This article explains the changes that must be made to a Virtual Controller (VC) template before using it to configure another VC.
Please note that:
>>This is the standard Aruba Instant Configuration template.
>>DO NOT over-write this file
>>Copy & paste this configuration into a new txt file
>>Edit lines in <> as required
Environment:
In a wireless network deployment, one might have several Virtual Controllers placed in different locations.
Using AirWave, we can configure all the VCs from a standard or default template.
Below is a standard template where the changes to be made are in bold and italics.
Depending on the network where the VC is being deployed, other changes might also have to be made to accommodate the VC in the network.
But for basic configuration the below template will be useful.
version 6.2.1.0-3.3.0
virtual-controller-country <insert 2 character ISO country code here>
virtual-controller-key %guid%
%if ip_address%
virtual-controller-ip %ip_address%
%endif%
%if organization%
organization %organization%
%endif%
%if syslog_server%
syslog-server %syslog_server%
%endif%
ams-ip %manager_ip_address%
ams-key %password%
%server_cert_checksum%
%ca_cert_checksum%
%cert_psk%
name %hostname%
clock timezone %clock_timezone%
rf-band %rf_band%
dynamic-radius-proxy
ams-identity 844460756981198a0fa95e406bd32caf
allow-new-aps
%allowed_aps%
snmp-server community 52064c5c0147bf3bd859b1b9cebe1fa656029b77855817e1
snmp-server community 1cd0feb0f314c424291fb625124e4914d4c6c49ebf107309
arm
wide-bands 5ghz
a-channels 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,36+,44+,52+,60+,100+,108+,116+,124+,132+
g-channels 1,6,11
min-tx-power 15
max-tx-power 127
band-steering-mode prefer-5ghz
air-time-fairness-mode default-access
client-aware
scanning
syslog-level error ap-debug
syslog-level error network
syslog-level error security
syslog-level error system
syslog-level error user
syslog-level error user-debug
syslog-level error wireless
mgmt-user netops kcswitch
wlan access-rule default_wired_port_profile
rule any any match any any any permit
wlan access-rule guestnet
rule any any match any any any permit
wlan access-rule w197330c513592e
rule any any match any any any permit
wlan access-rule wired-instant
rule %ip_address% 255.255.255.255 match tcp 80 80 permit
rule %ip_address% 255.255.255.255 match tcp 4343 4343 permit
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit
wlan ssid-profile w197330c513592e
! enable
type employee
essid w197330c513592e
opmode wpa2-aes
! opmode wpa-tkip,wpa-aes,wpa2-aes,wpa2-tkip
! use the above opmode only when needing to support handhelds which do not support WPA2-AES
max-authentication-failures 0
vlan 1 <change VLAN number if using VLAN other than 1>
auth-server <primary windows RADIUS server name - must match WLAN auth server in "Primary RADIUS Server" section below>
auth-server <backup windows RADIUS server name - must match WLAN auth server in "Backup RADIUS Server" section below>
rf-band all
captive-portal disable
dtim-period 1
inactivity-timeout 1000
broadcast-filter arp
g-min-tx-rate 5
multicast-rate-optimization
dynamic-multicast-optimization
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
wlan ssid-profile guestnet
! enable
type employee
essid guestnet
opmode opensystem
max-authentication-failures 0
vlan 499 <change if different>
rf-band all
captive-portal disable
hide-ssid
dtim-period 1
inactivity-timeout 1000
broadcast-filter arp
g-min-tx-rate 5
multicast-rate-optimization
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
auth-survivability cache-time-out 24
mgmt-auth-server ustccsec2
mgmt-auth-server ustwa010
mgmt-auth-server-local-backup
!This is the Global TACACS server - do not change
wlan auth-server ustccsec2
ip 165.28.96.150
port 1812
acctport 1813
key 5d4f50485e4f50483dd092dc0cb96429addc59f2863b1d3ed3de9ec3cc9bb599
!This is the Global TACACS server - do not change
wlan auth-server ustwa010
ip 165.28.32.146
port 1812
acctport 1813
key 5d4f50485e4f50483dd092dc0cb96429addc59f2863b1d3ed3de9ec3cc9bb599
!This is the Primary RADIUS Server for Enterprise network authentication
wlan auth-server <primary RADIUS server name>
ip <ip address>
port 1812
acctport 1813
key 5d4f50485e4f504817a6a8fe41d1544f918ec7062fa1489c79ab3480af6dbfc1
!This is the Backup RADIUS Server for Enterprise network authentication
wlan auth-server <Backup RADIUS server name>
ip <ip address>
port 1812
acctport 1813
key 5d4f50485e4f504817a6a8fe41d1544f918ec7062fa1489c79ab3480af6dbfc1
wlan external-captive-portal
server localhost
port 80
url "/"
auth-text "Authenticated"
blacklist-time 3600
auth-failure-blacklist-time 3600
ids
wireless-containment none
wired-port-profile default_wired_port_profile
switchport-mode trunk
allowed-vlan 1,499 <edit allowed VLANs if different>
native-vlan 1 <edit if requirement is different>
no shutdown
access-rule-name default_wired_port_profile
speed auto
duplex full
poe
type employee
captive-portal disable
no dot1x
wired-port-profile wired-instant
access-rule-name wired-instant
allowed-vlan all
captive-portal disable
no dot1x
duplex auto
native-vlan guest
no poe
no shutdown
speed auto
switchport-mode access
type guest
enet0-port-profile default_wired_port_profile
enet1-port-profile default_wired_port_profile
enet2-port-profile default_wired_port_profile
enet3-port-profile wired-instant
enet4-port-profile wired-instant
uplink
preemption
enforce none
failover-internet-pkt-lost-cnt 10
failover-internet-pkt-send-freq 30
failover-vpn-timeout 180
airgroup
disable
airgroupservice airplay
disable
description AirPlay
id _airplay._tcp
id _raop._tcp
airgroupservice airprint
disable
description AirPrint
id _ipp._tcp
id _pdl-datastream._tcp
id _printer._tcp
id _scanner._tcp
id _universal._sub._ipp._tcp
id _printer._sub._http._tcp
id _http._tcp
id _http-alt._tcp
id _ipp-tls._tcp
id _fax-ipp._tcp
id _riousbprint._tcp
id _cups._sub._ipp._tcp
id _cups._sub._fax-ipp._tcp
id _ica-networking._tcp
id _ptp._tcp
id _canon-bjnp1._tcp
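A pre-flight check for an edited copy of the template above, added here as an example (it is not part of the original article or of any Aruba/AirWave tooling). It reports leftover <...> markers, SSID auth-server names that have no matching "wlan auth-server" stanza, and SSID VLANs missing from the allowed-vlan list of default_wired_port_profile. The function name preflight, the sample server names and addresses, and the rule that every SSID VLAN must be on that trunk are assumptions made for the example.

```python
import re

PLACEHOLDER = re.compile(r"<[^<>]+>")          # the template's "edit me" markers
UPLINK_PROFILE = "default_wired_port_profile"  # trunk profile name used on this page

def preflight(template):
    """Return a list of findings for a filled-in copy of the template."""
    findings, servers, refs, vlans, allowed = [], set(), [], [], {}
    stanza = ("", "")
    for no, raw in enumerate(template.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue                           # blank line or "!" comment
        if PLACEHOLDER.search(raw):            # %name% AirWave variables never match
            findings.append(f"line {no}: unedited placeholder: {raw.strip()}")
            continue
        key, arg = words[0], (words[1] if len(words) > 1 else "")
        if key == "wlan":                      # "wlan <kind> [<name>]" opens a stanza
            stanza = (arg, words[2] if len(words) > 2 else "")
            if arg == "auth-server":
                servers.add(stanza[1])
        elif key == "wired-port-profile":
            stanza = (key, arg)
        elif stanza[0] == "ssid-profile" and key == "auth-server":
            refs.append((no, stanza[1], arg))
        elif stanza[0] == "ssid-profile" and key == "vlan":
            vlans.append((no, stanza[1], arg))
        elif stanza[0] == "wired-port-profile" and key == "allowed-vlan":
            allowed[stanza[1]] = set(arg.split(","))
    for no, ssid, name in refs:
        if name not in servers:
            findings.append(f"line {no}: ssid {ssid}: auth-server {name} has no wlan auth-server stanza")
    trunk = allowed.get(UPLINK_PROFILE, {"all"})  # assumption: no list means no restriction
    for no, ssid, vlan in vlans:
        if "all" not in trunk and vlan not in trunk:
            findings.append(f"line {no}: ssid {ssid}: vlan {vlan} not in {UPLINK_PROFILE} allowed-vlan")
    return findings

# Constructed sample: an excerpt of an edited template with three mistakes left in.
SAMPLE = """wlan ssid-profile corp
 vlan 20
 auth-server radius-a
 auth-server <backup windows RADIUS server name>
wlan auth-server radius-1
 ip 192.0.2.10
wired-port-profile default_wired_port_profile
 allowed-vlan 1,499
"""
print("\n".join(preflight(SAMPLE)))
```
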