SD-WAN


Forum to discuss HPE Aruba EdgeConnect SD-WAN and SD-Branch solutions. This includes SD-WAN Orchestration WAN edge network functions - routing, security, zone-based firewall, segmentation and WAN optimization, micro-branch solutions, best practices, and third-party integrations. All things SD-WAN!

Branch Gateway - Colourless ports without switch

  • 1.  Branch Gateway - Colourless ports without switch

    Posted Feb 07, 2022 05:38 PM
    Hi Airheads, I'm wondering if it is possible to support the below scenario with a small BGW-only deployment (i.e. a 7010 with no switch).

    I'd like to implement 'colorless ports' (wired authentication) - 802.1X with MAC fallback (using CPPM for DHCP profiling) into user roles with different VLAN IDs.

    For example:

    VLAN 10 = Profiling / Quarantine VLAN - ACL to allow DHCP only for profiling
    VLAN 20 = Corporate Wired (allowall ACL)
    VLAN 30 = Printers (allowall ACL)

    As far as I can tell, I can only configure a wired aaa profile on a VLAN assigned to an untrusted port, but this does not seem to work.

    I've also tried adding authentication methods to the default wired aaa profile, but this also doesn't seem to work.

    ------------------------------
    Chris Denham
    ------------------------------


  • 2.  RE: Branch Gateway - Colourless ports without switch

    EMPLOYEE
    Posted Feb 07, 2022 06:14 PM
    Yes, you should be able to do this.
    check the Aruba SD-Branch Fundamentals Guide
    on page 66 it describes what you want to do.
    https://help.central.arubanetworks.com/2.5.4/documentation/online_help/content/nms/intro-pages/related-info.htm



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Branch Gateway - Colourless ports without switch

    Posted Feb 07, 2022 08:05 PM
    Thanks Ariya,

    I have attempted the below configuration according to the documentation in Central, but I cannot see the device in the device table.

    There is a DHCP scope configured for VLAN 10:

    interface gigabitethernet 0/0/0
      description DYNAMIC
      switchport access vlan 10
      spanning-tree portfast
      no spanning-tree point-to-point
      poe
      type lan
    !
    vlan 10
      wired aaa-profile colourless_port
    !
    aaa profile "colourless_port"
      initial-role "Profiling"
      authentication-mac "colourless-port"
      mac-default-role "denyall"
      mac-server-group "cppm_radius"
      authentication-dot1x "colourless-port"
      dot1x-default-role "denyall"
      dot1x-server-group "cppm_radius"
      l2-auth-fail-through
      radius-accounting "cppm_radius"
      radius-interim-accounting
      rfc-3576-server "x.x.x.x"
      rfc-3576-server "x.x.x.x"
    !
    user-role Profiling
      access-list session profiling_acl
      vlan 10
    !
    user-role Domain_Computer
      access-list session allowall
      vlan 20
    !
    user-role Printer
      access-list session allowall
      vlan 30
    !
    ip access-list session profiling_acl
      any any svc-dhcp permit


    ------------------------------
    Chris Denham
    ------------------------------



  • 4.  RE: Branch Gateway - Colourless ports without switch

    EMPLOYEE
    Posted Feb 07, 2022 11:09 PM
    For the device to end up in the user table, that VLAN or interface should be untrusted, or a combination of the two.
    You can assign it as shown below.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------
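    As an added illustration of the two conditions discussed in this thread (the port/VLAN carrying the wired aaa-profile must be untrusted, and the initial profiling role should permit DHCP only), here is a small Python lint over an ArubaOS-style config. It is example code, not from the thread or from Aruba; the sample config is constructed from the poster's snippet, and the "no trusted" interface line is an assumed syntax for marking the port untrusted.

```python
# Constructed sample after the thread's config; "no trusted" is the assumed untrusted-port syntax.
SAMPLE_CONFIG = """\
interface gigabitethernet 0/0/0
  switchport access vlan 10
  no trusted
vlan 10
  wired aaa-profile colourless_port
aaa profile "colourless_port"
  initial-role "Profiling"
user-role Profiling
  access-list session profiling_acl
  vlan 10
ip access-list session profiling_acl
  any any svc-dhcp permit
"""

def parse_stanzas(text):
    # Split the config into (header, [indented body lines]); "!" separators are ignored.
    stanzas = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and stanzas:
            stanzas[-1][1].append(line.strip())
        else:
            stanzas.append((line.strip(), []))
    return stanzas

def lint_colourless(text):
    """Return findings for each VLAN carrying a wired aaa-profile ([] when clean)."""
    st = parse_stanzas(text)
    ifaces = {h: b for h, b in st if h.startswith("interface ")}
    profiles = {h.split('"')[1]: b for h, b in st if h.startswith("aaa profile ")}
    roles = {h.split()[1]: b for h, b in st if h.startswith("user-role ")}
    acls = {h.split()[3]: b for h, b in st if h.startswith("ip access-list session ")}
    out = []
    for h, body in st:
        prof = next((l.split()[-1] for l in body if l.startswith("wired aaa-profile ")), None)
        if prof is None:
            continue
        vid = h.split()[1]
        # Post 4: the client only reaches the user table if the port/VLAN is untrusted.
        for name, ib in ifaces.items():
            if f"switchport access vlan {vid}" in ib and not any(l.startswith("no trusted") for l in ib):
                out.append(f"{name}: vlan {vid} is trusted, so no wired authentication will run")
        # Post 1: the initial (quarantine) role should permit DHCP only, for profiling.
        role = next((l.split('"')[1] for l in profiles.get(prof, []) if l.startswith("initial-role")), "")
        acl = next((l.split()[-1] for l in roles.get(role, []) if l.startswith("access-list")), "")
        extra = [l for l in acls.get(acl, []) if "permit" in l and "svc-dhcp" not in l]
        if extra:
            out.append(f"role {role}: acl {acl} permits more than DHCP: {extra}")
    return out
```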



  • 5.  RE: Branch Gateway - Colourless ports without switch

    Posted Feb 08, 2022 06:53 PM
    Yes, both the physical interface and VLAN assigned in access mode are configured as un-trusted:

    GE 0/0/0 is up, line protocol is up
    ...
    This port is NOT TRUSTED
    The L3 Port type is LAN

    VLAN  Description  Ports     AAA Profile       Option-82
    ----  -----------  -----     -----------       ---------
    10   VLAN010     GE0/0/0   colourless-port   Disabled


    ------------------------------
    Chris Denham
    ------------------------------



  • 6.  RE: Branch Gateway - Colourless ports without switch
    Best Answer

    EMPLOYEE
    Posted Feb 08, 2022 07:23 PM
    Please contact the Technical Assistance Centre, they'll sort it out.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------