Auto Attach on an Access Port


I have a range of ports configured as access ports (switchport access vlan 11), which work fine. However, if I configure auto attach on those same ports (auto-attach script cnPilot vlan 10,11,12 pvid 10), then create a WLAN on a cnPilot using VLAN 11, the devices connecting to that WLAN won't be able to pass any data (No DHCP lease received). I can see the MAC address of the WiFi device connecting to that WLAN in the Switch's forwarding database, but it doesn't pull an IP.

Any suggestions?


Since the port's PVID is 10 (dynamically assigned by the auto-attach script), all untagged traffic ingressing this port will be received in VLAN 10. Please make sure you enable egress tagging for VLAN 11 on the cnPilot in order for the switch to process traffic from the cnPilot in the correct VLAN.

In which VLAN is the device's MAC learned when you display the switch's FDB?



The learned VLAN for that MAC is the correct VLAN (11). I didn't have to change anything for VLAN 12 to work.

Please attach the output of the following CLIs:

show system info

show auto-attach interface

show vlan

show vlan port interface giga 0/<port-number>, where port-number is the port to which the device is connected

show running-config

Also, indicate which port is connected to the DHCP server.


Please check that the port connecting to the DHCP server is also a member of VLAN 11. If this port is a 'hybrid' type, you have to manually add it to auto-attach created VLANs. In 2.1 there is a new configurable action 'trunk' port in auto-attach that will automatically place the port into all auto-attached VLANs. This port is removed from auto-attached VLANs when the device gets disconnected.


VLAN 11 works fine when using it through one of the access ports on the same switch. Attached devices get an IP from the router's DHCP server right away. The ports were set to access; if I recall, I was having issues adding VLANs to access ports because of the mode (I guess only Hybrid works for this?).

When I take a look at it tomorrow, I will try a few more things and if I'm still having issues, I can send the results of those commands to your email.

In troubleshooting, I attempted to erase the config on the switch but noticed some parts of the config were still left over (device name, password). Is this intentional? If so, is there another command to truly factory default the switch?


CLI command 'boot default' restores the factory default.


We just decided not to use the auto attach feature in this deployment because it wasn't working as intended.

The switch config was very simple. I even did a factory default to be sure. I created 3 VLANs: 10,11,12 and did not assign them to any ports. Port 1 had "switchport mode trunk", the other ports had "switchport mode access" set with the PVID of 11. When auto attach was enabled, it correctly changed the PVID on the cnPilot-connected port to VLAN 10 and assigned tagged VLANs for 10,11,12. Client devices connecting to the cnPilot's WLAN on VLAN 12 worked perfectly but the WLAN on VLAN 11 did not work. When a client device is hardwired into one of the access ports on VLAN 11, they get network access just fine.

To me, that seems like the simplest possible implementation of auto attach. Maybe we'll try it again in another deployment after Cambium comes out with a few more software updates...


Sorry to hear you are having a problem with cnMatrix. Can you please share cnMatrix's full config by typing the command 'show running-config'? We will try to reproduce the issue in our lab and let you know our findings.