My company still uses version 6 on its controllers. We’re looking to migrate of course to version 8 - but this will need some planning.
In the meantime, I have tunnelled mode on my switches (3810) tunnelling traffic to the controller.
I want to make multiple user roles on the controller that receives this tunnelled traffic. So I have one already that handles traffic a certain way, but I want to add hundreds more user roles where I can identify traffic by its source MAC address; then ClearPass tells that traffic on the controller to be in a different VLAN. Plan being to physically connect a new link from my controllers to a firewall and force the traffic that way.
I'm thinking of keeping the layer 3 information on the firewall and tunnelling everything to the controller and presenting it as layer 2 ... so we can control that traffic tightly for onward routing. There will be lots of new user roles to handle new devices that we can only identify by MAC address. Need to lock down this traffic with our controllers and firewall.
Hopefully that makes sense? Not sure if the above is only possible with version 8?
Yes, you will still have that functionality in version 8. Whether you perform MAC-Auth against RADIUS, or you set up some Server-Derived rules on the controller, you should be able to assign roles based on MAC.
Great - thanks
Is it something I can expand on in the current version 6? I only have one role for current tunnelled node users at present ... I really want to make a new role that puts them in a new VLAN on the controller ... I can then add a physical cable to a firewall and make the cable a member of this new VLAN. So essentially I want hundreds of new roles on this new physical connection, to then let the firewall handle the traffic. Literally get the controller to talk on a new physical link with lots of user roles (defined by MAC address) within this new physical connection?
Yes, you can tie a VLAN or a pool of VLANs to a user role. Is there a reason why each device will have to have its own role? Is there something that's going to be specific to each device?
Yes, I wanted to get a role and identify those users by MAC address. It's for different departments and some IoT type devices. I need each department to get its own subnet basically. So each one would have its own /24 subnet. I need to have them on individual subnets so it's easy to handle all the roles and rules from the firewall as to where they can go.
We have a large campus with hundreds of switches, so we're trying to centralise the admin for this task.
Tunnelled mode with multiple user roles and new VLANs to a separate firewall seems like the best way to isolate all this traffic?
I would have to agree. Sounds like a good plan.
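To make the design discussed above concrete (MAC-based role derivation, one VLAN per role, one /24 per department), here is an added Python model that is not part of the thread and not Aruba's or ClearPass's code. It assumes constructed role names, VLAN ids, MAC patterns and a 10.50.0.0/16 supernet; the point it demonstrates is first-match derivation with a quarantine role for any MAC no rule recognises, MAC notation normalisation (colon, dash and dot forms all compare equal), and a VLAN/subnet plan that refuses duplicate VLAN ids or an exhausted supernet.

```python
import ipaddress
import re

# Constructed sample policy for illustration; role names and VLAN ids are assumptions.
ROLE_VLANS = {
    "dept-finance": 110,
    "dept-hr": 111,
    "iot-cameras": 120,
    "quarantine": 999,   # catch-all for devices no rule recognises
}

# Constructed derivation rules: (operator, pattern, role), evaluated first-match
# in list order, the way a controller walks its derivation rules top to bottom.
DERIVATION_RULES = [
    ("equals", "00:11:22:33:44:55", "dept-finance"),   # one specific device
    ("starts-with", "00:11:22", "dept-hr"),             # a vendor OUI prefix
    ("starts-with", "aa-bb-cc", "iot-cameras"),
]

DEFAULT_ROLE = "quarantine"


def _hex_digits(mac: str) -> str:
    """Strip separators (':', '-', '.') and lowercase, so every MAC notation compares equal."""
    return re.sub(r"[^0-9a-fA-F]", "", mac).lower()


def normalize_mac(mac: str) -> str:
    """Return a full MAC as aa:bb:cc:dd:ee:ff, or raise ValueError if it is not 12 hex digits."""
    digits = _hex_digits(mac)
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def derive_role(mac: str) -> str:
    """First matching rule wins; anything unmatched lands in the quarantine role."""
    m = _hex_digits(normalize_mac(mac))
    for op, pattern, role in DERIVATION_RULES:
        p = _hex_digits(pattern)
        if op == "equals" and m == p:
            return role
        if op == "starts-with" and m.startswith(p):
            return role
    return DEFAULT_ROLE


def allocate_subnets(supernet: str, roles) -> dict:
    """Carve one /24 per role out of `supernet`, in the given order; raise if it runs out."""
    pool = ipaddress.ip_network(supernet).subnets(new_prefix=24)
    plan = {}
    for role in roles:
        try:
            plan[role] = next(pool)
        except StopIteration:
            raise ValueError(f"{supernet} has no /24 left for role {role!r}")
    return plan


def build_plan(supernet: str) -> dict:
    """Map every role to its VLAN and /24, after checking no two roles share a VLAN id."""
    vlans = list(ROLE_VLANS.values())
    if len(vlans) != len(set(vlans)):
        raise ValueError("two roles share a VLAN id")
    subnets = allocate_subnets(supernet, ROLE_VLANS)
    return {role: {"vlan": vid, "subnet": str(subnets[role])}
            for role, vid in ROLE_VLANS.items()}


if __name__ == "__main__":
    for dev in ("00-11-22-33-44-55", "0011.22aa.bbcc", "AA:BB:CC:00:00:01", "de:ad:be:ef:00:01"):
        print(f"{normalize_mac(dev)} -> {derive_role(dev)}")
    for role, entry in build_plan("10.50.0.0/16").items():
        print(f"{role:14} vlan {entry['vlan']:4} {entry['subnet']}")
```

Two design points carry over to the real controller and firewall config: put the most specific rule (a full MAC) above any OUI prefix rule, since the first match wins, and give unknown MACs an explicit low-privilege role and VLAN rather than letting them fall into the existing tunnelled-node role. Because a MAC address is an identifier a device presents rather than proves, the per-subnet firewall policy should be written as if any device in that VLAN could be an impostor, allowing only what that department or device class genuinely needs.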
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.