Wired Intelligent Edge

ArubaSwitch Tunnel mode question

  • 1.  ArubaSwitch Tunnel mode question

    Posted Oct 16, 2013 12:09 AM

    Hello

    1-If I've got a switch in tunnel mode so I can admin it from the controller:

    What happens if the controller dies? What would happen to the equipment connected to that switch? Would it work like a standalone switch, or what would happen?

    As far as I know you can make the switch be controlled by the Aruba controller as if it were one more AP, so you can send rules and everything from the Aruba controller to the switches.

    2-The other question is regarding the firmware: does it auto-update the firmware when it connects to the controller?

    3-Is the minimum to have the switch managed by the controller 6.1.2.4?

    4-What would be the recommended mode of configuring this switch? Tunneled or not?

    I'm still trying to get my boss to get me an ArubaSwitch to answer my own questions, but he still hasn't approved the money for it

    *sigh*

     

    Cheers

    Carlos



  • 2.  RE: ArubaSwitch Tunnel mode question

    EMPLOYEE
    Posted Oct 16, 2013 01:39 AM

    Carlos,

    With respect to question 1:

    • When a port is in Tunneled Node, you are able to administer the security policies of that port from the Mobility Controller (MC). Things like IP connectivity between the Mobility Access Switch (MAS) and the Mobility Controller (MC) still have to be administered on each device individually. If the MC dies, then the Tunneled Node port assigned to it also goes with it. It does not fall back to local switching, which is why we recommend either pointing Tunneled Node ports at two MCs using VRRP or configuring a backup MC if it is on a different L3 segment from the primary.

    With respect to question 2:

    • Firmware is not controlled by the MC for the MAS. You need to manage the firmware of the MAS directly or via AirWave.

    With respect to question 3:

    • Again, the MAS is not managed per se by the MC. Only security policies for Tunneled Node ports are maintained/managed at the MC. The minimum software version to support Tunneled Node on the MC is 6.1.2.4.

    With respect to question 4:

    • It depends on the application. Since the MAS supports captive portal natively as of 7.2, it is able to handle the same authentication methods as the MC. Prior to that, Tunneled Node was required for wired captive portal amongst other things. The benefits of Tunneled Node are the flexibility to deploy specific L2 networks down to the edge that are not natively present on the MAS via its uplink, support for stateful policies versus stateless, and centralizing your policies in one place. The benefits of the native AAA features are that you aren't tunneling traffic back to the MC, meaning the switch can natively handle the forwarding without increasing load on the MC, no licenses are required, and forwarding independence in the event of an MC failure.

    I hope that helps.

    Madani



  • 3.  RE: ArubaSwitch Tunnel mode question

    Posted Oct 16, 2013 09:29 AM

    So the only thing that I can configure centrally is the AAA profiles

    I cannot configure the ports remotely on the wireless controller, like I do with an AP93H?

    Cheers

    Carlos



  • 4.  RE: ArubaSwitch Tunnel mode question

    EMPLOYEE
    Posted Oct 16, 2013 09:41 AM

    No, you cannot. You could use AMP however.



  • 5.  RE: ArubaSwitch Tunnel mode question

    Posted Oct 16, 2013 09:42 AM

    Then how do I set the profiles on the Aruba switch for each port?

    Cheers

    Carlos



  • 6.  RE: ArubaSwitch Tunnel mode question

    EMPLOYEE
    Posted Oct 16, 2013 09:46 AM

    Take a look at this solution from the Aruba Solution Exchange.

    https://ase.arubanetworks.com/solution/name/tunnel_node/


  • 7.  RE: ArubaSwitch Tunnel mode question

    Posted Oct 16, 2013 09:51 AM

    Okay

    Let's say I've got a 24-port Aruba switch

    I want to set 802.1X on the first 12 ports but not on the next 12 ports

    OR another example

    Let's say I want to set a different initial role on the first 12 ports and another initial role on the last 12 ports

    Cheers

    Carlos



  • 8.  RE: ArubaSwitch Tunnel mode question

    Posted Oct 16, 2013 09:53 AM

    What is the main page of this solution exchange?

    Is it somewhere on the partner site?



  • 9.  RE: ArubaSwitch Tunnel mode question

    EMPLOYEE
    Posted Oct 16, 2013 09:58 AM

    https://ase.arubanetworks.com

    You can apply different configurations to groups of ports by using the interface-group command and applying profiles to it. Then add the ports to the interface-group (apply-to add gigabitethernet 0/0/0, etc.).



  • 10.  RE: ArubaSwitch Tunnel mode question

    Posted Oct 16, 2013 10:00 AM

    Yeah, but from the controller

    Not from the switch

    Is it possible?



  • 11.  RE: ArubaSwitch Tunnel mode question

    EMPLOYEE
    Posted Oct 16, 2013 10:03 AM

    Carlos,

    For your two examples, you would create two different aaa-profiles and either group the ports together as Tim said or on each port set which aaa-profile you would want used.

    Best regards,

    Madani



  • 12.  RE: ArubaSwitch Tunnel mode question

    Posted Oct 16, 2013 10:07 AM

    So I create those groups of ports on the controller?

    Remember I'm talking about not doing it standalone; I mean doing that through the Mobility Controller



  • 13.  RE: ArubaSwitch Tunnel mode question

    EMPLOYEE
    Posted Oct 16, 2013 10:37 AM

    Anything related to access controls (AAA, firewall rules, etc.) is configured on the controller.

    Anything related to switchport interface configuration is done on the switch.

    Here's an example of the configurations:

    SWITCH

    interface-profile tunneled-node-profile "tpl-tunnel-profile-1"
      controller-ip 10.1.1.1
      mtu 1300
      exit

    vlan 100

    interface-profile switching-profile "tpl-100"
      access-vlan 100
      native-vlan 100
      exit

    interface-group gigabitethernet "tpl-100"
      apply-to 0/0/1 - 0/0/14
      tunneled-node-profile "tpl-tunnel-profile-1"
      switching-profile "tpl-100"
      end

    MOBILITY CONTROLLER

    ip access-list session tpl-tunnel-profile-1-deny-client-as-dhcp-server
      user any udp 68 deny
      exit

    ip access-list session "tpl-tunnel-profile-1-allowall"
      any any any permit
      exit

    user-role "tpl-tunnel-profile-1"
      session-acl tpl-tunnel-profile-1-deny-client-as-dhcp-server
      session-acl "tpl-tunnel-profile-1-allowall"
      exit

    aaa profile "tpl-tunnel-profile-1"
      initial-role "tpl-tunnel-profile-1"
      exit

    aaa authentication wired
      profile "tpl-tunnel-profile-1"
      exit
    end



  • 14.  RE: ArubaSwitch Tunnel mode question

    Posted Oct 16, 2013 10:55 AM

    Okay, got it

    So the only thing that will be sent to the Aruba switch is the AAA profiles, but I still need to go to the switch to put that profile on the ports manually?

    Cheers

    Carlos



  • 15.  RE: ArubaSwitch Tunnel mode question

    EMPLOYEE
    Posted Oct 16, 2013 10:57 AM

    Yes, or you can use AirWave.



  • 16.  RE: ArubaSwitch Tunnel mode question

    Posted Oct 16, 2013 11:01 AM

    Thanks man!

    All the traffic on those ports is tunneled to the controller, and on the controller it will use the stateful firewall to do what you configured in the AAA profiles on the controller?

    I'll take the ArubaSwitch class too. Too bad I have to wait until December... but we are about to sell some of these guys and if we successfully sell them I want to be sure what I'm doing :)


    Cheers

    Carlos



  • 17.  RE: ArubaSwitch Tunnel mode question

    EMPLOYEE
    Posted Oct 16, 2013 08:06 PM

    Correct. If you have user IP space on the switch and don't need stateful firewall processing, it makes sense to use standard switching.

    If you don't have user IP space on the switch, need stateful firewall processing (PCI, HIPAA, etc.) and/or just need centralized security policy, authentication and access control, then it makes sense to use tunnel-node and AAA is performed at the controller level.

    We only use tunneled-node for one-off, special use cases. For example, we don't have public IP space in our dorms since they are only APs and phones. If we needed to provide a device a public IP address (an AT&T Femtocell for example), we use the tunneled-node feature.

    Another note. Be sure that your controller can handle the tunnel count. Each tunneled port uses 1 tunnel.
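    As an added illustration (not from any poster in this thread), the Python script below parses the switch and controller snippets from post 13 and applies two defender-side checks: it counts the MC tunnels the interface-group will consume (one per tunneled port, as noted just above), and it flattens the user-role's session ACLs in listed order to flag any rule shadowed by the any/any/any permit, since the deny-client-as-DHCP-server rule only protects if it is evaluated first. The function names are mine, and first-match evaluation of a role's session ACLs in listed order is assumed.

```python
import re
# Config text below is copied from post 13 above (trimmed) and embedded as constructed sample input.
SWITCH_CFG = """\
interface-group gigabitethernet "tpl-100"
  apply-to 0/0/1 - 0/0/14
  tunneled-node-profile "tpl-tunnel-profile-1"
  end
"""
CONTROLLER_CFG = """\
ip access-list session tpl-tunnel-profile-1-deny-client-as-dhcp-server
  user any udp 68 deny
  exit
ip access-list session "tpl-tunnel-profile-1-allowall"
  any any any permit
  exit
user-role "tpl-tunnel-profile-1"
  session-acl tpl-tunnel-profile-1-deny-client-as-dhcp-server
  session-acl "tpl-tunnel-profile-1-allowall"
  exit
"""

def parse_blocks(cfg, header_re):  # name -> body lines, for every block whose header matches header_re
    blocks, name = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(header_re, line):
            name = m.group(1).strip('"')
            blocks[name] = []
        elif line in ("exit", "end"):
            name = None  # block closed; column-0 lines outside any block are ignored
        elif name:
            blocks[name].append(line)
    return blocks

def tunneled_port_count(switch_cfg):
    """One MC tunnel per tunneled port (post 17): sum apply-to ranges of groups bound to a tunneled-node-profile."""
    total = 0
    for body in parse_blocks(switch_cfg, r"^interface-group \S+ (.+)$").values():
        if any(l.startswith("tunneled-node-profile ") for l in body):  # plain switching groups cost no tunnel
            for m in (re.match(r"apply-to \d+/\d+/(\d+)(?:\s*-\s*\d+/\d+/(\d+))?$", l) for l in body):
                if m:  # a single port, or an 'a - b' range within one slot/module
                    total += int(m.group(2) or m.group(1)) - int(m.group(1)) + 1
    return total

def shadowed_rules(controller_cfg, role):
    """Flatten the role's session ACLs in listed order (first match wins); return rules behind an any/any/any catch-all."""
    acls = parse_blocks(controller_cfg, r"^ip access-list session (.+)$")
    role_body = parse_blocks(controller_cfg, r"^user-role (.+)$")[role]
    rules = [r for l in role_body if l.startswith("session-acl ") for r in acls[l.split(None, 1)[1].strip('"')]]
    catch_all = next((i for i, r in enumerate(rules) if r.startswith("any any any ")), len(rules))
    return rules[catch_all + 1:]
```

    For the page's own ordering the shadow check returns an empty list; swapping the two session-acl lines in the role makes it report the DHCP-server deny as dead.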




  • 18.  RE: ArubaSwitch Tunnel mode question

    Posted Oct 19, 2013 12:54 PM

    Note that in Aruba Solution Exchange (ASE), the prefix of "tpl" is editable. You can rename it.



  • 19.  RE: ArubaSwitch Tunnel mode question

    EMPLOYEE
    Posted Oct 16, 2013 09:46 AM

    Carlos,

    Could you be more specific about what you mean by "set the profiles" for each port? What are you trying to set up/accomplish?

    Best regards,

    Madani