Wired Access Configuration
The access layer provides wired and wireless devices with Layer 2 connectivity to the network. It plays an important role in protecting users, application resources, and the network itself from human error and malicious attacks. This protection includes controlling the devices allowed on the network, ensuring that connected devices cannot provide unauthorized services to end users, and preventing unauthorized devices from taking over the role of other devices on the network.
Table of contents
- Wired Access Configuration
- Configure the Access Switch Groups
- Configure a Standalone Switch
- Configure a Switch Stack
- Configure the Uplink LAG Interface
- Enable MultiEdit for the Group
- Configure the Access VLANs
- Configure Spanning Tree
- Verify Spanning Tree
- Configure RADIUS
- Configure Local User Roles
- Configure Device Profiles
- Configure User Based Tunneling
- Verify RADIUS
- Verify UBT
- Configure Interfaces Using a Port Profile
- Configure the Access Switch Groups
Configure the Access Switch Groups
The following procedures describe the configuration of individual and stacked access layer switches using a UI Group. The base configuration of the switches was described previously in the Switch Group Configuration section of this guide.
The following procedure completes the switch configuration using an Central UI Group. The figure below shows the access switches in the Campus.
Wired Access
Configure a Standalone Switch
Connect a standalone switch to a network segment where it can receive a DHCP lease, which includes DNS servers and a valid route toward the Internet. CX 6000 series switches are factory-configured to request DHCP on any front panel interface or on the dedicated management port. After a new switch can reach Central, it automatically associates to the correct organization based on information from the time of purchase.
Configure a Switch Stack
Follow this procedure to configure a group of switches for VSF stacking. Begin by cabling the stacking ports in a ring or daisy chain topology. The recommended stack ports for a 24-port model are 25 and 26, or ports 49 and 50 on 48-port models. To perform auto-stacking using Central, connect one switch in the stack to a network with DHCP service providing Internet reachability. This switch serves as the stack conductor after the stack is formed.
Note: VSF stacking is supported on CX 6300 and 6200 model switches only.
A switch must be added to a group before VSF configuration can continue.
Caution: Make sure the switches are in factory default state before auto stacking.
Step 1 Login to HPE Greenlake and navigate to Central.
Step 2 In the filter dropdown, select Global, if it is not already selected. On the left menu, select Organization.
Step 3 Expand the Unprovisioned devices group, highlight the switch directly connected to the network, then click the Move Devices button at the lower right in the window.
Step 4 In the Destination group dropdown, select the correct access switching Group for the stack, then click Move.
Step 5 In the filter dropdown, select the access switch Group name. On the left menu, select Devices.
Step 6 Select the new switch, using the serial number if multiple new switches are being added. On the left menu, select Device.
Step 7 On the Switch page in the System tile, select Properties.
Step 8 On the Edit Properties page, enter a Name for the new switch, leave the group inherited properties unchanged, then click SAVE.
Step 9 Use the green left arrow on the filter menu to return to the Switches page.
Step 10 On the upper right of the Switches page, select Config.
Step 11 On the Switches page in the System tile, select Stacking.
Step 12 Create a new VSF stack by clicking the + (plus sign) at the upper right of the table.
Step 13 In the Create VSF Stack window, assign the following settings, then click SAVE.
- Switch Series: 6300
- Conductor: RSVCP-AG3-AC2
- Link 1 Port(s): 25
- Link 2 Port(s): 26
- Split Mode detect: Unchecked
Step 14 A VSF stack named with the serial number of the switch selected above is now listed in VSF Stacking with a single conductor.
Step 15 Wait approximately five minutes for the stack to self-configure, then refresh the VSF Stacking page and confirm that all stack members are present.
Step 16 At the right side of a member row, click the Edit icon, check the box for Standby conductor, then click Save.
Configure the Uplink LAG Interface
Configure link aggregation groups (LAGs) on redundant links to the aggregation switches for fault tolerance and increased capacity. By default, the uplink trunks use source and destination IP address, protocol port number, and device MAC addresses to load-balance traffic between grouped physical links. Use the Port Profiles feature of Central to apply the same port level configurations to multiple switches, or switch stacks, at the same time.
Step 1 Connect a second link to the standalone switch or VSF stack.
Step 2 In the device table, click the left arrow at the top left to return to the Switches page. Select Port Profiles in the Interfaces tile.
Step 3 To clone the Sample Uplink profile, click the Clone icon visible when the row is highlighted.
Step 4 Name the new port profile and click the Clone button.
Step 5 To edit the new profile, highlight the new row and click the Edit (pencil) icon.
Step 6 In the Edit Profile window, enter the following LAG configuration, then click Save.
