27-Jan-25

Wired Access Configuration

The access layer provides wired and wireless devices with Layer 2 connectivity to the network. It plays an important role in protecting users, application resources, and the network itself from human error and malicious attacks. This protection includes controlling the devices allowed on the network, ensuring that connected devices cannot provide unauthorized services to end users, and preventing unauthorized devices from taking over the role of other devices on the network.


Configure the Access Switch Groups

The following procedures describe the configuration of individual and stacked access layer switches using a UI Group. The base configuration of the switches was described previously in the Switch Group Configuration section of this guide.

The following procedure completes the switch configuration using an Aruba Central UI Group. The figure below shows the access switches in the ESP Campus.

Wired Access

Configure a Standalone Switch

Connect a standalone switch to a network segment where it can receive a DHCP lease, which includes DNS servers and a valid route toward the Internet. Aruba CX 6000 series switches are factory-configured to request DHCP on any front panel interface or on the dedicated management port. After a new switch can reach Central, it automatically associates to the correct organization based on information from the time of purchase.

Configure a Switch Stack

Follow this procedure to configure a group of switches for VSF stacking. Begin by cabling the stacking ports in a ring or daisy chain topology. The recommended stack ports for a 24-port model are 25 and 26, or ports 49 and 50 on 48-port models. To perform auto-stacking using Central, connect one switch in the stack to a network with DHCP service providing Internet reachability. This switch serves as the stack conductor after the stack is formed.

Note: VSF stacking is supported on Aruba CX 6300 and 6200 model switches only.
A switch must be added to a group before VSF configuration can continue.

Caution: Make sure the switches are in factory default state before auto stacking.

Step 1 Log in to HPE GreenLake and navigate to Aruba Central.

Step 2 In the filter dropdown, select Global, if it is not already selected. On the left menu, select Organization.

Step 3 Expand the Unprovisioned devices group, highlight the switch directly connected to the network, then click the Move Devices button at the lower right in the window.

Step 4 In the Destination group dropdown, select the correct access switching Group for the stack, then click Move.

Step 5 In the filter dropdown, select the access switch Group name. On the left menu, select Devices.

Step 6 Select the new switch, using the serial number if multiple new switches are being added. On the left menu, select Device.

Step 7 On the Switch page in the System tile, select Properties.

Step 8 On the Edit Properties page, enter a Name for the new switch, leave the group inherited properties unchanged, then click SAVE.

Step 9 Use the green left arrow on the filter menu to return to the Switches page.

Step 10 On the upper right of the Switches page, select Config.

Step 11 On the Switches page in the System tile, select Stacking.

Step 12 Create a new VSF stack by clicking the + (plus sign) at the upper right of the table.

Step 13 In the Create VSF Stack window, assign the following settings, then click SAVE.

  • Switch Series: 6300
  • Conductor: RSVCP-AG3-AC2
  • Link 1 Port(s): 25
  • Link 2 Port(s): 26
  • Split Mode detect: Unchecked

Step 14 A VSF stack named with the serial number of the switch selected above is now listed in VSF Stacking with a single conductor.

Step 15 Wait approximately five minutes for the stack to self-configure, then refresh the VSF Stacking page and confirm that all stack members are present.

Step 16 At the right side of a member row, click the Edit icon, check the box for Standby conductor, then click Save.

Configure link aggregation groups (LAGs) on redundant links to the aggregation switches for fault tolerance and increased capacity. By default, the uplink trunks use source and destination IP address, protocol port number, and device MAC addresses to load-balance traffic between grouped physical links. Use the Port Profiles feature of Central to apply the same port level configurations to multiple switches, or switch stacks, at the same time.

Step 1 Connect a second link to the standalone switch or VSF stack.

Step 2 In the device table, click the left arrow at the top left to return to the Switches page. Select Port Profiles in the Interfaces tile.

Step 3 To clone the Sample Uplink profile, click the Clone icon visible when the row is highlighted.

Step 4 Name the new port profile and click the Clone button.

Step 5 To edit the new profile, highlight the new row and click the Edit (pencil) icon.

Step 6 In the Edit Profile window, enter the following LAG configuration, then click Save.

  • Name: Access uplink LAG
  • Description: Port profile for access switch uplink LAGs
  • CLI:
interface lag 1
    no shutdown
    description Uplink LAG
    no routing
    vlan trunk native 2 
    vlan trunk allowed all
    lacp mode active
    arp inspection trust
    dhcpv4-snooping trust
interface 1/1/27
    no shutdown
    mtu 9198
    lag 1
interface 2/1/27
    no shutdown
    mtu 9198
    lag 1

Caution: DHCP snooping and ARP inspection must be trusted on the LAG interface to allow clients to receive DHCP addresses from the centralized DHCP servers on the network.

Step 7 To apply the profile, highlight the profile row and click the Apply icon.

Step 8 On the Apply screen, select the switches for LAG configuration, and click Save.

Verify LAG Operation

Step 9 Open a Remote Console window, type the command show lag 1, then press ENTER. The output shown below indicates a healthy, two-port LAG.

Enable MultiEdit for the Group

Step 1 In the upper left of the Switches page, move the slider right to enable MultiEdit.

Step 2 Select the devices for editing. In the lower right window, click EDIT CONFIG.

The following steps provide configuration text that can be pasted into the MultiEdit window. After pasting the configuration, right-click any device-specific values. A Modify Parameters window appears on the right, allowing input of individual device values.

Note: Interface configuration can optionally be performed using the Port Profiles feature documented later in this guide. This method is of particular interest to large installations with port configurations replicated across switches.

Configure the Access VLANs

Access switches are configured with the same VLANs created on the aggregation switches in addition to an in-band management interface and a VLAN for User-Based Tunneling (UBT).

Both DHCP snooping and ARP inspection must be enabled to inspect traffic, prevent common attacks, and facilitate DHCP services across subnets. IGMP snooping is enabled and is required for Dynamic Multicast Optimization (DMO).

Note: DHCP snooping must be enabled both globally and under each VLAN. ARP inspection is enabled only under the VLAN, but it does not take effect unless DHCP snooping also is enabled.

Example: Access VLANs

VLAN Name       VLAN ID
ZTP_NATIVE      2
EMPLOYEE        3
CAMERA          5
PRINTER         6
REJECT_AUTH     13
CRITICAL_AUTH   14
MGMT            15
UBT_CLIENT      4000

Enable DHCP snooping and create VLANs at the Group level.

Step 1 Enable DHCP snooping globally.

dhcpv4-snooping

Step 2 Enable DHCP snooping, ARP inspection, and IGMP snooping on each VLAN.

vlan 2
  name ZTP_NATIVE
  dhcpv4-snooping
  arp inspection
  ip igmp snooping enable
...
vlan 4000
  name UBT_CLIENT
  dhcpv4-snooping
  arp inspection
  ip igmp snooping enable

Caution: The access switch VLANs must match the aggregation switch VLANs to enable the access devices to reach their default gateway.

Step 3 Create a Layer 3 interface on each VLAN except the UBT_CLIENT VLAN and configure the same MTU size used in the aggregation layer.

interface vlan 2
  description ZTP_Native
  ip mtu 9198
  ip address 10.2.15.5/24
  ...
interface vlan 15
   description MGMT
   ip mtu 9198
   ip address 10.15.15.5/24

Note: When using MultiEdit at the group level, right-click device-specific values to set values for individual devices in the group.

Step 4 Configure the default route in the management VLAN. Add the static route for the active gateway IP address in VLAN 15.

ip route 0.0.0.0/0 10.2.15.1 

Note: The access switch must have a default route in the management VLAN to enable connectivity to network services such as Central, TACACS, RADIUS, and NTP servers.

Configure Spanning Tree

Spanning tree is enabled by default on 6xxx family CX switches. The following procedure illustrates how to enable it when needed. Supplemental features such as admin-edge, root guard, BPDU guard, and TCN guard are enabled on appropriate interfaces to ensure that spanning tree runs effectively.

At the group level, add the following configuration:

Step 1 Configure spanning tree globally. Multiple Spanning Tree Protocol (MSTP) is enabled by default.

spanning-tree

Step 2 Configure the port level spanning tree features and loop-protect on each access interface.

interface 1/1/1
  description ACCESS_PORT 
  no shutdown
  no routing
  vlan access 1 
  spanning-tree bpdu-guard
  spanning-tree port-type admin-edge 
  spanning-tree root-guard 
  spanning-tree tcn-guard
  loop-protect
  loop-protect action tx-disable

Verify Spanning Tree

Step 3 Open a Remote Console window, type the command show spanning-tree summary root, and press ENTER. The output shown below indicates a healthy MSTP configuration state.
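The DHCP snooping note, the LAG trust caution, and the spanning-tree guard step above describe settings that are easy to miss on one switch in a large group. The following added example (not part of this guide or of Aruba Central) parses indentation-based CX configuration text and reports which of those protections are absent; the sample configuration is constructed and deliberately incomplete, and the checks are a literal reading of the settings this guide applies.

```python
SAMPLE_CONFIG = """\
dhcpv4-snooping
vlan 2
  dhcpv4-snooping
  arp inspection
vlan 13
  arp inspection
interface lag 1
  dhcpv4-snooping trust
interface 1/1/1
  vlan access 1
  spanning-tree bpdu-guard
  spanning-tree port-type admin-edge
  loop-protect
"""  # constructed sample; VLAN 13, the LAG and the access port each omit a setting

def parse_blocks(text):
    """Split indentation-based CX config text into (top-level lines, {header: [child lines]})."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks
# Settings this guide applies to every access port and to the uplink LAG.
ACCESS_GUARDS = ("spanning-tree bpdu-guard", "spanning-tree port-type admin-edge",
                 "spanning-tree root-guard", "spanning-tree tcn-guard", "loop-protect")
LAG_TRUST = ("dhcpv4-snooping trust", "arp inspection trust")

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = parse_blocks(text)
    findings = [] if "dhcpv4-snooping" in top else ["global: dhcpv4-snooping not enabled"]
    for header, lines in blocks.items():
        if header.startswith("vlan "):
            if "dhcpv4-snooping" not in lines:
                findings.append(f"{header}: dhcpv4-snooping missing")
                if "arp inspection" in lines:  # configured but inert without snooping
                    findings.append(f"{header}: arp inspection has no effect without dhcpv4-snooping")
        elif header.startswith("interface lag"):
            findings += [f"{header}: {t} missing" for t in LAG_TRUST if t not in lines]
        elif header.startswith("interface ") and any(ln.startswith("vlan access") for ln in lines):
            findings += [f"{header}: {g} missing" for g in ACCESS_GUARDS if g not in lines]
    return findings
```

Running `audit()` over the text of a switch's running configuration (for example, pasted from a Remote Console session) lists each VLAN, LAG, or access port that deviates from the settings in this section.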

Configure RADIUS and UBT

Use this procedure to configure the RADIUS servers and UBT for the access switch.

Access switches authenticate devices attempting to connect to the network. The two most common methods of authenticating users are 802.1X (using a supplicant on the device) and MAC-based authentication. This design supports both, as well as dynamic authorization, which allows the AAA server to change the authorization level of a device already connected to the switch.

RADIUS tracking is enabled to verify the status of the client and server. The configuration also employs user roles for rejected clients and RADIUS failures. The configuration of RADIUS and user roles goes hand-in-hand with UBT, so this section also covers the UBT configuration.

Step 1 Configure the RADIUS servers. Enable RADIUS dynamic authorization and track client IP addresses with probes.

radius-server host 10.2.120.94 key plaintext <Password>
radius-server host 10.2.120.95 key plaintext <Password>
radius dyn-authorization enable
client track ip update-method probe

Step 2 Configure AAA for 802.1X and MAC authentication.

aaa authentication port-access dot1x authenticator
  enable
aaa authentication port-access mac-auth
  enable

Step 3 Configure UBT to tunnel traffic to the gateways. Define the UBT client VLAN and create the UBT zone in the default VRF. Connect to a pair of gateways for the primary and backup tunnels.

  • UBT Client VLAN: 4000

  • UBT Zone: Aruba

ubt-client-vlan 4000

ubt zone Aruba vrf default
  primary-controller ip 10.6.15.11
  backup-controller ip 10.6.15.12
  enable

Step 4 Set the source IP address for all services to the management VLAN IP address.

ip source-interface all interface vlan15

Step 5 Configure local user roles. Create the user role and, if the VLAN is tunneled, set the gateway zone and gateway role. If the VLAN is not tunneled, set the authentication mode or the reauthorization period and the local VLAN.

port-access role BLDG-MGMT
  gateway-zone zone Aruba gateway-role EXAMPLE-BLDG-MGMT
port-access role GUEST
  gateway-zone zone Aruba gateway-role EXAMPLE-GUEST
port-access role ARUBA-AP
  auth-mode device-mode
  vlan access 15
port-access role CRITICAL_AUTH
  reauth-period 120
  vlan access 14
port-access role REJECT_AUTH
  reauth-period 120
  vlan access 13

Note: Special-case local user roles, such as Aruba-AP, Critical Auth, and Reject, are not tunneled to gateways.

Step 6 Configure AAA authentication on the access ports. Set the client limit, configure 802.1X and MAC authentication, and set the authentication order. Set the critical role and the rejection role to use special case user roles with local VLANs. Adjust the EAPOL timeout, max requests, and max retry defaults.

interface 1/1/1
  description ACCESS_PORT 
  no shutdown
  no routing
  vlan access 1 
  aaa authentication port-access client-limit 5
  aaa authentication port-access auth-precedence dot1x mac-auth
  aaa authentication port-access critical-role CRITICAL_AUTH
  aaa authentication port-access reject-role REJECT_AUTH
  aaa authentication port-access dot1x authenticator
    eapol-timeout 30
    max-eapol-requests 1
    max-retries 1
    enable
  aaa authentication port-access mac-auth
    enable

Verify RADIUS

Step 7 Open a Remote Console window, type the command show radius-server, then press ENTER. The output shown below indicates a healthy RADIUS server configuration.

Verify UBT

Step 8 Open a Remote Console window, type the command show ubt status, then press ENTER. The output shown below indicates a healthy UBT configuration state.

Configure Interfaces Using a Port Profile

As an alternative to the preceding MultiEdit examples, interface configuration can be completed using the Port Profiles feature. This feature of Central applies the same port level configurations to multiple switches, or switch stacks, at the same time. Create a port profile using the interface level configuration from the previous spanning-tree and RADIUS/UBT sections.

Before proceeding, ensure that spanning tree is enabled, RADIUS authentication is configured, and that local user roles are created. Refer to the preceding procedures for configuration examples.

Step 1 On the left menu, select Devices.

Step 2 At the upper left of the Switches page, de-select MultiEdit (if enabled).

Step 3 Select Port Profiles on the Interfaces tile.

Step 4 To clone the Sample Access Port profile, click the Clone icon visible when the row is highlighted.

Step 5 Name the new port profile and click the Clone button.

Step 6 In the Edit Profile window, enter the following access port configuration, then click Save.

  • Name: Access ports

  • Description: Port profile for access switch ports

  • CLI:

    interface 1/1/1-1/1/12
      description ACCESS_PORT 
      no shutdown
      no routing
      vlan access 1 
      spanning-tree bpdu-guard
      spanning-tree port-type admin-edge 
      spanning-tree root-guard 
      spanning-tree tcn-guard
      loop-protect
      loop-protect action tx-disable
      port-access onboarding-method concurrent enable
      aaa authentication port-access allow-cdp-bpdu
      aaa authentication port-access allow-lldp-bpdu
      aaa authentication port-access client-limit 5
      aaa authentication port-access auth-precedence dot1x mac-auth
      aaa authentication port-access critical-role CRITICAL_AUTH
      aaa authentication port-access reject-role REJECT_AUTH
      aaa authentication port-access dot1x authenticator
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
      aaa authentication port-access mac-auth
        enable
    

Caution: Ensure that indent levels copy accurately into the Port Profiles editor.

Step 7 To apply the profile, highlight the profile row and click the Apply icon.

Step 8 In the Apply screen, select the switches for access configuration, and click Save.

Configure Device Profiles

Using MultiEdit, create a device profile that detects Aruba APs dynamically, places them into the management VLAN, and allows locally bridged VLANs.

Note: This procedure is unnecessary if ClearPass is used to authenticate Aruba APs.

Step 1 Configure the ARUBA-AP role. Create the role, set the authentication mode, set the native VLAN, and define the allowed VLANs.

port-access role ARUBA-AP
  auth-mode device-mode
  vlan trunk native 15
  vlan trunk allowed 1-3,5-6,13-15

Note: The ARUBA-AP role sets the native VLAN for the AP and identifies which VLANs are bridged locally.

Step 2 Configure the LLDP group. Create the group and identify the Aruba AP OUIs.

port-access lldp-group AP-LLDP-GROUP
  seq 10 match vendor-oui 000b86
  seq 20 match vendor-oui D8C7C8
  seq 30 match vendor-oui 6CF37F
  seq 40 match vendor-oui 186472
  seq 50 match sys-desc ArubaOS

Note: The LLDP group identifies the Aruba APs and sets the system-description at the end as a catchall for future APs.

Step 3 Configure the device profile. Create the profile, enable it, then associate it with the role and LLDP group created previously.

port-access device-profile ARUBA_AP
  enable
  associate role ARUBA-AP
  associate lldp-group AP-LLDP-GROUP

Devices in the group automatically synchronize the new configuration. Synchronization status is updated on the Configuration Status page. Click Audit Trail in the left menu to observe step execution.