Wired Intelligent Edge


Tunneled device connectivity through an unmanaged switch

  • 1.  Tunneled device connectivity through an unmanaged switch

    Posted Aug 22, 2022 10:59 AM
    I've recently upgraded my network to use 6200F switches which are configured to do MAC auth and download user roles from ClearPass.  The downloaded role can either assign a UBT role or a local vlan.   For the most part everything is working great but I've run into a scenario that I'm having a hard time troubleshooting.  If an unmanaged switch is connected to a port on the 6200F and multiple devices on that unmanaged switch receive the same UBT role they intermittently lose connectivity.  I haven't been able to verify it completely but it seems like if the devices ever try to talk to each other it breaks connectivity for both of them.  My theory is that the unmanaged switch is forwarding traffic between them directly and something about that is corrupting ARP tables on the 6200F.  Has anyone else experienced this issue or does anyone have ideas of things to try?   Again, if there's only one device connected to the port OR if each device connected to the unmanaged switch receives a different role then everything works perfectly.  Thanks!

    Here's an excerpt from my switch config:
    ubt-client-vlan 1000
    ubt zone gc vrf default
        primary-controller ip 192.168.102.13
        backup-controller ip 192.168.102.14
        sac-heartbeat-interval 5
        uac-keepalive-interval 5
        enable
    interface 1/1/1
        no shutdown
        lldp med location elin-addr GC
        no routing
        vlan access 44
        loop-protect
        aaa authentication port-access client-limit 32
        port-access allow-flood-traffic enable
        aaa authentication port-access mac-auth
            enable

    And here's a sample of a UBT role from ClearPass:
    CX_DUR_TUN_GC-3043-15
    port-access role Tunneled-Role
    gateway-zone zone gc gateway-role TUN_GC
    vlan access 1000


  • 2.  RE: Tunneled device connectivity through an unmanaged switch
    Best Answer

    EMPLOYEE
    Posted Aug 22, 2022 12:19 PM
    Your scenario seems unsupported: https://www.arubanetworks.com/techdocs/AOS-CX/10.09/HTML/fundamentals_6300-6400/Content/Chp_Dyn_Seg/use-bas-tun-10.-fl-ml.htm

    • PC behind an IP phone

      You should not have a PC and phone on the same VLAN on the same port when the PC is a UBT client and the phone is a non-UBT client. If you do, UBT clients broadcast/multicast packets will return to the same port and corrupt the phone MAC table.

    • Clients behind an L2 switch on the same VLAN

      You should not have clients behind an L2 switch in a UBT environment. If UBT and non-UBT clients are behind an L2 switch on the same VLAN, this will cause duplicate packets. Broadcast/multicast packets will be copied to the tunnel and locally, causing the client to receive duplicate packets and network instability.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Tunneled device connectivity through an unmanaged switch

    Posted Aug 22, 2022 01:09 PM
    Oh, boy.  That's going to cause me a TON of problems.  I don't know how I missed that detail the first time I read through it.  What are my options if I need to have multiple clients on the same vlan behind an L2 switch?

    Would VLAN-extended mode make any difference here?  From what I can tell, all bcast/mcast traffic in extended mode is basically just L2 traffic on the access switch and only ucast traffic is forwarded over the UAC tunnel.  In my testing with local vlans that seems to work pretty well.  I can work on a test setup for extended mode to see if it makes any difference.

    I could do VxLAN to tunnel all of the vlans to my edge switches and use DUR for local vlan assignments.  Doing that would require a TON of extra setup and I would lose a bunch of the advantages of UBT that I was counting on (like mDNS management and L3 uplink redundancy).

    In AOS-S switches there was an option for per-port tunneled node which wouldn't be ideal but could be an option.  Does AOS-CX have anything similar?

    Are there other options I'm missing?

    Thanks!


  • 4.  RE: Tunneled device connectivity through an unmanaged switch

    EMPLOYEE
    Posted Aug 23, 2022 03:07 AM
    Maybe good to work with your Aruba partner, Local Aruba SE, or Aruba Support to evaluate your options. Bringing this up may also help in getting it addressed in future versions.

    ------------------------------
    Herman Robers
    ------------------------



  • 5.  RE: Tunneled device connectivity through an unmanaged switch

    Posted Aug 23, 2022 11:04 AM
    When I ran into this issue I was in enough of a panic that I started this discussion, opened a TAC case, and reached out to my local SE all at the same time.

    What I've discovered through tests in my lab is that Extended VLAN mode seems to solve these issues.  According to the document you sent, Aruba doesn't want you to use L2 switches in a UBT environment regardless of the mode used.  I don't really care what the document says, though, because it works and I don't have any other good options.  I'll work with my local SE to push for this to be a supported configuration in the future.

    For anyone reading this in the future, here's how I changed my setup to move from Local VLAN mode to Extended VLAN mode.  First, the switch config:
    vlan 1,102,160
    ubt-mode vlan-extend
    ubt zone gc vrf default
        primary-controller ip 192.168.102.13
        backup-controller ip 192.168.102.14
        sac-heartbeat-interval 5
        uac-keepalive-interval 5
        enable
    interface 1/1/1
        no shutdown
        no routing
        vlan access 44
        loop-protect
        aaa authentication port-access client-limit 32
        port-access allow-flood-traffic enable
        aaa authentication port-access mac-auth
            enable
    And also the role from ClearPass:
    CX_DUR_TUN_GC_X10-3070-2
    port-access role Tunneled-Role
    gateway-zone zone gc gateway-role TUN_GC
    vlan access 160

    The two big changes are 1) any VLANs that clients will be on need to exist on the switch, but they should NOT be included on any uplinks, and 2) the role from ClearPass must assign the client vlan on the switch itself.

    Doing Extended VLAN mode like this allows the edge switch to handle all the bcast/mcast traffic locally, which allows it to not duplicate packets when an L2 switch is involved.  That seems to solve the instability issues.
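As an added example (not from the thread, and not Aruba tooling), a small Python lint that checks a saved AOS-CX config, with the ClearPass role text appended, against the two requirements listed in the post above: every VLAN a tunneled role assigns locally must be defined on the switch and must not appear in any uplink's `vlan trunk allowed` list, and `ubt-mode vlan-extend` must be set. The sample configs and the uplink interface 1/1/28 are constructed.

```python
"""Check an AOS-CX config plus the ClearPass-downloaded role text for the two
Extended VLAN mode requirements. Added example; sample configs are constructed."""
import re

def expand_vlans(spec: str) -> set[int]:
    """'1,102,160-162' -> {1, 102, 160, 161, 162}"""
    parts = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in parts for v in range(int(lo), int(hi or lo) + 1)}

def check_ubt_extended(config: str) -> list[str]:
    """Return findings; an empty list means both requirements are met."""
    defined, trunked, role_vlans, ctx, findings = set(), {}, {}, None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():           # unindented line starts a new block
            ctx = None
        if ctx is None and (m := re.fullmatch(r"vlan ([\d,-]+)", line)):
            defined |= expand_vlans(m[1])  # global VLAN definitions
        elif line.startswith(("interface ", "port-access role ")):
            ctx = (line.split()[0], line.split()[-1])   # block kind and name
        elif (m := re.fullmatch(r"vlan trunk allowed ([\d,-]+)", line)) and ctx:
            for v in expand_vlans(m[1]):   # VLAN carried on an uplink trunk
                trunked[v] = ctx[1]
        elif (m := re.fullmatch(r"vlan access (\d+)", line)) and ctx and ctx[0] == "port-access":
            role_vlans[ctx[1]] = int(m[1]) # local VLAN assigned by a role
    if "ubt-mode vlan-extend" not in config:
        findings.append("ubt-mode vlan-extend is not configured")
    for role, v in role_vlans.items():
        if v not in defined:
            findings.append(f"role {role}: vlan {v} is not defined on the switch")
        if v in trunked:
            findings.append(f"role {role}: vlan {v} is carried on uplink {trunked[v]}")
    return findings

# Constructed sample following the post's excerpt; ClearPass role text appended.
GOOD = """\
vlan 1,102,160
ubt-mode vlan-extend
interface 1/1/1
    vlan access 44
interface 1/1/28
    vlan trunk allowed 1,102
port-access role Tunneled-Role
    gateway-zone zone gc gateway-role TUN_GC
    vlan access 160
"""
# Same switch left in Local VLAN mode, with VLAN 160 also trunked on the uplink.
BAD = GOOD.replace("ubt-mode vlan-extend\n", "").replace("allowed 1,102", "allowed 1,102,160")
```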