Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Wired Access Point

  • 1.  Wired Access Point

    Posted Oct 08, 2013 02:15 PM

    Hi - we're in the middle of a POC with Aruba Networks wireless equipment.  We also have a need to begin replacing our closet switches.  We're intrigued by Aruba's concept of the wired AP.  Essentially a switch is linked to a mobility controller as though it were an AP.  Traffic from the switch is tunneled back to the controller, and policy is applied centrally.

     

    I'm investigating whether or not this solution would scale to allow me to have ALL of my closet switches (if I went Aruba) tunnel ALL traffic back to a central controller - thus allowing for centralized management of user traffic. 

     

    My questions: is anybody currently doing this (or has anybody tried doing this) in a fairly large scale deployment?  What are the catches?

     

    Thanks for the help!  



  • 2.  RE: Wired Access Point
    Best Answer

    EMPLOYEE
    Posted Oct 08, 2013 02:21 PM

    We use all Aruba switches on our edge network (about 325 switches, 95 stacks), however we use tunneled-node on only a few ports (where we need a public IP for a device, but don't have a public subnet in the building).

     

    With Aruba's user centric model and new ClearPass functionality, you can get very granular on the switch without tunneling all of the traffic. For example, you can create the same roles on the switch as you would on the controllers and return the role from ClearPass so the users have the same access no matter where they are or how they connect. Even if the appropriate access controls do not exist on the switch, ClearPass can push the appropriate access controls down dynamically in real time.



  • 3.  RE: Wired Access Point

    Posted Oct 08, 2013 02:33 PM

    Thanks for the information, it's greatly appreciated!

     

    So essentially all of the access controls, role definitions, etc. exist on ClearPass... and ClearPass then pushes that down to the switch based upon authentication/authorization/etc.?  How do you guys handle ports where printers are connected?

     

    Are you guys using Aruba (S3500 w/ SFP ports?) at the distribution layer?

     

    Thanks again.



  • 4.  RE: Wired Access Point

    EMPLOYEE
    Posted Oct 08, 2013 02:49 PM

    We have some generic ACLs that exist on all of the switches that apply everywhere on campus, but we push down custom roles for more specific roles.

     

    We currently use MAC Auth on the wired side. If the device is registered as a printer, ClearPass will return a printer role which only allows access from our Class B address space (to stop spammers from off campus).

     

    We have 4 Cisco 6500s in two VSS pairs on our distribution layer and route at the edge. We will be considering the all fiber S3500 switch for the next upgrade cycle.

     

     

    Printer Example:

     

    user-table_printers.png

     

    Role Config Example:

     

    printer-role-b.PNG

     

     

    Access Request from ClearPass returning the printer role based on attributes from our registration system:

     

    cp-printer-input.png

     

    RADIUS response back to the switch:

     

    cp-printer-output.png
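
The flow described in post 4 (MAC auth, a role returned by the policy server, and a role ACL enforced at the switch port), modelled as an added example that is not part of the original thread and is not Aruba or ClearPass configuration. The campus block `172.16.0.0/16`, the MAC addresses and the role names `authenticated` and `denyall` are constructed placeholders.

```python
import ipaddress

# Constructed sample data: the campus block, MACs and the role names other than
# "printer" are placeholders, not values from the thread.
CAMPUS_NET = ipaddress.ip_network("172.16.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")
REGISTRATION = {"00:11:22:33:44:55": "printer", "66:77:88:99:aa:bb": "workstation"}

# Role -> ordered (action, source network) rules; first match wins.
ROLES = {
    "printer": [("permit", CAMPUS_NET), ("deny", ANY)],
    "authenticated": [("permit", ANY)],
    "denyall": [("deny", ANY)],
}

def normalize_mac(mac):
    """Accept colon, dash or dotted notation; return aa:bb:cc:dd:ee:ff."""
    raw = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(raw) != 12 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def mac_auth(mac):
    """Policy-server side: map the registered device type to a role name."""
    device_type = REGISTRATION.get(normalize_mac(mac))
    if device_type is None:
        return "denyall"  # unregistered device: fail closed
    return "printer" if device_type == "printer" else "authenticated"

def inbound_allowed(role, src_ip):
    """Switch side: evaluate the role's rules against a packet's source IP."""
    src = ipaddress.ip_address(src_ip)
    for action, net in ROLES[role]:
        if src in net:
            return action == "permit"
    return False  # implicit deny when nothing matches

if __name__ == "__main__":
    role = mac_auth("00-11-22-33-44-55")
    for src in ("172.16.40.9", "203.0.113.7"):
        print(role, src, "permit" if inbound_allowed(role, src) else "deny")
```

Because a MAC address is an identifier the client presents rather than a credential, the role it maps to should stay as narrow as the printer role here, and unregistered devices should fall through to a deny role.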