100;
    }
}
For Juniper EX switches, we recommend that you include your switch’s management address in the LLDP configuration.
In this example, the management address 10.33.1.110 is configured on the routed interface irb.400, and the same address is advertised over LLDP.
The following sample configuration is shown in set mode.
set interfaces irb unit 400 family inet address 10.33.1.110/24
set routing-options static route 0.0.0.0/0 next-hop 10.33.1.1
set routing-options static route 0.0.0.0/0 no-resolve
set protocols lldp management-address 10.33.1.110
set protocols lldp port-id-subtype interface-name
set protocols lldp interface all
set protocols lldp-med interface all
System-defined Port Profiles
System-defined Port Profiles are port profiles that are built into the Mist portal and are available for you to use if you do not want to configure your own port profiles. These are preconfigured for you, so there is no configuration required in order for you to be able to use them. You can, however, delete these system-defined port profiles. This functionality is only available from the Switch Templates level of configuration.
The following steps describe how to delete a system-defined port profile.
The ability to delete a system-defined port profile only applies to the ap, iot, and uplink port profiles.
- From the Mist portal, navigate to Organization > Switch Templates.
- Select the appropriate Switch Template.
- Select the system-defined port profile you wish to delete (ap, iot, or uplink).
- Select the trashcan icon in the top left corner of the Edit Port Profile configuration.
- A warning will appear letting you know that the delete action is permanent. You will not be able to recover the port profile once deleted. Enter the name of the port profile, then select Delete.
Note: If you delete the ap, iot, or uplink system-defined port profiles, any reference to these profiles at the Site or device level (port configurations or dynamic port profiles) will revert to the default profile.
Note: If you create your own port profile named "ap", "iot", or "uplink" after having deleted the system-defined port profiles, it will be treated as any other user-defined port profile.