- Name: Access uplink LAG
- Description: Port profile for access switch uplink LAGs
- CLI:
interface lag 1
no shutdown
description Uplink LAG
no routing
vlan trunk native 2
vlan trunk allowed all
lacp mode active
arp inspection trust
dhcpv4-snooping trust
interface 1/1/27
no shutdown
mtu 9198
lag 1
interface 2/1/27
no shutdown
mtu 9198
lag 1
Caution: DHCP snooping and ARP inspection must be trusted on the LAG interface to allow clients to receive DHCP addresses from the centralized DHCP servers on the network.
Step 7 To apply the profile, highlight the profile row and click the Apply icon.
Step 8 On the Apply screen, select the switches for LAG configuration, and click Save.
Verify LAG Operation
Step 9 Open a Remote Console window, type the command show lag 1, then press ENTER. The output shown below indicates a healthy, two-port LAG.
Enable MultiEdit for the Group
Step 1 In the upper left of the Switches page, move the slider right to enable MultiEdit.
Step 2 Select the devices for editing. In the lower right window, click EDIT CONFIG.
The following steps provide configuration text that can be pasted into the MultiEdit window. After pasting the configuration, right-click any device-specific values. A Modify Parameters window appears on the right, allowing input of individual device values.
Note: Interface configuration can optionally be performed using the Port Profiles feature documented later in this guide. This method is of particular interest to large installations with port configurations replicated across switches.
Configure the Access VLANs
Access switches are configured with the same VLANs created on the aggregation switches in addition to an in-band management interface and a VLAN for User-Based Tunneling (UBT).
Both DHCP snooping and ARP inspection must be enabled to inspect traffic, prevent common attacks, and facilitate DHCP services across subnets. IGMP snooping is enabled and is required for Dynamic Multicast Optimization (DMO).
Note: DHCP snooping must be enabled both globally and under each VLAN. ARP inspection is enabled only under the VLAN, but it does not take effect unless DHCP snooping also is enabled.
Example: Access VLANs
| VLAN Name | ZTP_NATIVE | EMPLOYEE | CAMERA | PRINTER | REJECT_AUTH | CRITICAL_AUTH | MGMT | UBT_CLIENT |
|---|---|---|---|---|---|---|---|---|
| VLAN ID | 2 | 3 | 5 | 6 | 13 | 14 | 15 | 4000 |
Enable DHCP snooping and create VLANs at the Group level.
Step 1 Enable DHCP snooping globally.
dhcpv4-snooping
Step 2 Enable DHCP snooping, ARP inspection, and IGMP snooping on each VLAN.
vlan 2
name ZTP_NATIVE
dhcpv4-snooping
arp inspection
ip igmp snooping enable
...
vlan 4000
name UBT_CLIENT
dhcpv4-snooping
arp inspection
ip igmp snooping enable
Caution: The access switch VLANs must match the aggregation switch VLANs to enable the access devices to reach their default gateway.
Step 3 Create a Layer 3 interface on each VLAN except the UBT_CLIENT VLAN and configure the same MTU size used in the aggregation layer.
interface vlan 2
description ZTP_Native
ip mtu 9198
ip address 10.2.15.5/24
...
interface vlan 15
description MGMT
ip mtu 9198
ip address 10.15.15.5/24
Note: When using MultiEdit at the group level, right-click device-specific values to set values for individual devices in the group.
Step 4 Configure the default route in the management VLAN. Add the static route for the active gateway IP address in VLAN 15.
ip route 0.0.0.0/0 10.2.15.1
Note: The access switch must have a default route in the management VLAN to enable connectivity to network services such as Central, TACACS, RADIUS, and NTP servers.
Configure Spanning Tree
Spanning tree is enabled by default on 6xxx family CX switches. The following procedure illustrates how to enable it when needed. Supplemental features such as admin-edge, root guard, BPDU guard, and TCN guard are enabled on appropriate interfaces to ensure that spanning tree runs effectively.
At the group level, add the following configuration:
Step 1 Configure spanning tree globally. Multiple Spanning Tree Protocol (MSTP) is enabled by default.
spanning-tree
Step 2 Configure the port level spanning tree features and loop-protect on each access interface.
interface 1/1/1
description ACCESS_PORT
no shutdown
no routing
vlan access 1
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
spanning-tree root-guard
spanning-tree tcn-guard
loop-protect
loop-protect action tx-disable
Verify Spanning Tree
Step 3 Open a Remote Console window, type the command show spanning-tree summary root, and press ENTER. The output shown below indicates a healthy MSTP configuration state.
