Wired Intelligent Edge


2930M Mirror DHCP for Clearpass

  • 1.  2930M Mirror DHCP for Clearpass

    Posted Apr 06, 2020 07:05 PM

    My Clearpass integrator wants to use DHCP options to profile traffic. This may seem straightforward, but I'm not able to use DHCP relay to provide this traffic to CPPM, so I think my only option is to set up a port mirror and for CPPM to use the SPAN port.

     

    Architecture:

    - Fortigate 2500e HA providing all Layer 3 and operating as the DHCP server.  Fortigate firewalls cannot be both a DHCP server & DHCP relay. The specific model of firewall also does not support SPAN.

    - 2930M switch stacks Layer 2 only.  8 VLANs.

    - ClearPass C1000 running 6.8.5.120250. Publisher & Subscriber

    - LACP LAG between the switches and the Fortigate firewalls.

     

    Mirror Port Configuration:

    - I only need to send the DHCP requests from the client to CPPM so I'm planning on mirroring inbound traffic for each of the LACP members to the mirror port.

     

    Questions: 

     

    1. For all 8 VLANs, if the physical port is mirrored, is there a way for CPPM to see the traffic for all 8 VLANs?

      - ProCurve mirroring documentation states that only the traffic for the VLAN that the mirror port is in will be shown.  So can the mirror port be a trunk port?

    2. Any other suggestions on how to get the requested information to CPPM for profiling? VLAN mirroring, SNMP-Traps, etc?

     

    Thanks in advance.
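
As an added illustration of what "profiling on DHCP options" actually consumes (this is example code written for this thread, not part of the original post or of any Aruba/ClearPass product), the parser below reads a BOOTP/DHCP packet and pulls out the fields a profiler keys on: the message type (option 53), the client hostname (12), the vendor class (60) and the parameter request list (55), whose ordered contents are the classic OS fingerprint. It also reports the giaddr field, which a relay agent fills in with its own interface address, so a relayed DISCOVER tells the collector which VLAN it came from. Everything here is self-contained: the sample DISCOVER is constructed in the script (MAC, hostname, vendor class and option list are made-up values), and the parser rejects packets with a missing magic cookie or an option whose declared length runs past the end of the packet.

```python
import struct

# BOOTP fixed header (236 bytes) followed by the 4-byte DHCP magic cookie.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_discover(mac, hostname, vendor_class, param_list, giaddr=b"\0\0\0\0"):
    """Construct a minimal DHCP DISCOVER (test input only, not a real capture)."""
    fixed = struct.pack(BOOTP_FMT, 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, giaddr,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    host = hostname.encode()
    vendor = vendor_class.encode()
    opts = (bytes([53, 1, 1])                          # message type DISCOVER
            + bytes([61, 1 + len(mac), 1]) + mac        # client identifier
            + bytes([12, len(host)]) + host             # hostname
            + bytes([60, len(vendor)]) + vendor         # vendor class
            + bytes([55, len(param_list)]) + bytes(param_list)  # parameter request list
            + b"\xff")                                  # end option
    return fixed + MAGIC_COOKIE + opts


def parse_dhcp(packet):
    """Parse a raw DHCP payload into header fields plus an {option_code: bytes} map."""
    if len(packet) < 240:
        raise ValueError("packet shorter than BOOTP header plus magic cookie")
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ci, _yi, _si, giaddr,
     chaddr, _sname, _file) = struct.unpack(BOOTP_FMT, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    if hlen > 16:
        raise ValueError("hlen exceeds chaddr field")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad byte, no length
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past end of packet")
        options[code] = value
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "giaddr": ".".join(str(b) for b in giaddr),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "options": options,
    }


def dhcp_fingerprint(parsed):
    """Reduce a parsed packet to the attributes a DHCP-based profiler matches on."""
    o = parsed["options"]
    mtype = MSG_TYPES.get(o[53][0], "UNKNOWN") if o.get(53) else "UNKNOWN"
    return {
        "message_type": mtype,
        "client_mac": parsed["chaddr"],
        "hostname": o.get(12, b"").decode("utf-8", "replace"),
        "vendor_class": o.get(60, b"").decode("utf-8", "replace"),
        # The ordered option-55 list is the fingerprint most OS matching relies on.
        "param_request_list": ",".join(str(b) for b in o.get(55, b"")),
        # Non-zero giaddr means a relay agent forwarded this and stamped its address.
        "relayed_via": parsed["giaddr"] if parsed["giaddr"] != "0.0.0.0" else None,
    }


# Constructed samples: a Windows-style option-55 list, once sent directly and once
# as a relay agent on a hypothetical VLAN interface 10.0.20.2 would forward it.
SAMPLE_MAC = bytes.fromhex("001122334455")
SAMPLE_PARAMS = [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]
SAMPLE_DISCOVER = build_discover(SAMPLE_MAC, "LAB-PC01", "MSFT 5.0", SAMPLE_PARAMS)
SAMPLE_RELAYED = build_discover(SAMPLE_MAC, "LAB-PC01", "MSFT 5.0", SAMPLE_PARAMS,
                                giaddr=bytes([10, 0, 20, 2]))

if __name__ == "__main__":
    for pkt in (SAMPLE_DISCOVER, SAMPLE_RELAYED):
        print(dhcp_fingerprint(parse_dhcp(pkt)))
```

The practical point for this thread: a mirror port would hand CPPM the raw broadcast with giaddr zero, so the VLAN is only recoverable if the mirrored frames carry their 802.1Q tag, whereas a relayed copy arrives as unicast with the relaying VLAN interface already stamped in giaddr.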



  • 2.  RE: 2930M Mirror DHCP for Clearpass

    EMPLOYEE
    Posted Apr 14, 2020 12:27 AM

    Hi CNMatt,

     

    I see two options for you. 

     

    1. You simply add an IP for the 8 VLANs on the 2930Ms and use them to forward the DHCP request to ClearPass. You might disable routing on the switches to make sure they still act as an L2 switch.

     

    2. Look at device-fingerprinting here:

    https://community.arubanetworks.com/aruba/attachments/aruba/CampusSwitching/3714/2/ArubaOS-Switch_16-06_Device-Fingerprinting_v2018-01.pdf

    You can enable this on a per-port basis. 



  • 3.  RE: 2930M Mirror DHCP for Clearpass

    Posted Apr 15, 2020 12:42 PM

    Sorry for the slow response.

     

    Setting up DHCP relay on the L2 switch is an out-of-the-box idea I hadn't thought of.  I'm going to give this a try.

     

    The device fingerprinting at the switch I know I read about a while back but completely forgot about.  I'm going through the document you sent now.

     

    Thank you for the info and I'll post as soon as I learn something.



  • 4.  RE: 2930M Mirror DHCP for Clearpass

    Posted Apr 16, 2020 12:53 PM

    The device fingerprinting feature on the switch is the most promising and I'm working with our ClearPass team to get this set up.  I think this is going to solve our issue very elegantly.

     

    I was going through the various options and trying to find explanations for them.

     

    The incoming-clients-only option just states that it enables the feature for new clients.  I'm not quite clear what that means and I'm not finding any additional information on this feature.

     

    Regards,