When I ran into this issue I was in enough of a panic that I started this discussion, opened a TAC case, and reached out to my local SE all at the same time.
What I've discovered through tests in my lab is that Extended VLAN mode seems to solve these issues. According to the document you sent, Aruba doesn't want you to use L2 switches in a UBT environment regardless of the mode used. I don't really care what the document says, though, because it works and I don't have any other good options. I'll work with my local SE to push for this to be a supported configuration in the future.
For anyone reading this in the future, here's how I changed my setup to move from Local VLAN mode to Extended VLAN mode. First, the switch config:
vlan 1,102,160
ubt-mode vlan-extend
ubt zone gc vrf default
    primary-controller ip 192.168.102.13
    backup-controller ip 192.168.102.14
    sac-heartbeat-interval 5
    uac-keepalive-interval 5
    enable
interface 1/1/1
    no shutdown
    no routing
    vlan access 44
    loop-protect
    aaa authentication port-access client-limit 32
    port-access allow-flood-traffic enable
    aaa authentication port-access mac-auth
        enable
And also the role from ClearPass:
CX_DUR_TUN_GC_X10-3070-2
port-access role Tunneled-Role
    gateway-zone zone gc gateway-role TUN_GC
    vlan access 160
The two big changes are: 1) any VLANs that clients will be on need to exist on the switch, but they should NOT be included on any uplinks; and 2) the role from ClearPass must assign the client VLAN on the switch itself.
Doing Extended VLAN mode like this allows the edge switch to handle all the bcast/mcast traffic locally, which allows it to not duplicate packets when an L2 switch is involved. That seems to solve the instability issues.
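A quick way to check a config against the two changes described above, added here as an example and not the poster's or Aruba's own tooling: it reads switch and role text in the form shown in this thread and flags a client VLAN that is missing from the global vlan line, is allowed on a trunk, or is not assigned by the role at all. The uplink stanza (interface 1/1/52) is a constructed addition, and AOS-CX's `vlan trunk allowed` syntax is assumed for uplinks.

```python
import re

# Constructed sample: the post's switch config plus a hypothetical uplink (interface 1/1/52).
SWITCH_CONFIG = """\
vlan 1,102,160
ubt-mode vlan-extend
interface 1/1/52
    vlan trunk allowed 1,102
"""

# Constructed sample: the ClearPass downloadable role shown in the post.
ROLE_CONFIG = """\
port-access role Tunneled-Role
    gateway-zone zone gc gateway-role TUN_GC
    vlan access 160
"""

def parse_vlan_list(spec):
    """Expand an AOS-CX VLAN list such as '1,102,160' or '100-102' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def vlans_matching(config, pattern):
    """Union of the VLAN lists captured as group 1 by `pattern` on each line of `config`."""
    found = set()
    for m in re.finditer(pattern, config, re.M):
        found |= parse_vlan_list(m.group(1))
    return found

def check_extended_vlan_mode(switch_config, role_config):
    """Return findings for the thread's two prerequisites; an empty list means both hold."""
    findings = []
    if not re.search(r"^ubt-mode vlan-extend\s*$", switch_config, re.M):
        findings.append("ubt-mode vlan-extend is not set")
    # Change 2: the downloaded role itself must assign the client VLAN.
    assigned = vlans_matching(role_config, r"^\s+vlan access (\d+)\s*$")
    if not assigned:
        findings.append("role does not assign a client VLAN with 'vlan access'")
    # Change 1: client VLANs must exist globally but stay off every trunk uplink.
    declared = vlans_matching(switch_config, r"^vlan ([\d,\-]+)\s*$")
    trunked = vlans_matching(switch_config, r"^\s+vlan trunk allowed ([\d,\-]+)\s*$")
    for v in sorted(assigned - declared):
        findings.append(f"VLAN {v} is assigned by the role but not declared on the switch")
    for v in sorted(assigned & trunked):
        findings.append(f"VLAN {v} is a client VLAN but is allowed on a trunk uplink")
    return findings
```

Feed it the output of `show running-config` and the role text as downloaded; the sample passes cleanly, and adding 160 to the trunk's allowed list produces the uplink finding.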
Original Message:
Sent: Aug 23, 2022 03:06 AM
From: Herman Robers
Subject: Tunneled device connectivity through an unmanaged switch
Maybe good to work with your Aruba partner, Local Aruba SE, or Aruba Support to evaluate your options. Bringing this up may also help in getting it addressed in future versions.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Aug 22, 2022 01:08 PM
From: David King
Subject: Tunneled device connectivity through an unmanaged switch
Oh, boy. That's going to cause me a TON of problems. I don't know how I missed that detail the first time I read through it. What are my options if I need to have multiple clients on the same vlan behind an L2 switch?
Would VLAN-extended mode make any difference here? From what I can tell, all bcast/mcast traffic in extended mode is basically just L2 traffic on the access switch and only ucast traffic is forwarded over the UAC tunnel. In my testing with local vlans that seems to work pretty well. I can work on a test setup for extended mode to see if it makes any difference.
I could do VXLAN to tunnel all of the VLANs to my edge switches and use DUR for local VLAN assignments. Doing that would require a TON of extra setup and I would lose a bunch of the advantages of UBT that I was counting on (like mDNS management and L3 uplink redundancy).
In AOS-S switches there was an option for per-port tunneled node, which wouldn't be ideal but could be an option. Does AOS-CX have anything similar?
Are there other options I'm missing?
Thanks!
Original Message:
Sent: Aug 22, 2022 12:18 PM
From: Herman Robers
Subject: Tunneled device connectivity through an unmanaged switch
Your scenario seems unsupported: https://www.arubanetworks.com/techdocs/AOS-CX/10.09/HTML/fundamentals_6300-6400/Content/Chp_Dyn_Seg/use-bas-tun-10.-fl-ml.htm
- PC behind an IP phone
You should not have a PC and phone on the same VLAN on the same port when the PC is a UBT client and the phone is a non-UBT client. If you do, UBT clients' broadcast/multicast packets will return to the same port and corrupt the phone MAC table.
- Clients behind an L2 switch on the same VLAN
You should not have clients behind an L2 switch in a UBT environment. If UBT and non-UBT clients are behind an L2 switch on the same VLAN, this will cause duplicate packets. Broadcast/multicast packets will be copied to the tunnel and locally, causing the client to receive duplicate packets and network instability.
Original Message:
Sent: Aug 22, 2022 10:59 AM
From: David King
Subject: Tunneled device connectivity through an unmanaged switch
I've recently upgraded my network to use 6200F switches, which are configured to do MAC auth and download user roles from ClearPass. The downloaded role can either assign a UBT role or a local VLAN. For the most part everything is working great, but I've run into a scenario that I'm having a hard time troubleshooting. If an unmanaged switch is connected to a port on the 6200F and multiple devices on that unmanaged switch receive the same UBT role, they intermittently lose connectivity. I haven't been able to verify it completely, but it seems like if the devices ever try to talk to each other it breaks connectivity for both of them. My theory is that the unmanaged switch is forwarding traffic between them directly and something about that is corrupting ARP tables on the 6200F. Has anyone else experienced this issue, or does anyone have ideas of things to try? Again, if there's only one device connected to the port OR if each device connected to the unmanaged switch receives a different role, then everything works perfectly. Thanks!
Here's an excerpt from my switch config:
ubt-client-vlan 1000
ubt zone gc vrf default
    primary-controller ip 192.168.102.13
    backup-controller ip 192.168.102.14
    sac-heartbeat-interval 5
    uac-keepalive-interval 5
    enable
interface 1/1/1
    no shutdown
    lldp med location elin-addr GC
    no routing
    vlan access 44
    loop-protect
    aaa authentication port-access client-limit 32
    port-access allow-flood-traffic enable
    aaa authentication port-access mac-auth
        enable
And here's a sample of a UBT role from ClearPass:
CX_DUR_TUN_GC-3043-15
port-access role Tunneled-Role
    gateway-zone zone gc gateway-role TUN_GC
    vlan access 1000