Aruba Switch Configuration

AirWave lets you push configurations to HPE Aruba Networking switches using zero touch provisioning (ZTP) and configuration templates.

AirWave 8.2.0.x-8.2.2.x included support for a delta configuration push, where AirWave would compare a device configuration to an AirWave template and push CLI commands to resolve any differences. This feature has been replaced in AirWave 8.2.3 or later with snippets and variables.

Provisioning Devices with Zero Touch Provisioning (ZTP)

Zero Touch Provisioning (ZTP) for Aruba switches can be delivered through AirWave via a DHCP server.

To use ZTP, you need to:

All subsequent devices that join the network will be automatically provisioned with the golden configuration.

Some Aruba switches support commands that allow you to view current AirWave settings or manually configure that switch to associate to an AirWave server via the switch command-line interface. For details on these switch commands, including amp-server and show amp, refer to the documentation for that switch.

You must enable TLS 1.0 and TLS 1.1 if you are doing ZTP with AirWave with switch firmware 16.01 and 16.02. Go to AMP Setup > General > Additional AMP services and set the "Disable TLS 1.0 and TLS 1.1" option to "No".

Configure the DHCP Server

The DHCP discovery message must include an NTP server address (Option 42), DHCP vendor-specific information (Option 43), and DHCP vendor class identifier (Option 60).

To configure these options on your Windows-based DHCP server:

  1. Add a DHCP server role.
  2. From the Add Roles Wizard window, select Server Roles > DHCP Server, as shown in Figure 1.

    Figure 1  Add a DHCP Server Role

  3. Click Next.
  4. From the Server Manager window, select Roles > DHCP Server > the desired domain DHCP Server > IPv4 and then right-click Scope Options and select Configure Option.
  5. Select 042 NTP Servers and type the IP address of the NTP Server. For example, type 10.140.1.3 as shown in Figure 2.

    Figure 2  Configure Option 42

  6. Click Add.
  7. Right-click Scope Options again and select Configure Options.
  8. Select 043 Vendor Specific Info and type the following AirWave configuration parameters in the ASCII field:

    <Group>:<Topfolder>:<folder1>,<AMP IP>,<shared secret>

    For example, type Net1410;TFTPopt:10.32.202.111,aruba234, as shown in Figure 3.

    Figure 3  Configure Option 43

  9. Click OK.
  10. Right-click Scope Options again and select Configure Options.
  11. Select option 060 and type ArubaInstantAP in the String Value field, as shown in Figure 4.

    Figure 4  Configure Option 60

  12. Click OK.

Manually Provision the First Device with a Golden Configuration

To configure the first device with a golden configuration:

  1. Add the first device to create the initial configuration, also called the golden configuration. You can do this by using DHCP, or by running the following command on the switch: amp-server ip <ip_addr> group <group_name> folder <folder_name> secret <shared_secret>
  2. When the device status is "Up" on AirWave, go to Devices > Manage > Device Communication, enter the Telnet/SSH user name and password, then confirm the password.

    Before proceeding, verify that your configuration is in a good state.

    1. Navigate to the Devices > List page.
    2. Right-click the device in the Devices List table, then select the blue Config link to open Devices > Device Configuration page for that device.
    3. Click the blue Template link to open the Golden Config template (see Figure 5). AirWave redirects you to the Groups > Templates page.

    Figure 5  Selecting the Golden Config Template


  3. Scroll down to the Credentials section, then set the Change credentials AMP uses to contact devices after successful config push option to Yes.
  4. In the credential fields that become available, you can enter a new Telnet/SSH user name and password to change the credentials AirWave uses to contact the devices (see Figure 6).

    Figure 6  Changing the Telnet/SSH Credentials

  5. Click Save to apply the changes.
  6. Go to AMP Setup > General, then scroll down to the Automatic Authorization section and set the Automatically Authorized Switch Mode option to Manage Read/Write (see Figure 7).

    Figure 7  Enabling the Automatic Authorized Switch Mode Option

  7. Click Save to apply the changes. When switches with a factory-default configuration become active on the network, match the group, and have the shared secret key, the AirWave server automatically authorizes switch provisioning. The devices reboot and come online with their configuration in a good state.

Configuring Devices with Templates

AirWave can push a complete set of configuration changes to Aruba switches, and to Aruba/HPE Switches that are in factory-default state, using configuration templates. The configuration push occurs only when the management mode for all the devices in the group is set to Manage Read/Write.

Configuring Devices running Firmware Version 16.01-16.04

If you are doing a configuration push from AirWave to Aruba/HPE switches with firmware version less than 16.05, you must enable full template configuration. Go to Group > List, select a switch group, select Basic from the navigation menu, and set the Push full template configuration option to Factory-default only (see Figure 8). This setting allows AirWave to push a full template configuration to new factory-default devices only, while the Yes option will also push a full configuration and require a reboot for existing devices with non-factory-default settings.

Figure 8  Full Template Configuration Option

Configuring Devices running Firmware Version 16.05 or Later

If the Force Switch Reboot setting on the Group > List page is set to Yes, when a configuration requiring a reboot is pushed to a switch running firmware 16.05 or later, the configuration update is pushed using the copy command, and the switch will reboot after the config update. If the configuration change does not require a reboot, the configuration will not be pushed.

Figure 9  Force Switch Reboot Option

Alternatively, if the Force Switch Reboot setting is set to No, AirWave will not push a configuration update to an existing switch if that update requires a reboot, and the switch will appear in a mismatched state. If the configuration update does not require a reboot, the behavior of the AirWave server depends upon the version of AirWave.

  • With the Force Switch Reboot setting set to No, AirWave 8.2.11.0 and earlier releases will still push a configuration update that does not require a reboot to an existing switch.
  • With the Force Switch Reboot setting set to No, AirWave 8.2.11.1 and later releases will not push any configuration to an existing switch, regardless of whether that configuration change would require a reboot.

Note that all versions of AirWave will push a configuration to a factory-default device and allow that device to reboot, regardless of the Force Reboot Setting, which is not enforced for factory-default devices.

Auditing and Updating a Switch Configuration

You can choose to audit and update the configurations of groups of devices using either the Baseline Config option, or the Group Template option. When you select the Baseline Configuration option, the configuration template for the group is pushed to factory-default devices, and devices with non-factory-default settings are set to the baseline config. For more information on setting the Baseline Config or Group Template options, see Changing the Audit Configuration Setting. For details on creating a baseline config, see Devices > Device Configuration Page.

Table 1: Group Configuration Options

| Audit Setting | Factory-Default Devices | Devices with Non-Factory Settings |
|---|---|---|
| Group Templates | The group template assigned to the device is pushed to the device. | The group template assigned to the device is pushed to the device. |
| Baseline Config | The group template assigned to the device is pushed to the device. | If a baseline configuration has been defined, it is pushed to the device. Otherwise, the current device configuration is defined as the new baseline config. |

Creating Configuration Templates

You can quickly build a configuration template by using a template and modifying it.

To create a configuration template:

  1. Go to the Groups > List, and select a device group.
  2. From the AirWave navigation pane, select Templates.
  3. In the Templates page, click Add (see Figure 10).

    Figure 10  Adding a Template for a Group of Aruba Switches

  4. Enter a name for the template.
  5. Select the device type.
  6. Enter the firmware version.
  7. If you want to search for a device to fetch a template, enter a device name and click Search. If AirWave finds matching devices, the Fetch template from device drop-down automatically lists them.
  8. Select a device from the drop-down and click Fetch. AirWave retrieves the configuration from the template and applies the configuration to the new template.
  9. Check the Template field, confirming the order of the command lines and variables used in the template.
  10. Modify the Template field, as needed, then click Add.

Adding Dynamic Variables to Group Templates

While creating or modifying a configuration template, you can add variables defined at the device or configuration level.

Follow these steps to configure default values for dynamic variables and add them to group templates:

  1. Go to the Groups > List, and select a switch group.
  2. From the navigation bar, click Templates, then scroll down the Groups Templates Config page to the Template Variables section.
  3. Click Add, then enter the variable name and default value. The variable value can include more than one line of text. You can't use spaces, periods, or non-alphanumeric characters. If you want to create additional variables, repeat this step for each variable.
  4. Click Save.

Figure 11  Adding Dynamic Template Variables

Adding Dynamic Variables from Group Templates on the Device Manage Page

When you create a group template using dynamic variables, you can use the same dynamic variables to manage the configuration for a single device.

Follow these steps to add dynamic variables at the device-level:

  1. Go to the Device > List, and select a device.
  2. From the navigation bar, click Manage, then scroll down the Manage page for the device to the Dynamic Variables section.
  3. Click Add, then enter the variable name and default value. The variable value can include more than one line of text. You can't use spaces, periods, or non-alphanumeric characters. If you want to create additional variables, repeat this step for each variable.
  4. Click Save and Apply.

Example Device-Level Variables

In the following example, hostname, gateway, and snmpv3_engineid are variables defined at the device level for each device receiving the template.

    hostname "%hostname%"
    include-credentials
    ip default-gateway %gateway%
    snmp-server community "public" unrestricted
    snmp-server host 10.22.156.101 community "public"
    snmpv3 engineid "%snmpv3_engineid%"

Example Conditional Statement

AirWave also supports conditional statements inside a template. The following example uses use_dhcp as a variable in an if statement, which allows the ip address dhcp-bootp command to be applied only to devices where the use_dhcp parameter is set to 1.

    %if use_dhcp=1%
    ip address dhcp-bootp
    %endif%

For more information on adding variables to a configuration template, refer to the Modify or Add Template Variables section of the AirWave API Guide.
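
The substitution and %if% handling described above, as an added example that is not AirWave's own code: a small Python model of the template syntax that previews the commands each device would receive and flags variables left undefined before a push. The device names, the values, and the rule that device-level values override group defaults are assumptions.

```python
import re

# Constructed template in the %variable% / %if name=value% ... %endif% syntax
# shown on this page; it is not taken from a real deployment.
TEMPLATE = """\
hostname "%hostname%"
ip default-gateway %gateway%
%if use_dhcp=1%
ip address dhcp-bootp
%endif%
snmpv3 engineid "%snmpv3_engineid%"
"""

# Constructed values; device-level values override group defaults (assumption).
GROUP_DEFAULTS = {"gateway": "10.0.0.1", "use_dhcp": "0"}
DEVICES = {
    "sw-floor1": {"hostname": "sw-floor1", "use_dhcp": "1",
                  "snmpv3_engineid": "0000000b0000a1b2c3d4e5f6"},
    "sw-floor2": {"hostname": "sw-floor2", "gateway": "10.0.1.1",
                  "snmpv3_engineid": "0000000b0000a1b2c3d4e5f7"},
    "sw-floor3": {"hostname": "sw-floor3"},  # snmpv3_engineid left undefined
}

IF_RE = re.compile(r"^%if\s+(\w+)\s*=\s*(.*?)\s*%$")
VAR_RE = re.compile(r"%(\w+)%")

class TemplateError(ValueError):
    """Raised when a template cannot be rendered safely for a device."""

def render(template, group_defaults, device_vars):
    """Return the command lines one device would receive from the template."""
    values = {**group_defaults, **device_vars}
    lines, in_if, emitting = [], False, True
    for lineno, raw in enumerate(template.splitlines(), 1):
        line = raw.strip()
        cond = IF_RE.match(line)
        if cond:
            if in_if:
                raise TemplateError(f"line {lineno}: nested %if% not handled here")
            name, expected = cond.groups()
            in_if, emitting = True, values.get(name) == expected
        elif line == "%endif%":
            if not in_if:
                raise TemplateError(f"line {lineno}: %endif% without %if%")
            in_if, emitting = False, True
        elif line and emitting:
            missing = [v for v in VAR_RE.findall(line) if v not in values]
            if missing:
                raise TemplateError(f"line {lineno}: undefined {', '.join(missing)}")
            lines.append(VAR_RE.sub(lambda m: values[m.group(1)], line))
    if in_if:
        raise TemplateError("%if% block is never closed with %endif%")
    return lines

def preview_all(template, group_defaults, devices):
    """Render every device; map name -> command list or an error string."""
    result = {}
    for name, device_vars in devices.items():
        try:
            result[name] = render(template, group_defaults, device_vars)
        except TemplateError as exc:
            result[name] = f"ERROR: {exc}"
    return result
```

Calling preview_all(TEMPLATE, GROUP_DEFAULTS, DEVICES) returns the per-device command lists, with an error string in place of the list for any device whose variables are incomplete.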

Using Snippets

You can use snippets in your config and audit jobs, or create your own snippets in a few steps. You can also use predefined snippets to build config jobs even quicker. These snippets appear in the Snippets tab, as shown in Figure 12.

Localization is not available for the Snippets tab. Buttons, menus, and tabs display in English.

AirWave pushes the snippet to a device in monitor-only mode without the need to change the management mode of the device.

Configuration jobs run on batches of devices in parallel rather than sequentially, depending on the value entered in AMP Setup > General > Performance > Minimum number of devices to parallelize config snippet jobs.

Figure 12  Snippets Tab

Create Snippets

In the Add Snippets page, you can choose from "Config" or "Audit and Remediate" snippet types. You can also use show running config commands on your switch CLI and copy the command syntax to the snippet.

  1. Navigate to Groups > Config & Audit Jobs, then click the Snippets tab.
  2. In the Add Snippets page, click at the top right.
  3. By default, AirWave selects Config. If you want to create a snippet for an audit job, select Audit and Remediate.
  4. Enter the snippet name.
  5. For snippets used in audit and remediate jobs, you can add a severity level against a device by moving the slider left or right.
  6. Add a meaningful description about the snippet, if you want.
  7. Select the device type for the snippet.
  8. Enter one command per line, building your snippet in the order you would configure the device.
  9. Click Add.

Figure 13 shows an example of a snippet used to audit a VLAN configuration with a severity level set to minor.

Figure 13  Adding an Audit and Remediate Snippet

Edit and Delete Snippets

You can edit a predefined snippet (or any snippet), adding the values that you need. Later, while creating a config job, you can use a predefined config snippet like a user-defined config snippet.

Follow these steps to edit or delete a snippet:

  1. Go to Groups > Config & Audit Jobs, then click the Snippets tab.
  2. Locate a snippet, then click to edit the snippet. Or, click to delete the snippet. Proceed to the next step to edit the snippet.
  3. In the Snippet window, enter the correct syntax in the Config Commands field.

    For example, replace <ipaddress> with the IP address of the syslog server you want to add, as shown in Figure 14.

    Figure 14  Editing the Add Syslog Server Snippet

  4. Click Update.

Device Configuration and Auditing Jobs

From the Groups > Config & Audit Job page, you can push a configuration to a device or group of devices using a template, audit the configuration, and remediate the configuration for non compliant devices.

From AirWave 8.2.15.1, the Groups > Config & Audit Jobs page displays the Long Supported Release (LSR) and the Short Supported Release (SSR) tag along with the firmware version running on the HPE Aruba Networking controller.

Figure 15 shows what you can do from the Config & Audit Job page.

Figure 15  Config & Audit Jobs Page

Config jobs are not recommended for groups that contain factory-default devices.

The Jobs table displays information about config, audit, and remediation jobs for the selected group of HPE Aruba Networking switches.

Table 2: Jobs Table Information

| Column | Description |
|---|---|
| Name | Name of the job. |
| Device Type | Type of device. |
| Status | The job can be in several states. Scheduled: The config or audit job will run in the future. Running: The config or audit job is in progress. Success: The config job completed successfully on all devices. Failed: The job failed to run on one or more devices. Compliant: The audit or remediate job completed and all devices are compliant. Non Compliant: The audit or remediate job completed and the configuration on one or more devices is non compliant. Hover your mouse over the Status column to view detailed status and device counts. |
| Creation Time | Timestamp showing the date and time of the job creation. |
| Start Time | Timestamp that shows when the job started. |
| End Time | Time of job completion for all devices. |
| Action | Click to delete the job. |

Create a Config Job

You can create a config job with the options of scheduling the job or saving the configuration as a baseline.

To create, run, or schedule a config job:

  1. Navigate to Groups > Config & Audit Jobs, then click to add a config job.
  2. In the Job window, enter a name for the config job. If you want, enter a description.
  3. Select the type of device: HPE Aruba Networking controllers, Aruba switches, Comware switches, or Cisco Gateway. Support for the config job feature is provided explicitly for the ISR4331/k9 model.
  4. If you want to set this config job as the baseline, check the "Running Config as Baseline Configuration" option.
  5. Select one or more config snippets from the drop-down. Or, enter the config commands manually, one per line.

    Figure 16 shows a config job to push a CLI command using a snippet to the Aruba switch.

    Figure 16  Adding a Config Job Called job1

  6. Click Next.
  7. In the Select Device tab, select the devices and click Next.

    Figure 17 shows that down devices are excluded.

    Figure 17  Selecting Devices for the Config Job

  8. Click Next.
  9. In the Schedule tab, click Next to run the job now. Or, deselect Run Now and click the Schedule Date field to select a date using the calendar tool.

    Figure 18  Scheduling the Config Job

  10. Click Next.
  11. In the Confirm tab, review the config job.

    Figure 19  Reviewing the Config Job Settings

  12. Click Confirm.

View Config Job Details

When you select a job from the Jobs page, details for the specific job display at the bottom of the page. You can see from the colored status in Figure 20 how many config jobs completed successfully or failed on the devices.

Figure 20  Job Details

View Diff Logs and Config Logs for the Config Job

You can view status for each device that received the config push. Information on the Devices tab includes: device name, status, IP address, job start and end time, and type of device.

Actions you can take:

  • Click to view side-by-side windows that highlight the differences between previous and current configurations.
  • Click to view the switch config log.

Revert or Delete a Job

To revert jobs that failed or delete jobs that you don't want to keep:

  1. From the Jobs page, select the config job.
  2. Click Revert in the Action column if you want to reset the device to its previous configuration. Or, click and remove the job.

Create an Audit Job

To run an audit job using a snippet:

  1. Navigate to Groups > Config & Audit Jobs, then click to add a config job.
  2. In the Add Job window, enter a name for the audit job.
  3. If you want, enter a description.
  4. Select the type of device: HPE Aruba Networking controllers, Aruba switches, Comware switches, or Cisco Gateway. Support for the audit job feature is provided explicitly for the ISR4331/k9 model.
  5. Select one or more audit snippets from the drop-down.

    Figure 21  Adding an Audit Job

  6. Click Next.
  7. In the Select Device tab, select the devices and click Next. Figure 17 shows 2 devices selected for the audit job.

    Figure 22  Selecting Devices for the Audit Job

  8. Click Next.
  9. In the Schedule tab, click Next to run the job now. Or, deselect Run Now and click the Schedule Date field to select a date using the calendar tool.

    Figure 23  Scheduling the Audit Job

  10. Click Next.
  11. In the Confirm tab, review the audit job. Click the blue Show selected devices link to view device details.

    Figure 24  Reviewing the Audit Job Settings

  12. Click Confirm to create the audit job.

View Audit Job Details

You can view audit job details, including status and device count, by mousing over the job status in the Jobs table. Jobs progress from scheduled to running, and results are compliant, non compliant, or failed.

When you select an audit job from the Jobs table, non compliant device counts and audit snippets that have failed on the devices are also shown in the Job Details section at the bottom of the page. The example in Figure 25 shows that all the audited device configurations were compliant.

Figure 25  Viewing Audit Job Details

Remediate Non Compliant Devices

AirWave reports non compliant device counts in the Snippets table at the bottom of the page.

To remediate non compliant devices:

  1. Locate the non compliant job in the Jobs table, then click to open the Remediate Job window.
  2. In the Remediate Job window, choose Run Now or Schedule.
  3. Click Remediate. AirWave returns you to the Job page, where you can see the job type has changed to "Remediate" and the job status progresses from scheduled to running.
  4. After the remediation job completes, the job status changes to "Compliant" in the Job table.
  5. In the Job Details at the bottom of the page, click the Devices tab, then click to view side-by-side windows that highlight the configuration change, or click to view the configuration in the telnet log.