Working on setting up my first Branch controller: AOS 6.4.3.7 with Zero Touch configuration, a 7210 at the hub and a 7010 at the branch. I am using statically assigned subnets. Using NAT-T, the branch is receiving its configuration from the master. But I am unsure how to get the routing working. I cannot ping anything other than the controller management IP of the master from the branch. Is NAT-T all I need, or do I also have to set up the VPN in the smart config with ISAKMP and ESP?
From my corporate network I have routing for VLAN 124 and 125 working to the master 7210 controller. How do I get those routes to the branch, and have the branch route everything (0.0.0.0/0) back to the master?
Smart config below.
(FLRRG01-ArubaMRAP2) #show switches
All Switches
------------
IP Address Name Location Type Model Version Status Configuration State Config Sync Time (sec) Config ID
---------- ---- -------- ---- ----- ------- ------ ------------------- ---------------------- ---------
10.50.94.10 FLRRG01-ArubaMRAP2 Raleigh.NC master Aruba7210 6.4.3.7_53990 up UPDATE SUCCESSFUL 0 233
10.50.124.5 FLRZZ99-Aruba01 Building1.floor1 branch Aruba7010 6.4.3.7_53990 up UPDATE SUCCESSFUL 2 233
Total Switches:2
(FLRRG01-ArubaMRAP2) #
(FLRRG01-ArubaMRAP2) #
(FLRRG01-ArubaMRAP2) #
(FLRRG01-ArubaMRAP2) #show branch config name FLRZZ99-Aruba01
full-config-branch-config
controller-ip vlan 124
vlan 124
interface vlan 124
interface vlan 124 ip address 10.50.124.5 255.255.255.0
vlan 125
interface vlan 125
interface vlan 125 ip address 10.50.125.5 255.255.255.0
vlan 2199
interface vlan 2199
interface vlan 2199 ip address 10.50.126.5 255.255.255.0
service dhcp
ip dhcp excluded-address 10.50.124.1 10.50.124.16
ip dhcp excluded-address 10.50.124.250 10.50.124.254
ip dhcp pool ZZ99-BoC-Data-VLAN124
ip dhcp pool ZZ99-BoC-Data-VLAN124 default-router 10.x.x.x.
ip dhcp pool ZZ99-BoC-Data-VLAN124 dns-server 10.x.x.x
ip dhcp pool ZZ99-BoC-Data-VLAN124 domain-name domain.com
ip dhcp pool ZZ99-BoC-Data-VLAN124 network 10.50.124.0 255.255.255.0
ip dhcp excluded-address 10.50.125.1 10.50.125.16
ip dhcp excluded-address 10.50.125.250 10.50.125.254
ip dhcp pool ZZ99-BoC-Voice-VLAN125
ip dhcp pool ZZ99-BoC-Voice-VLAN125 default-router 10.x.x.x
ip dhcp pool ZZ99-BoC-Voice-VLAN125 dns-server 10.x.x.x.
ip dhcp pool ZZ99-BoC-Voice-VLAN125 domain-name doamin.com
ip dhcp pool ZZ99-BoC-Voice-VLAN125 network 10.50.125.0 255.255.255.0
ip dhcp excluded-address 10.50.126.1 10.50.126.16
ip dhcp excluded-address 10.50.126.250 10.50.126.254
ip dhcp pool ZZ99-BoC-NLAW101-VLAN2199
ip dhcp pool ZZ99-BoC-NLAW101-VLAN2199 default-router 10.x.x.x
ip dhcp pool ZZ99-BoC-NLAW101-VLAN2199 dns-server 10.x.x.x
ip dhcp pool ZZ99-BoC-NLAW101-VLAN2199 domain-name domain.com
ip dhcp pool ZZ99-BoC-NLAW101-VLAN2199 network 10.50.126.0 255.255.255.0
snmp-server community "****************"
syscontact "Alan Scott"
snmp-server host "10.x.x.x" version 2c "BoC-Test" udp-port "162"
vlan "RG01-ZZ99-BoC-Data-VLAN124" "124"
vlan "RG01-ZZ99-BoC-Voice-VLAN125" "125"
vlan "RG01-ZZ99-BoC-NLAW101-VLAN2199" "2199"
interface vlan 125
interface vlan 125 ip helper-address 10.x.x.x
interface vlan 125 description "RG01-ZZ99-BoC-Voice-VLAN125"
interface vlan 125 operstate up
interface vlan 2199
interface vlan 2199 ip helper-address 10.x.x.x
interface vlan 2199 description "RG01-ZZ99-BoC-NLAW101-VLAN2199"
interface vlan 2199 operstate up
interface vlan 124
interface vlan 124 ip helper-address 10.8.28.100
interface vlan 124 description "RG01-ZZ99-BoC-Data-VLAN124"
interface vlan 124 operstate up
ip route 10.0.0.0 255.0.0.0 10.50.124.10
interface gigabitethernet "0/0/0"
interface gigabitethernet "0/0/0" speed auto
interface gigabitethernet "0/0/0" duplex auto
interface gigabitethernet "0/0/0" switchport mode access
interface gigabitethernet "0/0/0" switchport access vlan 124
interface gigabitethernet "0/0/0" description "Data VLAN 124"
interface gigabitethernet "0/0/0" trusted
interface gigabitethernet "0/0/1"
interface gigabitethernet "0/0/1" speed auto
interface gigabitethernet "0/0/1" duplex auto
interface gigabitethernet "0/0/1" switchport mode access
interface gigabitethernet "0/0/1" switchport access vlan 125
interface gigabitethernet "0/0/1" description "Voice VLAN 125"
interface gigabitethernet "0/0/1" trusted
no ip route 10.0.0.0 255.0.0.0 ipsec "BoC-Test"
ip route 10.0.0.0 255.0.0.0 ipsec "default-boc-bm-ipsecmap"
ip radius source-interface vlan "124"
mgmt-server type amp primary-server 10.50.19.217 profile "default-amp"
crypto-local isakmp key "******" address 0.0.0.0 netmask 255.255.255.255
crypto-local isakmp key "********" address 5.5.5.5 netmask 255.255.255.255
crypto-local ipsec-map "BoC-Test" 100
crypto-local ipsec-map "BoC-Test" 100 no disable
crypto-local ipsec-map "BoC-Test" 100 pre-connect disable
crypto-local ipsec-map "BoC-Test" 100 trusted enable
crypto-local ipsec-map "BoC-Test" 100 force-natt disable
crypto-local ipsec-map "BoC-Test" 100 peer-ip 5.5.5.5 <<< The outside, publicly routable IP of my 7210
crypto-local ipsec-map "BoC-Test" 100 dst-net 10.0.0.0 255.0.0.0 <<< I want all 10. traffic to the 7210 hub.
crypto-local ipsec-map "BoC-Test" 100 src-net 10.50.124.0 255.255.254.0 <<< covers 2 of the 3 subnets at the branch
crypto-local ipsec-map "BoC-Test" 100 set transform-set "default-boc-bm-transform"
crypto-local ipsec-map "BoC-Test" 100 no set ca-certificate
crypto-local ipsec-map "BoC-Test" 100 no set server-certificate
ip domain-name "domain.com"
ip name-server 10.x.x.x
logging level warnings network
logging level warnings security
logging level warnings system
logging level warnings user
logging level warnings wireless
logging 10.50.19.3
mgmt-user "admin" "root" "******************************"
firewall dpi
branch config-id 24