Question: Why does the WebUI, under All Access Points, show the IPSEC section as disabled for a CPSec AP but as enabled for RAPs?
In the controller WebUI there is an option to view "All Access Points", and under it there is an IPSEC section (screenshot below).
As highlighted with the red box above, the IPSEC option shows as enabled for RAPs, but for a Campus AP with CPSEC enabled it does not show as enabled.

Question: What do a RAP and an AP with CPSEC do?
Answer: With a RAP we secure both control traffic and GRE traffic; with CPSEC we secure only control traffic, not GRE.

Aruba executes an SQL query to display the values on this page. For IPSec, we read the "strap" value from global_ap_table. If strap is 0 (zero) we show it as disabled, and if it is 1 we show it as enabled.

Question: What is "global_ap_table"?
Answer: It is the database table that maintains the AP information.

    #show ap database

Question: What is strap?
Answer: Strap is a flag stored in global_ap_table that identifies whether the AP is a RAP (Remote AP) or a CAP (Campus AP).

Question: What is the flag?
Answer: The flag is set when the AP contacts the controller (i.e. it sends a Hello Message to the controller SAPM module). For a Remote AP the flag is set to 1 ("R"); for a Campus AP it is always 0 (with or without CPSec).

The commands below, run from the controller CLI, show how to verify that IPSec is in use when CPSec is enabled.

    (Aruba) #show ap database status up

    AP Database
    -----------
    Name     Group    AP Type  IP Address  Status     Flags  Switch IP
    ----     -----    -------  ----------  ------     -----  ---------
    ArubaAP  test123  105      10.10.10.2  Up 12m:7s  2      10.10.10.1

    Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
           I = Inactive; D = Dirty or no config; E = Regulatory Domain Mismatch
           X = Maintenance Mode; P = PPPoE AP; B = Built-in AP
           R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP;
           c = CERT-based RAP; 1 = 802.1x authenticated AP; 2 = Using IKE version 2
           u = Custom-Cert RAP
           M = Mesh node; Y = Mesh Recovery

    Total APs:1

    (Aruba) #show control-plane-security

    Control Plane Security Profile
    ------------------------------
    Parameter                    Value
    ---------                    -----
    Control Plane Security       Enabled
    Auto Cert Provisioning       Enabled
    Auto Cert Allow All          Enabled
    Auto Cert Allowed Addresses  N/A
    (Aruba) #show datapath session table 10.10.10.2

    Source IP       Destination IP  Prot  SPort  DPort  Cntr  Prio  ToS  Age  Destination  TAge  Packets    Bytes      Flags
    --------------  --------------  ----  -----  -----  ----  ----  ---  ---  -----------  ----  ---------  ---------  -----
    1.3.5.7         10.10.10.2      17    3555   1144   0/0   0     0    1    1/0          1f    0          0          FY
    10.10.10.2      1.3.5.7         17    1144   3555   0/0   0     0    0    1/0          1f    1          60         FC
    1.2.3.4         10.10.10.2      17    5353   1144   0/0   0     0    0    1/0          a     0          0          FY
    10.10.10.1      10.10.10.2      47    0      0      0/0   0     0    0    1/0          2a2   351        30888      F
    10.10.10.2      10.10.10.1      47    0      0      0/0   0     0    0    1/0          2a2   383        33704      FC
    10.10.10.1      10.10.10.2      17    4500   4500   0/0   0     0    15   1/0          112   0          0          F
    10.10.10.2      10.10.10.1      17    4500   4500   0/0   0     0    0    1/0          112   151        182304     FC
    10.10.10.2      1.2.3.4         17    1144   5353   0/0   0     0    0    1/0          a     1          64         FCI
    10.10.10.2      10.10.10.1      17    8209   8209   0/0   0     0    0    tunnel 11    9     13         13720      FCI
    10.10.10.1      10.10.10.2      17    8222   8211   0/0   0     0    1    local        14    0          0          FCI

    (Aruba) #show crypto ipsec sa

    IPSEC SA (V2) Active Session Information
    ----------------------------------------
    Initiator IP  Responder IP  SPI(IN/OUT)        Flags  Start Time       Inner IP
    ------------  ------------  ----------------   -----  ---------------  --------
    10.10.10.2    10.10.10.1    2ace0000/b2cd6600  UT2    Jul 8 21:28:50   10.10.10.2

    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

    Total IPSEC SAs: 1
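As an added illustration (not Aruba's code and not part of the original article), the script below parses `show ap database status up` and `show crypto ipsec sa` output and contrasts what the WebUI column would show, per the strap/R-flag rule described above, with whether an IPsec SA actually exists for each AP. The RemoteAP1 and PlainAP rows and the second SA are constructed sample data; whitespace-delimited columns, AP names without spaces, and matching on either the Initiator or Inner IP column are assumptions.

```python
import re
# Constructed sample: the ArubaAP row and first SA are this page's output; the
# RemoteAP1/PlainAP rows and second SA are invented for contrast (assumptions).
AP_DATABASE = """\
Name       Group    AP Type  IP Address  Status     Flags  Switch IP
----       -----    -------  ----------  ------     -----  ---------
ArubaAP    test123  105      10.10.10.2  Up 12m:7s  2      10.10.10.1
RemoteAP1  test123  105      192.0.2.10  Up 5m:2s   R2     10.10.10.1
PlainAP    test123  105      10.10.10.3  Up 1h:2m          10.10.10.1
"""
IPSEC_SA = """\
Initiator IP  Responder IP  SPI(IN/OUT)        Flags  Start Time      Inner IP
------------  ------------  -----------------  -----  --------------  --------
10.10.10.2    10.10.10.1    2ace0000/b2cd6600  UT2    Jul 8 21:28:50  10.10.10.2
203.0.113.7   10.10.10.1    1aaa0000/2bbb0000  UT2    Jul 8 21:30:01  192.0.2.10
"""
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_ap_database(text):
    """Return {ap_ip: (name, flags)} for data rows of 'show ap database status up'."""
    aps = {}
    for line in text.splitlines():
        tok = line.split()
        # Data rows carry an IPv4 address in column 4; headers and rules do not.
        if len(tok) >= 7 and IP_RE.match(tok[3]):
            # Status is two tokens ("Up 12m:7s"); an empty Flags cell leaves 7 tokens.
            flags = tok[6] if len(tok) >= 8 else ""
            aps[tok[3]] = (tok[0], flags)
    return aps

def parse_ipsec_peers(text):
    """Return the set of Initiator and Inner IPs listed by 'show crypto ipsec sa'."""
    peers = set()
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 8 and IP_RE.match(tok[0]):
            peers.update((tok[0], tok[-1]))
    return peers

def compare(ap_text, sa_text):
    """Per AP: the WebUI IPSEC value (strap/R flag) vs. whether an SA exists."""
    peers = parse_ipsec_peers(sa_text)
    report = {}
    for ip, (name, flags) in parse_ap_database(ap_text).items():
        webui = "enabled" if "R" in flags else "disabled"  # page: strap = 1 only for RAPs
        report[name] = {"webui_ipsec": webui, "ipsec_sa_present": ip in peers}
    return report

if __name__ == "__main__":
    print(compare(AP_DATABASE, IPSEC_SA))
```

An AP reported as `webui_ipsec: disabled` with `ipsec_sa_present: True` is the CPSec campus AP case this article describes.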
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.