Configure RADIUS
Use this procedure to configure the RADIUS servers and UBT for the access switch.
Access switches authenticate devices attempting to connect to the network. The two most common methods to authenticate users include an 802.1X supplicant or MAC-based authentication. This design supports both, as well as dynamic authorization, which allows the AAA server to change the authorization level of the device connected to the switch.
RADIUS tracking is enabled to verify the status of the client and server. The configuration also employs user roles for rejected clients and RADIUS failures.
Step 1 Configure the RADIUS servers. Enable RADIUS dynamic authorization and track client IP addresses with probes.
radius-server host 10.2.120.94 key plaintext <Password>
radius-server host 10.2.120.95 key plaintext <Password>
radius dyn-authorization enable
client track ip update-method probe
Step 2 Configure AAA for 802.1X and MAC authentication.
aaa authentication port-access dot1x authenticator
enable
aaa authentication port-access mac-auth
enable
Step 3 Configure AAA authentication on access ports by defining the client limit, enabling 802.1X and MAC authentication, and specifying the authentication order. Assign the critical and rejection roles to system-defined user roles that use local VLANs. Adjust EAPOL timeout and maximum requests, and retry limits as needed.
interface 1/1/1
description ACCESS_PORT
no shutdown
no routing
vlan access 1
aaa authentication port-access client-limit 5
aaa authentication port-access auth-precedence dot1x mac-auth
aaa authentication port-access critical-role CRITICAL_AUTH
aaa authentication port-access reject-role REJECT_AUTH
aaa authentication port-access dot1x authenticator
eapol-timeout 30
max-eapol-requests 1
max-retries 1
reauth-peroid 300
enable
aaa authentication port-access mac-auth
enable
Configure Local User Roles
Use this procedure to configure the local user roles for the access switch.
The critical role is applied to devices when the RADIUS server is unreachable during the first authentication process or during reauthentication. This role helps ensure that the devices have limited access to the network even though the authentication is not completed. When the RADIUS server is available for authentication, the devices are authenticated and the ultimate role is applied.
The “reject” role is applied when the RADIUS server rejects a device during authentication. The reject role gives restricted access to the device, unlike a full access role.
port-access role CRITICAL_AUTH
reauth-period 120
auth-mode client-mode
vlan access 14
port-access role REJECT_AUTH
reauth-period 120
auth-mode client-mode
vlan access 13
Configure Device Profiles
Create a device profile that detects HPE Aruba Networking APs dynamically, places them into the management VLAN, and allows locally bridged VLANs.
Note: This procedure is unnecessary if ClearPass is used to authenticate APs.
Step 1 Configure the ARUBA-AP role. Create the role, set the authentication mode, set the native VLAN, and define the allowed VLANs.
port-access role ARUBA-AP
auth-mode device-mode
vlan trunk native 15
vlan trunk allowed 1-3,5-6,13-15
Note: The ARUBA-AP role identifies the AP’s VLAN and identifies which VLANs are bridged locally.
Step 2 Configure the LLDP group. Create the group and identify the AP OUIs.
port-access lldp-group AP-LLDP-GROUP
seq 10 match vendor-oui 000b86
seq 20 match vendor-oui D8C7C8
seq 30 match vendor-oui 6CF37F
seq 40 match vendor-oui 186472
seq 50 match sys-desc ArubaOS
Note: The LLDP group identifies the APs and sets the system-description at the end as a catchall for future APs.
Step 3 Configure the device profile. Create the profile, enable it, then associate it with the role and LLDP group created previously.
port-access device-profile ARUBA_AP
enable
associate role ARUBA-AP
associate lldp-group AP-LLDP-GROUP
Devices in the group automatically synchronize the new configuration. Synchronization status is updated on the Configuration Status page. Click Audit Trail in the left menu to observe step execution.
Configure User Based Tunneling
User-Based Tunneling (UBT) enables selective traffic tunneling to an AOS-10 gateway cluster for centralized policy enforcement. Design considerations for UBT are detailed in the UBT Design Chapter. Many campus environments that deploy UBT selectively tunnel certain clients to the gateway for application of centralized policy. This procedure illustrates tunneling wired IOT devices with the role of IOT-LIMITED to the gateway using reserved VLAN mode. Additional roles can be tunneled following this procedure.
Step 1 Create the UBT client VLAN and UBT zone. The UBT client VLAN serves as a local placeholder for clients on the edge switch. The UBT zone provides detail on the gateway cluster and enables UBT. The primary-controller is the system IP of a gateway cluster member. The switch reaches out to the primary-controller, which provides details to the switch for establishing tunnels to necessary gateways.
