Wired Intelligent Edge


Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution

Tunnel mode to multiple controllers?

  • 1.  Tunnel mode to multiple controllers?

    Posted Jan 23, 2020 01:30 PM
    Hi,

    I have some switches doing tunnelled mode for a set of users. I have a requirement to do tunnelled mode for a new set of users - only this time, I want to buy new controllers and have them tunnel to that instead.

    Can I set this within clearpass / the switch (3810) ? Add a new profile / role for this new tunnelled mode to go to a different controller?

    Thanks


  • 2.  RE: Tunnel mode to multiple controllers?
    Best Answer

    EMPLOYEE
    Posted Jan 23, 2020 02:39 PM

    Hi,

    You can only tunnel to a single controller or single cluster from a switch in AOS-Switch. A switch cannot tunnel to multiple, separate controllers or clusters.

     

    Justin



  • 3.  RE: Tunnel mode to multiple controllers?

    Posted Jan 24, 2020 03:34 AM
    Thanks very much


  • 4.  RE: Tunnel mode to multiple controllers?

    Posted Jan 24, 2020 04:44 PM
    Could I do tunnelled mode with 2 different profiles? So tunnel my guest traffic (what I'm doing currently), then tunnel some other wired traffic to same controller but give it a different role / profile so that traffic is treated differently by the controller?

    Thanks


  • 5.  RE: Tunnel mode to multiple controllers?
    Best Answer

    EMPLOYEE
    Posted Jan 24, 2020 05:10 PM

    Yes, absolutely, that's the idea behind user based tunneling.  Each role has its own unique policy applied to it.  You can even block traffic role to role at the controller.



  • 6.  RE: Tunnel mode to multiple controllers?

    Posted Jan 24, 2020 05:31 PM
    Perfect, so in theory I could do the following (all tunnelled mode from the switch - wired and wireless):

    Guest internet role
    Department 1 role
    Department 2 role
    ....
    Department 100 role

    How would the controller differentiate between the roles? My guest internet is already in place.

    But these new departments I want to bring on board and keep separated; I was going to put them all in the same AD and use security groups as the differentiator. Maybe up to 100 of them ... all controlled from my controller pair. Would this work?

    And by default have them not allowed to talk to each other?

    Thanks


  • 7.  RE: Tunnel mode to multiple controllers?
    Best Answer

    EMPLOYEE
    Posted Jan 24, 2020 05:45 PM

    So each wired tunnel has a primary role (switch) and a secondary role (controller).  The controller role is where you would put your policy in to restrict or grant access to other roles.  Each role will have to have policy designed to do so.


    For AD, you'd have to tie the user role in the ClearPass Enforcement Policy to the AD user that you would want the specific role applied to.
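    As an added illustration of the role model described in this reply (not configuration from the thread or from HPE), the fragment below sketches the switch side in AOS-Switch CLI and the matching controller side in ArubaOS CLI for two department roles that may not reach each other. Controller IPs, role names and subnets are made-up placeholders, and the exact command set should be confirmed against the documentation for your AOS-Switch and ArubaOS releases.

```text
; ---- AOS-Switch (e.g. 3810) side: one tunnel target, many roles ----
tunneled-node-server
   controller-ip 10.0.0.10            ; placeholder: primary controller or cluster VIP
   backup-controller-ip 10.0.0.11     ; placeholder: secondary controller
   mode role-based                    ; user-based tunneling: the role decides what is tunneled
   exit
aaa authorization user-role enable
; Primary role on the switch -> secondary role applied on the controller
aaa authorization user-role name "dept1"
   tunneled-node-server-redirect secondary-role "dept1-ctrl"
   exit
aaa authorization user-role name "dept2"
   tunneled-node-server-redirect secondary-role "dept2-ctrl"
   exit
; ClearPass returns "dept1" or "dept2" in the HPE user-role RADIUS VSA from an
; enforcement profile chosen by the user's AD security group (assumed mapping).

! ---- ArubaOS controller side: the policy lives in the secondary role ----
netdestination dept1-net
   network 10.1.0.0 255.255.0.0       ! placeholder subnet for department 1
netdestination dept2-net
   network 10.2.0.0 255.255.0.0       ! placeholder subnet for department 2
ip access-list session dept1-acl
   user alias dept2-net any deny      ! department 1 may not reach department 2
   any any any permit
ip access-list session dept2-acl
   user alias dept1-net any deny      ! department 2 may not reach department 1
   any any any permit
user-role dept1-ctrl
   access-list session dept1-acl
user-role dept2-ctrl
   access-list session dept2-acl
```

    Each additional department repeats the same pattern: one switch role redirecting to one controller role, and one session ACL on that controller role denying the other departments before the final permit.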