Aruba Solution Exchange

Configuring tunnel node on Mobility Access Switch (MAS) to Mobility Controller

Configuring tunnel node on Mobility Access Switch (MAS) to Mobility Controller

 

Summary

Tunneled Node is one of the key elements which differentiates the Mobility Access Switch in the Enterprise access switch market. Previously known as MUX in earlier Aruba platforms and releases, the feature had been re-named as Tunneled Node. The Tunneled Node encapsulates incoming packets from end-hosts in GRE packets and forwards them to the Mobility Controller to be processed further. The Mobility Controller, upon receiving the GRE packets, strips the GRE header and further processes the packet for additional purposes such as authentication, stateful firewall, and so on. This is how the Tunneled Node feature enables a centralized security policy, authentication and access control.

To allow additional flexibility, the Tunneled Node feature is enabled per-port basis. Any traffic coming from non-Tunneled Node interfaces will be forwarded “normally” without being tunneled to a Mobility Controller.

 

Platform Tested

  • Mobility Access Switch S2500 version 7.1.3
  • Aruba Mobility Controller version 6.2.1.1, 6.3.0.1 (39170)

Configuration Notes

This solution creates configuration codes on the Mobility Access Switch (MAS) as a tunnel node to a Mobility Controller acting as a Tunnel master. The configuration of the "aaa authentication wired" profile and the role assignments are generated with the following assumptions:

  • External or internal DHCP server is configured to provide addresses to stations connected to the ports on the Tunnel-Node ports.
  • IP addresses, VLANs and relevant route settings are configured and functioning on the Mobility Controller.
  • If firewall is present in between the two devices, ensure that GRE (Protocol 47) is allowed.

Software Support

  • The minimum Mobility Access Switch AOS version is 7.1
  • The minimum Mobility Controller AOS version is 6.1.2.4
  • The following Mobility Controllers support Tunneled Nodes:
    • 7000 Series Controller.
    • 6000 Series Controller (w/M3 Supervisor).
    • 3000 Series Controller.
    • 600 Series Controller.

Licensing

The Mobility Access Switch itself does not require any licenses however the Mobility Controller does need licenses just like a regular LAN-Connected AP (e.g. WiFi AP).

1 license of each is required per standalone Mobility Access Switch or ArubaStack and installed in a Mobility Controller

  • LIC-X-AP (X ranges from 1 to 1024 – see price list for more specifics)
  • LIC-PEFNG-X (X ranges from 1 to 1024 – see price list for more specifics)
  • LIC-RFP-X (X ranges from 1 to 1024 – see price list for more specifics). *Only required if Mobility Controller has RFProtect enabled WLAN APs.

Alternatively, you can use the LIC-SEC-X bundles for the LIC-PEFNG-X and LIC-RFP-X.

Reminder: Only one license of each is required per ArubaStack so if you have a stack of 5 switches, you only need a quantity of one of each of the following licenses: LIC-1-AP, 1 LIC-PEFNG-1 and 1 LIC-RFP-1.

 

Network Topology

The following is the lab topology.

 

References

See Arubapedia for Partner article for details.

 

Version History
Revision #:
1 of 1
Last update:
‎09-17-2014 02:07 PM
Updated by:
 
Labels (2)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.