UBT Client VLAN: 4000
UBT Zone: Aruba
ubt-client-vlan 4000
ubt zone OWL vrf default
primary-controller ip 10.6.15.11
enable
Note: Do not use the backup-controller command unless a separate cluster is designated for backup. The primary-controller establishes connectivity between the switch and all gateways within the cluster.
Step 2 Set the source IP address for all services to the management VLAN IP address.
ip source-interface all interface vlan15
Step 3 Define the required local user roles along with their associated parameters. For tunneled VLANs, specify the gateway zone and corresponding gateway role. Matching role names between the switch and the gateway is recommended for consistency. The following example illustrates the IOT-LIMITED role. Add additional roles as needed.
port-access role IOT-LIMITED
auth-mode client-mode
gateway-zone zone OWL gateway-role IOT-LIMITED
Modify Gateway Configuration
When user traffic is tunneled from a UBT-enabled switch to a gateway, the gateway assigns a user role that defines policy enforcement. Each role must be mapped to a VLAN to ensure that clients are placed in the appropriate network segment.
Multiple roles can be mapped to a single VLAN. In this model, the VLAN provides macro-level segmentation, while gateway-enforced policies deliver micro-level segmentation based on the assigned role. This design supports centralized, role-based policy enforcement while maintaining IP subnet-based filtering capabilities at other points in the network.
This procedure extends the existing tunneled WLAN configuration defined in the WLAN deployment guide. The WLAN does not use roles. A new role, IOT-LIMITED, is created on the gateway. A corresponding policy is applied, and the role is mapped to the same VLAN (VLAN 103) used by the WLAN profile. Alternatively, a dedicated VLAN can be configured for wired UBT traffic to maintain separation from the wireless WLAN segment, if required by the design.
Step 4 In Aruba Central, navigate to the group containing the UBT-enabled gateways (in this example, RSVCP-WIRELESS), then click Devices.
Step 5 Select the Gateways tab, then click Config. Ensure that advanced mode is selected.
Step 6 Under Security, select Roles.
Step 7 Click the + icon, enter IOT-LIMITED as the role name, then click Save.
Step 8 Create and assign policies to the IOT-LIMITED role. Refer to the section on Configuring Network Policy with User Roles.
Step 9 Map VLAN 103 to the IOT-LIMITED role. Refer to the section on Associating VLANs to User Roles.
Step 10 Repeat these steps for each additional role as needed.
Verify RADIUS
Step 11 Open a Remote Console window, type the command show radius-server, then press ENTER. The output shown below indicates a healthy RADIUS server configuration.
Verify UBT
Step 12 Open a Remote Console window, type the command show ubt status, then press ENTER. The output shown below indicates a healthy UBT configuration state.
Configure Interfaces Using a Port Profile
As an alternative to the preceding MultiEdit examples, interface configuration can be completed using the Port Profiles feature. This feature of Central applies the same port level configurations to multiple switches, or switch stacks, at the same time. Create a port profile using the interface level configuration from the previous spanning-tree and RADIUS/UBT sections.
Before proceeding, ensure that spanning tree is enabled, RADIUS authentication is configured, and that local user roles are created. Refer to the preceding procedures for configuration examples.
Step 1 On the left menu, select Devices.
Step 2 At the upper left of the Switches page, de-select MultiEdit (if enabled).
Step 3 Select Port Profiles on the Interfaces tile.
Step 4 To clone the Sample Access Port profile, click the Clone icon visible when the row is highlighted.
Step 5 Name the new port profile and click the Clone button.
Step 6 In the Edit Profile window, enter the following access port configuration, then click Save.
Name: Access ports
Description: Port profile for access switch ports
CLI:
interface 1/1/1-1/1/12 description ACCESS_PORT no shutdown no routing vlan access 1 spanning-tree bpdu-guard spanning-tree port-type admin-edge spanning-tree root-guard spanning-tree tcn-guard loop-protect loop-protect action tx-disable port-access onboarding-method concurrent enable aaa authentication port-access allow-cdp-bpdu aaa authentication port-access allow-lldp-bpdu aaa authentication port-access client-limit 5 aaa authentication port-access auth-precedence dot1x mac-auth aaa authentication port-access critical-role CRITICAL_AUTH aaa authentication port-access reject-role REJECT_AUTH aaa authentication port-access dot1x authenticator eapol-timeout 30 max-eapol-requests 1 max-retries 1 enable aaa authentication port-access mac-auth enable
Caution: Ensure that indent levels copy accurately into the Port Profiles editor.
Step 7 To apply the profile, highlight the profile row and click the Apply icon.
Step 8 In the Apply screen, select the switches for access configuration, and click Save.