Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Data and management port design questions

  • 1.  Data and management port design questions

    Posted Mar 12, 2021 12:38 PM
    Hello,

    In our DCs, we have two aggregation switches which we use so we can have redundant connections to devices. I'm aware that for most applications, it is suggested to use just the management port; however, we need the use of both NICs. I'm also aware there are certain services that are tied to data vs mgmt. However, what we would want to do is utilize both ports for connections from CPPM servers to the switches.

    What is the recommended setup for this type of scenario? And if we, say, lose the connection that is on the MGMT, will data flow through the data port or will that device drop from the cluster?

    Scenario #1:
    - Configure both the MGMT and DATA on the same subnet, configure access ports to each port and MLAG them (this is an Arista setup)

    Scenario #2:
    - Configure MGMT and DATA in different subnets and configure access ports to each port. Do not configure MLAG

    Scenario #3:
    - Configure MGMT and DATA in different subnets and configure ports as routed interfaces.

    We are looking to do this for our DMZ clusters which service RAPs, captive portals and onboarding. We are also looking to do this for our internal clusters which do RADIUS and TACACS. My feeling is scenario #2 is the best way to go, but #3 would be good as well to keep everything routed.

    Thoughts?

    Thanks.

    ------------------------------
    Max Turpin
    ------------------------------


  • 2.  RE: Data and management port design questions

    MVP GURU
    Posted Mar 12, 2021 12:48 PM
    Hi,

    Is it about the ports of ClearPass?

    It is not possible to configure the same subnet/network on the MGMT and DATA interfaces...

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 3.  RE: Data and management port design questions

    MVP
    Posted Mar 12, 2021 01:27 PM
    Adding to Alexis... no support for LAG in CPPM; the feature request has been there for ~8 years... suggest you contact your Aruba SE and push for that separately.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 4.  RE: Data and management port design questions

    Posted Mar 12, 2021 06:44 PM
    So then, we'll just configure either L2 or L3 ports to the mgmt and data ports.

    Should the RADIUS servers on the controllers be pointing to both data and management of all the members in the cluster? What is best practice?

    Really too bad LAG is not supported.

    ------------------------------
    Max Turpin
    ------------------------------



  • 5.  RE: Data and management port design questions

    EMPLOYEE
    Posted Mar 15, 2021 03:45 AM
    Best-practice is to not use the data port as you already mentioned.

    For VMs you can get interface redundancy on the hypervisor layer. With hardware appliances, you can add appliances which you probably should do anyway because in different failure scenarios you can lose the complete appliance instead of an interface or switch.

    If you need redundancy, the most flexible method is to put a network load-balancer in front of your ClearPasses, or, less advanced, use the Virtual IP on the ClearPass, and you can even point your switches/APs/controllers to the IP of your ClearPasses. Which is the best is somewhat dependent on what you think is good enough, and also on personal preference.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 6.  RE: Data and management port design questions

    Posted Mar 15, 2021 10:21 AM
    Thanks Herman. Apologies on the duplicate thread, my new account seemed to not post, but it looks like airheads has changed.

    We are not going to be using VMs for our main cluster, as the requirements are too much and appliances make no sense in terms of that. We have been using F5 load balancers for our guest clusters but had not done it for our internal clusters. I'm not sure we're going to go in that direction but are looking right now mainly at how we can supply redundancy at an appliance level via the management and data ports.

    If using both, what is the best practice for data/mgmt port in terms of how you configure your RADIUS server list on the controllers? Put both data and management IPs?

    ------------------------------
    Max Turpin
    ------------------------------



  • 7.  RE: Data and management port design questions

    EMPLOYEE
    Posted Mar 16, 2021 05:35 AM
    Let me once more repeat that using data + mgmt port is not recommended, so it is hard to answer that question as it is not best-practice.

    I would not recommend pointing the same controller to the same ClearPass on different interfaces; that does not make any sense. The fewer RADIUS servers you configure, the better. That is also why a load-balancer is a good idea, as you can create a very highly available ClearPass IP that in the back will take care of load-balancing and redundancy.

    Where both ports are used, that typically is in case of a challenging routing design which in that case results in only one of the interfaces accessible for your devices and the reachable interface is the only option. Please be aware that if you lose the interface that is reaching out to your authentication sources/authorization sources/other systems that ClearPass is dependent on, you will lose the service anyway as there is no backend service available anymore.

    Please reach out to your local Aruba SE to raise attention with the Product Management Team to support link aggregation on the hardware appliance and that seems to be a more suitable solution.

    If you really want to continue on this path, please work with Aruba TAC support to validate this approach and be sure that you are doing something that is supported.

    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: Data and management port design questions

    Posted Mar 03, 2023 05:20 AM

    Hello Herman,

    Is there any official documentation where it is noted that the use of the data port is not recommended? I am trying to find it on the web but with no success.

    Kind regards

    Alessandro



  • 9.  RE: Data and management port design questions

    EMPLOYEE
    Posted Mar 08, 2023 04:08 AM

    Not explicitly as far as I'm aware. There is a Service Routing Guide that explains how it works if you use two interfaces, but there is no claim on any security benefits, which are not there. Most people use data & management port because it sounds secure, but in practice it's two interfaces into the same system, which eliminates any security benefit as far as I can see. My personal opinion is that you should not use multiple interfaces in any application server if those interfaces are connected in different security zones, because if you have a compromise of the system in one zone, an attacker can have access to the other zone. The name data & management port suggests that there is a hard separation, which is not there.

    The use of data & management port brings in additional complexity (see service routing guide). For security my suggestion is to keep things as simple as possible, and data + management brings in additional complexity, and does double your attack surface instead of reducing it. Exceptions are always there, but it's just easier not to go that direction unless you absolutely need it and are fully aware of the additional risks.

    Using the data interface for guest traffic may save money but at the cost of reduced security. If you would do a NAT for guest traffic to a single-interface ClearPass that sits inside your network, you have the security equivalent of ClearPass with mgmt port internal and data port in the DMZ. Most organizations won't even consider NATting guest traffic to the internal network, but would isolate that in the DMZ. If you won't allow NAT to a single interface, then don't use the data interface.

    I have seen a few situations with service providers where there is a customer routing domain and one for the management by the service provider, but both interfaces were firewalled, data by customer, mgmt by the service provider. To solve routing challenges, using multiple interfaces can be a good solution. Just not with the intention of additional security (in most cases as explained).

    Note that for me it is generic security practice to not cross any device over multiple security zones, except for firewalls that are designed specifically for that and don't do anything else.

    Also, ClearPass is actively tested and kept up to date for potential security vulnerabilities, but if you don't need to take the risk, I just would avoid it.

    Hope this explanation helps in the understanding and optimizing your design. As always, exceptions do exist, just take care of your evaluation of functionality vs risk with the proper data.



    ------------------------------
    Herman Robers
    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
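As an added illustration of the zone-crossing argument in the post above (this is not code from the thread, from ClearPass, or from Aruba), the following Python script models a design as devices with interfaces mapped to security zones, reports which non-firewall devices bridge zones, and computes what an attacker who holds one zone could reach by pivoting through them. Device names and zones are constructed for the sample; the dual-port design is the thread's scenario #2 with the data port in the DMZ and mgmt internal.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    interfaces: dict[str, str]  # interface name -> security zone
    is_firewall: bool = False   # firewalls are designed to straddle zones

def zone_bridges(devices: list[Device]) -> dict[str, list[str]]:
    """Non-firewall devices whose interfaces sit in more than one zone: a
    compromise reached via one interface lands on a host attached to the other."""
    findings = {}
    for d in devices:
        zones = sorted(set(d.interfaces.values()))
        if len(zones) > 1 and not d.is_firewall:
            findings[d.name] = zones
    return findings

def reachable_zones(devices: list[Device], start: str) -> set[str]:
    """Zones an attacker who owns `start` can reach by pivoting through bridging
    devices; firewalls count as policy boundaries, not pivots."""
    reached = {start}
    changed = True
    while changed:
        changed = False
        for d in devices:
            zones = set(d.interfaces.values())
            if not d.is_firewall and zones & reached and not zones <= reached:
                reached |= zones
                changed = True
    return reached

# Constructed sample (hypothetical names): the thread's scenario #2 (data port in
# the DMZ, mgmt internal) next to a single-interface ClearPass behind the firewall.
DUAL_PORT = [
    Device("cppm-dual", {"mgmt": "internal", "data": "dmz"}),
    Device("fw-edge", {"outside": "dmz", "inside": "internal"}, is_firewall=True),
]
SINGLE_PORT = [
    Device("cppm-single", {"mgmt": "internal"}),
    Device("fw-edge", {"outside": "dmz", "inside": "internal"}, is_firewall=True),
]

if __name__ == "__main__":
    print("bridging devices:", zone_bridges(DUAL_PORT))
    print("from dmz, dual-port design:", reachable_zones(DUAL_PORT, "dmz"))
    print("from dmz, single-port design:", reachable_zones(SINGLE_PORT, "dmz"))
```

The single-port design keeps a DMZ foothold confined to the DMZ, while the dual-port design lets it reach the internal zone through the ClearPass host itself, which is the "two interfaces into the same system" point made in the post.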