Campus Switching and Routing

Guest Blogger

Tunneled-node and connectivity loss

Maybe somebody can help me with a tunneled-node configuration between an Aruba 7005 controller and an AOS 2930F switch. I configured the switch for tunneled-node.


interface 5
   name "FOSCAM IP CAM"
vlan 20
   name "TUNNEL-VLAN"
   untagged 4
   no ip address

I configured the controller, which is running AOS with an aaa profile to use MAC authentication against ClearPass. The relevant configuration of the controller is displayed below.

aaa authentication wired
    profile "aaa-tunneled-node"
aaa profile "aaa-tunneled-node"
    authentication-mac "default"
    mac-server-group "grp-cppm"

The concept of tunnel-node is working perfectly. The device connects to the switch, is authenticated by ClearPass, and is connected to the correct VLAN. However, I have one problem. The connected device is a Foscam IP camera. The device is connected to the switch and is managed by, and stores recordings on, a Synology NAS. The Synology NAS is connected to a different switch.


The problem is that the IP camera is getting disconnected on the Synology, so I cannot use the "live view" or check recordings or snapshots from detected movements. When I enable tunneled-node on the switch port connected to the Foscam, the camera works for a few minutes and then gets disconnected.


I cannot find the reason why. I can still access the IP cam by IP address from the Synology and I can access the web interface from any device in the network. I was thinking about broadcasts being blocked, but I cannot find anything. The camera gets back online as soon as I disable tunneled-node on the switch port and set the correct access VLAN.


Below is the user-table information of the Foscam IP cam on the controller.


Who knows the answer?? ;-)


IP          MAC                Name          Role           Age(d:h:m)  Auth  VPN link  AP name    Roaming  Essid/Bssid/Phy  Profile            Forward mode  Type  Host Name  User Type
----------  -----------------  ------------  -------------  ----------  ----  --------  ---------  -------  ---------------  -----------------  ------------  ----  ---------  ---------
            c4:d6:55:3d:ca:5a  c4d6553dca5a  authenticated  00:00:00    MAC             tunnel 12  Wired                     aaa-tunneled-node  tunnel                         WIRED


Name: c4d6553dca5a, IP:, MAC: c4:d6:55:3d:ca:5a, Age: 00:00:00
Role: authenticated (how: ROLE_DERIVATION_MBA_VSA), ACL: 78/0
Authentication: Yes, status: successful, method: MAC, protocol: PAP, server: CPPM
Authentication Servers: dot1x authserver: , mac authserver: CPPM
Bandwidth = No Limit
Bandwidth = No Limit
VLAN Derivation: MBA Aruba VSA
Idle timeout (global): 300 seconds, Age: 00:00:00
Mobility state: Wired, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=1, vpnflags=0, u_stm_ageout=0
Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
IP User termcause: 0
phy_type: Wired, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 1
Vlan default: 20, Assigned: 1, Current: 1 vlan-how: 11 DP assigned vlan:1
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
SlotPort=0xc, Port=0x1000c (tunnel 12)
Essid:, Bssid: b0:5a:da:98:67:30 AP name/group: / Phy-type: Wired Forward Mode: tunnel
RadAcct sessionID:n/a
RadAcct Traffic In 1156/479326 Out 1333/210075 (0:1156/0:0:7:20574,0:1333/0:0:3:13467)
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
Profiles AAA:aaa-tunneled-node, dot1x:, mac:default CP:n/a def-role:'logon' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 0
IP Born: 1515348432 (Sun Jan  7 19:07:12 2018)
Core User Born: 1515348432 (Sun Jan  7 19:07:12 2018)
Upstream AP ID: 0, Downstream AP ID: 0
User Agent String:
L3-Auth Session Timeout from RADIUS: 0
Mac-Auth Session Timeout Value from RADIUS: 0
Dot1x Session Timeout Value from RADIUS: 0
Dot1x Session Term-Action Value from RADIUS: Default
CaptivePortal Login-Page URL from RADIUS: N/A
Reauth-interval from role: 0
Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
mac auth server: CPPM, dot1x auth server: N/A
Address is from DHCP: no
Per-user-log pointer 0x141ae04 (id 71), num logs 4
RTTS disabled: rtts_throughput 0 rtts_discard 0 rtts_reest 0 rtts_keepalive 0
User added to cluster bucket-map: No
@rene_booches | AMFX #26, ACMX #438, ACCX #725, ACDX #760, CCNP R&S, CEH | Co-owner/Solution Specialist@4IP / blog
Super Contributor II

Re: Tunneled-node and connectivity loss

What role and policies are given to the camera in tunneled node?


Have you tied it with a wide open (allow all) role? JW :-)


Sean Rynearson
Guest Blogger

Re: Tunneled-node and connectivity loss

The device gets the authenticated role, which has the allow-all statement.
@rene_booches | AMFX #26, ACMX #438, ACCX #725, ACDX #760, CCNP R&S, CEH | Co-owner/Solution Specialist@4IP / blog
Super Contributor II

Re: Tunneled-node and connectivity loss

Tunneled node vs not in tunnel node mode, same vlan?
Sean Rynearson
Guru Elite

Re: Tunneled-node and connectivity loss

Per-port or per-user?
Do you have an L3 boundary between the controller and edge switch?

Tim Cappalli | Aruba Security TME
@timcappalli | | ACMX #367 / ACCX #480
Guest Blogger

Re: Tunneled-node and connectivity loss

Tunneled-port is in VLAN 20. Client is placed in VLAN 1 via CPPM. All other ports (non tunneled-node) are in VLAN 1.

I am using per port tunneled-node. Controller and switch are in the same VLAN (VLAN 1). Tunneled-node VLAN is only local L2 on switch and controller and is not allowed on uplinks between both.
@rene_booches | AMFX #26, ACMX #438, ACCX #725, ACDX #760, CCNP R&S, CEH | Co-owner/Solution Specialist@4IP / blog