Initial Configuration of a Master Controller

1) Boot up the controller with a console cable connected to the serial port.

    ArubaOS Version 6.3.1.2 (build 41362 / label #41362)
    Built by p4build@corsica.arubanetworks.com on 2013-12-18 at 16:43:23 PST (gcc version 3.4.3)
    Copyright (c) 2002-2013, Aruba Networks, Inc.

    <<<<< Welcome to Aruba Networks - Aruba A3400-US >>>>>

    Checking Inventory...OK
    Performing CompactFlash fast test... Checking for file system... Passed.
    Performing integrity check on Ancillary partition 1...passed.
    Watchdog processes Starting ...
    Watchdog processes running ...
    Reboot Cause: User reboot.
    Downloading SOS for A3400... done.
    Deleting the Databases
    Restoring the database...done.
    Tuning IPv4 route cache...done.
    Generating SSH Keys......done.
    Initializing TPM and Certificates
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Generating a 2048 bit RSA private key
    .................................................+++
    ..............................+++
    writing new private key to '/tmp/tempCertKey/priveKeyGen.pem'
    -----
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    TPM and Certificate Initialization successful.
    Reading configuration from factory-default.cfg

2) Follow the startup wizard to enter your system name, timezone, date, time and other details. I accept the defaults for the IP address and mask for vlan 1 as I'll change them later anyway. Once you enter the details it asks for confirmation in case you need to change something. Then it will reboot with the new settings.

    ***************** Welcome to the Aruba3400 setup dialog *****************
    This dialog will help you to set the basic configuration for the switch.
    These settings, except for the Country Code, can later be changed from the
    Command Line Interface or Graphical User Interface.
    Commands: Submit input or use [default value], Help
    Back, Forward, Line begin, Line end
    Delete, Delete back, Delete to end of line
    Previous question Restart beginning

    Enter System name [Aruba3400]: 3400-col-1
    Enter Switch Role (master|local|standalone|remote-node) [master]:
    Enter VLAN 1 interface IP address [172.16.0.254]:
    Enter VLAN 1 interface subnet mask [255.255.255.0]:
    Enter IP Default gateway [none]: 172.16.0.1
    This controller is restricted to Country code US for United States, please confirm (yes|no)?: yes
    Enter Time Zone [PST-8:0]: EST-5:0
    Enter Time in UTC [13:13:27]: 13:15:00
    Enter Date (MM/DD/YYYY) [3/5/2014]:
    Enter Password for admin login (up to 32 chars): ************
    Re-type Password for admin login: ************
    Enter Password for enable mode (up to 15 chars): ************
    Re-type Password for enable mode: ************
    Do you wish to shutdown all the ports (yes|no)? [no]:

    Current choices are:

    System name: 3400-col-1
    Switch Role: master
    VLAN 1 interface IP address: 172.16.0.254
    VLAN 1 interface subnet mask: 255.255.255.0
    IP Default gateway: 172.16.0.1
    Time Zone: EST-5:0
    Ports shutdown: no

    If you accept the changes the switch will restart!
    Type to go back and change answer for any question
    Do you wish to accept the changes (yes|no)yes
    Creating configuration... Done.

    System will now restart!
    Shutdown processing started
    Syncing data...done.
    Sending SIGKILL to all processes.
    Please stand by while rebooting the system.
    0:<7>ide-disk 0.0: shutdown
    0:<0>Restarting system.
    0:.
    0:<2>Performing hard reset...

    Reading configuration from default.cfg
    Retrieving Configuration...will take approximately 1 minute

    (3400-col-1)
    User:

3) Log into the controller with a username of admin and the password you set above. Then type enable and enter the enable password you set above.

    (3400-col-1)
    User: admin
    Password: ************
    (3400-col-1) >
    (3400-col-1) >enable
    Password:************
    (3400-col-1) #

4) If you have licenses you should add them or import them at this time.
You can get them from the licensing portal (licensing.arubanetworks.com) and import one at a time using license add xxxxxxxx. Or if you exported them from a previous system you can import them all at once.

    (3400-col-1) #dir
    -rw-r--r-- 1 root root 2341 Mar 5 08:07 licenses (this is a file containing licenses from a previous export)
    -rw-r--r-- 2 root root 11458 Mar 5 08:18 original.cfg
    drwx------ 2 root root 1024 Mar 5 08:14 tpm

    (3400-col-1) #show license

    License Table
    -------------
    Key  Installed  Expires  Flags  Service Type
    ---  ---------  -------  -----  ------------
    License Entries: 0

    (3400-col-1) #license import licenses
    Successfully imported 3 licenses to the license database from licenses; please reload to make licenses take effect

    (3400-col-1) #show license

    License Table
    -------------
    Key                                               Installed   Expires  Flags  Service Type
    ---                                               ---------   -------  -----  ------------
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  2011-04-08  Never    ER     Access Points: 16
                                                      11:08:39
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  2011-04-08  Never    ER     RF Protect: 16
                                                      11:09:02
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  2011-04-08  Never    ER     Next Generation Policy Enforcement Firewall Module: 16
                                                      11:09:22
    License Entries: 3

    Flags: A - auto-generated; E - enabled; R - reboot required to activate

5) Reload the controller after importing the licenses and issue a show license after the reboot to confirm the licenses.

6) Now we need to configure the network portion of the controller to assign IP addresses, vlans, port channels, etc. Here is the network configuration after a reboot - type the following:

    show running-config | begin interface

    interface gigabitethernet 1/0
        description "GE1/0"
        trusted
        trusted vlan 1-4094
    !
    interface gigabitethernet 1/1
        description "GE1/1"
        trusted
        trusted vlan 1-4094
    !
    interface gigabitethernet 1/2
        description "GE1/2"
        trusted
        trusted vlan 1-4094
    !
    interface gigabitethernet 1/3
        description "GE1/3"
        trusted
        trusted vlan 1-4094
    !
    interface vlan 1
        ip address 172.16.0.254 255.255.255.0
    !
    ip default-gateway 172.16.0.1

7) I like to bond two interfaces together for speed and redundancy to two upstream switches for our corp wifi. Then I do the same for our guest wifi. To do this I create port channels and assign the interfaces to the port channels. If you prefer you can do it without port channels: just leave out the interface port-channel stanzas and the lacp lines under the interfaces. When complete, the first two interfaces are for our corp traffic and the other two for guest traffic. They use different vlans and different subnets and route out of our network differently, to keep guest traffic off our corporate network as much as possible. I also split up corp users into different vlans and subnets based on AD membership, so you will see multiple vlans below. Of course, replace the vlan numbers with your preferred vlan numbers and the IP addressing with your specific IPs.

    vlan 110 "int-wifi-dev01"
    vlan 111 "ext-wifi-guest01"
    vlan 113 "int-wifi-it01"
    vlan 115 "int-wifi-std01"
    vlan 117 "int-wifi-exec01"
    vlan 118 "int-wifi-devices01"
    no spanning-tree
    interface port-channel 0
        trusted
        trusted vlan 110,113,115,117,118
        switchport mode trunk
        switchport trunk allowed vlan 110,113,115,117,118
    !
    interface port-channel 1
        trusted
        trusted vlan 111
        switchport mode trunk
        switchport trunk allowed vlan 111
    interface gigabitethernet 1/0
        description "uplink to col01svcsw1 port 0/1 pc0 for corp"
        trusted
        trusted vlan 110,113,115,117,118
        switchport mode trunk
        switchport trunk allowed vlan 110,113,115,117,118
        no spanning-tree
        lacp port-priority 32768
        lacp group 0 mode active
    !
    interface gigabitethernet 1/1
        description "uplink to col01svcsw1 port 0/2 pc0 for corp"
        trusted
        trusted vlan 110,113,115,117,118
        switchport mode trunk
        switchport trunk allowed vlan 110,113,115,117,118
        no spanning-tree
        lacp port-priority 32768
        lacp group 0 mode active
    !
    interface gigabitethernet 1/2
        description "uplink to col01svcsw1 port 0/3 pc1 for guests"
        trusted
        trusted vlan 111
        switchport mode trunk
        switchport trunk allowed vlan 111
        no spanning-tree
        lacp port-priority 32768
        lacp group 1 mode active
    !
    interface gigabitethernet 1/3
        description "uplink to col01svcsw1 port 0/4 pc1 for guests"
        trusted
        trusted vlan 111
        switchport mode trunk
        switchport trunk allowed vlan 111
        no spanning-tree
        lacp port-priority 32768
        lacp group 1 mode active
    !
    interface vlan 111
        ip address 10.1.82.4 255.255.254.0
    !
    interface vlan 115
        ip address 10.1.84.4 255.255.252.0
    !
    interface vlan 1
        no ip address
        shutdown
        exit
    no ip default-gateway 172.16.0.1
    ip default-gateway 10.1.84.1
    !

8) The following sets up DHCP on the controller for the guest wifi. I exclude some addresses for network devices. Once added, exit out of configuration mode, save the configuration, then reload the controller once more.

    ip dhcp excluded-address 10.1.82.1 10.1.82.9
    ip dhcp pool ext-wifi-guest01
        default-router 10.1.82.1
        dns-server 4.2.2.2 8.8.8.8
        lease 1 0 0 0
        network 10.1.82.0 255.255.254.0
        exit
    exit
    write mem
    reload
    y

9) The controller can now be plugged into your network and should be reachable via the IP address assigned to vlan 115, for example. You should then proceed to upgrade/downgrade the software to your preferred version through the GUI or CLI. Then proceed with configuring the wifi-specific aspects such as AP groups, Virtual APs, AAA profiles, SSID parameters, etc.
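
The guest/corp split in step 7 only holds while every trunk keeps the two VLAN sets apart, so it is worth checking a saved running-config for drift before the controller goes on the network. The script below is an added example, not part of the original post or any Aruba tooling: it parses the interface stanzas and reports trunks that mix guest and non-guest VLANs, trust VLANs they do not carry, or disagree with their port-channel. The guest VLAN number (111), the function names and the sample config are assumptions made for the illustration.

```python
import re

GUEST_VLANS = {111}  # assumption: the guest VLAN used in step 7
# Constructed sample: a corp VLAN was added to one guest uplink by mistake.
SAMPLE = """\
interface port-channel 1
 trusted vlan 111
 switchport trunk allowed vlan 111
!
interface gigabitethernet 1/2
 trusted vlan 111
 switchport trunk allowed vlan 111
 lacp group 1 mode active
!
interface gigabitethernet 1/3
 trusted vlan 1-4094
 switchport trunk allowed vlan 111,115
 lacp group 1 mode active
!
"""

def expand(spec):
    """Turn a list such as '110,113,200-202' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, guest=GUEST_VLANS):
    """Return (interface, finding) pairs where guest/corp separation breaks."""
    ports, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+ \S+)", line):
            cur = ports.setdefault(m.group(1), {"trusted": set(), "allowed": set(), "lacp": None})
        elif cur and (m := re.match(r"(trusted|switchport trunk allowed) vlan ([\d,-]+)$", line)):
            cur[m.group(1).split()[-1]] |= expand(m.group(2))  # key: "trusted" or "allowed"
        elif cur and (m := re.match(r"lacp group (\d+)", line)):
            cur["lacp"] = m.group(1)
    findings = []
    for port, p in ports.items():
        if p["allowed"] & guest and p["allowed"] - guest:
            findings.append((port, "trunk carries guest and non-guest VLANs"))
        if p["allowed"] and p["trusted"] - p["allowed"]:
            findings.append((port, "trusts VLANs the trunk does not carry"))
        pc = ports.get(f"port-channel {p['lacp']}")
        if pc and p["allowed"] != pc["allowed"]:
            findings.append((port, f"allowed VLANs differ from port-channel {p['lacp']}"))
    return findings
```

Calling audit() on the text of show running-config returns an empty list when every trunk matches the layout in step 7; ports without a switchport trunk line, such as the factory defaults in step 6, are skipped.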