Wired Access Configuration
The access layer provides wired and wireless devices with Layer 2 connectivity to the network. It plays an important role in protecting users, application resources, and the network itself from human error and malicious attacks. This protection includes controlling the devices allowed on the network, ensuring that connected devices cannot provide unauthorized services to end users, and preventing unauthorized devices from taking over the role of other devices on the network.
Table of contents
- Wired Access Configuration
- Configure the Access Switch Groups
Configure the Access Switch Groups
The following procedures describe the configuration of individual and stacked access layer switches using a UI Group. The base configuration of the switches was described previously in the Switch Group Configuration section of this guide.
The following procedure completes the switch configuration using an Aruba Central UI Group. The figure below shows the access switches in the ESP Campus.
Wired Access
Configure a Standalone Switch
Connect a standalone switch to a network segment where it can receive a DHCP lease, which includes DNS servers and a valid route toward the Internet. Aruba CX 6000 series switches are factory-configured to request DHCP on any front panel interface or on the dedicated management port. After a new switch can reach Central, it automatically associates to the correct organization based on information from the time of purchase.
Configure a Switch Stack
Follow this procedure to configure a group of switches for VSF stacking. Begin by cabling the stacking ports in a ring or daisy chain topology. The recommended stack ports for a 24-port model are 25 and 26, or ports 49 and 50 on 48-port models. To perform auto-stacking using Central, connect one switch in the stack to a network with DHCP service providing Internet reachability. This switch serves as the stack conductor after the stack is formed.
Note: VSF stacking is supported on Aruba CX 6300 and 6200 model switches only.
A switch must be added to a group before VSF configuration can continue.
Caution: Make sure the switches are in factory default state before auto stacking.
Step 1 Login to HPE Greenlake and navigate to Aruba Central.
Step 2 In the filter dropdown, select Global, if it is not already selected. On the left menu, select Organization.
Step 3 Expand the Unprovisioned devices group, highlight the switch directly connected to the network, then click the Move Devices button at the lower right in the window.
Step 4 In the Destination group dropdown, select the correct access switching Group for the stack, then click Move.
Step 5 In the filter dropdown, select the access switch Group name. On the left menu, select Devices.
Step 6 Select the new switch, using the serial number if multiple new switches are being added. On the left menu, select Device.
Step 7 On the Switch page in the System tile, select Properties.
Step 8 On the Edit Properties page, enter a Name for the new switch, leave the group inherited properties unchanged, then click SAVE.
Step 9 Use the green left arrow on the filter menu to return to the Switches page.
Step 10 On the upper right of the Switches page, select Config.
Step 11 On the Switches page in the System tile, select Stacking.
Step 12 Create a new VSF stack by clicking the + (plus sign) at the upper right of the table.
Step 13 In the Create VSF Stack window, assign the following settings, then click SAVE.
- Switch Series: 6300
- Conductor: RSVCP-AG3-AC2
- Link 1 Port(s): 25
- Link 2 Port(s): 26
- Split Mode detect: Unchecked
Step 14 A VSF stack named with the serial number of the switch selected above is now listed in VSF Stacking with a single conductor.
Step 15 Wait approximately five minutes for the stack to self-configure, then refresh the VSF Stacking page and confirm that all stack members are present.
Step 16 At the right side of a member row, click the Edit icon, check the box for Standby conductor, then click Save.
Configure the Uplink LAG Interface
Configure link aggregation groups (LAGs) on redundant links to the aggregation switches for fault tolerance and increased capacity. By default, the uplink trunks use source and destination IP address, protocol port number, and device MAC addresses to load-balance traffic between grouped physical links. Use the Port Profiles feature of Central to apply the same port level configurations to multiple switches, or switch stacks, at the same time.
Step 1 Connect a second link to the standalone switch or VSF stack.
Step 2 In the device table, click the left arrow at the top left to return to the Switches page. Select Port Profiles in the Interfaces tile.
