Port Profiles

Port profiles provide a convenient way to manually or automatically provision switch interfaces. Mist supports the following types of port profiles:

  • System-defined port profiles—These profiles are built into the Mist portal and are preconfigured, so you can use them without any configuration if you do not want to create your own. The system-defined port profiles provided by Mist include the following: ap, iot, uplink, default, and disabled.
  • User-defined port profiles—You can create these custom profiles based on your use case if the system-defined profiles do not meet your requirements.

At a high level, port profile configuration involves the following two steps: defining port profiles and assigning them to switch ports.

Define Port Profiles

You can define port profiles at the switch template level or at the individual switch level.

To define a port profile:

  1. Go to Organization > Switch Templates and then select the appropriate switch template.
    If you wish to define a port profile at the switch level, navigate to the switch details page (Switches > switch-name).
    Note:

    Before creating a port profile, ensure that you have created the required networks from the Networks tile. In a switch template, you can find this tile in the Shared Elements section. On a switch details page, you can find this tile in the Networks & Port Profiles section.

  2. Navigate to the Port Profile tile.
    In a switch template, you can find this tile in the Shared Elements section. On a switch details page (for switch-level action), you can find this tile in the Networks & Port Profiles section.
  3. On the Port Profile tile, click Add Profile.
    The New Port Profile window appears.
  4. Specify the profile settings as described in Table 4.
  5. After specifying the settings, click the check mark (✓) on the upper right of the New Port Profile window.
  6. Click Save on the upper right of the template or switch details page to confirm and save the changes.

Assign Port Profiles to Switch Ports

Based on how a profile is assigned to a switch port, Mist supports the following types of port profiles:

  • Static port profiles—A static port profile is the profile that is manually assigned to a specific switch port. These profiles are used for static provisioning of switch ports.

  • Dynamic port profiles—Dynamic port profiles help the switch port detect the device connected to it by using the port assignment rules configured and assign a matching profile to the port dynamically. Dynamic port profiles are used for autoprovisioning of switch ports (colorless ports).

Assign Port Profiles Manually

After you define a port profile, you can assign it manually to a specific switch port from the Port Config tab in the Select Switches section of the switch template, or from the Port Configuration section on the switch details page.

To manually assign a port profile to a port via a switch template:

  1. Go to Organization > Wired > Switch Templates and then click a template to open it.
  2. Navigate to the Select Switches Configuration section.
  3. Click an existing rule to open it.
    If you want to create a new rule with port assignment settings, click Add Rule on the upper right of the section.
  4. Go to the Port Config tab of the rule.
  5. Click Add Port Configuration.
    The New Port Configuration window appears.
  6. Specify the ports in the Port IDs field.
  7. From the Configuration Profile drop-down list, select a port profile which you want to assign to the specified ports.
  8. Specify other settings as required and then click the check mark (✓) on the upper right of the New Port Configuration window.
  9. To apply the changes made to the rule, click the check mark (✓) on the upper right of the rule window.
  10. Click Save on the upper right of the template to confirm and save the changes.

You can also assign port profiles to switch ports at the switch level. You can do that from the Port tile in the Device section on the switch details page. Click Add Port Configuration on the Port tile and specify the settings. Watch the following video for more information:

Port profiles provide a convenient way to manually or automatically provision EX switch interfaces. Going into the EX4300, we'll first create VLANs. We'll make a camera network with VLAN ID 30 and an IoT network with VLAN ID 29.

You can create as many networks as needed. You can create the profiles, for example, a camera, and map it to the camera network that we just created. Customize the settings as desired, such as PoE and STP.

We'll repeat this process to create profiles for a corporate device enabling 802.1x authentication, an IoT device configured with PoE, and an access point configured as a trunk port. It's very simple to modify profiles to meet your specific requirements. Then we go into the port configuration section to associate the configurations with port profiles.

Here we map ports 1 through 5 to be with an AP profile, ports 6 through 10 with a corporate device profile, ports 11 through 15 with IoT profiles, and ports 16 to 20 with the camera profile. This is how to create port profiles. We can also create port aggregation uplinks to be associated with the appropriate profiles.

When you save all of your changes, this pushes the configuration to the particular switch. This covers how EX switches are manually provisioned with port profiles from the Juniper MIST Cloud.

Configure Dynamic Port Profile Assignment

Use the steps in this section to configure rules that assign port profiles to an interface dynamically. When a user connects a client device to a switch port with dynamic profile configuration, the switch identifies the device and assigns a suitable port profile to the port. Dynamic port profiling uses a set of properties of the client device to automatically associate a preconfigured port and network setting with the interface. You can configure a dynamic port profile based on various parameters, such as LLDP name and MAC address.

You can configure dynamic port profile assignment at the template level or at the switch level.

To set up dynamic assignment of port profiles at the template level:

  1. Go to Organization > Wired > Switch Templates and then click a template to open it.
  2. Navigate to the Dynamic Port Configuration tile in the Shared Elements section.
  3. On the Dynamic Port Configuration tile, click Add Rule.
    The New Rule window appears.
  4. Set up dynamic port configuration (DPC) rules for automatically assigning port profiles. Here's an example of a rule that automatically assigns the port profile 'AP' to a Mist AP. As per this rule, when the port identifies a device with a chassis ID that starts with D4:20:B0 or D4:21:B1, it assigns the 'AP' profile to the connected device.

    For more information, refer to the Dynamic Port Configuration row in Table 3 on the Switch Configuration Options page.

    Note: If you use multiple values in the If text starts with field in a DPC rule, separate them with commas and ensure that they all have the same length. If any value differs in length, you must create a separate rule for it.
  5. To apply the changes, click the check mark (✓) on the upper right of the New Rule window.
  6. Navigate to the Select Switches Configuration section.
  7. Click an existing rule to open it.
    If you want to create a new rule with dynamic port assignment settings, click Add Rule on the upper right of the section.
  8. Go to the Port Config tab of the rule.
  9. Click Add Port Configuration.
    The New Port Configuration window appears.
  10. Specify the ports in the Port IDs field.
  11. From the Configuration Profile drop-down list, select a port profile. This profile is applied to ports when the connected device does not meet the dynamic assignment rules.

    We recommend that you create a restricted network profile that can be assigned to unknown devices when connected to the switch ports enabled with dynamic port configuration. In the above example, the port is enabled with dynamic port configuration and is assigned with a restricted VLAN. In this case, if the connected device does not match the dynamic profiling attributes, it will be placed into a restricted VLAN such as a non-routable VLAN or a guest VLAN.

  12. Select the Enable Dynamic Configuration check box.

    For more information, refer to the Enable Dynamic Port Configuration row in Table 6 on the Switch Configuration Options page.

  13. Specify other settings as required and then click the check mark (✓) on the upper right of the New Port Configuration window.
  14. To apply the changes made to the rule, click the check mark (✓) on the upper right of the rule window.
  15. Click Save on the upper right of the template to confirm and save the changes.
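The rule described in step 4 and the fallback profile from step 11, modeled as an added example (this is not Mist code and does not use the Mist API schema). The `DpcRule` class, its field names, the case-insensitive comparison, and first-match rule ordering are assumptions made for illustration.

```python
# Added example: a model of prefix-based dynamic profile selection.
# Class and field names are hypothetical, not the Mist API schema.
from dataclasses import dataclass


@dataclass(frozen=True)
class DpcRule:
    source: str        # device attribute to inspect, e.g. "lldp_chassis_id"
    starts_with: str   # comma-separated prefixes, as typed in the rule field
    profile: str       # port profile to apply on a match


def rule_prefixes(rule):
    """Split the prefix field and enforce the same-length constraint."""
    values = [v.strip().lower() for v in rule.starts_with.split(",") if v.strip()]
    if not values:
        raise ValueError(f"rule for {rule.profile!r} has no prefix")
    if len({len(v) for v in values}) != 1:
        raise ValueError(
            f"rule for {rule.profile!r}: prefixes differ in length; "
            "create a separate rule for each length")
    return values


def select_profile(device, rules, fallback):
    """Return the first matching rule's profile, else the fallback profile."""
    for rule in rules:
        # A device that does not report the attribute never matches the rule.
        observed = device.get(rule.source, "").lower()
        if any(observed.startswith(p) for p in rule_prefixes(rule)):
            return rule.profile
    return fallback


# Constructed sample data: the rule from step 4 plus two devices.
RULES = [DpcRule("lldp_chassis_id", "D4:20:B0,D4:21:B1", "AP")]
MIST_AP = {"lldp_chassis_id": "d4:20:b0:aa:bb:cc"}
UNKNOWN = {"lldp_chassis_id": "00:11:22:33:44:55"}

if __name__ == "__main__":
    print(select_profile(MIST_AP, RULES, "restricted"))
    print(select_profile(UNKNOWN, RULES, "restricted"))
```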

You can also set up dynamic port profile assignment at the switch level. You can do that from the switch details page. Watch the following video for more information:

Wired Assurance offers dynamic port profiles, so you can simply plug in your device and it will automatically be assigned the appropriate profile. This is also referred to as the provisioning of colorless ports. In this example, we have a Juniper AP assigned to port 5. We also created a port profile called Minimal Access that has access to a guest network on VLAN 99.

Based on what the devices identify themselves as, we can create rules to assign profiles. We'll use the LLDP chassis ID to identify the device, and if it starts with the octet D420B0, it will be given the AP12 profile. So what we just did is set the dynamic profile assignment for port 5. If the wired device does not register as an AP12, then it will get the Minimal Access profile.

If it shows as an AP12, then it gets the AP12 profile. To verify that the port was assigned the right profile, take a look at the switch events log. You can see that the AP12 profile was correctly identified and automatically applied to port 5. Dynamic port profiles are not just limited to Juniper devices alone.

Anything based on LLDP or RADIUS name also falls under the domain of dynamic port profiles. This means that the days of manually assigning profiles to ports or even a range of ports are no longer necessary.

Note:
  • Ensure that the default or restricted VLAN used in dynamic port configuration does not have an active DHCP server running. Otherwise, you might encounter stale IP address issues on certain legacy devices.

  • A switch with port-based network access control (NAC) authentication does not require dynamic port configuration because VLAN assignments are handled by the RADIUS server. Also, we do not recommend using dynamic port profiles when a RADIUS server with MAC Authentication Bypass (MAB) is used.

  • Prefer LLDP-based matching over MAC-based matching when the device supports LLDP.

  • Do not use MAC-based matching on ports enabled with 802.1X authentication.

  • Avoid using Filter-ID attributes. When 802.1X is enabled on the ports, VLAN assignment should be handled via RADIUS without relying on Filter-ID.

Dynamic port configuration on a switch is meant for connecting IoT devices, APs, and user port endpoints. Do not use it for connections between switches, between switches and routers, or between switches and firewalls, and do not enable Dynamic Port Configuration on the uplink port.
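One way to check a port plan against the guidance above before saving it, as an added example (not Mist code). The dictionary layout, the `restricted`, `dhcp_server`, `dot1x`, and `role` keys, and all sample values are hypothetical and constructed for illustration.

```python
# Added example: audit a port plan against the dynamic port configuration
# guidance. The data layout is hypothetical, not the Mist API schema.

def audit_dpc(profiles, rules, ports):
    """Return sorted (port, finding) tuples for ports with dynamic configuration."""
    findings = []
    mac_rules = any(r["source"] == "mac" for r in rules)
    for port, cfg in ports.items():
        if not cfg.get("dynamic"):
            continue  # statically provisioned ports are out of scope
        fallback = profiles[cfg["profile"]]
        if cfg.get("role") == "uplink":
            findings.append((port, "dynamic configuration enabled on an uplink port"))
        if not fallback.get("restricted"):
            findings.append((port, "fallback profile is not a restricted network"))
        if fallback.get("dhcp_server"):
            findings.append((port, "fallback VLAN has an active DHCP server"))
        if fallback.get("dot1x") and mac_rules:
            findings.append((port, "MAC-based matching on an 802.1X port"))
    return sorted(findings)


# Constructed sample data.
PROFILES = {
    "restricted": {"vlan": 99, "restricted": True, "dhcp_server": False, "dot1x": False},
    "corp": {"vlan": 10, "restricted": False, "dhcp_server": True, "dot1x": True},
    "uplink": {"vlan": 1, "restricted": False, "dhcp_server": False, "dot1x": False},
}
RULES = [
    {"source": "lldp_chassis_id", "starts_with": "D4:20:B0", "profile": "ap"},
    {"source": "mac", "starts_with": "00:11:22", "profile": "iot"},
]
PORTS = {
    "ge-0/0/5": {"profile": "restricted", "dynamic": True, "role": "access"},
    "ge-0/0/6": {"profile": "corp", "dynamic": True, "role": "access"},
    "ge-0/0/7": {"profile": "corp", "dynamic": False, "role": "access"},
    "ge-0/0/47": {"profile": "uplink", "dynamic": True, "role": "uplink"},
}

if __name__ == "__main__":
    for port, finding in audit_dpc(PROFILES, RULES, PORTS):
        print(f"{port}: {finding}")
```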

When a port profile is assigned to a switch port dynamically based on the connected device, this event is displayed in the Switch Events section on the Switch Insights page. You can also see the dynamic port profile details on a switch port by hovering over the port in the Front Panel section on the switch details page.

Note:

Junos requires that each interface-range in a port profile contains at least one member interface. When dynamic port configuration is enabled, Junos includes a dummy interface (ge-168/5/X) as a placeholder in the port profile configuration so that the configuration remains valid even when it is not assigned to an actual interface. For instance, if an interface is currently assigned to Port Profile A, but Port Profile B is expected to be dynamically applied later, a placeholder like ge-168/5/0 is used to keep Profile B's interface-range valid.

You can also configure and verify the dynamic port configuration details using the below API:

Modify Port Profiles

You can modify port profiles at both the switch template level and the individual switch level.

Note:
  • You can modify the system-defined port profiles only from switch templates. However, Mist does not allow modification of the following system-defined port profiles: default and disabled.

  • If you modify a system-defined port profile from a switch template, that modified version of the profile is available only to that template.

To modify a port profile:

  1. Go to Organization > Switch Templates and then select the appropriate Switch Template.
    If you wish to modify a port profile defined at the switch level, navigate to the switch details page (Switches > switch-name).
  2. Navigate to the Port Profile tile.
    In a switch template, you can find this tile in the Shared Elements section. On a switch details page, you can find this tile in the Networks & Port Profiles section.
  3. Select the port profile you wish to modify.
  4. Make the required changes to the settings as described in Table 4.
  5. After specifying the settings, click the check mark (✓) on the upper right of the New Port Profile window.
  6. Click Save on the upper right of the template or switch details page to confirm and save the changes.

Delete Port Profiles

You can delete port profiles at the template level or the individual switch level.

To delete a port profile:

  1. Go to Organization > Switch Templates and then select the appropriate Switch Template.
    If you wish to delete a port profile defined at the switch level, navigate to the switch details page (Switches > switch-name).
    Note:
    • You can delete the system-defined port profiles only from switch templates. However, you cannot delete the following system-defined port profiles: default and disabled.

    • From a switch details page, you can only delete the profiles defined at the switch level.

  2. Navigate to the Port Profile tile.
    In the switch template, you can find this tile in the Shared Elements section. On a switch details page, you can find this tile in the Networks & Port Profiles section.
  3. Select the port profile you wish to delete.
  4. Click the trashcan icon in the top left corner of the Edit Port Profile configuration.
  5. A warning will appear letting you know that the delete action is permanent. You will not be able to recover the port profile once deleted. Enter the name of the port profile, then click Delete.
    Note:
    • If you delete the ap, iot, or uplink system-defined port profiles, any reference to these profiles at the Site or device level will revert to the default profile (port configurations or Dynamic Port profiles).

    • If you were to create your own port profile and name it “ap”, “iot”, or “uplink” (after having deleted the system-defined port profiles) it will be treated as any other user-defined port profile.

  6. Click Save on the upper right of the template to confirm and save the changes.

Best Practices in Port Configuration

Here are a few recommendations for your switch ports to work seamlessly with the Mist APs:

  • On a trunk port, prune all the unwanted VLANs. Only the required VLANs (based on the WLAN configuration) should be on the port. Since the APs do not save the configuration by default, APs should be able to get the IP address on the native VLAN to get connected to the cloud and get configured.

  • We do not recommend port security (MAC address limit), except in the case where all WLANs are tunneled.

  • Feel free to enable BPDU guard, as BPDUs are typically not bridged from wireless to wired connection on an AP unless it is a mesh base. BPDUs are data messages that are exchanged across the switches within an extended LAN that uses a spanning tree protocol topology. BPDU packets contain information on ports, addresses, priorities, and costs and ensure that the data ends up where it was intended to go.