28-Aug-25

Wired Access Configuration

The access layer provides wired and wireless devices with Layer 2 connectivity to the network.

It also plays an important role in protecting users, application resources, and the network itself from human error and malicious attacks. This protection includes controlling the devices allowed on the network, ensuring that connected devices cannot provide unauthorized services to end users, and preventing unauthorized devices from taking over the role of other devices on the network.


Configure the Access Switch Groups

The following procedures describe the configuration of individual and stacked access layer switches using a UI Group. The base configuration of the switches was described previously in the Switch Group Configuration section of this guide.

The following procedure completes the switch configuration using a Central UI Group. The figure below shows the access switches in the Campus.

Wired Access

Configure a Standalone Switch

Connect a standalone switch to a network segment where it can receive a DHCP lease, which includes DNS servers and a valid route toward the Internet. CX 6000 series switches are factory-configured to request DHCP on any front panel interface and on the dedicated management port. After a new switch can reach Central, it automatically associates to the correct organization based on information from the time of purchase.

Configure a Switch Stack

Follow this procedure to configure a group of switches for VSF stacking. Begin by cabling the stacking ports in a ring or daisy chain topology. The recommended stack ports for a 24-port model are 25 and 26, or ports 49 and 50 on 48-port models. To perform auto-stacking using Central, connect one switch in the stack to a network with DHCP service providing Internet reachability. This switch serves as the stack conductor after the stack is formed.

Note: VSF stacking is supported on CX 6300 and 6200 model switches only.
A switch must be added to a group before VSF configuration can continue.

Caution: Make sure the switches are in factory default state before auto stacking.

Step 1 Log in to HPE GreenLake and navigate to Central.

Step 2 In the filter dropdown, select Global, if it is not already selected. On the left menu, select Organization.

Step 3 Expand the Unprovisioned devices group, highlight the switch directly connected to the network, then click the Move Devices button at the lower right in the window.

Step 4 In the Destination group dropdown, select the correct access switching Group for the stack, then click Move.

Step 5 In the filter dropdown, select the access switch Group name. On the left menu, select Devices.

Step 6 Select the new switch, using the serial number if multiple new switches are being added. On the left menu, select Device.

Step 7 On the Switch page in the System tile, select Properties.

Step 8 On the Edit Properties page, enter a Name for the new switch, leave the group inherited properties unchanged, then click SAVE.

Step 9 Use the green left arrow on the filter menu to return to the Switches page.

Step 10 On the upper right of the Switches page, select Config.

Step 11 On the Switches page in the System tile, select Stacking.

Step 12 Create a new VSF stack by clicking the + (plus sign) at the upper right of the table.

Step 13 In the Create VSF Stack window, assign the following settings, then click SAVE.

  • Switch Series: 6300
  • Conductor: RSVCP-AG3-AC2
  • Link 1 Port(s): 25
  • Link 2 Port(s): 26
  • Split Mode detect: Unchecked

Step 14 A VSF stack named with the serial number of the switch selected above is now listed in VSF Stacking with a single conductor.

Step 15 Wait approximately five minutes for the stack to self-configure, then refresh the VSF Stacking page and confirm that all stack members are present.

Step 16 At the right side of a member row, click the Edit icon, check the box for Standby conductor, then click Save.

Step 17 Repeat this procedure for each VSF stack.

Enable MultiEdit for the Group

The following steps provide configuration text that can be pasted into the MultiEdit window. After pasting the configuration, right-click any device-specific values. A Modify Parameters window appears on the right, allowing input of individual device values.

Step 1 In the upper left of the Switches page, move the slider right to enable MultiEdit.

Step 2 Select all access switches for editing. In the lower right window, click EDIT CONFIG.

Configure the Access VLANs

Access switches are configured with the same VLANs created on the aggregation switches in addition to an in-band management interface.

Both DHCP snooping and ARP inspection must be enabled to inspect traffic, prevent common attacks, and facilitate DHCP services across subnets. IGMP snooping is enabled and is required for Dynamic Multicast Optimization (DMO).

Note: DHCP snooping must be enabled both globally and under each VLAN. ARP inspection is enabled only under the VLAN, but it does not take effect unless DHCP snooping also is enabled.

Example: Access VLANs

VLAN Name         VLAN ID
NET_MGMT          15
AP_MGMT           11
EMPLOYEE_WIRED    20
EMPLOYEE_WLAN     25
IOT               30
GUEST             40
REJECT_AUTH       50
CRITICAL_AUTH     51

Enable DHCP snooping and create VLANs at the Group level.

Step 1 Enable DHCP snooping globally.

dhcpv4-snooping

Step 2 Enable DHCP snooping, ARP inspection, and IGMP snooping on each VLAN.

vlan 11
    name AP_MGMT
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 15
    name NET_MGMT
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 20
    name EMPLOYEE_WIRED
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 25
    name EMPLOYEE_WLAN
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 30
    name IOT
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 40
    name GUEST
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 50
    name REJECT_AUTH
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 51
    name CRITICAL_AUTH
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable

Caution: The access switch VLANs must match the aggregation switch VLANs for proper network operations.

Step 3 Create a VLAN SVI for each VLAN. Assign a description and an IP address for use in troubleshooting.

interface vlan 11
    description AP_MGMT
    ip address 10.1.11.5/24
interface vlan 15
    description NET_MGMT
    ip address 10.1.15.5/24
interface vlan 20
    description EMPLOYEE_WIRED
    ip address 10.1.20.5/24
interface vlan 25
    description EMPLOYEE_WLAN
    ip address 10.1.25.5/24
interface vlan 30
    description IOT
    ip address 10.1.30.5/24
interface vlan 40
    description GUEST
    ip address 10.1.40.5/24
interface vlan 50
    description REJECT_AUTH
    ip address 10.1.50.5/24
interface vlan 51
    description CRITICAL_AUTH
    ip address 10.1.51.5/24

Step 5 Assign unique SVI IP addresses to access switches. The IP addresses above are used on RSVCP-AG1-AC1. Right-click the ip address value for each VLAN SVI. In the Modify Parameters popup window, assign an appropriate IP address for each access switch, then click SAVE CHANGES.

Step 6 Configure a static default route in the management VLAN with the VLAN 15 active-gateway IP address as the next hop.

ip route 0.0.0.0/0 10.1.15.1 

Note: The access switch must have a default route in the management VLAN to enable connectivity to network services such as Central, TACACS, RADIUS, and NTP servers.

Step 7 The ip route next-hop value above is used for access switches connected to the AG1 VSX pair. Right-click the ip route next-hop value. In the Modify Parameters popup window, assign an appropriate next-hop address for each access switch, then click SAVE CHANGES.

Configure Global Loop Protection

Redundant infrastructure links are loop free when configured correctly. VSF uplink LAGs with ports on different switches operate as a single logical link, and are connected to VSX LAGs on aggregation switches, which also operate as a single logical link.

Network loops are catastrophic to network operations, so additional protection mechanisms are implemented to ensure the network operates without interruption.

Spanning-tree is enabled as an additional loop protection mechanism in case of configuration errors and to protect against loops created on access ports. Supplemental features such as admin-edge, root guard, BPDU guard, and TCN guard are enabled on appropriate interfaces to ensure that spanning tree runs effectively.

HPE Aruba Networking’s loop-protect mechanism supplements spanning-tree loop protection on access ports when loops are created by user-attached switches that do not originate or block BPDUs.

Step 1 When required, configure spanning tree globally. Multiple Spanning Tree Protocol (MSTP) is the default spanning-tree protocol.

spanning-tree

Note: Spanning tree is enabled by default on 6xxx family CX switches.

Step 2 Configure the global loop-protect re-enable timer.

loop-protect re-enable-timer 3600

Note: By default, the loop-protect re-enable timer is 0. When set to 0, ports disabled by the loop-protect function must be manually re-enabled. Setting the timer to a non-zero value automatically re-enables loop-protect disabled ports after the specified timer duration expires.

Configure Local User Roles

This procedure configures local user roles for the access switch.

Port access roles apply parameters to switch ports, based on user identity. Typical roles include employee, guest, and IoT.

The critical role is applied to devices when the RADIUS server is unreachable during the authentication process or during reauthentication. This role helps ensure that devices have limited access to the network even though authentication is incomplete. When the RADIUS server is available for authentication, the devices are fully authenticated and the intended role is applied.

The reject role is applied when a device fails RADIUS authentication. The reject role gives restricted access to the attached device.

port-access role EMPLOYEE_WIRED
    reauth-period 14400
    auth-mode client-mode 
    vlan access 20
port-access role IOT
    reauth-period 14400
    auth-mode client-mode 
    vlan access 30
port-access role GUEST
    reauth-period 14400
    auth-mode client-mode 
    vlan access 40
port-access role REJECT_AUTH
    reauth-period 600
    auth-mode client-mode
    vlan access 50
port-access role CRITICAL_AUTH
    reauth-period 600
    auth-mode client-mode
    vlan access 51

Configure Device Profiles

Create a device profile that detects HPE Aruba Networking APs dynamically, places them into the AP_MGMT VLAN, and allows locally bridged VLANs.

Note: This procedure is unnecessary if ClearPass is used to authenticate APs.

Step 1 Configure the ARUBA_AP role. Create the role, set the authentication mode, set the native VLAN, and define the allowed VLANs.

port-access role ARUBA_AP
    auth-mode device-mode
    vlan trunk native 11
    vlan trunk allowed 11,20,25,30,40,50-51

Note: When RADIUS returns the ARUBA_AP role during device authentication, the switch assigns the native and tagged VLANs defined for that role. This native VLAN is used for AP management, and tagged VLANs support SSIDs using bridge mode.

Step 2 Configure the LLDP group. Create the group and identify the AP OUIs.

port-access lldp-group AP_LLDP_GROUP
    seq 10 match vendor-oui 000b86
    seq 20 match vendor-oui D8C7C8
    seq 30 match vendor-oui 6CF37F
    seq 40 match vendor-oui 186472
    seq 50 match sys-desc ArubaOS

Note: The LLDP group defines MAC address (vendor OUI) criteria to identify APs and adds a system-description match at the end as a catch-all for future AP models.
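The following Python is an added example, not part of the HPE Aruba guide, that evaluates the AP_LLDP_GROUP rules above against constructed LLDP neighbor records, to show how a device profile decides which neighbors receive the ARUBA_AP role. The matching semantics are assumptions made for the example: rules are evaluated in seq order with the first hit winning, the vendor OUI is compared case-insensitively against the first three octets of the neighbor's chassis MAC, and sys-desc is treated as a substring match. The neighbor data is constructed, not captured from a switch.

```python
# Added example (not from the HPE Aruba guide): evaluate the page's
# AP_LLDP_GROUP rules against constructed LLDP neighbour data.
# Assumed semantics: first matching seq wins, vendor-oui compares the first
# 24 bits of the chassis MAC case-insensitively, sys-desc is a substring match.
import re

# The rules exactly as configured on the page, as (seq, type, value).
AP_LLDP_GROUP = [
    (10, "vendor-oui", "000b86"),
    (20, "vendor-oui", "D8C7C8"),
    (30, "vendor-oui", "6CF37F"),
    (40, "vendor-oui", "186472"),
    (50, "sys-desc", "ArubaOS"),
]


def normalize_oui(mac_or_oui):
    """Return the first 24 bits of a MAC or OUI as six lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac_or_oui)
    if len(digits) < 6:
        raise ValueError(f"not a MAC or OUI: {mac_or_oui!r}")
    return digits[:6].lower()


def match_lldp_group(rules, chassis_mac, sys_desc):
    """Return the seq of the first rule the neighbour matches, or None."""
    oui = normalize_oui(chassis_mac)
    for seq, kind, value in sorted(rules, key=lambda r: r[0]):
        if kind == "vendor-oui" and normalize_oui(value) == oui:
            return seq
        if kind == "sys-desc" and value in sys_desc:
            return seq
    return None


# Constructed neighbour records (hypothetical ports, MACs and descriptions).
NEIGHBOURS = [
    {"port": "1/1/3", "chassis": "00:0b:86:aa:bb:cc", "sys_desc": "ArubaOS (MODEL: 655)"},
    {"port": "1/1/4", "chassis": "d8:c7:c8:01:02:03", "sys_desc": ""},
    {"port": "1/1/5", "chassis": "02:00:5e:10:20:30", "sys_desc": "ArubaOS (MODEL: 500)"},
    {"port": "1/1/6", "chassis": "00:11:22:33:44:55", "sys_desc": "Some Printer v2"},
]


def classify(neighbours, rules=AP_LLDP_GROUP):
    """Map port -> matched seq; None means the port stays on normal port-access."""
    return {n["port"]: match_lldp_group(rules, n["chassis"], n["sys_desc"])
            for n in neighbours}


if __name__ == "__main__":
    for port, seq in classify(NEIGHBOURS).items():
        verdict = f"ARUBA_AP via seq {seq}" if seq else "no match, normal port-access"
        print(f"{port}: {verdict}")
```

Port 1/1/5 shows why the sys-desc rule exists: its OUI is not in the list, but the ArubaOS description still classifies it. Because a device profile acts on what the neighbor advertises over LLDP rather than on a credential, the page's note applies: where ClearPass is available, authenticate APs through RADIUS instead of relying on the profile.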

Step 3 Configure the device profile. Create the profile, enable it, then associate it with the role and LLDP group created previously.

port-access device-profile ARUBA_AP
    enable
    associate role ARUBA_AP
    associate lldp-group AP_LLDP_GROUP

Configure Global RADIUS Values

Use this procedure to configure the RADIUS servers that authenticate devices attempting to connect to the network.

The two most common user authentication methods are 802.1X and MAC address authentication. This design supports both, as well as dynamic authorization, which allows the AAA server to change a device's authorization level after it has been authenticated.

RADIUS tracking is enabled to verify the status of the client and server. The configuration also employs user roles for rejected clients and RADIUS failures.

Step 1 Configure the RADIUS servers. Enable RADIUS dynamic authorization and track client IP addresses.

radius-server host 10.2.120.192 timeout 5 key plaintext <Password> retries 3
radius-server host 10.2.120.193 timeout 5 key plaintext <Password> retries 3

radius dyn-authorization client 10.2.120.194 secret-key plaintext <Password>
radius dyn-authorization client 10.2.120.195 secret-key plaintext <Password>
radius dyn-authorization enable

aaa group server radius clearpass_radius_group
    server 10.2.120.192
    server 10.2.120.193

aaa accounting port-access start-stop interim 60 group clearpass_radius_group
client track ip
client track ip all-vlans

Step 2 Configure AAA for 802.1X and MAC authentication.

aaa authentication port-access dot1x authenticator
    radius server-group clearpass_radius_group
    enable
aaa authentication port-access mac-auth
    radius server-group clearpass_radius_group
    enable

Step 3 At the bottom right of the MultiEdit window, click Save.

This completes the configuration common to all access switches.

Configure link aggregation groups (LAGs) on redundant links to the aggregation switches for fault tolerance and increased capacity by load balancing across LAG link members. By default, the uplinks use source and destination IP address, protocol port number, and device MAC addresses to load-balance traffic between LAG member links.

Step 1 Connect a second link to the standalone switch or VSF stack.

Step 2 In the MultiEdit window, select a set of access switches using consistent uplink interfaces for editing. In the lower right window, click EDIT CONFIG.

Note: If all access switches are the same model or have the same physical port layout, all access switches may be selected.

Step 3 Create an uplink LAG on access switches using ports on two different switches in the VSF stack.

interface lag 1
    no shutdown
    description Uplink LAG
    no routing
    vlan trunk native 15 
    vlan trunk allowed all
    lacp mode active
    arp inspection trust
    dhcpv4-snooping trust
interface 1/1/28
    no shutdown
    mtu 9198
    lag 1
interface 2/1/28
    no shutdown
    mtu 9198
    lag 1

Caution: DHCP snooping and ARP inspection must be set to trust on the LAG interface to allow clients to receive DHCP addresses from the centralized DHCP servers on the network.

Note: The uplink LAG interfaces are configured on different members of the VSF stack to provide chassis diversity.

Step 4 At the bottom right of the MultiEdit window, click Save.

Step 5 Repeat this procedure for each set of access switches using a different pair of uplink ports.

Configure Access Ports

Use the Port Profiles feature of Central to apply the same port-level configuration to multiple switches, or switch stacks, at the same time. Create a different profile for each consistent physical port layout. If all access switches are the same model, a single profile can be applied to all access switches.

Step 1 In the upper left of the Switches page, move the slider left to disable MultiEdit.

Step 2 Select Port Profiles in the Interfaces tile.

Step 3 To clone the Sample Access Port profile, click the Clone icon visible when the row is highlighted.

Step 4 Name the new port profile and click the Clone button.

Note: A different port profile is used for each unique port range.

Step 5 To edit the new profile, highlight the new row and click the Edit (pencil) icon.

Step 6 In the Edit Profile window, enter the following configuration, then click Save.

  • Name: Access Ports - 2 SW, 24 port
  • Description: Port profile for 2 switch VSF stack with 24 access ports
  • CLI:
interface 1/1/1-1/1/24,2/1/1-2/1/24
    no shutdown
    no routing
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree tcn-guard
    spanning-tree port-type admin-edge
    loop-protect
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 5
    aaa authentication port-access auth-precedence dot1x mac-auth
    aaa authentication port-access critical-role CRITICAL_AUTH
    aaa authentication port-access reject-role REJECT_AUTH
    aaa authentication port-access dot1x authenticator
        eapol-timeout 2
        max-eapol-requests 1
        max-retries 1
        reauth-period 14400
        enable
    aaa authentication port-access mac-auth
        reauth
        reauth-period 14400
        enable

Caution: Ensure that indent levels copy accurately into the Port Profiles editor.

Step 7 To apply the profile, highlight the profile row and click the Apply icon.

Step 8 On the Apply screen, select the switches for access port configuration, and click Save.

Caution: When a port profile configuration is applied, it replaces all configuration for the specified interfaces. Any previous configuration is removed.

Note: Changes to port configuration from a port profile are only set when manually applying the profile. Future modifications to the port profile do not automatically update switch configuration. A network administrator must apply the profile to a switch or switch stack after changes have been made for the updates to take effect.

Step 9 Repeat this procedure for each set of access switches with a different physical access port layout.
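The following Python is an added example, not part of the HPE Aruba guide, that lints an AOS-CX configuration excerpt of the kind built up on this page against the invariants the page states: DHCP snooping enabled globally and on every VLAN together with ARP inspection and IGMP snooping (Configure the Access VLANs), the access VLAN set matching the aggregation VLANs (the Caution in that section), uplink LAGs trusted for DHCP snooping and ARP inspection (the Caution after the uplink LAG step), and access ports carrying the guard, loop-protect and critical/reject role settings from the port profile above. The parser assumes the four-space indentation shown on the page; SAMPLE_CONFIG is constructed and contains deliberate gaps so the checks have something to report.

```python
# Added example (not from the HPE Aruba guide): lint AOS-CX config text for
# the invariants the page states. Assumes the page's 4-space indentation.
# SAMPLE_CONFIG is constructed and intentionally incomplete.

# VLAN IDs created on the aggregation switches, from the page's VLAN table.
AGGREGATION_VLANS = {11, 15, 20, 25, 30, 40, 50, 51}

VLAN_REQUIRED = ["dhcpv4-snooping", "arp inspection", "ip igmp snooping enable"]
LAG_REQUIRED = ["arp inspection trust", "dhcpv4-snooping trust"]
ACCESS_REQUIRED = [
    "spanning-tree bpdu-guard",
    "spanning-tree root-guard",
    "spanning-tree tcn-guard",
    "spanning-tree port-type admin-edge",
    "loop-protect",
    "aaa authentication port-access critical-role",
    "aaa authentication port-access reject-role",
]


def parse_config(text):
    """Map each column-0 line (a context header or a global command) to the
    stripped lines indented beneath it; nested sub-blocks are flattened."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def has(lines, command):
    """True if some line is exactly `command` or starts with it as a keyword."""
    return any(line == command or line.startswith(command + " ") for line in lines)


def lint(text, aggregation_vlans=AGGREGATION_VLANS):
    """Return human-readable findings; an empty list means the excerpt is clean."""
    blocks = parse_config(text)
    findings = []
    if "dhcpv4-snooping" not in blocks:
        findings.append("global: dhcpv4-snooping is not enabled")
    seen_vlans = set()
    for header, lines in blocks.items():
        words = header.split()
        if len(words) == 2 and words[0] == "vlan" and words[1].isdigit():
            seen_vlans.add(int(words[1]))
            for req in VLAN_REQUIRED:
                if not has(lines, req):
                    findings.append(f"{header}: missing '{req}'")
        elif header.startswith("interface lag "):
            for req in LAG_REQUIRED:
                if not has(lines, req):
                    findings.append(f"{header}: uplink not trusted, missing '{req}'")
        elif header.startswith("interface ") and has(lines, "vlan access"):
            for req in ACCESS_REQUIRED:
                if not has(lines, req):
                    findings.append(f"{header}: missing '{req}'")
    missing = aggregation_vlans - seen_vlans
    if missing:
        findings.append(f"vlans: not created on access switch: {sorted(missing)}")
    extra = seen_vlans - aggregation_vlans
    if extra:
        findings.append(f"vlans: not present on aggregation: {sorted(extra)}")
    return findings


# Constructed excerpt: VLAN 40 lacks ARP inspection, the uplink LAG is not
# trusted for DHCP snooping, the access ports lack TCN guard, and only two
# of the eight aggregation VLANs exist.
SAMPLE_CONFIG = """\
dhcpv4-snooping
vlan 15
    name NET_MGMT
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 40
    name GUEST
    dhcpv4-snooping
    ip igmp snooping enable
interface lag 1
    vlan trunk native 15
    vlan trunk allowed all
    lacp mode active
    arp inspection trust
interface 1/1/1-1/1/24
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree port-type admin-edge
    loop-protect
    aaa authentication port-access critical-role CRITICAL_AUTH
    aaa authentication port-access reject-role REJECT_AUTH
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against the text pasted into the MultiEdit or Port Profiles editor before clicking Save; a VLAN that is missing arp inspection, or a LAG that is missing the trust lines, silently breaks DHCP for the clients behind it, which is the failure mode the two Cautions describe.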

Verify LAG Operation

Open a Remote Console window, type the command show lag 1, then press ENTER. The output shown below indicates a healthy, two-port LAG.

Verify Spanning Tree

Open a Remote Console window, type the command show spanning-tree summary root, and press ENTER. The output shown below indicates a healthy MSTP configuration state.

Verify RADIUS

Open a Remote Console window, type the command show radius-server, then press ENTER. The output shown below indicates a healthy RADIUS server configuration.

Configure User Based Tunneling

User-Based Tunneling (UBT) enables selective traffic tunneling to an AOS-10 gateway cluster for centralized policy enforcement. Design considerations for UBT are detailed in the UBT Design Chapter. Many campus environments deploy UBT to selectively tunnel certain clients to the gateway for application of centralized policy. This procedure illustrates tunneling wired IOT devices with the role of IOT-LIMITED to the gateway using reserved VLAN mode. Additional roles can be tunneled following this procedure.

Step 1 On the left menu, select Devices and move the slider right to enable MultiEdit.

Step 2 Select all access switches for editing. In the lower right window, click EDIT CONFIG.

Step 3 Create the UBT client VLAN and UBT zone. The UBT client VLAN serves as a local placeholder for clients on the edge switch. The UBT zone provides detail on the gateway cluster and enables UBT. The primary-controller is the system IP of a gateway cluster member. The switch reaches out to the primary-controller, which provides details to the switch for establishing tunnels to necessary gateways.

vlan 4000
    name UBT_CLIENT

ubt-client-vlan 4000

ubt zone OWL vrf default
    primary-controller ip 10.6.15.11
    enable

Note: Do not use the backup-controller command unless a separate cluster is designated for backup. The primary-controller establishes connectivity between the switch and all gateways within the cluster.

Step 4 Set the source IP address for all services to the management VLAN IP address.

ip source-interface all interface vlan15

Step 5 Define the required local user roles along with their associated parameters. For tunneled VLANs, specify the gateway zone and corresponding gateway role. Matching role names between the switch and the gateway is recommended for consistency. The following example illustrates the IOT role. Add additional roles as needed.

port-access role IOT
    auth-mode client-mode
    gateway-zone zone OWL gateway-role IOT-LIMITED

Step 6 At the bottom right of the MultiEdit window, click Save.

Modify Gateway Configuration

When user traffic is tunneled from a UBT-enabled switch to a gateway, the gateway assigns a user role that defines policy enforcement. Each role must be mapped to a VLAN to ensure that clients are placed in the appropriate network segment.

Multiple roles can be mapped to a single VLAN. In this model, the VLAN provides macro-level segmentation, while gateway policies deliver micro-level segmentation based on the assigned role. This design supports centralized, role-based policy enforcement while maintaining IP subnet-based filtering capabilities at other points in the network.

This procedure extends the existing tunneled WLAN configuration defined in the WLAN deployment guide. The WLAN does not use roles. A new role, IOT-LIMITED, is created on the gateway. A corresponding policy is applied, and the role is mapped to the same VLAN used by the WLAN profile. Alternatively, a dedicated VLAN can be configured for wired UBT traffic to maintain separation from the wireless WLAN segment, if required by the design.

Step 1 In Central, navigate to the group containing the UBT-enabled gateways (in this example, RSVCP-WIRELESS), then click Devices.

Step 2 Select the Gateways tab, then click Config. Ensure that advanced mode is selected.

Step 3 Under Security, select Roles.

Step 4 Click the + icon, enter IOT-LIMITED as the role name, then click Save.

Step 5 Create and assign policies to the IOT-LIMITED role. Refer to the section on Configuring Network Policy with User Roles.

Step 6 Map VLAN 103 to the IOT-LIMITED role. Refer to the section on Associating VLANs to User Roles.

Step 7 Repeat these steps for each additional role as needed.

Verify UBT

Step 1 In Central, navigate to the access switch group (in this example, CP-RSVACC), then click Tools.

Step 2 Open a Remote Console window, type the command show ubt state, then press ENTER. The output shown below indicates a healthy UBT configuration state.

Configure Prerequisites for Switch Telemetry

This procedure configures the switch telemetry features required for access to the full capabilities of HPE Aruba Networking Central. For the list of supported hardware platforms and minimum firmware requirements, refer to the Pre-requisites for New Central page. In this procedure, Client IP Tracker and Client Events are enabled using Central, and a device fingerprint profile is created using MultiEdit. Refer to the Port Profile Configuration section to associate the device-fingerprint profile with an interface.

Step 1 On the left menu, select Devices and click the Config (or AOS-CX) configuration icon in the upper right.

Step 2 Move the slider left to disable MultiEdit.

Step 3 Select Client IP Tracker.

Step 4 Enable the Client IP address tracking toggle. Click Save.

Step 5 To enable client events, select the Client Events section.

Step 6 Enable the Authentication and DHCP Events toggle. Click Save.

Step 7 Enable MultiEdit and select the list of switches to configure.

Step 8 Enter the following configuration to create a client device-fingerprint profile and assign associated protocols, then click Save.

client device-fingerprint profile SW_CLIENT_PROFILE
    dhcp option-num 12,55,60
    dhcp options-list
    http user-agent

Configure Prerequisites for DNS Latency Telemetry and Application Visibility

This procedure configures DNS latency telemetry and Application Visibility on an access switch.

Step 1 Disable ip source-lockdown resource-extended using the following configuration.

no ip source-lockdown resource-extended

Step 2 Enable Application Visibility globally using the following configuration.

app-recognition
    enable

Step 3 Enable flow-tracking globally using the following configuration.

flow-tracking
    enable

Step 4 Create a traffic insight instance and assign a monitor for DNS Latency Telemetry and a monitor for application flow using the following configuration.

traffic-insight TI-01
    enable
    source ipfix
    monitor dns-monitor type dns-average-latency
    monitor application-mon type application-flows

Step 5 Create a flow exporter using the following configuration.

flow exporter central_flow_export
    description Export flows to traffic insight profile
    destination type traffic-insight
    destination traffic-insight TI-01

Step 6 Create a flow record using the following configuration.

flow record central_flow_record
    description Record used for ipv4 traffic analysis
    match ipv4 protocol
    match ipv4 version
    match ipv4 destination address
    match ipv4 source address
    match transport destination port
    match transport source port
    collect application name
    collect application https url
    collect application dns response-code
    collect application tls-attributes
    collect counter bytes
    collect counter packets
    collect timestamp absolute first
    collect timestamp absolute last

Step 7 Create a flow monitor using the following configuration.

flow monitor central_flow_monitor
    description Monitor for analyzing ipv4 traffic
    exporter central_flow_export
    record central_flow_record

Step 8 Configure IPFIX on uplink LAG interfaces to export application details to Central. For downlink ports, refer to the next section to configure IPFIX in a port profile.

interface lag 1
    no shutdown
    description Uplink LAG
    no routing
    vlan trunk native 15
    vlan trunk allowed all
    lacp mode active
    arp inspection trust
    dhcpv4-snooping trust
    ip flow monitor central_flow_monitor in

Step 9 At the bottom right of the MultiEdit window, click Save.

Update Access Port Profile

Step 1 Move the slider left to disable MultiEdit.

Step 2 Select Port Profiles on the Interfaces tile.

Step 3 Click the Edit icon of the previously configured port profile.

Step 4 In the Edit Profile window, add the last three configuration lines below to the existing access port configuration, then click Save.

interface 1/1/1-1/1/24
    description ACCESS_PORT 
    no shutdown
    no routing
    vlan access 1 
    spanning-tree bpdu-guard
    spanning-tree port-type admin-edge 
    spanning-tree root-guard 
    spanning-tree tcn-guard
    loop-protect
    loop-protect action tx-disable
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 5
    aaa authentication port-access auth-precedence dot1x mac-auth
    aaa authentication port-access critical-role CRITICAL_AUTH
    aaa authentication port-access reject-role REJECT_AUTH
    aaa authentication port-access dot1x authenticator
        eapol-timeout 2
        max-eapol-requests 1
        max-retries 1
        reauth-period 14400
        enable
    aaa authentication port-access mac-auth
        reauth
        reauth-period 14400
        enable
    client device-fingerprint apply-profile SW_CLIENT_PROFILE
    ip flow monitor central_flow_monitor in
    app-recognition enable

Step 5 To apply the profile, highlight the profile row and click the Apply icon.

Step 6 In the Apply screen, select the switches for access configuration, and click Save.