Instant Trusted Branch DB

Question- What is the purpose of iap trusted-branch-db?
Why locally managed IAPs are unable to form tunnel to controller?

Environment- This feature was tested with ArubaOS 6.4.2.4 and Aruba Instant 4.1.1.1 version.

Answer- 

With controller running 6.4, there is additional security option of "iap trusted-branch-db" to prevent any rogue device forming tunnels to the controller.

Note :: This feature is in addition to "rap whitelist-db" entry which is mandatory.

Below are the possible scenarios ::

1. When IAP is configured by external management box i.e. Central / Airwave, it can be assured that the device is coming up due to network admin's config (and not any rogue device). In this case, there is no need to have trusted-branch-db entry for the device on controller as they are automatically whitelisted.


(Aruba7220) #show whitelist-db rap

AP-entry Details
----------------
Name AP-Group AP-Name Full-Name Authen-Username Revoke-Text AP_Authenticated Description Date-Added Enabled Remote-IP
---- -------- ------- --------- --------------- ----------- ---------------- ----------- ---------- ------- ---------
9c:1c:12:c5:b7:f4 default 9c:1c:12:c5:b7:f4 Provisioned Tue Feb 24 00:13:34 2015 Yes 0.0.0.0

AP Entries: 1

(Aruba7220) #show vpdn l2tp local pool

IP addresses used in pool 1.1.1.1
1.1.1.100

Total:-
1 IPs used - 0 IPs free - 1 IPs configured
IP pool allocations / de-allocations - L2TP: 0/0 IKE: 19/0


(Aruba7220) #show iap trusted-branch-db

Trusted Branch Validation: Enabled
IAP Trusted Branch Table
------------------------
(empty)
------- <--- No entry present

 

(Aruba7220) #show iap table long

Trusted Branch Validation: Disabled
IAP Branch Table
----------------
Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan Key Bid(Subnet Name) Tunnel End Points
---- -------------- ------ -------- --------------- ------------- --- ---------------- -----------------
MyLab 9c:1c:12:c5:b7:f4 UP 1.1.1.100 1e7902250106bbedc3b81fe62a665eb8aea1b7e2a47459cca8 10.29.163.30

Total No of UP Branches : 1
Total No of DOWN Branches : 0
Total No of Branches : 1


2. When the IAP is locally managed i.e. configured directly by IAP UI / CLI, there is possibility that a rogue device can setup tunnel to controller. Hence, we need an entry of the device on "iap trusted-branch-db" or (have allow-all enabled).

With the same IAP switched to local managed mode::

(Aruba7220) #show log errorlog 4

Feb 24 01:03:34 <Process 342001> <ERRS> |IAP manager Pro| !!! Not a trusted branch - '9c1c12c5b7f4';remove this entry from white-list !!! <-- The auto-whitelist entry is removed.

(Aruba7220) #show iap table long

Trusted Branch Validation: Enabled
IAP Branch Table
----------------
Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan Key Bid(Subnet Name) Tunnel End Points
---- -------------- ------ -------- --------------- ------------- --- ---------------- -----------------
MyLab 9c:1c:12:c5:b7:f4 DOWN 0.0.0.0 1e7902250106bbedc3b81fe62a665eb8aea1b7e2a47459cca8


After adding whitelist entry.

(Aruba7220) #show iap trusted-branch-db

Trusted Branch Validation: Disabled
IAP Trusted Branch Table
------------------------
Branch MAC
----------
(allow all as trusted branch)

 

(Aruba7220) #show iap table long

Trusted Branch Validation: Disabled
IAP Branch Table
----------------
Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan Key Bid(Subnet Name) Tunnel End Points
---- -------------- ------ -------- --------------- ------------- --- ---------------- -----------------
MyLab 9c:1c:12:c5:b7:f4 UP 1.1.1.100 1e7902250106bbedc3b81fe62a665eb8aea1b7e2a47459cca8 10.29.163.30

Total No of UP Branches : 1
Total No of DOWN Branches : 0
Total No of Branches : 1

 

Version History
Revision #:
1 of 1
Last update:
‎04-05-2015 09:43 PM
Updated by:
 
Contributors
Comments

How do we disable the allow-all function of this this command?

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.