This article applies to MAS switch 7.2 and above.
When MAS is integrated with a Mobility Controller, the controller and the wired clients can be on disconnected networks. To overcome this, AirGroup support for wired clients has been introduced in the MAS series. This also optimizes traffic by stopping the unwanted flooding of mDNS packets in the VLAN.
- Wired VLANs for which AirGroup support should be enabled are extended to the Mobility Controller by creating an L2 GRE tunnel between the MAS and the controller.
- mDNS packets in the wired network are tunneled to the Mobility Controller using a stateless access list (applied to an interface or a user-role) on the MAS.
- ArubaOS for MAS 7.2 has introduced support for L2 GRE tunnels and a new action under stateless ACLs, “redirect” to a GRE tunnel.
Things to Remember
- Identify the vlans which need to support Aruba Airgroup functionality.
- Create Switching-profile for extending all of them to Mobility controller.
- Add the switching-profile to the tunnel interface on the switch side, and add “tunnel vlan” to the tunnel interface on the Mobility Controller side.
- Create stateless ACL with MDNS redirect in MAS. If the ACL is to be applied in port, create rules for other kinds of traffic too.
- Apply MDNS redirect ACL directly to port or to a user-role.
- If the controller (for AirGroup) and the MAS are on the same Layer 2 subnet, the L2 GRE tunnel is not required.
- When creating the stateless access-list for the mDNS redirect rule, be sure to include explicit “permit” rule(s) for any non-mDNS traffic.
- Keep the L2 GRE tunnel at the controller side as “Trusted”.
- Enable AirGroup functionality on the controller using the command “air-group enable”.
Typical environment in which customers want AirGroup support through integration of the controller and the MAS switch.
Network Topology:
- All VLANs which need AirGroup support must also be created on the Mobility Controller side.
- On the MAS side, the new switching-profile MDNS-TUNNEL should be used under the GRE tunnel.
- On the Mobility Controller side, use the command “tunnel vlan” under the GRE tunnel to add the AirGroup VLANs.
- On the Mobility Controller side, creating the GRE tunnel needs the following commands.
Create a switching-profile for the VLANs which need AirGroup support:
(ArubaS3500) (config) #interface-profile switching-profile MDNS-TUNNEL
(ArubaS3500) (config) (MDNS-TUNNEL)#switchport-mode trunk
(ArubaS3500) (config) (MDNS-TUNNEL)#trunk allowed vlan <vlan-list>
L2 GRE tunnel between the Mobility Controller and the MAS to extend the VLANs:
(ArubaS3500) (config) #interface tunnel ethernet <tunnel-id>
(ArubaS3500) (tunnel) #source-ip <source-tunnel-ip>
(ArubaS3500) (tunnel) #destination-ip <destination-tunnel-ip>
(ArubaS3500) (tunnel) #switching-profile MDNS-TUNNEL
(ArubaS3500) (tunnel) #keepalive <Tunnel heartbeat interval>
1. Before you apply the redirect ACL to a port, you must add explicit allow rules to the mDNS redirect ACL to permit non-mDNS traffic.
2. The redirect rule should be placed in the first position so that mDNS traffic is redirected before being matched against other rules.
3. If a user-role is used, that user-role must then be added to the AAA profile for the ACL to take effect.
4. Add the mDNS redirect ACL at position one of the user-role.
A stateless access-list with the mDNS redirect rule can be configured as follows:
(ArubaS3500) (config) #ip access-list stateless MDNS-REDIR
(ArubaS3500) (config-MDNS-REDIR)#any any udp 5353 redirect tunnel <L2-GRE tunnel ID>
(ArubaS3500) (config-MDNS-REDIR)#<explicit “permit” rules for non-mDNS traffic>
(ArubaS3500) (config) #interface gigabitethernet 0/0/10
(ArubaS3500) (gigabitethernet) #ip access-group in MDNS-REDIR
(ArubaS3500) (config) #user-role <role-name>
(ArubaS3500) (config-role) #access-list stateless MDNS-REDIR position 1
There can be multiple switches from the same L2 network with L2 GRE tunnels terminating at a single controller. This may generate inter-tunnel flooding, resulting in loops within the switch network. To avoid this scenario, disable inter-tunnel flooding on both the switch and the controller.
(ArubaS3500) (config) #interface tunnel ethernet <tunnel-id>
(ArubaS3500) (tunnel) #no inter-tunnel-flooding
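As an added check that is not part of this article or of Aruba's own tooling, the following Python script lints a saved MAS running-config excerpt against the rules above: the mDNS redirect rule must be first in the ACL, an ACL applied to a port needs an explicit permit rule, and the target tunnel must have inter-tunnel flooding disabled. The sample config and the assumption that indented lines belong to the preceding top-level line are constructed for this example.

```python
import re
# Constructed MAS running-config excerpt (not a capture from a real switch).
SAMPLE_CONFIG = """\
interface tunnel ethernet 1
  switching-profile MDNS-TUNNEL
  no inter-tunnel-flooding
!
ip access-list stateless MDNS-REDIR
  any any udp 5353 redirect tunnel 1
  any any any permit
!
interface gigabitethernet 0/0/10
  ip access-group in MDNS-REDIR
"""

def parse_blocks(config):
    """Map each top-level config line to its indented sub-lines ('!' closes a block)."""
    blocks, header = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            header = None
        elif not raw[0].isspace():
            header = line
            blocks.setdefault(header, [])
        elif header is not None:
            blocks[header].append(line)
    return blocks

def check_mdns_redirect(config, acl="MDNS-REDIR"):
    """Check the article's rules for an mDNS redirect ACL; returns findings (empty = OK)."""
    b, findings = parse_blocks(config), []
    rules = b.get(f"ip access-list stateless {acl}")
    if rules is None: return [f"stateless ACL {acl} is not defined"]
    redir = [i for i, r in enumerate(rules) if re.search(r"udp 5353 redirect tunnel \d+$", r)]
    if not redir: return [f"{acl} has no mDNS redirect rule"]
    if redir[0] != 0:
        findings.append("mDNS redirect rule is not the first rule in the ACL")
    tid = rules[redir[0]].rsplit(" ", 1)[1]  # tunnel id the rule redirects to
    on_port = any(f"ip access-group in {acl}" in v
                  for h, v in b.items() if h.startswith("interface gigabitethernet"))
    if on_port and not any(r.endswith(" permit") for r in rules):
        findings.append("ACL is applied to a port but has no explicit permit rule; non-mDNS traffic is dropped")
    tun = b.get(f"interface tunnel ethernet {tid}")
    if tun is None:
        findings.append(f"redirect target tunnel {tid} does not exist")
    elif "no inter-tunnel-flooding" not in tun:
        findings.append(f"tunnel {tid} still has inter-tunnel flooding enabled (loop risk)")
    return findings
```

Run it against the output of `show running-config` saved to a file; an empty list means the ACL, port binding and tunnel follow the rules in this article.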
Use the following to verify that AirGroup support is working for the MAS switch integrated with the controller.
show interface-profile switching-profile MDNS-TUNNEL
Check show running-config on both the MAS and the controller to make sure AirGroup is enabled on the controller and the configuration is present on the MAS.
A packet capture can also be taken by mirroring the controller and MAS switch ports and filtering for mDNS packets.
At MAS side
- show acl acl-table
- show acl ace-table acl <ACL#>
- show datapath dpe acl hits <ACL#>
- show interface tunnel <id>
At Controller side
- show interface tunnel <id>
- show airgroup status
- show airgroup cache entries