Wired Intelligent Edge

Distributed DHCP (Aruba VPN DHCP Pool) on new Aruba switches

  • 1.  Distributed DHCP (Aruba VPN DHCP Pool) on new Aruba switches

    Posted May 11, 2018 02:35 PM

    We have several branch locations where we have been running S1500 MAS switches with "Distributed L3 DHCP Scopes", where the branch switch creates a tunnel back to an on-campus controller, and wired clients are handed out an internal IP with DHCP. This is described on page 395 of the ArubaOS 7.4.x User Guide for MAS switches, and it has worked really well for us for small branch deployments. 

    The config on the S1500 looked like this:

    #
    crypto aruba-vpn
      interface vlan 1
      peer-ip [controller.ip.address]
    # 
    ip-profile
       route 172.16.0.0 255.240.0.0 ipsec "aruba-vpn" 0
    #
    ip dhcp aruba-vpn-pool "my-aruba-vpn-pool"
       domain-name "mydomain.edu"
       lease 1 0 0 0
       dns-server 192.168.10.21
       dns-server 192.168.10.22
       server-type "Distributed,L3"
       ip-range 172.31.254.1 172.31.255.255
       client-count 50
       reserve last 7
    #
    interface vlan "3"
       aruba-vpn-pool-profile "my-aruba-vpn-pool"
    #
    interface-profile switching-profile "3"
       access-vlan 3
       native-vlan 3
    #
    interface gigabitethernet "0/0/0"
       switching-profile "3"
    #

    Looking to eventually replace these older switches, I am trying to get the same or similar functionality from a 3810M switch running 16.05.0007 firmware.  I do not see what I am looking for in the documentation.  There is a command "aruba-vpn type..." but this looks like it's more for management of the switch, not for routing of clients.

    Can anyone tell me if the "new" Aruba switches support "Distributed DHCP Scopes" or something similar?

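As an added illustration (not part of the original post, and not an Aruba tool), here is a small Python checker for the S1500-style "ip dhcp aruba-vpn-pool" stanza quoted above. It parses the stanza format, then confirms that the ip-range actually falls inside a prefix routed into the "aruba-vpn" IPsec tunnel (otherwise branch clients would get addresses whose traffic never enters the tunnel), that "reserve" leaves room for dynamic leases, and that the lease is non-zero. The sample config is constructed from the post with a documentation peer IP (203.0.113.10); the per-branch "block" arithmetic is this example's assumption about how the range is divided, not a statement from the MAS documentation.

```python
import ipaddress

# Constructed sample in the S1500 (ArubaOS 7.x) syntax shown in the thread;
# the peer IP is a documentation address, not a real controller.
SAMPLE_CONFIG = """\
crypto aruba-vpn
  interface vlan 1
  peer-ip 203.0.113.10
ip-profile
   route 172.16.0.0 255.240.0.0 ipsec "aruba-vpn" 0
ip dhcp aruba-vpn-pool "my-aruba-vpn-pool"
   domain-name "mydomain.edu"
   lease 1 0 0 0
   dns-server 192.168.10.21
   dns-server 192.168.10.22
   server-type "Distributed,L3"
   ip-range 172.31.254.1 172.31.255.255
   client-count 50
   reserve last 7
"""

# Same config with the ipsec route narrowed to /16 so the pool range falls outside it (constructed).
BROKEN_CONFIG = SAMPLE_CONFIG.replace("255.240.0.0", "255.255.0.0")


def parse_stanzas(text):
    """Group indented lines under their unindented parent line; '#' separator lines are skipped."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            continue
        if not line[0].isspace():
            current = line.strip()
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line.split())
    return stanzas


def ipsec_routes(stanzas):
    """Prefixes sent into the tunnel by 'route <net> <mask> ipsec ...' lines of ip-profile."""
    nets = []
    for tokens in stanzas.get("ip-profile", []):
        if tokens[0] == "route" and "ipsec" in tokens:
            nets.append(ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False))
    return nets


def find_pool(stanzas):
    """Return the first 'ip dhcp aruba-vpn-pool' stanza as {keyword: [args]}; dns-server may repeat."""
    for key, lines in stanzas.items():
        if key.startswith("ip dhcp aruba-vpn-pool"):
            pool = {"dns-server": []}
            for tokens in lines:
                if tokens[0] == "dns-server":
                    pool["dns-server"].append(tokens[1])
                else:
                    pool[tokens[0]] = tokens[1:]
            return pool
    return None


def check_pool(text):
    """Return (summary, findings); an empty findings list means the stanza is internally consistent."""
    findings = []
    stanzas = parse_stanzas(text)
    pool = find_pool(stanzas)
    if pool is None:
        return {}, ["no 'ip dhcp aruba-vpn-pool' stanza found"]

    first = ipaddress.ip_address(pool["ip-range"][0])
    last = ipaddress.ip_address(pool["ip-range"][1])
    if last < first:
        findings.append("ip-range end precedes its start")
    addresses = max(int(last) - int(first) + 1, 0)

    client_count = int(pool["client-count"][0])
    reserve = int(pool["reserve"][1])  # syntax is 'reserve {first|last} <n>'
    if reserve >= client_count:
        findings.append("reserve is not smaller than client-count; no dynamic addresses per branch")

    # Assumption of this example: the range is consumed in client-count sized blocks,
    # so addresses // client_count approximates how many branches the pool can serve.
    branches = addresses // client_count if client_count else 0
    if branches == 0:
        findings.append("ip-range is smaller than one client-count block")

    routes = ipsec_routes(stanzas)
    for addr in (first, last):
        if not any(addr in net for net in routes):
            findings.append(f"{addr} is outside every ipsec route; client traffic would bypass the tunnel")

    days, hours, minutes, seconds = (int(v) for v in pool["lease"])  # 'lease <d> <h> <m> <s>'
    lease_seconds = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    if lease_seconds == 0:
        findings.append("lease of zero length")

    if pool.get("server-type", [""])[0].strip('"') != "Distributed,L3":
        findings.append("server-type is not Distributed,L3")

    summary = {"addresses": addresses, "branches": branches,
               "lease_seconds": lease_seconds, "dns": pool["dns-server"]}
    return summary, findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        summary, findings = check_pool(cfg)
        print(label, summary, findings or "OK")
```

Run it against a saved "show running-config" text instead of SAMPLE_CONFIG to audit a fleet of branch switches before a migration; the route-coverage check is the one that catches the silent failure mode, where DHCP works but branch traffic is not tunnelled.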


  • 2.  RE: Distributed DHCP (Aruba VPN DHCP Pool) on new Aruba switches

    EMPLOYEE
    Posted May 15, 2018 04:52 PM

    Hi, 

    Probably the best way to achieve the capability you're looking for is by using the dynamic segmentation feature in our switches, also formally known as tunneled node.  With this, you can tunnel traffic based on a per port or per user basis to a Mobility controller.  

    There are externally accessible videos here:

    Per user: https://www.youtube.com/watch?v=AadDk48mp58&t=299s

    Per Port: https://www.youtube.com/watch?v=6Foxl7xnXNc&t=77s

    It's also in the Management and Configuration Guide under chapters 29 and 31.

    https://support.hpe.com/hpsc/doc/public/display?docId=a00038741en_us

    Regards, 

    Justin



  • 3.  RE: Distributed DHCP (Aruba VPN DHCP Pool) on new Aruba switches

    Posted May 15, 2018 05:54 PM

    Thank you Justin. I'm familiar with tunneled node on the MAS switches - we are using it inside our LAN, but have not tried it at branch locations.  Is there any reason not to do the following, using an internet-facing interface on the controller?

    switch(config)#tunneled-node-server
    switch(tunneled-node-server)# controller-ip <Controller WAN IP>

    In short, are you saying the feature described here is not available in the "post-MAS" switches?
    Distributed_DHCP_Scope



  • 4.  RE: Distributed DHCP (Aruba VPN DHCP Pool) on new Aruba switches
    Best Answer

    EMPLOYEE
    Posted May 15, 2018 06:23 PM

    We don't have a current VPN capability in the Aruba switches and don't have a current solution for a distributed DHCP scope.  We can only establish an IPsec tunnel for AirWave management.


    With regard to tunneling to a branch, there are two considerations.  We don't support tunnels over NAT, and jumbo frames need to be enabled everywhere the tunnel will traverse.  So over a WAN link, there are potential fragmentation issues.