Question- What is the purpose of iap trusted-branch-db?
Why are locally managed IAPs unable to form a tunnel to the controller?
Environment- This feature was tested with ArubaOS 6.4.2.4 and Aruba Instant 4.1.1.1.
Answer-
With a controller running ArubaOS 6.4, there is an additional security option, "iap trusted-branch-db", to prevent any rogue device from forming a tunnel to the controller.
Note :: This feature is in addition to the "rap whitelist-db" entry, which remains mandatory.
Below are the possible scenarios ::
1. When the IAP is configured by an external management platform, i.e. Central / AirWave, it can be assumed that the device is coming up because of the network admin's configuration (and is not a rogue device). In this case there is no need for a trusted-branch-db entry for the device on the controller, as such devices are automatically whitelisted.
(Aruba7220) #show whitelist-db rap
AP-entry Details
----------------
Name AP-Group AP-Name Full-Name Authen-Username Revoke-Text AP_Authenticated Description Date-Added Enabled Remote-IP
---- -------- ------- --------- --------------- ----------- ---------------- ----------- ---------- ------- ---------
9c:1c:12:c5:b7:f4 default 9c:1c:12:c5:b7:f4 Provisioned Tue Feb 24 00:13:34 2015 Yes 0.0.0.0
AP Entries: 1
(Aruba7220) #show vpdn l2tp local pool
IP addresses used in pool 1.1.1.1
1.1.1.100
Total:-
1 IPs used - 0 IPs free - 1 IPs configured
IP pool allocations / de-allocations - L2TP: 0/0 IKE: 19/0
(Aruba7220) #show iap trusted-branch-db
Trusted Branch Validation: Enabled
IAP Trusted Branch Table
------------------------
(empty)
------- <--- No entry present
(Aruba7220) #show iap table long
Trusted Branch Validation: Disabled
IAP Branch Table
----------------
Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan Key Bid(Subnet Name) Tunnel End Points
---- -------------- ------ -------- --------------- ------------- --- ---------------- -----------------
MyLab 9c:1c:12:c5:b7:f4 UP 1.1.1.100 1e7902250106bbedc3b81fe62a665eb8aea1b7e2a47459cca8 10.29.163.30
Total No of UP Branches : 1
Total No of DOWN Branches : 0
Total No of Branches : 1
2. When the IAP is locally managed, i.e. configured directly through the IAP UI / CLI, there is a possibility that a rogue device could set up a tunnel to the controller. Hence, an entry for the device is needed in "iap trusted-branch-db" (or allow-all must be enabled).
With the same IAP switched to locally managed mode ::
(Aruba7220) #show log errorlog 4
Feb 24 01:03:34 <Process 342001> <ERRS> |IAP manager Pro| !!! Not a trusted branch - '9c1c12c5b7f4';remove this entry from white-list !!! <-- The auto-whitelist entry is removed.
(Aruba7220) #show iap table long
Trusted Branch Validation: Enabled
IAP Branch Table
----------------
Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan Key Bid(Subnet Name) Tunnel End Points
---- -------------- ------ -------- --------------- ------------- --- ---------------- -----------------
MyLab 9c:1c:12:c5:b7:f4 DOWN 0.0.0.0 1e7902250106bbedc3b81fe62a665eb8aea1b7e2a47459cca8
After adding the trusted-branch-db entry (here, allow-all is enabled) ::
(Aruba7220) #show iap trusted-branch-db
Trusted Branch Validation: Disabled
IAP Trusted Branch Table
------------------------
Branch MAC
----------
(allow all as trusted branch)
(Aruba7220) #show iap table long
Trusted Branch Validation: Disabled
IAP Branch Table
----------------
Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan Key Bid(Subnet Name) Tunnel End Points
---- -------------- ------ -------- --------------- ------------- --- ---------------- -----------------
MyLab 9c:1c:12:c5:b7:f4 UP 1.1.1.100 1e7902250106bbedc3b81fe62a665eb8aea1b7e2a47459cca8 10.29.163.30
Total No of UP Branches : 1
Total No of DOWN Branches : 0
Total No of Branches : 1
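To turn the checks in scenarios 1 and 2 into something repeatable, the following added helper (not part of the article or of ArubaOS; written for this page) parses pasted output of "show whitelist-db rap", "show iap trusted-branch-db" and "show iap table long" and states, for every DOWN branch, which of the two entries is missing. The sample output it ships with is constructed to mirror scenario 2 above, not captured from a controller.

```python
"""Added troubleshooting helper: correlate controller 'show' output to explain a DOWN IAP branch."""
import re

MAC_RE = re.compile(r"\b[0-9a-f]{2}(?::[0-9a-f]{2}){5}\b", re.I)

def norm(mac):
    """Lower-case colon form, so the log's '9c1c12c5b7f4' matches the table's '9c:1c:12:c5:b7:f4'."""
    h = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

def parse_macs(text):
    """All MAC addresses in a 'show whitelist-db rap' or 'show iap trusted-branch-db' dump."""
    return {norm(m) for m in MAC_RE.findall(text)}

def parse_trusted_db(text):
    """(validation enabled?, allow-all set?, explicitly trusted MACs) from 'show iap trusted-branch-db'."""
    return ("Validation: Enabled" in text, "allow all" in text.lower(), parse_macs(text))

def parse_iap_table(text):
    """(branch name, VC MAC, status) for every data row of 'show iap table long'."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+([0-9a-f:]{17})\s+(UP|DOWN)\b", line.strip(), re.I)
        if m:
            rows.append((m.group(1), norm(m.group(2)), m.group(3).upper()))
    return rows

def diagnose(iap_table, trusted_db, rap_whitelist):
    """Map each branch to 'UP' or a 'DOWN: <reason>' string based on the two whitelists."""
    enabled, allow_all, trusted = parse_trusted_db(trusted_db)
    whitelisted = parse_macs(rap_whitelist)
    verdicts = {}
    for name, mac, status in parse_iap_table(iap_table):
        reasons = []
        if mac not in whitelisted:
            reasons.append("no rap whitelist-db entry (mandatory)")
        if enabled and not allow_all and mac not in trusted:
            reasons.append("not in iap trusted-branch-db and allow-all is off")
        detail = "; ".join(reasons) or "whitelisted and trusted, look elsewhere"
        verdicts[name] = "UP" if status == "UP" else "DOWN: " + detail
    return verdicts

# Constructed sample output modelled on scenario 2 (not captured from a real controller).
SAMPLE_TRUSTED = "Trusted Branch Validation: Enabled\nIAP Trusted Branch Table\n(empty)\n"
SAMPLE_WHITELIST = ("Name AP-Group AP-Name ...\n"
                    "9c:1c:12:c5:b7:f4 default 9c:1c:12:c5:b7:f4 Provisioned Tue Feb 24 00:13:34 2015 Yes 0.0.0.0\n")
SAMPLE_IAP_TABLE = ("Name VC MAC Address Status Inner IP ...\n"
                    "MyLab 9c:1c:12:c5:b7:f4 DOWN 0.0.0.0 1e7902250106bbedc3b81fe62a665eb8aea1b7e2a47459cca8\n")

if __name__ == "__main__":
    for branch, verdict in diagnose(SAMPLE_IAP_TABLE, SAMPLE_TRUSTED, SAMPLE_WHITELIST).items():
        print(branch, "->", verdict)
```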