Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Tunnelled node into 7008 controller

  • 1.  Tunnelled node into 7008 controller

    Posted Oct 09, 2020 02:38 PM

    Hi all,


    Just wanted to check my logic, as it's the first time I've played with tunnelled node.

    I will use a 5400 switch and 7008 controller. 

    On the 5400 switch, I will:

    - Enable tunnelled node at the global level and point it to the management IP of the controller

    - At the interface level, set the port to tunnelled node and assign a VLAN (2000)


    On the 7008 controller, I will:

    - Make VLAN 2000 and assign whatever security I need around this VLAN

    Questions:

    1. Do I need to tick an option on the controller to make this work? It feels like I should enable this feature on the controller like I'm doing on the switch.

    2. Will the VLAN I set on the switch interface transpose into the controller, so users will just present on the same VLAN as the switch when they land on the controller?

    3. I have a firewall between the switch and controller. Does tunnelled node use the management IP of the switch as its source? Is it just GRE traffic?

    4. I feel like I'm missing some fundamentals above, or is it this easy?

    I'm manually configuring certain ports for tunnelled node; trying to avoid getting ClearPass involved, etc.

    Many thanks



  • 2.  RE: Tunnelled node into 7008 controller

    Posted Oct 13, 2020 03:37 PM

    Can anyone comment on this one?



  • 3.  RE: Tunnelled node into 7008 controller



  • 4.  RE: Tunnelled node into 7008 controller
    Best Answer

    MVP GURU
    Posted Oct 13, 2020 03:41 PM

    And here is a great guide for AOS v8. It even has the same controller as you.

    https://www.youtube.com/watch?v=gVLVuiiGmRE


  • 5.  RE: Tunnelled node into 7008 controller

    Posted Oct 13, 2020 03:54 PM

    Great video talk-through, thanks very much.



  • 6.  RE: Tunnelled node into 7008 controller

    Posted Oct 14, 2020 08:58 AM

    The only unknown part for me now is having a firewall in between this switch and the controller.

    Do you know what source IP the tunnelled node will pick to route this traffic? The only layer 3 address on this switch is the OOBM interface at present.

    Thanks




  • 8.  RE: Tunnelled node into 7008 controller

    MVP GURU
    Posted Oct 14, 2020 09:13 AM

    It will be sourced from the switch IP, as a tunnel is created between the switch and the controller. You can see which IP on the switch is being used in the "show user-table" output on the controller under Essid/Bssid/Phy. It should be the first part of the address.



  • 9.  RE: Tunnelled node into 7008 controller

    Posted Oct 14, 2020 10:01 AM

    Just to clarify: switch IP, is this the OOBM address? So the management address? This is the only layer 3 address on the switch, basically; all other traffic goes through a layer 2 trunk to a core switch.



  • 10.  RE: Tunnelled node into 7008 controller

    MVP GURU
    Posted Oct 14, 2020 10:06 AM

    Someone would have to chime in here as far as the source IP of the GRE tunnel, and if and how you can change that. That particular video had just one L3 address on it. If I had to guess, it would be the highest IP with reachability. But I would be guessing at the moment.



  • 11.  RE: Tunnelled node into 7008 controller

    Posted Oct 15, 2020 10:51 AM

    OK, so I've tried to get this up and running, but it shows the error "controller unreachable". I'm looking on the firewall but can't see any traffic trying to hit the controller.

    Does anyone know how it will source its traffic by default? Any way to force this over the OOBM interface?



  • 12.  RE: Tunnelled node into 7008 controller

    Posted Oct 16, 2020 04:04 PM

    Also make sure your 7008 controller IP is the first one traffic hits coming from the 5400. This issue was supposed to be fixed in 8.5.0.10, but I haven't yet verified. So, for example, using a loopback IP address will not work.



  • 13.  RE: Tunnelled node into 7008 controller

    Posted Oct 16, 2020 04:15 PM

    OK, thanks.

    In terms of traffic flow, there is:

    5400 switch (access layer)

    8320 switch (core switch)

    firewall

    7008 controller

    Guessing this is a non-starter going off your comments? Do I need to put layer 2 through to the controller from the switch?



  • 14.  RE: Tunnelled node into 7008 controller

    Posted Oct 16, 2020 04:37 PM

    It works over a routed network, no problems there, or over a firewall. But for example, if you have GE 0/0/0 as the interface towards the switch network, you need to configure the IP on GE 0/0/0 as the controller IP and the one the switch connects to to form a tunnel.

    Just downloaded 8.5.0.10, so I'll have to check if they have fixed this.



  • 15.  RE: Tunnelled node into 7008 controller

    Posted Oct 16, 2020 04:48 PM

    That makes sense; yes, I have that set up.

    My issue is the switch says "controller unreachable". The switch has layer 2 only, as all the VLANs trunk up to an 8320 core switch. The core switch then connects to a firewall which protects the controller.

    I'm wondering if, as the switch is layer 2 only, it has no way of routing the tunnelled node traffic. It does have an OOBM interface configured with an IP for its management traffic; I'm guessing tunnelled node cannot traverse the management interface?

    Should I add a layer 3 address to the switch? I can't see a way to force tunnelled node over a specific source address.

    Thanks



  • 16.  RE: Tunnelled node into 7008 controller

    Posted Oct 16, 2020 04:49 PM

    Have you checked the debug logs, with debug destination session + debug usertn? If I had to guess, I'd say OOBM would not work for tunneled node.
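As an added example (not from any poster in this thread), the following script turns the troubleshooting discussed above into a check that can be run against firewall flow logs sitting between the 5400 and the 7008: it looks for GRE (IP protocol 47) toward the controller IP, reports which switch IP the tunnel is actually sourced from, and distinguishes "switch never sends GRE" from "firewall denies it" from "controller never answers". The log format, the switch SVI 10.10.5.2, the OOBM address 192.168.99.5 and the controller IP 10.20.0.7 are all constructed for the example.

```python
import re

# Constructed firewall flow-log lines (not from the thread). Tunnelled node
# carries client traffic in GRE, which is IP protocol 47; UDP (17) is noise here.
SAMPLE_LOG = """\
src=10.10.5.2 dst=10.20.0.7 proto=47 action=allow
src=10.10.5.2 dst=10.20.0.7 proto=47 action=allow
src=10.20.0.7 dst=10.10.5.2 proto=47 action=allow
src=10.10.5.2 dst=10.20.0.7 proto=17 sport=8211 dport=8211 action=allow
src=192.168.99.5 dst=10.20.0.7 proto=47 action=deny
"""

# Hypothetical key=value format; adapt the regex to the real firewall's syntax.
LINE_RE = re.compile(
    r"src=(\S+) dst=(\S+) proto=(\d+)(?: sport=\d+ dport=\d+)? action=(\w+)")

GRE = 47


def parse_flows(text):
    """Return a list of {src, dst, proto, action} dicts, skipping unparseable lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, dst, proto, action = m.groups()
            flows.append({"src": src, "dst": dst, "proto": int(proto), "action": action})
    return flows


def diagnose_tunnel(flows, controller_ip):
    """Classify a 'controller unreachable' symptom from what the firewall saw."""
    to_ctrl = [f for f in flows if f["dst"] == controller_ip and f["proto"] == GRE]
    from_ctrl = [f for f in flows if f["src"] == controller_ip and f["proto"] == GRE]
    sources = sorted({f["src"] for f in to_ctrl})
    denied = sorted({f["src"] for f in to_ctrl if f["action"] != "allow"})
    if not to_ctrl:
        # Nothing reached the firewall: the switch has no routed path to the controller
        verdict = "no-gre-from-switch"
    elif len(denied) == len(sources):
        verdict = "gre-blocked-by-firewall"
    elif not from_ctrl:
        # Switch side is fine; check the controller IP is the interface facing the switch
        verdict = "no-gre-reply-from-controller"
    else:
        verdict = "gre-bidirectional"
    return {"verdict": verdict, "sources": sources, "denied_sources": denied}


if __name__ == "__main__":
    print(diagnose_tunnel(parse_flows(SAMPLE_LOG), "10.20.0.7"))
```

The `sources` list is the answer to the source-IP question in this thread: it shows which switch address actually appears as the GRE source on the far side of the firewall.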