Ethernet Port Override Configuration

Use an Ethernet port override to modify a device's Ethernet port configuration.

GE ports are RJ-45 ports supporting 10/100/1000 Mbps.

UP ports support either RJ-45 or fiber. The UP port is the preferred means of connecting to the backbone because it has a non-blocking 1 Gbps connection, unlike the GE ports.

The following ports are available on access points:

  • AP 6522 and AP 6522M: GE1/POE (LAN)
  • AP 6532: GE1/POE (LAN)
  • AP 6562: GE1/POE (LAN)
  • AP 7161: GE1/POE (LAN), GE2 (WAN)
  • AP 7502: GE1, fe1, fe2, fe3
  • AP 7522: GE1/POE (LAN), GE2 (WAN)
  • AP 7532: GE1/POE (LAN), GE2 (WAN)
  • AP 7602: GE1/POE (LAN), GE2 (WAN)
  • AP 7612: GE1/POE (LAN), GE2 (WAN)
  • AP 7622: GE1/POE (LAN)
  • AP 7632: GE1/POE (LAN)
  • AP 7662: GE1/POE (LAN), GE2 (WAN)
  • AP 8132 and AP 8163: GE1/POE (LAN), GE2 (WAN)

To set an Ethernet port configuration and potentially apply overrides to the profile's configuration:

  1. Select Configuration > Devices > Device Overrides from the web UI.
  2. Select Interface.
  3. Select Ethernet Ports.
    Note

    A blue override icon (to the left of a parameter) indicates that the parameter has an override applied. To remove an override, go to the Basic Configuration section of the device and click Clear Overrides. This removes all overrides from the device.
  4. Refer to the following to review port status and assess whether an override is warranted:
    Name The name of the physical port reporting runtime data and statistics. Supported ports vary by model.
    Type The physical port type. Copper is used on RJ-45 Ethernet ports, and optical media are used on fiber optic gigabit Ethernet ports.
    Description An administrator-defined description for the port.
    Admin Status A green check mark means the port is active and currently enabled with the profile. A red "X" means the port is currently disabled and not available for use. The interface status can be modified with the port configuration as needed.
    Mode The profile's switching mode: either Access or Trunk (as defined in the Ethernet Port Basic Configuration screen).

    If Access is selected, the port accepts packets only from the native VLAN. Frames are forwarded untagged with no 802.1Q header. All frames received on the port are expected as untagged and mapped to the native VLAN.

    If Trunk is selected, the port allows packets from a list of VLANs added to the trunk. The port supports multiple 802.1Q tagged VLANs and one native VLAN which can be tagged or untagged.

    Native VLAN The VLAN ID (1 - 4094) for the native VLAN. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. Additionally, the native VLAN is the VLAN over which untagged traffic is directed when using a port in Trunk mode.
    Tag Native VLAN A green check mark means the native VLAN is tagged. A red "X" means the native VLAN is untagged.

    When a frame is tagged, the 12-bit VLAN ID is carried in the 802.1Q header so upstream Ethernet devices know which VLAN the frame belongs to. The device reads the 12-bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. A native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame.

    Allowed VLANs The VLANs allowed to send packets over the listed port. Allowed VLANs are listed only when the port is in Trunk mode.
    Overrides If overrides have been applied to the port configuration, click Clear to clear the overrides and revert to the configuration originally defined by the administrator for this interface.
  5. To edit or override the configuration of an existing port, select it from among those displayed and click Edit.
    The Ethernet Port Basic Configuration screen displays.
  6. Set or override the following Ethernet port Properties:
    Description Enter a brief description for the port (64 characters maximum).
    Admin Status Select Enabled to define this port as active to the profile it supports. Select Disabled to disable this physical port in the profile. It can be activated at any time when needed.
    Speed Select the speed at which the port can receive and transmit data, to establish a 10, 100, or 1000 Mbps data transfer rate for the selected half-duplex or full-duplex transmission.

    These options are not available if Automatic is selected. Select Automatic to enable the port to automatically exchange information about data transmission speed and duplex capabilities. Auto-negotiation is helpful in environments where different devices are connected and disconnected on a regular basis. Automatic is the default setting.

    Duplex Select either Half, Full, or Automatic as the duplex option.

    Select Half to send data over the port and then receive data over the same link. Like a full-duplex transmission, a half-duplex transmission can carry data in both directions, just not at the same time.

    Select Full to transmit and receive data on the port at the same time. Using full duplex, the port can send data while receiving data as well.

    Select Automatic to let the controller or service platform negotiate the duplex mode dynamically as port performance needs dictate. Automatic is the default setting.

  7. Enable or disable the following CDP/LLDP parameters used to configure Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) for this profile's Ethernet port configuration:
    Cisco Discovery Protocol Receive Select this option to allow the Cisco discovery protocol for receiving data on this port. If enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors.
    Cisco Discovery Protocol Transmit Select this option to allow the Cisco discovery protocol for transmitting data on this port. If enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors.
    Link Layer Discovery Protocol Receive Select this option to allow the Link Layer discovery protocol to be received on this port. If enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors. This option is enabled by default.
    Link Layer Discovery Protocol Transmit Select this option to allow the Link Layer discovery protocol to be transmitted on this port. If enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors.
  8. Select Enforce Captive Portal to automatically apply captive portal access permission rules to data transmitted over this specific Ethernet port.

    Select None to prevent access permission rules from being enforced. Select Authentication Failure to apply access permission rules only when user authentication fails. Select Always to enforce access permissions at all times.

    A captive portal is an access policy for providing temporary and restrictive access using a standard Web browser. Captive portals provide authenticated access by capturing and redirecting a wireless user's Web browser session to a captive portal login page, where the user must enter valid credentials to access the network. Once logged into the captive portal, additional Terms and Agreement, Welcome, Fail, and No Service pages provide the administrator with a number of options for captive portal screen flow and user appearance.

    Captive portal enforcement allows wired network users to pass traffic through the captive portal without being redirected to an authentication page. Authentication instead takes place when the RADIUS server is queried with the wired user's MAC address. If the MAC address is in the RADIUS server's user database, the user can pass traffic on the captive portal. If None is selected, captive portal policies are not enforced on the wired interface. If Authentication Failure is selected, captive portal policies are enforced only when RADIUS authentication of the client's MAC address is not successful. If Always is selected, captive portal policies are enforced regardless of whether the client's MAC address is in the RADIUS server's user database.

    For information on configuring a captive portal policy, see Configuring Captive Portal Policies.

  9. Set or override the following Switching Mode parameters to apply to the Ethernet port configuration:
    Mode Set the VLAN switching mode over the port: either Access or Trunk.

    If you select Access, the port accepts packets only from the native VLAN. Frames are forwarded untagged with no 802.1Q header. All frames received on the port are expected as untagged and mapped to the native VLAN.

    If you select Trunk, the port allows packets from a list of VLANs you add to the trunk. The port supports multiple 802.1Q tagged VLANs and one native VLAN which can be tagged or untagged.

    Access is the default mode.

    Native VLAN Define a VLAN ID (1 - 4094) for the native VLAN. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. Additionally, the native VLAN is the VLAN over which untagged traffic is directed when using a port in Trunk mode. The default VLAN is 1.
    Tag Native VLAN Select this option to tag the native VLAN. Controllers and service platforms support the IEEE 802.1Q specification for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying, for upstream devices, the VLAN ID the frame belongs to. If the upstream Ethernet device does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between devices, both devices must support tagging and be configured to accept tagged VLANs. When a frame is tagged, the 12-bit VLAN ID is carried in the 802.1Q header so upstream Ethernet devices know which VLAN the frame belongs to. The device reads the 12-bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. This feature is disabled by default.
    Allowed VLANs Selecting Trunk as the mode enables the Allowed VLANs parameter. Add the VLANs that are allowed to send packets over the listed port.
  10. In the Dynamic Link Aggregation (LACP) area, set the following parameters to enable link aggregation on the selected GE port:
    Port Channel Select to configure the selected port as a member of a link aggregation group (LAG). Link aggregation is supported only on the following platforms: AP 7562, AP 7602, AP 7612, AP 8432, AP 8533, NX 5500, NX 75XX, NX 95XX, NX 9600, and VX 9000.

    LACP enables combining and managing multiple physical connections, such as Ethernet ports, as a single logical channel, as defined in the IEEE 802.1ax standard. LACP provides redundancy and increased throughput for connections between two peers. It also provides automatic recovery when one or more of the physical links making up the aggregation fail. Similarly, LACP provides a theoretical boost in speed compared to an individual physical link.

    Note: When enabling LACP, disable or physically disconnect interfaces that do not run spanning tree, to prevent loops from forming until LACP is fully configured on both the local WiNG device and the remote device.
    Port Mode Set the port mode as Active or Passive. If setting the port as a LAG member, specify whether the port is an active or passive member within the group.

    An active member initiates and participates in LACP negotiations. It is the active port that always transmits LACPDUs irrespective of the remote device's port mode.

    The passive port only responds to LACPDU received from its corresponding active port.

    At least one port within a LAG, on either of the two negotiating peers, should be in the active mode. LACP negotiations are not initiated if all LAG member ports are passive. Further, the peer-to-peer LACP negotiations are always initiated by the peer with the lower system-priority value.

    Port Priority Select the Port Priority check box and set the selected Ethernet port's priority value, within the LAG, from 1 - 65535.

    The selected port's actual priority within the LAG is determined by the port-priority value specified here along with the port's number. The higher the value, the lower the priority. Use this option to manipulate a port's priority. For example, in a LAG having five physical ports, four active and one standby, manually increasing the standby port's priority ensures that if one of the active ports fails, the standby port is included in the LAG during renegotiation.

  11. Click + Add Row and set or override the Fabric Attach parameters. This option enables WiNG devices (access points and controllers) as FA (Fabric Attach) Clients.
    Note

    To enable the FA Client feature, the Ethernet port's switching mode should be set to Trunk.
    VLAN Set the VLAN from 1 - 4094.
    ISID Use the spinner control to specify the ISID from 1 - 16777214. This is the ISID (Individual Service Identifier) associated with the VLAN interface specified above.

    Configuring a VLAN to ISID assignment enables FA client operation on the selected Ethernet port.

    The FA Client requests acceptance of the VLAN to ISID mapping from the FAS within the FC (Fabric Connect) network. Once acceptance is achieved, the FC edge switch applies the ISID to the VLAN traffic from the device (AP or controller), and uses this ISID inside the Fabric.

    Note: A maximum of 94 pairs of I-SID to VLAN mappings can be configured per Ethernet port.

    FA-enabled switches in the FC network send out LLDP messages carrying organization-specific TLV extensions (identified by OUI) to discover FA clients and advertise capabilities.

    The FA-enabled client associates with the FAS (FA Server), and obtains provisioning information (management VLAN interface details, and whether the interface is tagged or not) that allows the client to be configured with parameters that allow traffic to flow through the Fabric to the WLAN controller. Use this option to configure the ISID to VLAN mapping that the FA Client uses to negotiate with the FAS.

    You can configure FA Client capability on a device's profile as well as in device contexts.

  12. Optionally select the Port Channel Membership option and define or override a setting from 1 - 8 using the spinner control.
    This sets the channel group for the port.
  13. Click OK to save the changes and overrides made to the Ethernet port's basic configuration.
    Click Reset to revert to the last saved configuration.
  14. Select the Security tab.
  15. Refer to the Access Control field. As part of the Ethernet port's security configuration, inbound IP and MAC address firewall rules are required.

    The configuration can be overridden if needed.

    1. Use the MAC Inbound Firewall Rules drop-down menus to select the firewall rules to apply to this profile's Ethernet port configuration.
      The firewall inspects MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.
    2. Use the IPv4 Inbound Firewall Rules drop-down menu to select the IPv4 specific firewall rules to apply to this profile's Ethernet port configuration.
      IPv4 is a connectionless protocol for packet-switched networking. IPv4 operates as a best-effort delivery method, as it does not guarantee delivery and does not ensure proper sequencing or avoid duplicate delivery (unlike TCP). IPv4 hosts can use link-local addressing to provide local connectivity.

      For more information on creating IPv4 firewall rules, see Configuring IP Firewall Rules.

    3. Use the IPv6 Inbound Firewall Rules drop-down menu to select the IPv6 specific firewall rules to apply to this profile's Ethernet port configuration.
      IPv6 is the latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
    4. If no firewall rules meet the data protection needs of the target port configuration, select the Create icon to define a new firewall rule or the Edit icon to modify an existing firewall rule.
      For more information, see Configuring IP Firewall Rules or Wireless Firewall.
  16. Refer to the Trust field to define or override the following:
    Trust ARP Responses Select this option to enable ARP trust on this port. ARP packets received on this port are considered trusted, and the information from these packets is used to identify rogue devices within the network. This option is disabled by default.
    Trust DHCP Responses Select this option to enable DHCP trust on this port. If enabled, only DHCP responses are trusted and forwarded on this port, and a DHCP server can be connected only to a DHCP trusted port. This option is enabled by default.
    ARP Header Mismatch Validation Select this option to enable a mismatch check for the source MAC in both the ARP and Ethernet header. This option is enabled by default.
    Trust 802.1p COS values Select this option to trust the 802.1p COS values of frames received on this port. This option is enabled by default.
    Trust IP DSCP Select this option to trust the IP DSCP values of packets received on this port. This option is enabled by default.
    Note

    Some vendor solutions with VRRP enabled send ARP packets with the Ethernet SMAC set to a physical MAC and the inner ARP SMAC set to the VRRP MAC. If this configuration is enabled, such a packet is allowed even when a conflict exists.
  17. Set the following IPv6 Settings:
    Trust ND Requests Select this option to enable the trust of neighbor discovery requests required on an IPv6 network on this Ethernet port. This option is disabled by default.
    Trust DHCPv6 Responses Select this option to trust all DHCPv6 responses on this Ethernet port. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes, or other configuration attributes required on an IPv6 network. This option is enabled by default.
    ND Header Mismatch Validation Select this option to enable a mismatch check for the source MAC within the ND header and Link Layer Option. This option is disabled by default.
    RA Guard Select this option to enable router advertisements or ICMPv6 redirects from this Ethernet port. This option is disabled by default.
  18. Set the following 802.1X Settings:
    Host Mode Select the port mode for 802.1X authentication. Select single-host to bridge traffic from a single authenticated host. Select multi-host to bridge traffic from any host to this port.
    Guest VLAN Set the Guest VLAN on which traffic is bridged from a wired port when the selected port is considered unauthorized.
    Port Control Set the way in which the port bridges traffic. Select one of the following options:
    • Automatic – The port is set to the state as received from the authentication server.
    • force-authorized – Any traffic on the port is considered authenticated and is bridged as configured.
    • force-unauthorized – Any traffic on the port is considered unauthenticated and is not bridged.
    Reauthenticate Select this option to enable or disable reauthentication. Reauthentication is primarily used to refresh the current state of the selected port. When enabled, the device is forced to reauthenticate; while this happens, the port is still considered authenticated. If reauthentication fails, the port is considered unauthorized and devices using the port are denied access.
    Max Reauthenticate Count Set the number of reauthentication attempts (1 - 10) a port makes when it tries to reauthenticate and fails. Once this count is exceeded, the port is considered unauthorized.
    Quiet Period Set the duration in seconds during which no attempt is made to reauthenticate a controlled port. Set a value from 0 - 65535 seconds.
    Reauthenticate Period Set the duration after which a controlled port is forced to reauthenticate. Set a value from 0 - 65535 seconds.
    Port MAC Authentication When enabled, a port's MAC address is authenticated, as only one MAC address is supported per wired port. When successfully authenticated, packets from the source are processed. Packets from all other sources are dropped. Port MAC authentication is supported on RFS 4000 model controllers. Port MAC authentication may be enabled on ports in conjunction with Wired 802.1x settings for a MAC Authentication AAA policy.
  19. In the 802.1x supplicant (client) feature field, click Enable to enable a username and password pair used when authenticating users on this port.
    Click Show to expose the characters in the Password field.
  20. Click OK to save the changes and overrides made to the Ethernet port's security configuration.
    Click Reset to revert to the last saved configuration.
  21. Select Spanning Tree.

    Spanning Tree Protocol (STP) (IEEE 802.1D standard) configures a meshed network for robustness by eliminating loops within the network and calculating and storing alternate paths to provide fault tolerance.

    As the port comes up and the STP calculation takes place, the port is set to the Blocked state. In this state, no traffic can pass through the port. Since STP calculations take up to a minute to complete, the port is not operational during that time, affecting the network behind the port. When the STP calculation is complete, the port's state is changed to Forwarding and traffic is allowed.

    Rapid Spanning Tree Protocol (RSTP) (IEEE 802.1w standard) is an evolution over the standard STP. The primary aim is to reduce the time taken to respond to topology changes while being backward compatible with STP. PortFast enables quickly changing the state of a port from Blocked to Forwarding to enable the port to allow traffic while the STP calculation happens.

    Multiple Spanning Tree Protocol (MSTP) provides an extension to RSTP to optimize the usefulness of VLANs. MSTP allows a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology.

    If there is only one VLAN in the access point managed network, a single spanning tree works fine. However, if the network contains more than one VLAN, the network topology defined by single STP would work, but it is possible to make better use of the alternate paths available by using an alternate spanning tree for different VLANs or groups of VLANs.

    An MSTP supported deployment uses multiple MST regions with multiple MST instances (MSTI). Multiple regions and other STP bridges are interconnected using one single common spanning tree (CST). MSTP includes all of its spanning tree information in a single Bridge Protocol Data Unit (BPDU) format. BPDUs are used to exchange information such as bridge IDs and root path costs. Not only does this reduce the number of BPDUs required to communicate spanning tree information for each VLAN, but it also ensures backward compatibility with RSTP.

    MSTP encodes additional region information after the standard RSTP BPDU, as well as a number of MSTI messages. Each MSTI message conveys spanning tree information for one instance. Each instance can be assigned a number of configured VLANs. The frames assigned to these VLANs operate in this spanning tree instance whenever they are inside the MST region. To avoid conveying its entire VLAN-to-spanning-tree mapping in each BPDU, the access point encodes an MD5 digest of its VLAN-to-instance table in the MSTP BPDU. This digest is used by other MSTP supported devices to determine whether the neighboring device is in the same MST region as itself.

  22. Set the following MSTP Configuration settings:
    Link Type Select either Point-to-Point or Shared. When Point-to-Point is selected, the port is treated as connected to a point-to-point link. When Shared is selected, the port is treated as shared between multiple devices.

    An example of a Point-to-Point connection is a port that is connected to an access point.

    An example of a Shared connection is a port that is connected to a hub.

    Cisco MSTP Interoperability Enable or Disable interoperability with Cisco's version of MSTP over the port. Cisco's version of MSTP is incompatible with standard MSTP.
    Force Protocol Version Select STP to use the standard Spanning Tree Protocol. Select RSTP to use Rapid Spanning Tree Protocol. Select MSTP to use Multiple Spanning Tree Protocol. Select Not Supported to disable spanning tree protocol for this interface.

    Guard Select the Root radio button to enable root guard, a mechanism that prevents the election of roots other than those designated as roots in a network. When this port receives a better (superior) BPDU, the port state becomes Blocked. It retains this state until the port no longer receives the superior BPDU, and then the state is changed to Forwarding. Select None to disable this feature.
    Enable PortFast Select this option to enable PortFast, a feature that reduces the time taken for a port to complete the MSTP state change from Blocked to Forwarding. Enable PortFast only on ports on the wireless controller that are directly connected to a server or workstation, and not to another hub or controller. PortFast can be left unconfigured on an access point.
    Enable PortFast BPDU Filter Select this option to invoke a BPDU filter for this PortFast-enabled port. MSTP BPDUs are messages exchanged when controllers gather information about the network topology. When enabled, PortFast-enabled ports do not transmit BPDU messages. When this value is set to Default, the BPDU Filter value is set to the bridge's BPDU filter value.
    Enable PortFast BPDU Guard Select this option to invoke a BPDU guard for this PortFast-enabled port. MSTP BPDUs are messages exchanged when controllers gather information about the network topology. When enabled, PortFast-enabled ports are forced to shut down when they receive BPDU messages. When this value is set to Default, the PortFast BPDU Guard value is set to the bridge's BPDU guard value.

  23. Refer to the Spanning Tree Port Cost table.
    Define or override an Instance Index using the spinner control, and set its corresponding cost in the Cost column.

    This is the cost for a packet to traverse the current network segment. The cost of a path is the sum of the costs of all segments traversed from the source to the destination. The default rule for the cost of a network segment is: the faster the media, the lower the cost.

    Select + Add Row as needed to include additional indexes.

  24. Refer to the Spanning Tree Port Priority table.
    Define or override an Instance Index using the spinner control, and set its corresponding priority in the Priority column.

    This is the priority for this port becoming a designated root. The default rule is: the lower this value, the higher the chance that the port is assigned as a designated root.

    Select + Add Row as needed to include additional indexes.

  25. Click OK to save the changes and overrides made to the Ethernet port's Spanning Tree configuration.
    Click Reset to revert to the last saved configuration.
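The Access and Trunk switching-mode rules from step 9 (Mode, Native VLAN, Tag Native VLAN and Allowed VLANs), worked through on raw Ethernet frames as an added Python example; this is not code from the WiNG documentation or product, and the handling of priority-tagged (VID 0) frames and of tagged frames arriving on an access port are labelled assumptions.

```python
# Added example, not part of the WiNG documentation: a small model of the
# Access / Trunk switching-mode rules from step 9 (Mode, Native VLAN,
# Tag Native VLAN, Allowed VLANs) applied to raw Ethernet frames.
# Assumptions are marked; all frames are constructed inline.
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100  # Tag Protocol Identifier of an 802.1Q tagged frame


@dataclass(frozen=True)
class PortConfig:
    mode: str                                    # "access" or "trunk"
    native_vlan: int = 1                         # 1 - 4094, default 1
    tag_native: bool = False                     # Tag Native VLAN, off by default
    allowed_vlans: FrozenSet[int] = frozenset()  # trunk mode only


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Split a frame into (dst, src, vid, ethertype, payload); vid is None if untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]  # VID is the low 12 bits


def classify_ingress(cfg: PortConfig, frame: bytes) -> Optional[int]:
    """Return the VLAN an incoming frame is mapped to, or None if the port drops it."""
    _, _, vid, _, _ = parse_frame(frame)
    if vid == 0:
        vid = None  # VID 0 is priority-tagged only; treated as untagged (assumption)
    if cfg.mode == "access":
        # Access: untagged frames map to the native VLAN. A tag naming the native
        # VLAN is tolerated; any other tag is dropped (modelling assumption).
        return cfg.native_vlan if vid in (None, cfg.native_vlan) else None
    # Trunk: untagged -> native VLAN; tagged -> only native or allowed VLANs pass.
    if vid is None:
        return cfg.native_vlan
    return vid if vid == cfg.native_vlan or vid in cfg.allowed_vlans else None


def build_egress(cfg: PortConfig, vid: int, dst: bytes, src: bytes,
                 ethertype: int, payload: bytes) -> Optional[bytes]:
    """Build the frame as it leaves the port for VLAN `vid`, or None if not carried."""
    if cfg.mode == "access":
        if vid != cfg.native_vlan:
            return None
        tagged = False              # access ports never emit 802.1Q headers
    elif vid == cfg.native_vlan:
        tagged = cfg.tag_native     # native VLAN is tagged only if configured
    elif vid in cfg.allowed_vlans:
        tagged = True               # every non-native allowed VLAN is tagged
    else:
        return None
    if tagged:
        tci = vid & 0x0FFF          # PCP and DEI left at zero
        return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample frames (broadcast destination, locally administered source).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("02000000aa01")
PAYLOAD = b"constructed payload"
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD
TAGGED_20 = DST + SRC + struct.pack("!HHH", TPID_8021Q, 20, 0x0800) + PAYLOAD
TAGGED_99 = DST + SRC + struct.pack("!HHH", TPID_8021Q, 99, 0x0800) + PAYLOAD

ACCESS_10 = PortConfig("access", native_vlan=10)
TRUNK = PortConfig("trunk", native_vlan=1, allowed_vlans=frozenset({20, 30}))
TRUNK_TAGGED_NATIVE = PortConfig("trunk", native_vlan=1, tag_native=True,
                                 allowed_vlans=frozenset({20, 30}))

if __name__ == "__main__":
    for name, cfg in (("access vlan 10", ACCESS_10), ("trunk", TRUNK)):
        for label, frame in (("untagged", UNTAGGED), ("tag 20", TAGGED_20), ("tag 99", TAGGED_99)):
            print(f"{name:14} {label:9} -> {classify_ingress(cfg, frame)}")
    out = build_egress(TRUNK_TAGGED_NATIVE, 1, DST, SRC, 0x0800, PAYLOAD)
    print("native VLAN egress with Tag Native VLAN on:", parse_frame(out)[2])
```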
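The ARP Header Mismatch Validation check from step 16, together with the VRRP case in its note, modelled in Python as an added example that is not WiNG's own code; the allowance for a VRRP virtual sender MAC behind a physical Ethernet SMAC is an assumption about how the note's exception is applied, and all frames and addresses are constructed.

```python
# Added example, not part of the WiNG documentation: the ARP Header Mismatch
# Validation check from step 16 modelled in Python, together with the VRRP case
# described in the note. The VRRP allowance is an assumption about how the
# exception is applied; all frames and addresses are constructed inline.
import struct
from typing import Optional, Tuple

ETHERTYPE_ARP = 0x0806
VRRP_IPV4_MAC_PREFIX = bytes.fromhex("00005e0001")  # RFC 5798 virtual router MAC

def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the Ethernet SMAC and ARP fields of an untagged Ethernet/IPv4 ARP frame."""
    if len(frame) < 14 + 28:
        return None
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet hardware / IPv4 protocol ARP is modelled
    return {"eth_src": eth_src, "oper": oper,
            "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}

def is_vrrp_virtual_mac(mac: bytes) -> bool:
    """00:00:5e:00:01:VRID is the IPv4 VRRP virtual router MAC range."""
    return mac[:5] == VRRP_IPV4_MAC_PREFIX

def validate_arp_header(frame: bytes, mismatch_validation: bool = True,
                        allow_vrrp_virtual_mac: bool = True) -> Tuple[str, str]:
    """Return (verdict, reason): "forward", "drop", or "ignore" for non-ARP frames.

    mismatch_validation mirrors the ARP Header Mismatch Validation option;
    allow_vrrp_virtual_mac is the assumed handling of the VRRP case in the note.
    """
    arp = parse_arp(frame)
    if arp is None:
        return "ignore", "not an Ethernet/IPv4 ARP frame"
    if not mismatch_validation:
        return "forward", "mismatch validation disabled"
    if arp["eth_src"] == arp["sha"]:
        return "forward", "Ethernet SMAC matches ARP sender MAC"
    if allow_vrrp_virtual_mac and is_vrrp_virtual_mac(arp["sha"]):
        return "forward", "ARP sender MAC is a VRRP virtual MAC behind a physical SMAC"
    return "drop", "Ethernet SMAC %s != ARP sender MAC %s" % (
        arp["eth_src"].hex(":"), arp["sha"].hex(":"))

def build_arp(eth_src: bytes, sha: bytes, spa: bytes, tha: bytes, tpa: bytes,
              oper: int = 2) -> bytes:
    """Build an untagged ARP frame; requests (oper 1) go to broadcast, replies to tha."""
    dst = b"\xff" * 6 if oper == 1 else tha
    return (dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa)

# Constructed MAC and IP addresses used by the sample frames below.
HOST_MAC = bytes.fromhex("02000000aa01")
ROUTER_PHYS_MAC = bytes.fromhex("02000000bb02")
OTHER_MAC = bytes.fromhex("02000000cc03")
VRRP_MAC = bytes.fromhex("00005e000105")  # VRRP virtual MAC, VRID 5
HOST_IP, GW_IP = bytes([10, 0, 0, 20]), bytes([10, 0, 0, 1])

CONSISTENT = build_arp(HOST_MAC, HOST_MAC, HOST_IP, ROUTER_PHYS_MAC, GW_IP)
MISMATCHED = build_arp(HOST_MAC, OTHER_MAC, HOST_IP, ROUTER_PHYS_MAC, GW_IP)
VRRP_REPLY = build_arp(ROUTER_PHYS_MAC, VRRP_MAC, GW_IP, HOST_MAC, HOST_IP)
NOT_ARP = HOST_MAC + ROUTER_PHYS_MAC + struct.pack("!H", 0x0800) + b"\x00" * 28

if __name__ == "__main__":
    for label, frame in (("consistent", CONSISTENT), ("mismatched", MISMATCHED),
                         ("vrrp reply", VRRP_REPLY), ("not arp", NOT_ARP)):
        verdict, reason = validate_arp_header(frame)
        print(f"{label:11} -> {verdict:7} ({reason})")
```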