Step 3 To clone the Sample Uplink profile, click the Clone icon visible when the row is highlighted.
Step 4 Name the new port profile and click the Clone button.
Step 5 To edit the new profile, highlight the new row and click the Edit (pencil) icon.
Step 6 In the Edit Profile window, enter the following LAG configuration, then click Save.
- Name: Access uplink LAG
- Description: Port profile for access switch uplink LAGs
- CLI:
interface lag 1
no shutdown
description Uplink LAG
no routing
vlan trunk native 2
vlan trunk allowed all
lacp mode active
arp inspection trust
dhcpv4-snooping trust
interface 1/1/27
no shutdown
mtu 9198
lag 1
interface 2/1/27
no shutdown
mtu 9198
lag 1
Caution: DHCP snooping and ARP inspection must be trusted on the LAG interface to allow clients to receive DHCP addresses from the centralized DHCP servers on the network.
Step 7 To apply the profile, highlight the profile row and click the Apply icon.
Step 8 On the Apply screen, select the switches for LAG configuration, and click Save.
Verify LAG Operation
Step 9 Open a Remote Console window, type the command show lag 1
, then press ENTER. The output shown below indicates a healthy, two-port LAG.
Enable MultiEdit for the Group
Step 1 In the upper left of the Switches page, move the slider right to enable MultiEdit.
Step 2 Select the devices for editing. In the lower right window, click EDIT CONFIG.
The following steps provide configuration text that can be pasted into the MultiEdit window. After pasting the configuration, right-click any device-specific values. A Modify Parameters window appears on the right, allowing input of individual device values.
Note: Interface configuration can optionally be performed using the Port Profiles feature documented later in this guide. This method is of particular interest to large installations with port configurations replicated across switches.
Configure the Access VLANs
Access switches are configured with the same VLANs created on the aggregation switches in addition to an in-band management interface and a VLAN for User-Based Tunneling (UBT).
Both DHCP snooping and ARP inspection must be enabled to inspect traffic, prevent common attacks, and facilitate DHCP services across subnets. IGMP snooping is enabled and is required for Dynamic Multicast Optimization (DMO).
Note: DHCP snooping must be enabled both globally and under each VLAN. ARP inspection is enabled only under the VLAN, but it does not take effect unless DHCP snooping also is enabled.
Example: Access VLANs
VLAN Name | ZTP_NATIVE | EMPLOYEE | CAMERA | PRINTER | REJECT_AUTH | CRITICAL_AUTH | MGMT | UBT_CLIENT |
---|---|---|---|---|---|---|---|---|
VLAN ID | 2 | 3 | 5 | 6 | 13 | 14 | 15 | 4000 |
Enable DHCP snooping and create VLANs at the Group level.
Step 1 Enable DHCP snooping globally.
dhcpv4-snooping
Step 2 Enable DHCP snooping, ARP inspection, and IGMP snooping on each VLAN.
vlan 2
name ZTP_NATIVE
dhcpv4-snooping
arp inspection
ip igmp snooping enable
...
vlan 4000
name UBT_CLIENT
dhcpv4-snooping
arp inspection
ip igmp snooping enable
Caution: The access switch VLANs must match the aggregation switch VLANs to enable the access devices to reach their default gateway.
Step 3 Create a Layer 3 interface on each VLAN except the UBT_CLIENT VLAN and configure the same MTU size used in the aggregation layer.
interface vlan 2
description ZTP_Native
ip mtu 9198
ip address 10.2.15.5/24
...
interface vlan 15
description MGMT
ip mtu 9198
ip address 10.15.15.5/24
Note: When using MultiEdit at the group level, right-click device-specific values to set values for individual devices in the group.
Step 4 Configure the default route in the management VLAN. Add the static route for the active gateway IP address in VLAN 15.
ip route 0.0.0.0/0 10.2.15.1
Note: The access switch must have a default route in the management VLAN to enable connectivity to network services such as Central, TACACS, RADIUS, and NTP servers.
