Wired Intelligent Edge

Tunneled node switch model support

  • 1.  Tunneled node switch model support

    EMPLOYEE
    Posted Aug 21, 2018 03:18 AM

    A customer likes our tunneled node concept for unified policy but unfortunately is running a mix of HPE/Aruba/Cisco switches (Qty 3000+), out of which only a handful are 2920 switches. He would eventually migrate, but only in a phase-wise manner.

    Is there a workaround or alternative way to achieve unified policy for wired and wireless for the rest of the Aruba 2530s/HP ProCurve/Cisco Catalyst switches? Or are we limited to traditional AAA authentication on CPPM?

    I am OK with a workaround as well, if it is on a nearby roadmap.

    Many thanks in advance.



  • 2.  RE: Tunneled node switch model support

    EMPLOYEE
    Posted Aug 21, 2018 04:23 AM

    Hi,

    This is what is supported on the various MobileFirst Campus switches as of release 16.05. An alternative for getting the tunneled node to work is to connect the edge switches to a switch that supports UBT or PBT. You then basically stretch the VLANs to the Mobility Controller. I understand that it is not a very clean solution, but it does the job. For UBT you require an authentication mechanism (802.1X/MAC) on the access port. If you use an intermediate switch (3810 or 5400R with V3 modules), you can achieve that by authenticating the MAC addresses.

    [image: image.png]

    Hope this helps.

    Kind regards,

    Dik



  • 3.  RE: Tunneled node switch model support

    EMPLOYEE
    Posted Aug 21, 2018 04:33 AM

    One additional remark. PBT is supported on the 2920. This means that you can do the authentication enforcement on the mobility controller. The Cisco switches that you have probably do not support GRE tunneling so these switches would not support any tunneling function anyway.


    Kind regards,


    Dik



  • 4.  RE: Tunneled node switch model support

    EMPLOYEE
    Posted Aug 22, 2018 08:35 AM

    Hello Dik,

    Many thanks for the response. Just to clarify, since I'm new to this: we would only require setting up PUTN, right? Say we plug in new 5400/2930 switches at every location and connect the older edge switches to these on uplink ports. To be able to define per-user policy we can't opt for PPTN, since I would have more than one user being uplinked on a single port of the compatible switches. And I believe the uplink ports would need to be trunked to allow the various VLAN communications depending on the role assigned to the end user, wouldn't they? Is my understanding correct?

    And do I need to be aware of anything, assuming my actual users hook on to older switches, other than the fact that tunnel capacity needs to be kept in mind?

    Cheers!!



  • 5.  RE: Tunneled node switch model support

    EMPLOYEE
    Posted Aug 22, 2018 05:20 PM

    Hi Manish,

    Please be aware that the 802.1X functions will not work; it is likely only to work with MAC auth. The 802.1X supplicant function on the aggregation switch will only work with a single client. In addition, there is also a maximum number of MAC clients that will be supported on the secured port, which is 32. This means that if you have more than 32 MAC addresses connecting to that port, the additional MACs that you are connecting will fail authentication.

    So, although this is a solution that can work, there are still some restrictions here which might result in this not being the best alternative. At the end of the day, the best solution is to use hardware that supports the feature.

    Hope this helps.

    Kind regards,

    Dik
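The 32-MAC restriction described in the reply above, as an added planning example (not code from the thread or from HPE Aruba Networking). It assumes the limit is enforced per secured port in order of arrival and that a re-authenticating client does not consume a second slot; the MAC addresses are constructed sample data.

```python
"""Model the 32-MAC-client limit on a MAC-authenticated aggregation port
that fronts a legacy edge switch (assumption: per port, first come first served)."""

MAC_LIMIT_PER_PORT = 32  # max MAC clients per secured port, per the thread


def simulate_mac_auth(events, limit=MAC_LIMIT_PER_PORT):
    """events: iterable of (port, mac) in the order clients appear.

    Returns {port: {"accepted": [...], "rejected": [...]}}. Once a port holds
    `limit` authenticated MACs, every further new MAC fails authentication,
    so which clients break depends purely on who showed up first."""
    state = {}
    for port, mac in events:
        entry = state.setdefault(port, {"accepted": [], "rejected": []})
        mac = mac.lower()
        if mac in entry["accepted"]:
            continue  # re-auth of an already authenticated client, no new slot
        if len(entry["accepted"]) < limit:
            entry["accepted"].append(mac)
        elif mac not in entry["rejected"]:
            entry["rejected"].append(mac)  # the 33rd and later clients fail
    return state


def ports_needed(client_count, limit=MAC_LIMIT_PER_PORT):
    """Minimum number of secured aggregation ports (edge-switch uplinks)
    needed so that no single port exceeds the MAC-client limit."""
    return -(-client_count // limit)  # ceiling division


def make_events(port, count, seed=1):
    """Constructed sample data: `count` distinct client MACs seen behind `port`."""
    return [(port, f"00:11:22:33:{seed:02x}:{i:02x}") for i in range(count)]


if __name__ == "__main__":
    # Constructed scenario: one legacy edge switch with 40 clients on port 1/1
    result = simulate_mac_auth(make_events("1/1", 40))
    print(len(result["1/1"]["accepted"]), "accepted,",
          len(result["1/1"]["rejected"]), "rejected on port 1/1")
    print("uplink ports needed for 40 clients:", ports_needed(40))
```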