Link Search Menu Expand Document
calendar_month 07-May-25

Gateway Devices Configuration

In large-scale campus networks, gateway clusters are deployed within the services aggregation layer. Wireless LANs (WLANs) are tunneled to these gateways to take advantage of advanced policy enforcement and firewall capabilities available on the platform. Gateway clustering is implemented to ensure high availability and throughput.

Option 1

This section outlines the steps to deploy a gateway in Central using the Zero Touch Provisioning (ZTP) process. The table below provides details on the VLANs and IP addresses used in the procedures.

Example: IP Addresses and VLAN ID

NameIP addressDefault gatewayVLAN IDVLAN nameGateway VRRP Address
RSVCP-SS3-CL1-110.6.15.11/2410.6.15.115MGMT10.6.15.13
RSVCP-SS3-CL1-210.6.15.12/2410.6.15.115MGMT10.6.15.14
Table of contents

Configure Gateway VLANs

Use the following procedure to configure Gateway VLANs.

Example: VLANs for Gateways

VLAN NameVLAN ID
MGMT15
EMPLOYEE103
BLDG-MGMT104
CAMERA105
PRINTER106
VISITOR112
REJECT_AUTH113
CRITICAL_AUTH114
ZTP4094

Caution: The Gateway VLANs must be created before adding the port channels, so the Native VLAN and Allowed VLANs can be selected from the dropdown lists.

Step 1 Login to HPE Greenlake and go to HPE Aruba Networking Central.

Step 2 In Global > Groups, locate the group. In this example, the group is RSVCP-WIRELESS.

Step 3 In the upper right of the Gateways page, click Config.

Step 4 Select the Interface tab, and click VLANs. Click the + (plus sign) in the lower left to add a new VLAN.

Step 5 In the New VLAN window, assign the following settings, then click Save Settings.

  • VLAN name: MGMT
  • VLAN ID/Range: 15

Step 6 Repeat this procedure for each Gateway VLAN in the environment.

Enable Physical Interfaces

Use this procedure to enable gateway physical interfaces in a group for configuration.

The ESP Campus supports Zero Touch provisioning (ZTP) of gateway devices. ZTP requires that physical interface configuration must be performed for Gateways at the group level. To simplify this configuration, best practice is to standardize a single gateway model within each group.

Caution: If a group-level interface configuration is applied to a gateway that does not have the specified physical interface, the gateway is not added to the group. The unsupported interface must be removed from the group configuration to add the gateway.

Step 1 In Groups, locate the wireless group. In this example, the group is RSVCP-WIRELESS.

Step 2 Select the Gateways tab. On the left menu, select Devices.

Step 3 Click Config in the upper right.

Step 4 Select the Interface tab, then the Ports tab. Click the + (plus sign) at the bottom left of the Ports table to add a port.

Step 5 On the New port window, click the checkbox next to the interface name, then click Save.

Configure Port Channels

Use the following procedure to configure Gateway port channels.

In deployments for which uptime and performance are priorities, best practice for gateway connectivity is to use LACP on a multi-chassis LAG (MC-LAG) connected to a pair of switches that support the VSX feature. LACP is enabled on the gateway as part of the Port Channel configuration.

When a Gateway is deployed using ZTP, it does not have an LACP configuration initially. To accommodate this during the provisioning process, LACP Fallback is enabled on the uplink switch. An example configuration for the implementation of the LACP Fallback command in a MC-LAG is shown below:

interface lag 11 multi-chassis
	description RSVCP-SS3-CL1-1
	no shutdown
	no routing
	vlan trunk native 1
	vlan trunk allowed all
	lacp mode active
	lacp fallback

Note: When LACP negotiation fails, LACP Fallback allows switch ports to function as standard access/trunk ports until LACP functions.
The above configuration snippet illustrates the implementation of the LACP Fallback command in context. Refer to earlier sections of this guide for complete switch configuration.

Step 1 In Groups, locate the wireless group. In this example, the group is RSVCP-WIRELESS.

Step 2 Select the Gateways tab. On the left menu, select the Devices tab.

Step 3 Select Config in the upper right.

Step 4 Select the Interface tab, then the Ports tab.

Step 5 In the Port channel section, click the + (plus sign) to add a port channel.

Step 6 In the New port channel window, select the next available PC-n ID; in this example PC-0. Click Save.

Step 7 In the PC-n section, assign the following settings.

