10-08-2013 11:15 AM
Hi - we're in the middle of a POC with Aruba Networks wireless equipment. We also have a need to begin replacing our closet switches. We're intrigued by Aruba's concept of the wired ap. Essentially a switch is linked to a mobility controller as though it were an ap. Traffic from the switch is tunneled back to the controller, and policy is applied centrally.
I'm investigating whether or not this solution would scale to allow me to have ALL of my closet switches (if I went Aruba) tunnel ALL traffic back to a central controller - thus allowing for centralized management of user traffic.
My questions: is anybody currently doing this (or has anybody tried doing this) in a fairly large scale deployment? What are the catches?
Thanks for the help!
Solved! Go to Solution.
10-08-2013 11:20 AM - edited 10-08-2013 05:38 PM
We use all Aruba switches on our edge network (about 325 switches, 95 stacks), however we use tunneled-node on only a few ports (where we need a public IP for a device, but don't have a public subnet in the building).
With Aruba's user centric model and new ClearPass functionality, you can get very granular on the switch without tunneling all of the traffic. For example, you can create the same roles on the switch as you would on the controllers and return the role from ClearPass so the users have the same access no matter where they are or how they connect. Even if the appropriate access controls do not exist on the switch, ClearPass can push the appropriate access controls down dynamically in real time.
Re: Wired Access Point
10-08-2013 11:32 AM
Thanks for the information, it's greatly appreciated!
So essentially all of the access controls, role definition, etc exists on ClearPass...and ClearPass then pushes that down to the switch based upon authentication/authorization/etc? How do you guys handle ports where printers are connected?
Are you guys using Aruba (s3500 w/sfp ports?) at the distribution layer?
Re: Wired Access Point
10-08-2013 11:48 AM - edited 10-08-2013 03:00 PM
We have some generic ACLs that exist on all of the switches that apply everywhere on campus, but we push down custom roles for more specific roles.
We currently use MAC Auth on the wired side. If the device is registered as a printer, ClearPass will return a printer role which only allows access from our Class B address space (to stop spammers from off campus).
We have 4 Cisco 6500s in two VSS pairs on our distribution layer and route at the edge. We will be considering the all fiber S3500 switch for the next upgrade cycle.
Role Config Example:
Access Request from ClearPass returning the printer role based on attributes from our registration system:
RADIUS response back to the switch: