Wired Intelligent Edge (Campus Switching and Routing)

Regular Contributor I

Securing GRE tunnels in tunnelled mode?

Hi all,

I’m looking to get some 7210 controllers and then use tunnelled mode from ports on my 3810 switches.

I understand by default these create GRE tunnels back to the controller. My question is, how can I secure these GRE tunnels? Can I add MACSEC to them or something similar?

The traffic I tunnel from these ports; I want to encrypt to protect the traffic from other users on the switch.

Thanks

All Replies
MVP Guru Elite

Re: Securing GRE tunnels in tunnelled mode?

Hi,

Why encrypt? Because other users on the switch don't see the traffic...

PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)

PowerArubaIAP: Powershell Module to use Aruba Instant AP

PowerArubaMC: Powershell Module to use Mobility Controller / Master


ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP
Regular Contributor I

Re: Securing GRE tunnels in tunnelled mode?

I’d like to have assurance that these networks are in separate encryption domains.

Ideally I’d like users in different departments to authenticate with dot1x using certs ... then Clearpass looks at their AD group membership and gives them a role / ACL based on that. Each switch port uses an encrypted tunnel back to the controller much like you find on wireless.

On wireless you get your own encrypted tunnel back to the controller then a role. I would like the same for wired if possible?

Thanks
Guru Elite

Re: Securing GRE tunnels in tunnelled mode?

@redford1980 wrote:
> I’d like to have assurance that these networks are in separate encryption domains.

Tunneled Node operates over GRE, so it tunnels. It does not encrypt traffic.

> Ideally I’d like users in different departments to authenticate with dot1x using certs ... then Clearpass looks at their AD group membership and gives them a role / ACL based on that.

You can definitely do that on a switchport. That is separate from tunneled node.

> Each switch port uses an encrypted tunnel back to the controller much like you find on wireless.

Tunneled node is GRE so it does not provide that. It is a transport that extends your wired network out further.

> On wireless you get your own encrypted tunnel back to the controller then a role. I would like the same for wired if possible?

On wireless, encryption is provided by the client. Most client application traffic nowadays is encrypted, so encrypting it further would add overhead and complexity. Even clients in the same VLAN would only be able to see broadcast/multicast traffic from other clients anyway, similar to a wired network. If someone was tapping into your wired network and looking at your traffic, that would mean that you do not have the uplinks on your switch infrastructure physically secured. Again, most applications nowadays are encrypted.

Thanks

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
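As an added illustration of the point made above (this is not code from the thread, from Aruba, or from any product), the following Python script parses two constructed packets and reports what someone watching the switch uplink could read from each: a GRE tunneled-node packet (inner Ethernet frame, inner IP addresses and application payload all readable) versus an ESP packet of the kind an IPsec VPN such as VIA produces (only SPI and sequence number readable). All addresses, MACs, payloads and the SPI value are constructed sample data.

```python
import struct

GRE, ESP = 47, 50          # IP protocol numbers
GRE_TEB = 0x6558           # GRE protocol type: Transparent Ethernet Bridging

def ipv4(proto, src, dst, payload):
    # Minimal 20-byte IPv4 header (constructed; checksum left at 0 since we only parse).
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, addr(src), addr(dst))
    return hdr + payload

def gre_bridged_frame(inner_ip):
    # GRE header with no optional fields, carrying an Ethernet frame (constructed MACs).
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    return struct.pack("!HH", 0, GRE_TEB) + eth + inner_ip

def classify(pkt):
    """Describe what an observer on the switch uplink can read from one outer packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        # Optional GRE fields (RFC 2890): checksum/reserved, key, sequence; 4 bytes each.
        off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        info = {"transport": "GRE", "encrypted": False, "inner_src": None,
                "inner_dst": None, "inner_proto": None, "cleartext": b""}
        if ptype == GRE_TEB:
            inner_ip = body[off + 14:]               # skip the 14-byte Ethernet header
            iihl = (inner_ip[0] & 0x0F) * 4
            info.update(inner_src=".".join(map(str, inner_ip[12:16])),
                        inner_dst=".".join(map(str, inner_ip[16:20])),
                        inner_proto=inner_ip[9], cleartext=inner_ip[iihl:])
        return info
    if proto == ESP:
        # Only the SPI and sequence number are readable; everything after is ciphertext.
        spi, seq = struct.unpack("!II", body[:8])
        return {"transport": "ESP", "encrypted": True, "spi": spi, "seq": seq}
    return {"transport": "proto-%d" % proto, "encrypted": False}

# Constructed samples: a tunneled-node GRE packet carrying a cleartext HTTP request,
# and an ESP packet (what a VIA IPsec tunnel would carry) with an opaque payload.
TUNNELED_NODE = ipv4(GRE, "10.1.1.10", "10.1.1.1", gre_bridged_frame(
    ipv4(6, "192.168.10.5", "192.168.20.7", b"GET /payroll HTTP/1.1\r\n")))
VIA_TUNNEL = ipv4(ESP, "10.1.1.10", "10.1.1.1",
                  struct.pack("!II", 0xABCD, 1) + bytes(range(32)))

if __name__ == "__main__":
    for name, pkt in (("tunneled-node", TUNNELED_NODE), ("VIA", VIA_TUNNEL)):
        print(name, classify(pkt))
```

The same classification run over a real capture of the controller-facing uplink is a quick way to audit which tunnels are actually encrypted (protocol 50) and which are plain GRE (protocol 47).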
Regular Contributor I

Re: Securing GRE tunnels in tunnelled mode?

Thanks - appreciate the detailed response.

How about this:

1. Wireless: make one SSID and segregate out lots of individual access with roles tied to an AD security group. So we can connect up lots of departments on one SSID, but individually they have their own role / ACL.

2. Wired: give these laptops the VIA client; they tunnel through the LAN with this encryption back to a controller with the same role derivation. Essentially VPN with their own encryption to the controller.

Would these work? Can I use the same controllers (2x 7240s) for both wireless and VPN concentrator?

Thanks
Guru Elite

Re: Securing GRE tunnels in tunnelled mode?

You certainly can do that.
