Port Profiles Overview

Port profiles provide a convenient way to manually or automatically provision switch interfaces. Mist supports the following two types of port profiles based on how a profile is assigned to a port:

  • Static port profiles—A static port profile is the profile that is manually assigned to a specific switch port. These profiles are used for static provisioning of switch ports.

  • Dynamic port profiles—With dynamic port profiles, the switch uses the configured port assignment rules to identify the device connected to a port and dynamically assigns a matching profile to that port. Dynamic port profiles are used for autoprovisioning of switch ports (colorless ports).

Static Port Profiles

The static port profile assignment involves two steps - configuring a port profile and assigning it manually to a specific switch port. You can configure port profiles from the Port Profiles tile on the switch template or the switch details page. You can manually assign the profile to a port from the Port Config tab in the Select Switches section of the switch template, or from the Port Configuration section on the switch details page.

Port profiles provide a convenient way to manually or automatically provision EX switch interfaces. Going into the EX4300, we'll first create VLANs. We'll make a camera network with VLAN ID 30 and an IoT network with VLAN ID 29.

You can create as many networks as needed. You can then create profiles, for example a camera profile, and map it to the camera network that we just created. Customize the settings as desired, such as PoE and STP.

We'll repeat this process to create profiles for a corporate device enabling 802.1X authentication, an IoT device configured with PoE, and an access point configured as a trunk port. It's very simple to modify profiles to meet your specific requirements. Then we go into the port configuration section to associate ports with port profiles.

Here we map ports 1 through 5 to the AP profile, ports 6 through 10 to the corporate device profile, ports 11 through 15 to the IoT profile, and ports 16 to 20 to the camera profile. This is how to create port profiles. We can also create port aggregation uplinks to be associated with the appropriate profiles.

When you save all of your changes, the configuration is pushed to the particular switch. This covers how EX switches are manually provisioned with port profiles from the Juniper Mist cloud.

Dynamic Port Profiles

Dynamic port profiles enable you to configure rules for dynamically assigning port profiles to an interface. When a user connects a client device to a switch port that has dynamic profile configuration enabled, the switch identifies the device and assigns a suitable port profile to the port. Dynamic port profiling uses a set of properties of the client device to automatically associate preconfigured port and network settings with the interface. You can configure a dynamic port profile based on various parameters such as LLDP name and MAC address.

Dynamic port configuration involves two steps:

  1. Set up rules for dynamically assigning port profiles. Here's an example of a rule that automatically assigns the port profile 'AP' to a Mist AP. As per this rule, when the port identifies a device with a chassis ID that starts with D4:20:B0, it assigns the 'AP' profile to the connected device.

    For more information, see the Dynamic Port Configuration step in Configure Switches.

  2. Specify the ports that you want to function as dynamic ports. You can do this by selecting the Enable Dynamic Configuration check box on the Port Config tab in the Select Switches section of the switch template. You can also do this at the switch level, from the Port Configuration section on the switch details page.

We recommend that you create a restricted network profile that can be assigned to unknown devices when they connect to switch ports enabled with dynamic port configuration. In the above example, the port is enabled with dynamic port configuration and is assigned a restricted VLAN. In this case, if the connected device doesn't match the dynamic profiling attributes, it will be placed into a restricted VLAN such as a non-routable VLAN or a guest VLAN.

Note:

Ensure that the default or restricted VLAN used in dynamic port configuration does not have an active DHCP server running. Otherwise, you might encounter stale IP address issues on certain legacy devices.
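The rule-then-fallback behavior described above can be modeled offline to check a planned rule set before it is deployed. The following is an added example, not Mist code: the rule and port field names, the first-match-wins ordering, and the sample inventory are assumptions made for illustration.

```python
import re

# Constructed rule table; field names are hypothetical, not Mist's schema.
RULES = [
    {"attr": "lldp_chassis_id", "starts_with": "D4:20:B0", "profile": "AP"},
    {"attr": "lldp_system_name", "starts_with": "cam-", "profile": "camera"},
]
RESTRICTED_PROFILES = {"restricted"}   # e.g. a non-routable or guest VLAN
MAC_LIKE = {"lldp_chassis_id", "mac_address"}


def normalize(attr, value):
    """Make D4:20:B0, d4-20-b0 and d420.b0 compare equal for MAC-like fields."""
    value = value.strip().lower()
    return re.sub(r"[^0-9a-f]", "", value) if attr in MAC_LIKE else value


def assign_profile(port, device, rules=RULES):
    """Profile a port ends up with once `device` is seen on it."""
    if not port["dynamic"]:
        return port["profile"]              # static port: rules never apply
    for rule in rules:                      # assumption: first match wins
        seen = device.get(rule["attr"])
        if seen and normalize(rule["attr"], seen).startswith(
                normalize(rule["attr"], rule["starts_with"])):
            return rule["profile"]
    return port["profile"]                  # no match: keep the port's default


def dynamic_ports_without_restricted_default(ports):
    """Dynamic ports whose default profile would give an unknown device real access."""
    return sorted(name for name, p in ports.items()
                  if p["dynamic"] and p["profile"] not in RESTRICTED_PROFILES)


# Constructed sample inventory and devices.
PORTS = {
    "ge-0/0/5": {"dynamic": True, "profile": "restricted"},
    "ge-0/0/6": {"dynamic": True, "profile": "corporate"},
    "ge-0/0/7": {"dynamic": False, "profile": "camera"},
}

if __name__ == "__main__":
    for dev in ({"lldp_chassis_id": "d4-20-b0-01-02-03"},
                {"lldp_chassis_id": "00:11:22:33:44:55"}, {}):
        print(dev, "->", assign_profile(PORTS["ge-0/0/5"], dev))
    print("review:", dynamic_ports_without_restricted_default(PORTS))
```

The second function is the check that matters for the recommendation above: any port it returns would hand its default profile to a device that matches no rule.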

See Configure Switches for more information on how to configure port profiles.

Wired Assurance offers dynamic port profiles, so you can simply plug in your device and it will automatically be assigned the appropriate profile. This is also referred to as the provisioning of colorless ports. In this example, we have a Juniper AP assigned to port 5. We also created a port profile called Minimal Access that has access to a guest network on VLAN 99.

Based on what the devices identify themselves as, we can create rules to assign profiles. We'll use the LLDP chassis ID to identify the device, and if it starts with the octets D420B0, it will be given the AP12 profile. So what we just did is set the dynamic profile assignment for port 5. If the wired device does not register as an AP12, then it will get the Minimal Access profile.

If it shows as an AP12, then it gets the AP12 profile. To verify that the port was assigned the right profile, take a look at the switch events log. You can see that the AP12 profile was correctly identified and automatically applied to port 5. Dynamic port profiles are not just limited to Juniper devices alone.

Anything based on LLDP or RADIUS name also falls under the domain of dynamic port profiles. This means that manually assigning profiles to ports, or even to a range of ports, is no longer necessary.

Best Practices in Port Configuration

Here are a few recommendations for your switch ports to work seamlessly with the Mist APs:

  • On a trunk port, prune all the unwanted VLANs. Only the required VLANs (based on the WLAN configuration) should be on the port. Because the APs do not save the configuration by default, they should be able to get an IP address on the native VLAN so that they can connect to the cloud and get configured.

  • We do not recommend port security (MAC address limit), except in the case where all WLANs are tunneled.

  • Feel free to enable BPDU guard, as BPDUs are typically not bridged from wireless to wired connection on an AP unless it is a mesh base. BPDUs are data messages that are exchanged across the switches within an extended LAN that uses a spanning tree protocol topology. BPDU packets contain information on ports, addresses, priorities, and costs and ensure that the data ends up where it was intended to go.
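These three recommendations can be turned into a check run against an exported port inventory. The following is an added example, not part of the original page or of any Juniper tooling: the port dictionary fields, the finding names, and the sample values are hypothetical, and it assumes the native VLAN must appear in the trunk's allowed list.

```python
def parse_vlans(spec):
    """Expand a VLAN list such as '10,20,30-32' into a set of IDs ('all' = 1-4094)."""
    if spec.strip().lower() == "all":
        return set(range(1, 4095))
    ids = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        ids.update(range(int(low), int(high or low) + 1))
    return ids


def audit_ap_port(port, wlan_vlans, all_wlans_tunneled=False):
    """Return (finding, detail) tuples for one AP-facing port."""
    findings = []
    if port["mode"] == "trunk":
        allowed = parse_vlans(port["allowed_vlans"])
        # Assumption: the native VLAN is listed among the trunk's allowed VLANs.
        required = set(wlan_vlans) | {port["native_vlan"]}
        if allowed - required:              # VLANs no WLAN needs: prune them
            findings.append(("prune_vlans", sorted(allowed - required)))
        if required - allowed:              # a WLAN or the native VLAN is cut off
            findings.append(("missing_vlans", sorted(required - allowed)))
    # A MAC address limit is only acceptable when every WLAN is tunneled.
    if port.get("mac_limit") and not all_wlans_tunneled:
        findings.append(("mac_limit_set", port["mac_limit"]))
    # A mesh base may bridge BPDUs, so BPDU guard there needs a second look.
    if port.get("mesh_base") and port.get("bpdu_guard"):
        findings.append(("bpdu_guard_on_mesh_base", None))
    elif not port.get("mesh_base") and not port.get("bpdu_guard"):
        findings.append(("bpdu_guard_off", None))
    return findings


# Constructed sample: WLANs use VLANs 10 and 20, the native VLAN is 100.
SAMPLE_PORT = {"mode": "trunk", "native_vlan": 100,
               "allowed_vlans": "10,20,30-32,100",
               "mac_limit": 2, "bpdu_guard": False, "mesh_base": False}
CLEAN_PORT = {"mode": "trunk", "native_vlan": 100,
              "allowed_vlans": "10,20,100", "bpdu_guard": True}

if __name__ == "__main__":
    for finding in audit_ap_port(SAMPLE_PORT, wlan_vlans={10, 20}):
        print(finding)
```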

Here is a sample port configuration for a Juniper EX Series switch. This configuration assumes the existence of a dedicated management VLAN, a staff VLAN, and a guest VLAN.

The following example shows how to set an IP address on the management VLAN of a switch (10.10.100.50/24) to be accessible from other networks (gateway of 10.10.100.1).

Note:

For Juniper EX switches, we recommend that you include your switch’s management address in the LLDP configuration.

In this example, VLAN 100 is used for management, and the same address is advertised over LLDP.

The following sample configuration is shown in set mode.