The tutorial was by: istong
Video Tutorial by: Jamie E
In this tutorial I will show you how to build a master controller from scratch, how to build a local controller from scratch, and then how to link them together. I had a lot of questions about how to build a local controller initially, so I hope this helps. The first part shows how to build a master (steps 1-9), and the second part below it shows how to build a local controller.
As a side note, it also shows how to build port channels to bond interfaces together for HA and performance reasons. Please kudo if you found this helpful.
Initial Configuration of a Master Controller
1) Boot up the controller with a console cable connected to the serial port
ArubaOS Version 126.96.36.199 (build 41362 / label #41362)
Built by firstname.lastname@example.org on 2013-12-18 at 16:43:23 PST (gcc version 3.4.3)
Copyright (c) 2002-2013, Aruba Networks, Inc.
<<<<< Welcome to Aruba Networks - Aruba A3400-US >>>>>
Checking Inventory...OK
Performing CompactFlash fast test... Checking for file system...Passed.
Performing integrity check on Ancillary partition 1...passed.
Watchdog processes Starting ...
Watchdog processes running ...
Reboot Cause: User reboot.
Downloading SOS for A3400... done.
Deleting the Databases
Restoring the database...done.
Tuning IPv4 route cache...done.
Generating SSH Keys......done.
Initializing TPM and Certificates
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Generating a 2048 bit RSA private key
.................................................+++
..............................+++
writing new private key to '/tmp/tempCertKey/priveKeyGen.pem'
-----
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
TPM and Certificate Initialization successful.
Reading configuration from factory-default.cfg
2) Follow the startup wizard to enter in your system name, timezone, date, time and other details.
I accept the defaults for the IP address and mask for vlan 1 as I'll change it later anyway. Once you enter the details it asks for confirmation in case you need to change something. Then it will reboot with the new settings.
***************** Welcome to the Aruba3400 setup dialog *****************
This dialog will help you to set the basic configuration for the switch.
These settings, except for the Country Code, can later be changed from the
Command Line Interface or Graphical User Interface.

Commands: <Enter> Submit input or use [default value], <ctrl-I> Help
<ctrl-B> Back, <ctrl-F> Forward, <ctrl-A> Line begin, <ctrl-E> Line end
<ctrl-D> Delete, <BackSpace> Delete back, <ctrl-K> Delete to end of line
<ctrl-P> Previous question <ctrl-X> Restart beginning

Enter System name [Aruba3400]: 3400-col-1
Enter Switch Role (master|local|standalone|remote-node) [master]:
Enter VLAN 1 interface IP address [172.16.0.254]:
Enter VLAN 1 interface subnet mask [255.255.255.0]:
Enter IP Default gateway [none]: 172.16.0.1
This controller is restricted to Country code US for United States, please confirm (yes|no)?: yes
Enter Time Zone [PST-8:0]: EST-5:0
Enter Time in UTC [13:13:27]: 13:15:00
Enter Date (MM/DD/YYYY) [3/5/2014]:
Enter Password for admin login (up to 32 chars): ************
Re-type Password for admin login: ************
Enter Password for enable mode (up to 15 chars): ************
Re-type Password for enable mode: ************
Do you wish to shutdown all the ports (yes|no)? [no]:

Current choices are:

System name: 3400-col-1
Switch Role: master
VLAN 1 interface IP address: 172.16.0.254
VLAN 1 interface subnet mask: 255.255.255.0
IP Default gateway: 172.16.0.1
Time Zone: EST-5:0
Ports shutdown: no

If you accept the changes the switch will restart!
Type <ctrl-P> to go back and change answer for any question
Do you wish to accept the changes (yes|no)yes
Creating configuration... Done.

System will now restart!

Shutdown processing started
Syncing data...done.
Sending SIGKILL to all processes.
Please stand by while rebooting the system.
0:<7>ide-disk 0.0: shutdown
0:<0>Restarting system.
0:.
0:<2>Performing hard reset...
Reading configuration from default.cfg
Retrieving Configuration...will take approximately 1 minute
(3400-col-1)
User:
3) Log into the controller with a username of admin and the password you set above
Then type enable and enter the enable password you set above.
(3400-col-1)
User: admin
Password: ************
(3400-col-1) >

(3400-col-1) >enable
Password:************
(3400-col-1) #
4) If you have licenses, you should add or import them at this time. You can get them from the licensing portal (licensing.arubanetworks.com) and import one at a time using license add xxxxxxxx. Or, if you exported them from a previous system, you can import them all at once.
(3400-col-1) #dir
-rw-r--r-- 1 root root 2341 Mar 5 08:07 licenses (this is a file containing licenses from a previous export)
-rw-r--r-- 2 root root 11458 Mar 5 08:18 original.cfg
drwx------ 2 root root 1024 Mar 5 08:14 tpm
(3400-col-1) #show license
License Table
-------------
Key  Installed  Expires  Flags  Service Type
---  ---------  -------  -----  ------------
License Entries: 0
(3400-col-1) #license import licenses
Successfully imported 3 licenses to the license database from licenses; please reload to make licenses take effect

License Table
-------------
Key                                               Installed   Expires  Flags  Service Type
---                                               ---------   -------  -----  ------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  2011-04-08  Never    ER     Access Points: 16
                                                  11:08:39
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  2011-04-08  Never    ER     RF Protect: 16
                                                  11:09:02
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  2011-04-08  Never    ER     Next Generation Policy Enforcement Firewall Module: 16
                                                  11:09:22
License Entries: 3
Flags: A - auto-generated; E - enabled; R - reboot required to activate
5) Reload the controller after importing the licenses and issue a show license after the reboot to confirm the licenses.
6) Now we need to configure the network portion of the controller to assign IP addresses, vlans, port channels, etc.
Here is the network configuration after a reboot - type the following: show running-config | begin interface
interface gigabitethernet 1/0
    description "GE1/0"
    trusted
    trusted vlan 1-4094
!
interface gigabitethernet 1/1
    description "GE1/1"
    trusted
    trusted vlan 1-4094
!
interface gigabitethernet 1/2
    description "GE1/2"
    trusted
    trusted vlan 1-4094
!
interface gigabitethernet 1/3
    description "GE1/3"
    trusted
    trusted vlan 1-4094
!
interface vlan 1
    ip address 172.16.0.254 255.255.255.0
!
ip default-gateway 172.16.0.1
7) I like to bond two interfaces together for speed and redundancy to two upstream switches for our corp wifi. Then I do the same for our guest wifi. To do this I create port channels and assign the interfaces to the port channels. If you prefer, you can do it without port channels: just don't configure interface port-channel or the lacp lines under the interfaces. When complete, the first two interfaces are for our corp traffic and the other two are for guest traffic. They use different vlans and different subnets and route out of our network differently to keep guest traffic off our corporate network as much as possible. I also split up corp users into different vlans and subnets based on AD membership, so you will see multiple vlans below. Of course, replace the vlan numbers with your preferred vlan numbers and the IP addressing with your specific IPs.
vlan 110 "int-wifi-dev01"
vlan 111 "ext-wifi-guest01"
vlan 113 "int-wifi-it01"
vlan 115 "int-wifi-std01"
vlan 117 "int-wifi-exec01"
vlan 118 "int-wifi-devices01"

interface port-channel 0
    trusted
    trusted vlan 110,113,115,117,118
    switchport mode trunk
    switchport trunk allowed vlan 110,113,115,117,118
!
interface port-channel 1
    trusted
    trusted vlan 111
    switchport mode trunk
    switchport trunk allowed vlan 111
interface gigabitethernet 1/0
    description "uplink to col01svcsw1 port 0/1 pc0 for corp"
    trusted
    trusted vlan 110,113,115,117,118
    switchport mode trunk
    switchport trunk allowed vlan 110,113,115,117,118
    no spanning-tree
    lacp port-priority 32768
    lacp group 0 mode active
!
interface gigabitethernet 1/1
    description "uplink to col01svcsw1 port 0/2 pc0 for corp"
    trusted
    trusted vlan 110,113,115,117,118
    switchport mode trunk
    switchport trunk allowed vlan 110,113,115,117,118
    no spanning-tree
    lacp port-priority 32768
    lacp group 0 mode active
!
interface gigabitethernet 1/2
    description "uplink to col01svcsw1 port 0/3 pc1 for guests"
    trusted
    trusted vlan 111
    switchport mode trunk
    switchport trunk allowed vlan 111
    no spanning-tree
    lacp port-priority 32768
    lacp group 1 mode active
!
interface gigabitethernet 1/3
    description "uplink to col01svcsw1 port 0/4 pc1 for guests"
    trusted
    trusted vlan 111
    switchport mode trunk
    switchport trunk allowed vlan 111
    no spanning-tree
    lacp port-priority 32768
    lacp group 1 mode active
!
interface vlan 111
    ip address 10.1.82.4 255.255.254.0
!
interface vlan 115
    ip address 10.1.84.4 255.255.252.0
!
interface vlan 1
    no ip address
    shutdown
exit
no ip default-gateway 172.16.0.1
ip default-gateway 10.1.84.1
!
8) The following sets up DHCP on the controller for the guest wifi. I exclude some addresses for network devices. Once added, exit configuration mode, save the configuration, then reload the controller once more.
ip dhcp excluded-address 10.1.82.1 10.1.82.9
ip dhcp pool ext-wifi-guest01
    default-router 10.1.82.1
    dns-server 188.8.131.52 184.108.40.206
    lease 1 0 0 0
    network 10.1.82.0 255.255.254.0
9) The controller can now be plugged into your network and should be reachable via the IP address assigned to vlan 115, for example. You should then upgrade/downgrade the software to your preferred version through the GUI or CLI. Then proceed with configuring the wifi-specific aspects such as AP groups, Virtual APs, AAA profiles, SSID parameters, etc.
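A check for the trunk layout from step 7, added here as an example and not part of the original tutorial: it parses a running-config excerpt and reports any LACP member whose allowed VLAN list differs from its port-channel, and any trunk that carries both guest and corp VLANs. The function names are hypothetical, and the embedded sample is the step 7 configuration trimmed to its trunk and LACP lines.

```python
import re
# Sample input: step 7's configuration, trimmed to its trunk and LACP lines.
CONFIG = """\
interface port-channel 0
    switchport trunk allowed vlan 110,113,115,117,118
interface port-channel 1
    switchport trunk allowed vlan 111
interface gigabitethernet 1/0
    switchport trunk allowed vlan 110,113,115,117,118
    lacp group 0 mode active
interface gigabitethernet 1/1
    switchport trunk allowed vlan 110,113,115,117,118
    lacp group 0 mode active
interface gigabitethernet 1/2
    switchport trunk allowed vlan 111
    lacp group 1 mode active
interface gigabitethernet 1/3
    switchport trunk allowed vlan 111
    lacp group 1 mode active
"""

def expand(vlans):  # '110,113-115' -> {110, 113, 114, 115}
    out = set()
    for part in vlans.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):
    """Map each interface name to its allowed VLAN set and LACP group."""
    ifaces = {}
    for block in re.split(r"^interface ", config, flags=re.M)[1:]:
        name, _, body = block.partition("\n")
        vl = re.search(r"switchport trunk allowed vlan (\S+)", body)
        grp = re.search(r"lacp group (\d+)", body)
        ifaces[name.strip()] = {"vlans": expand(vl.group(1)) if vl else set(),
                                "group": int(grp.group(1)) if grp else None}
    return ifaces

def audit(config, guest_vlans):
    """Return findings for mismatched LACP members and mixed guest/corp trunks."""
    ifaces, findings = parse(config), []
    for name, i in ifaces.items():
        pc = ifaces.get(f"port-channel {i['group']}")
        if i["group"] is not None and (pc is None or pc["vlans"] != i["vlans"]):
            findings.append(f"{name}: allowed VLANs differ from port-channel {i['group']}")
        if i["vlans"] & guest_vlans and i["vlans"] - guest_vlans:
            findings.append(f"{name}: guest and corp VLANs share one trunk")
    return findings
```

Call `audit(config_text, {111})` with the guest VLAN set for your site; an empty list means the corp and guest trunks are consistent and separate.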
This section is for building a local controller
Creating a Local Controller (Converting a Master to a Local)
1) Take a new controller and build it as a master controller initially (reference the how to for building a master controller)
2) Ensure the code version is the same between the new temporary master and your production master controller.
3) Verify IP connectivity between the new temporary master and your production master controller (ping, for example). Also ensure your firewall is configured to allow traffic between the two controllers (papi udp 8211, tcp 4500, etc.).
4) On the new temporary master, type the following to point to the IP of the production master controller. Note you can use a preshared key or a certificate based solution.
conf t
masterip 220.127.116.11 ipsec keytexthere
exit
write mem
5) On the production master controller, type the following to point to the IP of the new local controller. Note you can use a preshared key or a certificate based solution.
conf t
localip 18.104.22.168 ipsec keytexthere
exit
write mem
6) To verify they have synced up, issue the following and ensure it says update successful. You can also look at the config on the local controller, where you should see lots of extra configuration pushed down from the master to the local.
(7210-hq-1) # show switches
All Switches
------------
IP Address   Name       Location                    Type    Model      Version               Status  Configuration State  Config Sync Time (sec)  Config ID
----------   ----       --------                    ----    -----      -------               ------  -------------------  ----------------------  ---------
10.9.0.4     7210-hq-1  3rd Floor DC                master  Aruba7210  22.214.171.124_41362  up      UPDATE SUCCESSFUL    0                       53
172.17.36.4  3600-sd-1  San Diego Local Controller  local   Aruba3600  126.96.36.199_41362   up      UPDATE SUCCESSFUL    10                      53
7) Now you can reconfigure the AP profiles for your APs to point to the IP of the local controller as the primary LMS, and the APs will build their tunnel to the local controller instead of the master.
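The step 6 verification can be scripted. The following is an added example, not part of the original tutorial: it parses `show switches` output and compares every controller against the master row for status, configuration state, software version (step 2) and config ID. The function names are hypothetical, the sample rows are constructed from the output above with a placeholder version string, and the "Aruba" model prefix used to find the Type column is an assumption taken from those two rows.

```python
import re

# Constructed sample modelled on the step 6 output; x.x.x.x is a placeholder
# for the ArubaOS release, which must be identical on both controllers (step 2).
SHOW_SWITCHES = """\
IP Address   Name       Location                    Type    Model      Version        Status  Configuration State  Config Sync Time (sec)  Config ID
10.9.0.4     7210-hq-1  3rd Floor DC                master  Aruba7210  x.x.x.x_41362  up      UPDATE SUCCESSFUL    0                       53
172.17.36.4  3600-sd-1  San Diego Local Controller  local   Aruba3600  x.x.x.x_41362  up      UPDATE SUCCESSFUL    10                      53
"""

# Location may contain spaces (even the word "Local"), so anchor on the
# lowercase Type column followed by a model name (assumed "Aruba" prefix).
ROW = re.compile(
    r"^(?P<ip>\d+(?:\.\d+){3})\s+(?P<name>\S+)\s+(?P<location>.*?)\s+"
    r"(?P<type>[a-z]+)\s+(?P<model>Aruba\S+)\s+(?P<version>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<state>.+?)\s+(?P<sync>\d+)\s+(?P<cfgid>\d+)$")

def parse_switches(output):
    """Return one dict per controller row; headers and rulers are skipped."""
    matches = (ROW.match(line.strip()) for line in output.splitlines())
    return [m.groupdict() for m in matches if m]

def sync_findings(output):
    """Compare every controller against the master row and list problems."""
    rows = parse_switches(output)
    master = next((r for r in rows if r["type"] == "master"), None)
    if master is None:
        return ["no master row found"]
    findings = []
    for r in rows:
        if r["status"] != "up":
            findings.append(f"{r['name']}: status is {r['status']}")
        if r["state"] != "UPDATE SUCCESSFUL":
            findings.append(f"{r['name']}: configuration state is {r['state']}")
        if r["version"] != master["version"]:
            findings.append(f"{r['name']}: version {r['version']} differs from master")
        if r["cfgid"] != master["cfgid"]:
            findings.append(f"{r['name']}: config ID {r['cfgid']} differs from master")
    return findings
```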
If you found this helpful please give kudos - thanks.