Configure Spanning Tree
Spanning tree is enabled by default on 6xxx family CX switches. The following procedure illustrates how to enable it when needed. Supplemental features such as admin-edge, root guard, BPDU guard, and TCN guard are enabled on appropriate interfaces to ensure that spanning tree runs effectively.
At the group level, add the following configuration:
Step 1 Configure spanning tree globally. Multiple Spanning Tree Protocol (MSTP) is enabled by default.
spanning-tree
Step 2 Configure the port level spanning tree features and loop-protect on each access interface.
interface 1/1/1
description ACCESS_PORT
no shutdown
no routing
vlan access 1
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
spanning-tree root-guard
spanning-tree tcn-guard
loop-protect
loop-protect action tx-disable
Verify Spanning Tree
Step 3 Open a Remote Console window, type the command show spanning-tree summary root
, and press ENTER. The output shown below indicates a healthy MSTP configuration state.
Configure RADIUS and UBT
Use this procedure to configure the RADIUS servers and UBT for the access switch.
Access switches authenticate devices attempting to connect to the network. The two most common methods to authenticate users include an 802.1X supplicant or MAC-based authentication. This design supports both, as well as dynamic authorization, which allows the AAA server to change the authorization level of the device connected to the switch.
RADIUS tracking is enabled to verify the status of the client and server. The configuration also employs user roles for rejected clients and RADIUS failures. The configuration of RADIUS and user roles goes hand-in-hand with UBT, so this section also covers the UBT configuration.
Step 1 Configure the RADIUS servers. Enable RADIUS dynamic authorization and track client IP addresses with probes.
radius-server host 10.2.120.94 key plaintext <Password>
radius-server host 10.2.120.95 key plaintext <Password>
radius dyn-authorization enable
client track ip update-method probe
Step 2 Configure AAA for 802.1X and MAC authentication.
aaa authentication port-access dot1x authenticator
enable
aaa authentication port-access mac-auth
enable
Step 3 Configure UBT to tunnel traffic to the gateways. Define the UBT client VLAN and create the UBT zone in the default VRF. Connect to a pair of gateways for the primary and backup tunnels.
UBT Client VLAN: 4000
UBT Zone: Aruba
ubt-client-vlan 4000
ubt zone Aruba vrf default
primary-controller ip 10.6.15.11
backup-controller ip 10.6.15.12
enable
Step 4 Set the source IP address for all services to management vlan IP address.
ip source-interface all interface vlan15
Step 5 Configure local user roles. Create the user role and, if the VLAN is tunneled, set the gateway zone and gateway role. If the VLAN is not tunneled, set the authentication mode or the reauthorization period and the local VLAN.
port-access role BLDG-MGMT
gateway-zone zone Aruba gateway-role EXAMPLE-BLDG-MGMT
port-access role GUEST
gateway-zone zone Aruba gateway-role EXAMPLE-GUEST
port-access role ARUBA-AP
auth-mode device-mode
vlan access 15
port-access role CRITICAL_AUTH
reauth-period 120
vlan access 14
port-access role REJECT_AUTH
reauth-period 120
vlan access 13
Note: Special-case local user roles, such as Aruba-AP, Critical Auth, and Reject, are not tunneled to gateways.
Step 6 Configure AAA authentication on the access ports. Set the client limit, configure 802.1X and MAC authentication, and set the authentication order. Set the critical role and the rejection role to use special case user roles with local VLANs. Adjust the EAPOL timeout, max requests, and max retry defaults.
interface 1/1/1
description ACCESS_PORT
no shutdown
no routing
vlan access 1
aaa authentication port-access client-limit 5
aaa authentication port-access auth-precedence dot1x mac-auth
aaa authentication port-access critical-role CRITICAL_AUTH
aaa authentication port-access reject-role REJECT_AUTH
aaa authentication port-access dot1x authenticator
eapol-timeout 30
max-eapol-requests 1
max-retries 1
enable
aaa authentication port-access mac-auth
enable
Verify RADIUS
Step 7 Open a Remote Console window, type the command show radius-server
, then press ENTER. The output shown below indicates a healthy RADIUS server configuration.
