Merge branch '517' into stage

cumulusAnia · cumulusAnia · commit ea650cbb3aab · 2026-02-27T15:38:05.000-08:00
diff --git a/content/cumulus-linux-517/Layer-1-and-Switch-Ports/802.1X-Interfaces.md b/content/cumulus-linux-517/Layer-1-and-Switch-Ports/802.1X-Interfaces.md
@@ -952,6 +952,61 @@ If you do not want to notify the supplicant of the deauthentication, you can add
 ```
 cumulus@switch:~$ nv action deauthenticate interface swp1 dot1x authorized-sessions 00:55:00:00:00:09 silent
 ```
+
+## LLDP on 802.1X Unauthenticated Ports
+
+By default, Cumulus Linux blocks LLDP packets on unauthorized ports. You can configure the switch to allow LLDP packets on unauthorized ports on ingress, egress, or both.
+
+{{%notice note%}}
+This feature only affects the ports in the pre-authentication stage. The authenticated ports are not affected.
+{{%/notice%}}
+
+{{< tabs "TabID960 ">}}
+{{< tab "NVUE Commands ">}}
+
+The following example allows LLDP packets on unauthorized ports on ingress:
+
+```
+cumulus@switch:~$ nv set system dot1x pre-auth allow-protocol lldp ingress
+```
+
+The following example allows LLDP packets on unauthorized ports on egress:
+
+```
+cumulus@switch:~$ nv set system dot1x pre-auth allow-protocol lldp egress
+```
+
+The following example allows LLDP packets on unauthorized ports on both ingress and egress:
+
+```
+cumulus@switch:~$ nv set system dot1x pre-auth allow-protocol lldp both
+```
+
+To revert to the default setting of blocking LLDP packets on unauthorized ports, run the `nv unset system dot1x pre-auth allow-protocol lldp` commands. For example:
+- To block LLDP packets on unauthorized ports on ingress, run the `nv unset system dot1x pre-auth allow-protocol lldp ingress` command.
+- To block LLDP packets on unauthorized ports on egress, run the `nv unset system dot1x pre-auth allow-protocol lldp egress` command.
+- To block LLDP packets on unauthorized ports on both ingress and egress, run the `nv unset system dot1x pre-auth allow-protocol lldp both` command.
+
+{{< /tab >}}
+{{< tab "Linux Commands ">}}
+
+Edit the `/etc/hostapd.conf` file to add the `preauth_ingress_allow_protocol=lldp` option and, or the `preauth_egress_allow_protocol=lldp` option, then reload the `hostapd` service.
+
+```
+cumulus@switch:~$ sudo nano /etc/hostapd.conf
+...
+preauth_ingress_allow_protocol=lldp
+preauth_egress_allow_protocol=lldp 
+...
+```
+
+```
+cumulus@switch:~$ sudo systemctl reload hostapd
+```
+
+{{< /tab >}}
+{{< /tabs >}}
+
 <!--
 ### Dynamic VRF Assignment
 
diff --git a/content/cumulus-linux-517/Whats-New/_index.md b/content/cumulus-linux-517/Whats-New/_index.md
@@ -18,6 +18,7 @@ Cumulus Linux 5.17 contains new features and improvements, and provides bug fixe
 - {{<link url="Quality-of-Service/#lossless-headroom-based-on-small-packet-probability" text="Lossless headroom size based on small packet probability">}} (Beta)
 - {{<link url="Quality-of-Service/#dynamic-ecn" text="Dynamic ECN">}} (Beta)
 - {{<link url="Installing-a-New-Cumulus-Linux-Image-with-ONIE/#show-secure-boot-details" text="NVUE command to show secure boot status and details">}}
+- {{<link url="802.1X-Interfaces/#lldp-on-802.1x-unauthenticated-ports" text="Allow LLDP on 802.1X unauthenticated ports">}}
 - Instant Retransmission System (Beta)
 - LLDP BGP Route Redistribution Extension (Beta)
 - Open Telemetry  Granular metric selection (Beta)
@@ -27,7 +28,6 @@ Cumulus Linux 5.17 contains new features and improvements, and provides bug fixe
 - Security - Alert in the event of an audit processing failure\
 - Security - Support organizational requirements to conduct backups of information system documentation
 - Support SSD-SED disable in BIOS (Spectrum-6)
-- Allow LLDP to work on 802.1X unauthenticated ports 
 - Routing Convergence Enhancement for full connectivity loss (all links Up/restart)
 - BER monitoring | GSHUT and port down due to error disabled
 - Security - Support "sudo" validation when TACACS server is connected to the default VRF 
