Policy Based Automation Auto-vlan support

Feature overview

Policy Based Automation Deployment guide.pdf (792.6 KB)

The PBA Auto-VLAN feature enables a cnMatrix switch to dynamically learn the VLAN IDs advertised by cnPilot APs in LLDP control packets. cnMatrix first authenticates each received LLDP control packet, then parses the advertised VLAN IDs and allows them on the directly connected interface.

This feature is intended to support zero-touch detection of cnPilot access points on a cnMatrix switch and dynamic configuration of the port on which the LLDP packet is received. PBA Auto-VLAN is supported starting from cnPilot firmware version 4.1 and cnMatrix firmware release 3.1.1-r3.

Functional Details about the PBA Auto-vlan

New Cambium vendor-specific LLDP TLVs are introduced to support pushing VLAN IDs from Cambium cnPilot to the cnMatrix switch.

The PBA TLVs are implemented as an extension to the LLDP standard, using its flexible extension mechanism.

They are implemented as vendor-specific (Cambium OUI: 58-C1-7A) TLVs using TLV type 127, as described in the 802.1AB (LLDP) standard.

Two new TLVs have been defined:

  • PBA Authentication TLV – used by cnMatrix switch to export current authentication-related data and settings for use by attached cnPilot devices
  • PBA Device Settings TLV – used by cnPilot devices leveraging PBA to export required PBA device settings, such as the VLAN IDs, to cnMatrix.
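To see which neighbours are sending Cambium vendor TLVs, the sketch below walks an LLDPDU and picks out type 127 TLVs carrying OUI 58-C1-7A. It is an added example, not Cambium code; the sample frame, the subtype value and the payload are constructed placeholders, because this page does not give the PBA subtype numbers or field layout.

```python
import struct

CAMBIUM_OUI = bytes.fromhex("58C17A")  # OUI given on this page
ORG_SPECIFIC = 127                      # TLV type used for vendor extensions

def iter_tlvs(lldpdu):
    """Yield (type, value) for each TLV in an LLDPDU (the bytes after EtherType 0x88CC)."""
    off = 0
    while off + 2 <= len(lldpdu):
        (hdr,) = struct.unpack_from("!H", lldpdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF  # 7-bit type, 9-bit length
        off += 2
        if tlv_type == 0:                         # End of LLDPDU
            return
        if off + length > len(lldpdu):
            raise ValueError("TLV length runs past end of LLDPDU")
        yield tlv_type, lldpdu[off:off + length]
        off += length

def cambium_tlvs(lldpdu):
    """Return [(subtype, payload)] for organizationally specific TLVs with the Cambium OUI."""
    found = []
    for tlv_type, value in iter_tlvs(lldpdu):
        # Org-specific value = 3-byte OUI + 1-byte subtype + payload
        if tlv_type == ORG_SPECIFIC and len(value) >= 4 and value[:3] == CAMBIUM_OUI:
            found.append((value[3], value[4:]))
    return found

def make_tlv(tlv_type, value):
    """Helper used only to build the constructed sample below."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

# Constructed LLDPDU. Subtype 0x01 and its payload are placeholders: the page
# does not give the PBA subtype numbers or field layout.
SAMPLE = b"".join([
    make_tlv(1, b"\x04" + bytes.fromhex("020000000a01")),       # Chassis ID (MAC)
    make_tlv(2, b"\x05" + b"eth0"),                              # Port ID (interface name)
    make_tlv(3, b"\x00\x78"),                                    # TTL = 120 s
    make_tlv(127, bytes.fromhex("0080C2") + b"\x01\x00\x01"),   # IEEE 802.1 Port VLAN ID
    make_tlv(127, CAMBIUM_OUI + b"\x01" + b"constructed"),      # Cambium vendor TLV
    make_tlv(0, b""),                                            # End of LLDPDU
])

if __name__ == "__main__":
    for subtype, payload in cambium_tlvs(SAMPLE):
        print(f"Cambium TLV subtype={subtype:#04x} payload={payload!r}")
```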

By default, cnMatrix regularly generates the LLDP PBA Authentication TLV on all ports. The following criteria decide whether the PBA Authentication TLV is included in the LLDP packets generated by the cnMatrix switch:

  • Port operational status (enabled/disabled).
  • PBA Authentication TLV setting on the port (enabled/disabled). To disable it, execute “no lldp pba-tlv-select authentication” on the port.
  • Global Auto-Attach policy (enabled/disabled). To disable it, execute “no auto-attach”. TLV transmission is stopped on all ports when PBA is disabled globally.

Upon receipt of this LLDP Authentication TLV, the cnPilot AP responds by sending the Device Settings TLV, which includes the list of VLAN IDs allowed on the trunk interface of the AP. The native VLAN on the AP’s Ethernet interface is expected to be untagged. However, when the AP Ethernet interface is in trunk mode with the native VLAN tagged, the native VLAN ID must be present in the allowed VLANs on the interface so that the switch allows it on the port.

On the cnPilot AP, the PBA Device Settings TLV is included in the LLDP packet if the Ethernet port is in trunk mode. It is not generated if the port is in access mode. LLDP is enabled globally by default on the cnPilot AP. The cnMatrix switch authenticates the LLDP packet received from the cnPilot AP. From the Device Settings TLV, the switch reads the components (VLAN list, state flags) and creates a dynamic policy that is applied to the port on which the TLV was received.

The policy remains in effect until the LLDP port status changes (e.g., downstream neighbor LLDP data expires, PBA disabled on the port, link-down event), the policy data being pushed by the downstream neighbor changes (e.g., the VLAN list is updated) or a higher precedence PBA is determined to be applicable to the port.

Functional Details about PBA TLV extension.

Cambium PBA Authentication tlv

This is a proprietary TLV generated by cnMatrix to convey authentication-related data and settings. If this TLV is included in the LLDP packet, it notifies cnPilot devices that PBA-based data path configuration is supported by the cnMatrix. If the TLV is absent, this feature is not supported.

The PBA Authentication TLV exports the current authentication-related settings and data that are required to support secure communication between the device generating authenticated PBA TLVs and cnMatrix. It sends the following information in the TLV:

  • Source MAC address: MAC address of the device generating the TLV.
  • Authentication state flag:
    • Flag = 1: indicates PBA authentication is enabled. The Device Settings TLV received on this port in the ingress direction will be authenticated before processing. If the authentication fails, the packet will be dropped and no policy will be applied.
    • Flag = 0: indicates the LLDP packet will not be authenticated when processing the TLV.
  • Authentication challenge: the cnPilot uses this information when connecting to cnMatrix to leverage PBA functionality and automatically configure datapath characteristics (e.g., VLAN settings) in a secure communication mode.

Cambium PBA Device setting tlv

This proprietary TLV is generated by cnPilot APs to inform the PBA-enabled uplink switch of the interface configuration requirements.

It is only generated following the receipt of a PBA Authentication TLV on the interface.

PBA Device Settings TLV data integrity and source validation are supported using the HMAC-SHA256 message authentication algorithm. The HMAC-SHA256 generated digest size is 32 octets, and the PBA Device Settings TLV includes a field to support the digest exchange between source and destination parties. Symmetric (shared) private keys are used for digest generation.

The digest is computed by passing the following data to HMAC-SHA256:

  • Authentication challenge value: received in the most recent incoming LLDP packet from the switch
  • Source MAC address: MAC address of the device formulating the PBA Device Settings TLV
  • Destination MAC address: derived from the source MAC address in the most recently received PBA Authentication TLV
  • Port ID: derived from the value of the LLDP standard (mandatory) Port ID TLV exported by the upstream cnMatrix device

This data, along with the message authentication key, is passed through the standard HMAC-SHA256 algorithm to produce the associated message digest. The digest is then placed in the HMAC-SHA256 Digest field in the TLV prior to transmission. Upon receipt, the digest is again computed, and the resulting digest is compared against the received digest. If the received digest is the same as the newly computed digest, the TLV is considered authentic and processing can commence. If the comparison fails, the TLV is discarded and processing is terminated.

PBA Device Settings TLV authentication can be bypassed to support Cambium devices that do not support the required authentication procedure. Disabling PBA message authentication means that PBA Device Settings TLV authentication is not performed.

The primary use of the PBA Device Settings TLV is to pass desired VLAN settings from the source to the destination device to facilitate automatic configuration of datapath settings. This effectively pushes policy action data from the source downstream device to the destination upstream device. Settings are applied to the port through which the TLV was received (i.e., the ingress port). The following VLAN settings can be specified.

  • Native VLAN – the native VLAN is always sent as “0”. This prevents cnMatrix from updating the port based on the TLV received from cnPilot.
  • VLAN List – identifies a list of VLANs that are to be created and applied to the ingress port of the switch. The VLAN list is specified either as comma-separated values or as a range (e.g., 5-10). A maximum of 20 VLANs may be specified on the Ethernet port.
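The digest check and the VLAN list handling described above can be sketched from the switch's point of view as follows. This is an added example, not Cambium's implementation: the concatenation order of the digest inputs, counting the 20-VLAN limit after range expansion, and all sample values are assumptions, since the page does not document the wire layout.

```python
import hashlib
import hmac

MAX_VLANS = 20  # limit stated on this page

def pba_digest(key, challenge, src_mac, dst_mac, port_id):
    """HMAC-SHA256 over the four inputs the page lists.
    Assumption: plain concatenation in the listed order; the real layout is not documented here."""
    msg = challenge + src_mac + dst_mac + port_id
    return hmac.new(key, msg, hashlib.sha256).digest()

def parse_vlan_list(text):
    """Expand a '5-10,20' style list; reject invalid IDs and more than MAX_VLANS."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"invalid VLAN entry: {part!r}")
        vlans.update(range(lo, hi + 1))
        if len(vlans) > MAX_VLANS:
            raise ValueError(f"more than {MAX_VLANS} VLANs requested")
    return sorted(vlans)

def accept_device_settings(key, challenge, ap_mac, switch_mac, port_id,
                           rx_digest, vlan_text, auth_enabled=True):
    """Switch-side decision: VLANs to allow on the ingress port, or None if dropped."""
    if auth_enabled:
        expected = pba_digest(key, challenge, ap_mac, switch_mac, port_id)
        # Constant-time comparison avoids leaking how many digest bytes matched.
        if not hmac.compare_digest(expected, rx_digest):
            return None
    return parse_vlan_list(vlan_text)

# Constructed sample values, not taken from any device.
KEY = b"constructed-shared-key"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
AP_MAC = bytes.fromhex("020000000a01")
SW_MAC = bytes.fromhex("020000000b01")
PORT_ID = b"Gi0/3"

if __name__ == "__main__":
    good = pba_digest(KEY, CHALLENGE, AP_MAC, SW_MAC, PORT_ID)
    print(accept_device_settings(KEY, CHALLENGE, AP_MAC, SW_MAC, PORT_ID, good, "5-10,20"))
    stale = pba_digest(KEY, bytes(16), AP_MAC, SW_MAC, PORT_ID)  # digest built on an old challenge
    print(accept_device_settings(KEY, CHALLENGE, AP_MAC, SW_MAC, PORT_ID, stale, "5-10,20"))
```

A digest built on an older challenge, a different port ID or a different key fails the comparison, so the TLV is discarded and no policy is applied.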

Topology Diagram

LLDP Work Flow

LLDP packet capture

Configuration on cnMatrix switch

Auto-Attach policy is enabled by default on the cnMatrix switch.

Configuration on cnPilot Access point

LLDP is enabled by default on cnPilot AP.

Stats command on cnMatrix switch

To check the LLDP neighbors


To check the VLANs learned from LLDP neighbors

To view the Auto-Attach policy Attached


To view the policy applied on the interface


To view the Auto Attach policy applied on the interface from cli

To view the status of TLV processed or Failed


To view the policy statistics on the port

To view the LLDP counters globally


To change the Authentication key on cnMatrix and cnPilot

To change the default shared authentication key, use the CLI commands below on cnMatrix and cnPilot. Ensure the key is the same on both devices; otherwise, authentication of the LLDP packet will fail.

On cnPilot:

On cnMatrix:


This feature works between cnPilot AP and cnMatrix switches and enables zero touch deployment of cnPilot APs to be deployed with cnMatrix w.r.to VLAN configuration.