Verify UBT
Step 8 Open a Remote Console window, type the command show ubt status
, then press ENTER. The output shown below indicates a healthy UBT configuration state.
Configure Interfaces Using a Port Profile
As an alternative to the preceding MultiEdit examples, interface configuration can be completed using the Port Profiles feature. This feature of Central applies the same port level configurations to multiple switches, or switch stacks, at the same time. Create a port profile using the interface level configuration from the previous spanning-tree and RADIUS/UBT sections.
Before proceeding, ensure that spanning tree is enabled, RADIUS authentication is configured, and that local user roles are created. Refer to the preceding procedures for configuration examples.
Step 1 On the left menu, select Devices.
Step 2 At the upper left of the Switches page, de-select MultiEdit (if enabled).
Step 3 Select Port Profiles on the Interfaces tile.
Step 4 To clone the Sample Access Port profile, click the Clone icon visible when the row is highlighted.
Step 5 Name the new port profile and click the Clone button.
Step 6 In the Edit Profile window, enter the following access port configuration, then click Save.
Name: Access ports
Description: Port profile for access switch ports
CLI:
interface 1/1/1-1/1/12 description ACCESS_PORT no shutdown no routing vlan access 1 spanning-tree bpdu-guard spanning-tree port-type admin-edge spanning-tree root-guard spanning-tree tcn-guard loop-protect loop-protect action tx-disable port-access onboarding-method concurrent enable aaa authentication port-access allow-cdp-bpdu aaa authentication port-access allow-lldp-bpdu aaa authentication port-access client-limit 5 aaa authentication port-access auth-precedence dot1x mac-auth aaa authentication port-access critical-role CRITICAL_AUTH aaa authentication port-access reject-role REJECT_AUTH aaa authentication port-access dot1x authenticator eapol-timeout 30 max-eapol-requests 1 max-retries 1 enable aaa authentication port-access mac-auth enable
Caution: Ensure that indent levels copy accurately into the Port Profiles editor.
Step 7 To apply the profile, highlight the profile row and click the Apply icon.
Step 8 In the Apply screen, select the switches for access configuration, and click Save.
Configure Device Profiles
Using MultiEdit, create a device profile that detects Aruba APs dynamically, places them into the management VLAN, and allows locally bridged VLANs.
Note: This procedure is unnecessary if ClearPass is used to authenticate Aruba APs.
Step 1 Configure the ARUBA-AP role. Create the role, set the authentication mode, set the native VLAN, and define the allowed VLANs.
port-access role ARUBA-AP
auth-mode device-mode
vlan trunk native 15
vlan trunk allowed 1-3,5-6,13-15
Note: The ARUBA-AP role identifies the AP’s VLAN and identifies which VLANs are bridged locally.
Step 2 Configure the LLDP group. Create the group and identify the Aruba AP OUIs.
port-access lldp-group AP-LLDP-GROUP
seq 10 match vendor-oui 000b86
seq 20 match vendor-oui D8C7C8
seq 30 match vendor-oui 6CF37F
seq 40 match vendor-oui 186472
seq 50 match sys-desc ArubaOS
Note: The LLDP group identifies the Aruba APs and sets the system-description at the end as a catchall for future APs.
Step 3 Configure the device profile. Create the profile, enable it, then associate it with the role and LLDP group created previously.
port-access device-profile ARUBA_AP
enable
associate role ARUBA-AP
associate lldp-group AP-LLDP-GROUP
Devices in the group automatically synchronize the new configuration. Synchronization status is updated on the Configuration Status page. Click Audit Trail in the left menu to observe step execution.