  • Protocol: LACP
  • LACP Mode: Passive
  • Port Members: Click Edit, select port channel ports under Available, use the right arrow to move them to Selected, then click OK.
  • Admin State: checkmark
  • Trust: checkmark
  • Policy: Per-Session and allowall
  • Mode: Trunk
  • Native VLAN: 4094
  • Allowed VLANS: 15, 102-106,112-114,4094
  • Jumbo MTU: checkmark

Note: The Allowed VLANs dropdown is populated from the Gateway VLANs created in the “Configure VLAN Interfaces” procedure.

Step 8 At the bottom of the page, expand Show advanced options, assign the following settings, then click Save Settings.

  • Spanning tree: checkmark

Configure the Default Gateway

Use the following procedure to configure a default gateway on the gateway device.

Step 1 On the Gateways tab, select the Routing tab, then the IP Routes tab.

Step 2 Expand the Static Default Gateway section. At the bottom of the table, click the + (plus sign).

Step 3 On the New Default Gateway page, enter the IP address, then click Save Settings.

  • Default Gateway IP: 10.6.15.1

Configure the Gateway Base Features

Use this procedure to configure the base features of the gateway. The base features include the hostname, VLAN IP addresses, and the System IP address.

Step 1 Select the wireless group. In this example, the group is RSVCP-WIRELESS.

Step 2 Select the Gateways tab. On the left menu, select the Devices tab.

Step 3 Select a new gateway from the list.

Note: An unnamed gateway is listed with the system MAC address.

Step 4 On the left menu, select Device.

Step 5 Select the Interface tab, then the VLANs tab.

Step 6 In the VLANs table, select the MGMT VLAN. In the lower VLAN IDs section, click the VLAN row.

Step 7 Scroll down to the IP Address Assignment section, assign the following settings, then click Save Settings:

  • IP Assignment: Static

  • IPv4 Address: 10.6.15.11
  • Netmask: 255.255.255.0
  • Force operational status UP: checkmark

Step 8 In the VLANs table, select a different VLAN. In this example, VLAN 103 is selected. In the lower VLAN IDs section, click the VLAN row.

Step 9 Scroll down to the IP Address Assignment section, and assign the following settings. Click Save.

  • IP Assignment: Static
  • IPv4 Address: 10.6.103.11
  • Netmask: 255.255.255.0
  • Force operational status UP: un-checked

Step 10 Repeat the previous two steps for each additional VLAN in the environment.

Step 11 On the Gateway page, select the System tab, then the General tab.

Step 12 On the System tab, expand the Basic Info section and change the Hostname as required. Click Save Settings.

Step 13 Repeat step 2 to rename the other gateways in the group.

Caution: The admin password is inherited from the group settings. Do not change it at the device level.

Step 14 On the Gateway page, select the System tab, then the General tab.

Step 15 Expand the System IP Address section, use the IPv4 address dropdown to select the VLAN with the Force operational UP setting, then click Save.

  • IPv4 address: VLAN 15 10.6.15.11

Step 16 Repeat step 2 to assign a system IP address to the other gateways in the group.

Configure Layer 2 Gateway Clustering

Use this procedure to configure Layer 2 Gateway clustering.

Gateway clustering provides load-balancing across two or more devices, resulting in increased availability and throughput for users and endpoints. The Gateway VRRP IP addresses allow authorization servers such as ClearPass to make a Change of Authorization (CoA) request for a user anchored to a specific gateway.

Example: Gateway VRRP IP Addresses and VLANs

GatewayIP addressMulticast VLANVRRP IP addressVRRP VLAN
RSVCP-SS2-CL1-110.6.15.111510.6.15.1315
RSVCP-SS2-CL1-210.6.15.121510.6.15.1415

Step 1 On the Gateway page, select the High Availability tab.

Step 2 Confirm the Cluster mode: Auto Group.

Step 3 On the Clusters table, click the cluster name and assign the following settings.

  • Manual cluster configuration: Slide to right
  • Dynamic Authorization (CoA): Slide to right

Note: The cluster name is populated by default and cannot be changed in an auto group cluster.

Step 4 Select the box next to the gateway name in Gateways in Cluster table and assign the following settings.

  • RSVCP-SS2-CL1-1: 10.6.15.13
  • RSVCP-SS2-CL1-2: 10.6.15.14

Step 5 Scroll down, assign the following settings, then click Save Settings.

  • Multicast VLAN: 15
  • VRRP VLAN: 15
  • VRRP ID: 15
  • VRRP Passphrase: passphrase

Note: AOS-10 reserves VRRP instance IDs in the 220-255 range.

Note: Cluster changes disrupt client traffic and should be made during a maintenance window.