Wired Intelligent Edge (Campus Switching and Routing)

Contributor I

Tunneled-Node for Campus AP

Hi all.

I have searched for a long time but haven't found anything, so I am writing my own question now.

We have deployed Tunneled-Node (port-based) on our 2920 and 2930 access switches. The tunnels terminate on a pair of Mobility Devices, and authentication goes through a pair of ClearPass servers.

Everything works perfectly for wired clients. The switch port connecting to a computer, for example, sends a RADIUS request to the ClearPass cluster, which evaluates it through the service section and returns a role to the Mobility Master, which sends the role out to the switch port. This works perfectly!

Now to the access points (Campus APs).

Since the access points are "smart", each one creates a separate GRE tunnel to the Mobility Device per connected wireless client. I want the access point itself to authenticate but not to create a tunnel for itself. If it does, the AP itself gets a tunnel and then tunnels the wireless clients inside that tunnel, so I get the "tunnel-in-tunnel" scenario, which is wrong in my opinion.

If I make a service in ClearPass that authenticates the AP and returns the user role "Aruba-AP" (which essentially places the AP in a separate VLAN), the AP connects and works as it should, but a tunnel is now created...

(MD01) *#show tunneled-node state | include 10.208.0.102
10.208.0.102  9c:b6:54:c8:b0:4b  1/39  complete  10    1947    1

I have read an article about a function called "Port-Mode" that authenticates the first client on the port and then automatically passes the rest of the connected devices through, but I think that is what I would use if I had an Instant AP, not a Campus AP.

For ease of use for our technicians in the field, we want every access port to have tunneled-node enabled and not to exclude access ports for our Campus APs.

Is there a solution out there for this?


Accepted Solutions
Aruba

Re: Tunneled-Node for Campus AP

You have two options:

  1. Enable User Based Tunneling, as you mention, selectively deciding what to tunnel and what not to (everything but Campus APs).
  2. Enable device profiling for Aruba APs on the switch. This will allow you to instruct the switch not to tunnel Aruba APs that are profiled as such.

Create your device profile:

device-profile name Aruba_APs
no allow-tunneled-node
exit

Associate the aruba-ap device type with your profile and enable it:

device-profile type aruba-ap
associate Aruba_APs
enable
exit

You can also consider other device-profile settings, such as poe-priority, max power, VLAN settings, etc.:

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/16-01/webhelp/content/ch10.html
------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

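After applying the device-profile fix above, the practical check is to confirm that no Campus AP still shows up in `show tunneled-node state` on the Mobility Device, since an AP that is still tunneled is exactly the tunnel-in-tunnel case the question describes. The following script is an added example and is not code from the original thread or from Aruba: it parses a constructed copy of that output (modelled on the single line quoted in the question; the meaning of the columns after IP, MAC, port and state is assumed) against a constructed inventory of known AP MAC addresses and reports the ports that still need the `aruba-ap` profile applied or their profiling checked.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `show tunneled-node state` output on the MD, modelled
# on the one line quoted in the question. Only the first four columns
# (client IP, client MAC, switch port, tunnel state) are interpreted here;
# what the remaining columns mean is an assumption and they are ignored.
SAMPLE_OUTPUT = """\
(MD01) *#show tunneled-node state
10.208.0.102  9c:b6:54:c8:b0:4b  1/39  complete  10    1947    1
10.208.0.57   00:11:22:33:44:55  1/12  complete  10    1950    1
10.208.0.58   00:11:22:33:44:66  1/13  pending   10    1951    1
"""

# Constructed AP inventory (e.g. exported from the Mobility Master or the
# ClearPass endpoint database). The AP from the thread is the only entry.
KNOWN_AP_MACS = {"9c:b6:54:c8:b0:4b"}


@dataclass(frozen=True)
class TunnelEntry:
    ip: str
    mac: str
    port: str
    state: str


# One tunnel entry: dotted-quad IP, colon-separated MAC, port, state.
# Prompt lines and headers do not match and are skipped.
LINE_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+"
    r"(\S+)\s+(\S+)",
    re.IGNORECASE,
)


def parse_tunneled_node_state(text: str) -> list[TunnelEntry]:
    """Parse `show tunneled-node state` output into TunnelEntry records."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, mac, port, state = m.groups()
        ipaddress.ip_address(ip)  # reject garbage that merely looks like an IP
        entries.append(TunnelEntry(ip, mac.lower(), port, state.lower()))
    return entries


def aps_still_tunneled(entries: list[TunnelEntry], ap_macs: set[str]) -> list[TunnelEntry]:
    """Return tunnel entries whose client MAC belongs to a known AP.

    Each hit is a switch port where the AP itself got a tunnel, i.e. the
    tunnel-in-tunnel condition; that port's AP was not matched by the
    aruba-ap device profile carrying `no allow-tunneled-node`.
    """
    aps = {m.lower() for m in ap_macs}
    return [e for e in entries if e.mac in aps]


def report(text: str, ap_macs: set[str]) -> list[str]:
    """Human-readable findings, one string per offending port."""
    hits = aps_still_tunneled(parse_tunneled_node_state(text), ap_macs)
    return [f"port {e.port}: AP {e.mac} ({e.ip}) tunneled, state={e.state}" for e in hits]


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT, KNOWN_AP_MACS) or ["no APs are being tunneled"]:
        print(line)
```

Run it against the real output of `show tunneled-node state` (copied from the MD) and the real AP inventory; an empty report is the expected state once the device profile is in place, and any hit points at a port whose AP was not profiled as `aruba-ap`.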


All Replies

Contributor I

Re: Tunneled-Node for Campus AP

This worked like a charm! Thank you!
