Frequent Contributor II

Questions about Aruba tunneled node

Hi community,


I have some questions regarding Aruba tunneled node feature, which is still not very clear to me even after reading some documents about it:


1) In per-port tunneled node (PPTN), why do we need to configure an end-user port to access a transport VLAN? The document said that the VLAN is used locally inside the GRE tunnel, but for what purpose? Is there any advantage/disadvantage when we configure these ports to access the same/different VLANs?


2) In per-user tunneled node (PUTN), the following sample configuration on the switch was given in the Wired Policy Enforcement Solution Guide:

[Attached screenshot: Capture.PNG (switch configuration sample)]

As far as I understand, the VLAN which will be assigned to the user is 604, and their traffic will be tunneled to the controller for processing (in role "quarantine"). The part I'm not clear on is: what if there's a VLAN definition in the "quarantine" role, say VLAN 605? Then will the user be assigned VLAN 604 or 605?


Any help would be appreciated.


Thank you,

Guru Elite

Re: Questions about Aruba tunneled node

In a PPTN scenario, the ports themselves should be set to the “transit” VLAN as part of the tunneling.

For PUTN, the VLAN ID defined in the user role is the VLAN the user traffic will be assigned on the controller.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor II

Re: Questions about Aruba tunneled node

Hi Tim,


So, in PUTN, if I made a mistake and assigned a VLAN in the role defined on the controller, the VLAN configured in the "primary" role on the switch will still be applied. Correct?

Guru Elite

Re: Questions about Aruba tunneled node

Correct

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor II

Re: Questions about Aruba tunneled node

Hi Tim,


About the transport VLAN in PPTN, is there any specific requirement for it? I think as long as we have connectivity between the switch and the controller, this VLAN is not important. I'm still not sure why we need to assign switch interfaces to this VLAN.

Guru Elite

Re: Questions about Aruba tunneled node

It should be a dead-end VLAN that only exists on both sides but is not tagged through the network.

PUTN is recommended over PPTN.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
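The "dead-end VLAN" requirement above is easy to get wrong on a switch that already carries many VLANs on its uplink. The following is an added example (not code from the thread, the poster, or Aruba) that parses a constructed, ArubaOS-Switch-style VLAN configuration and flags two mistakes: the transit VLAN being tagged on any port (i.e. carried across the network instead of staying local to the switch and tunnel), and a mismatch between the ports untagged in that VLAN and the ports the operator intends to tunnel. The VLAN number 604, the port ranges and the uplink port 48 are constructed values, and the parser assumes simple numeric port lists (no module prefixes such as A1-A10).

```python
import re
from typing import Dict, List, Set

# Constructed sample config in ArubaOS-Switch style (assumption: numeric port
# lists only). VLAN 604 is the transit VLAN; port 48 is the uplink trunk.
# The mistake here is that VLAN 604 is also tagged on the uplink.
BAD_CONFIG = """\
vlan 1
   name "DEFAULT_VLAN"
   untagged 11-47
   exit
vlan 100
   name "MGMT"
   tagged 48
   exit
vlan 604
   name "TN_TRANSIT"
   untagged 1-10
   tagged 48
   exit
"""

# Same config with the transit VLAN kept local to the switch (constructed).
GOOD_CONFIG = BAD_CONFIG.replace('   name "TN_TRANSIT"\n   untagged 1-10\n   tagged 48\n',
                                 '   name "TN_TRANSIT"\n   untagged 1-10\n')


def expand_ports(spec: str) -> Set[int]:
    """Expand a port list such as '1-10,12,15-16' into a set of port numbers."""
    ports: Set[int] = set()
    for chunk in spec.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "-" in chunk:
            lo, hi = (int(x) for x in chunk.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(chunk))
    return ports


def parse_vlans(config: str) -> Dict[int, Dict[str, Set[int]]]:
    """Collect the untagged and tagged port sets of every 'vlan N' block."""
    vlans: Dict[int, Dict[str, Set[int]]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"^vlan\s+(\d+)$", line)
        if header:
            current = int(header.group(1))
            vlans.setdefault(current, {"untagged": set(), "tagged": set()})
            continue
        if line == "exit":
            current = None
            continue
        if current is None:
            continue
        member = re.match(r"^(untagged|tagged)\s+(\S+)$", line)
        if member:
            vlans[current][member.group(1)] |= expand_ports(member.group(2))
    return vlans


def check_transit_vlan(config: str, transit_vlan: int, tunneled_ports: Set[int]) -> List[str]:
    """Return a list of findings; an empty list means the transit VLAN is a dead end
    that is untagged on exactly the intended tunneled-node ports."""
    findings: List[str] = []
    vlans = parse_vlans(config)
    if transit_vlan not in vlans:
        return [f"transit VLAN {transit_vlan} is not defined on the switch"]
    members = vlans[transit_vlan]
    if members["tagged"]:
        findings.append(
            f"transit VLAN {transit_vlan} is tagged on ports {sorted(members['tagged'])}; "
            "it should stay local to the switch and not be carried across trunks"
        )
    missing = tunneled_ports - members["untagged"]
    if missing:
        findings.append(f"intended tunneled-node ports {sorted(missing)} are not untagged in VLAN {transit_vlan}")
    extra = members["untagged"] - tunneled_ports
    if extra:
        findings.append(f"ports {sorted(extra)} are untagged in VLAN {transit_vlan} but are not tunneled-node ports")
    return findings


if __name__ == "__main__":
    for name, cfg in (("BAD_CONFIG", BAD_CONFIG), ("GOOD_CONFIG", GOOD_CONFIG)):
        print(name, check_transit_vlan(cfg, 604, set(range(1, 11))) or ["ok"])
```

Run it against a saved `show running-config` (adjusting the parser if the port naming on the platform differs) before enabling tunneled node on a batch of ports; the checks are intentionally conservative, so a finding is a prompt to look, not proof of a fault.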
Frequent Contributor II

Re: Questions about Aruba tunneled node

Hi Tim,


I have some more questions regarding PUTN scenario:


1) The switch will always do AAA functions. Correct?

2) Is there an option to deny peer-to-peer traffic between clients in both scenarios: traffic being tunneled to the controller and being locally processed by the switch?

Guru Elite

Re: Questions about Aruba tunneled node

1) No, with PUTN, the switch handles all AAA.

2) Not today.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor II

Re: Questions about Aruba tunneled node

So, there's currently no support to deny P2P traffic in either PPTN or PUTN? The reason I'd like to deploy tunneled node is to let the controller deny P2P traffic between wired clients, just like with the wireless ones.

Guru Elite

Re: Questions about Aruba tunneled node

Globally enabling it in the firewall may work, but not something I’ve tested.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.