Wireless Access

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Tunneled Node Configuration

Hello All,

Just wanted to confirm the Tunneled Node Configuration on the MAS.

If I have the Aruba MAS Switches on the Access/Distribution Layer and also on the Core Layer, of which the Aruba Controller terminates on the Core MAS, can I assume that the Tunneled Node Profile configuration will be done on the MAS Switches on the Access/Distribution Layer? Then have that applied to the Physical Interfaces. Nothing built on the MAS Core.

And then just have the aaa authentication wired profile configured on the Aruba Controller?

And if I have APs terminating on the Access/Distribution Layer MAS Switches, is it okay for me to create a VLAN for Employees and also a VLAN for APs? That is what I considered doing. But then have the Server derivation policy push the VLAN for Employees after successful authentication.

Look forward to hearing from you.

Aruba
Posts: 429
Registered: ‎05-30-2012

Re: Tunneled Node Configuration

[ Edited ]

Yes, you would only enable tunneled-node on the access-layer ports.

Yes, you would use the aaa authentication wired profile on the controller.

No, you cannot have the APs connected to a tunneled-node port because that would create a tunnel-within-a-tunnel situation which the Mobility Controller cannot support at this time.

Best regards,

Madani

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Tunneled Node Configuration


madjali wrote:

Yes, you would only enable tunneled-node on the access-layer ports.

Yes, you would use the aaa authentication wired profile on the controller.

No, you can have the APs connected to a tunneled-node port because that would create a tunnel within a tunnel situation which the Mobility Controller cannot support at this time.

Best regards,

Madani


Hi Madani,

Thanks for your response.

So you are saying that I just need to create one Access VLAN applied to the Tunneled-Node Ports and then have the APs terminating on those Ports? Didn't quite understand your last comment.

How does that work? The idea was to have Laptops terminating on those Tunneled-Node Ports, isn't it?

Aruba
Posts: 429
Registered: ‎05-30-2012

Re: Tunneled Node Configuration

Aruba APs establish a GRE tunnel between themselves and their Mobility Controller in the same way that the Mobility Access Switch establishes a GRE tunnel to the Mobility Controller for Tunneled-Node. This creates a problem when an AP is on a port configured for Tunneled Node. Basically the AP wants to create a GRE tunnel to get to the Mobility Controller, and when that traffic hits the Tunneled-Node port, the Mobility Access Switch puts the payload in another GRE tunnel, which creates a tunnel within a tunnel.

So for your APs, you need to use a regular access port as opposed to a tunneled-node port.

Best regards,

Madani

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Tunneled Node Configuration

Oh yes, for sure. That's the plan.

Sorry for the confusion.

What I intended to say was to create an Access VLAN for the Laptops/Users and then associate that VLAN to the Tunneled-Node Ports. But then have a separate VLAN for APs and have a Trusted Port applied to the Physical Interfaces of which the APs will be terminated on. Is this a correct design consideration or best practice?

Secondly, the Tunneled-Node Ports have to have a Switching-Profile of "No Trusted Port". Correct?

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Tunneled Node Configuration


eosuorah wrote:

Oh yes, for sure. That's the plan.

Sorry for the confusion.

What I intended to say was to create an Access VLAN for the Laptops/Users and then associate that VLAN to the Tunneled-Node Ports. But then have a separate VLAN for APs and have a Trusted Port applied to the Physical Interfaces of which the APs will be terminated on. Is this a correct design consideration or best practice?

Secondly, the Tunneled-Node Ports have to have a Switching-Profile of "No Trusted Port". Correct?


Hi Madani,

Can you respond to my above quote/statement?

Thanks!

Aruba
Posts: 429
Registered: ‎05-30-2012

Re: Tunneled Node Configuration

I've commented inline:

What I intended to say was to create an Access VLAN for the Laptops/Users and then associate that VLAN to the Tunneled-Node Ports. But then have a separate VLAN for APs and have a Trusted Port applied to the Physical Interfaces of which the APs will be terminated on. Is this a correct design consideration or best practice?

MA> The short answer is yes. The VLAN defined in the switching-profile, which ultimately is passed up via Tunneled-Node, must match a VLAN on the Mobility Controller. With respect to best practice, some customers just use the switching-profile VLAN as a landing VLAN, if you will, but AAA on the Mobility Controller side moves the user over to a different VLAN. Either way is fine.

Secondly, the Tunneled-Node Ports have to have a Switching-Profile of "No Trusted Port". Correct?

MA> The "[no] trusted port" command only applies to native AAA enabled ports on the Mobility Access Switch. When you are using tunneled-node, all AAA is performed by the Mobility Controller, so "no trusted port" has no effect.

Out of curiosity, what is your use case for tunneled-node ports versus native AAA functionality? Centralized security at the controller?
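To put the two halves of the design discussed in this thread side by side, here is an added illustrative configuration. It is not from the thread, and not Aruba's own documentation; the VLAN IDs, IP addresses, port numbers, profile names, the RADIUS server entry and the Filter-Id attribute/value used for derivation are all assumed. The MAS half applies a tunneled-node profile only to the user-facing access ports and gives them a landing VLAN that also exists on the controller, while the AP port is an ordinary access port with no tunneled-node profile; the controller half binds the aaa authentication wired profile and uses a server-derivation rule to move authenticated users off the landing VLAN.

```text
! ---- Access-layer Mobility Access Switch (MAS) ----
! Illustrative only: VLAN IDs, IPs, ports and profile names are assumed.
vlan 100
vlan 200
!
! Landing VLAN for user ports. VLAN 100 must also exist on the controller,
! since the switching-profile VLAN is what gets carried up the tunnel.
interface-profile switching-profile employee-landing
  switchport-mode access
  access-vlan 100
!
! AP VLAN. The APs build their own GRE tunnel to the controller, so their
! port is a plain access port and gets no tunneled-node profile.
interface-profile switching-profile ap-access
  switchport-mode access
  access-vlan 200
!
! Tunneled-node profile pointing at the controller that sits behind the core MAS
interface-profile tunneled-node-profile tn-core
  controller-ip 10.0.0.10
!
! User-facing port: tunneled to the controller. "no trusted" is not configured
! here; as noted in this reply it only matters for native AAA ports on the MAS.
interface gigabitethernet 0/0/1
  switching-profile employee-landing
  tunneled-node-profile tn-core
!
! AP-facing port: regular access port, deliberately without tunneled-node-profile
interface gigabitethernet 0/0/24
  switching-profile ap-access
!
! ---- Mobility Controller (ArubaOS) ----
! The landing VLAN (100) and the employee VLAN (300) both exist here.
vlan 100
vlan 300
!
aaa profile "employee-wired"
  initial-role "logon"
  authentication-dot1x "default"
  dot1x-server-group "radius-corp"
!
! Server-derivation rule (assumed attribute and value): a RADIUS Filter-Id of
! "employee" moves the authenticated user from landing VLAN 100 to VLAN 300.
aaa server-group "radius-corp"
  auth-server "radius-1"
  set vlan condition Filter-Id equals "employee" set-value 300
!
! Bind the wired AAA profile so users arriving over tunneled-node are
! authenticated by the controller rather than by the switch.
aaa authentication wired
  profile "employee-wired"
```

The check I would do after applying this: on the MAS, `show tunneled-node state` should list only the user-facing ports (not the AP port) with their tunnel to 10.0.0.10, and on the controller `show user-table` should show a wired user land in VLAN 100 and move to VLAN 300 once the RADIUS attribute matches (these are the command names as I know them from the MAS and controller CLI; confirm against the reference for your release).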

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Tunneled Node Configuration


madjali wrote:

I've commented inline:

What I intended to say was to create an Access VLAN for the Laptops/Users and then associate that VLAN to the Tunneled-Node Ports. But then have a separate VLAN for APs and have a Trusted Port applied to the Physical Interfaces of which the APs will be terminated on. Is this a correct design consideration or best practice?

MA> The short answer is yes. The VLAN defined in the switching-profile, which ultimately is passed up via Tunneled-Node, must match a VLAN on the Mobility Controller. With respect to best practice, some customers just use the switching-profile VLAN as a landing VLAN, if you will, but AAA on the Mobility Controller side moves the user over to a different VLAN. Either way is fine.

Secondly, the Tunneled-Node Ports have to have a Switching-Profile of "No Trusted Port". Correct?

MA> The "[no] trusted port" command only applies to native AAA enabled ports on the Mobility Access Switch. When you are using tunneled-node, all AAA is performed by the Mobility Controller, so "no trusted port" has no effect.

Out of curiosity, what is your use case for tunneled-node ports versus native AAA functionality? Centralized security at the controller?


Exactly that. The Customer wants to use centralized security via the Controller.

Aruba Employee
Posts: 148
Registered: ‎11-25-2009

Re: Tunneled Node Configuration

In that case, you can use the tunneled ports for the users' PCs/laptops, and for the APs please use non-tunneled ports.

Vinod Kumaar AVM ACMX, ACDX
Principal Network Engineer
Customer Advocacy | Aruba Networks Inc.

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Tunneled Node Configuration

Thanks guys!
