Aruba AOS-S Device Profiling

This post will touch on the Aruba Switch OS (AOS-S) device profiling capability that is available right out of the box.

This feature will enable you, in an all-Aruba environment, to profile Aruba APs and switches and auto-configure the port whenever that device type is plugged in. The switch uses LLDP (Link Layer Discovery Protocol) to figure out what kind of device is connected to the port. Once that is completed, it will auto-configure items such as POE, jumbo frames, and VLAN tagging. I will touch on the basic configuration and then explain some caveats.

device-profile type aruba-ap
enable
exit
device-profile name default-ap-profile
tagged-vlan 105,110
untagged-vlan 100
exit
device-profile type aruba-ap associate default-ap-profile

The first 3 lines enable the profile 'type'. This is used to designate an AP or a switch, in our case. The next 5 lines are used to set certain configuration items. As you can see, you are able to set the tagged and untagged VLANs. I have found this is typically enough to get by in most situations. This is very useful in a situation where you don't have something like ClearPass to configure the ports automatically. Or maybe you want to enable the less technical staff to plug and unplug APs when you're not around without having to worry about static port configuration. There are some caveats that I will touch on later.

device-profile type aruba-switch
enable
exit
device-profile name default-switch-profile
tagged-vlan 100,110,105
untagged-vlan 1
exit
device-profile type aruba-switch associate default-switch-profile

This is essentially the same thing, only it applies to AOS-S switches.

Now on to the caveats.
1. POE Priority is always set to Critical.
This means that any port with a Class 4 device (most modern APs) will always consume 30W of power. This may exhaust your POE budget on the switch. You can change this by adjusting the POE priority under the device-profile name default-ap-profile context. You can also set the poe-allocate-by configuration item to 'usage'.

2. It is not very granular as far as per-port configuration.
When you enable device-profiling, it will be enabled on every port where the switch finds an AP. The only way I have found to stop this is to disable LLDP on the port: lldp admin-status <interface> disable. If you do not use LLDP regularly, this may not be an issue for you.

3. Device-Profiling overrides static configuration.
Imagine a scenario where you enable device-profiling on a switch that already has VLANs statically configured with ports assigned. Now the VLAN tagging and untagging (in the Aruba world) could be 'moved' off your switch port. Your configuration will read the same, but device-profiling will be changing the assignment in the background.
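
To see ahead of time where caveats 2 and 3 will bite, you can compare the static VLAN assignments in a saved configuration against the profile. The script below is an added example, not part of the original post or any Aruba tooling: it lists the ports that still run LLDP and whose static VLANs differ from what default-ap-profile would apply if an AP were detected there. The sample configuration is constructed, and the parser assumes numeric port names and the simplified layout shown.

```python
# Constructed sample in AOS-S running-config layout (assumption: numeric port names).
SAMPLE = """\
vlan 1
   untagged 1-4
   exit
vlan 100
   untagged 5-6
   exit
vlan 105
   tagged 6
   exit
vlan 110
   tagged 6
   exit
lldp admin-status 3-4 disable
device-profile name "default-ap-profile"
   untagged-vlan 100
   tagged-vlan 105,110
   exit
"""

def expand(spec):
    """Expand a port or VLAN list such as '1-3,7' into {1, 2, 3, 7}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(config, profile="default-ap-profile"):
    """Return LLDP-enabled ports whose static VLANs differ from the profile's."""
    static, lldp_off, want, ctx = {}, set(), {"untagged": set(), "tagged": set()}, None
    for line in filter(str.strip, config.splitlines()):  # skip blank lines
        words = line.replace('"', "").split()
        if not line.startswith(" "):  # top-level statement resets the context
            ctx = None
            if words[0] == "vlan":
                ctx = ("vlan", int(words[1]))
            elif words[:3] == ["device-profile", "name", profile]:
                ctx = ("profile",)
            elif words[:2] == ["lldp", "admin-status"] and words[-1] == "disable":
                lldp_off |= expand(words[2])  # profiling cannot trigger on these ports
        elif ctx and ctx[0] == "vlan" and words[0] in ("untagged", "tagged"):
            for port in expand(words[1]):
                static.setdefault(port, {"untagged": set(), "tagged": set()})[words[0]].add(ctx[1])
        elif ctx and ctx[0] == "profile" and words[0] in ("untagged-vlan", "tagged-vlan"):
            want[words[0].split("-")[0]] = expand(words[1])
    return {p: v for p, v in sorted(static.items()) if p not in lldp_off and v != want}
```

On the sample, audit(SAMPLE) reports ports 1, 2 and 5: ports 3 and 4 have LLDP disabled, and port 6 already matches the profile.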

Overall, I find this feature very useful. In the Managed Services world, it is nice to know that I can enable profiling on a switch that I won't be managing day to day and not worry. It enables my customers to move equipment around without having to contact me to get the configuration updated. I know that pains some people to read, but it is their equipment, after all.