Summary
Tunneled Node is one of the key elements which differentiates the Mobility Access Switch in the Enterprise access switch market. Previously known as MUX in earlier Aruba platforms and releases, the feature had been re-named as Tunneled Node. The Tunneled Node encapsulates incoming packets from end-hosts in GRE packets and forwards them to the Mobility Controller to be processed further. The Mobility Controller, upon receiving the GRE packets, strips the GRE header and further processes the packet for additional purposes such as authentication, stateful firewall, and so on. This is how the Tunneled Node feature enables a centralized security policy, authentication and access control.
To allow additional flexibility, the Tunneled Node feature is enabled per-port basis. Any traffic coming from non-Tunneled Node interfaces will be forwarded “normally” without being tunneled to a Mobility Controller.
Platform Tested
- Mobility Access Switch S2500 version 7.1.3
- Aruba Mobility Controller version 6.2.1.1, 6.3.0.1 (39170)
Configuration Notes
This solution creates configuration codes on the Mobility Access Switch (MAS) as a tunnel node to a Mobility Controller acting as a Tunnel master. The configuration of the "aaa authentication wired" profile and the role assignments are generated with the following assumptions:
- External or internal DHCP server is configured to provide addresses to stations connected to the ports on the Tunnel-Node ports.
- IP addresses, VLANs and relevant route settings are configured and functioning on the Mobility Controller.
- If firewall is present in between the two devices, ensure that GRE (Protocol 47) is allowed.
Software Support
- The minimum Mobility Access Switch AOS version is 7.1
- The minimum Mobility Controller AOS version is 6.1.2.4
- The following Mobility Controllers support Tunneled Nodes:
- 7000 Series Controller.
- 6000 Series Controller (w/M3 Supervisor).
- 3000 Series Controller.
- 600 Series Controller.
Licensing
The Mobility Access Switch itself does not require any licenses however the Mobility Controller does need licenses just like a regular LAN-Connected AP (e.g. WiFi AP).
1 license of each is required per standalone Mobility Access Switch or ArubaStack and installed in a Mobility Controller
- LIC-X-AP (X ranges from 1 to 1024 – see price list for more specifics)
- LIC-PEFNG-X (X ranges from 1 to 1024 – see price list for more specifics)
- LIC-RFP-X (X ranges from 1 to 1024 – see price list for more specifics). *Only required if Mobility Controller has RFProtect enabled WLAN APs.
Alternatively, you can use the LIC-SEC-X bundles for the LIC-PEFNG-X and LIC-RFP-X.
Reminder: Only one license of each is required per ArubaStack so if you have a stack of 5 switches, you only need a quantity of one of each of the following licenses: LIC-1-AP, 1 LIC-PEFNG-1 and 1 LIC-RFP-1.
Network Topology
The following is the lab topology.
References
See Arubapedia for Partner article for details.