Hello Ayman and community,
1) I checked the fundamentals guide and it is well documented for SD-WAN, but in 229 pages only two are about SD-Branch!!!!
It mentions "The configuration requirements for port-based tunneling in the branch is provided in a separate tech note that includes the details for configuring the ArubaOS switches, gateways, and the policies in Aruba ClearPass"
1.1) Where is this document? Is there any document detailing the full configuration on the Wi-Fi side for SD-Branch?
1.2) For the switch side, with port tunnel or user tunnel and with ClearPass, I see some documents and info, but for the Wi-Fi side on the branch I can't find a clear document with the full design architecture and recommendation. Also, there are additional challenges like stateful dot1x to intercept ClearPass roles for the Wi-Fi side... Is there any document covering the full architecture, with an example, configuration and best practices? I can't find it, and to me it seems urgent to document it and share it. Anyone?
https://www.arubanetworks.com/en-gb/resources/webinars/register/?commid=389048
1.3) For SD-Branch with ClearPass deployed centrally, I believe that user-based tunneling is always preferred, but for the ports where we have APs connected, again my doubt is about the recommendation and config?
4) OK. I agree to connect to BGW, but in many cases we have small branches where we put the 4x ports 9400 BGW and customers with Aruba APs and an unmanaged switch or other switches that don't support port tunneling. Also, BGW 9400 4x ports don't have PoE...
In that case, I would like to at least have some control and/or visibility on the wireless side and what is connected.
4.1) Can I configure the APs like IP-VPN or similar so that all Wi-Fi traffic is tunneled to the BGW and overlay, and put the policies there?
4.2) Also, we have 32x sessions possible in port switches and maybe on BGW. Can we use it in some way to get the result? Limitations?
4.3) At least, in the end, I would say that we can give visibility/fingerprinting to devices connected behind an unmanaged switch, if nothing else? Ideas on what we can do at this level and in such a scenario?
Thanks