21-Aug-25
Access Switch Reference Configuration
The access switch template below is the reference configuration used in the deployment procedure. It has been sanitized (site-specific values replaced with %PLACEHOLDER% tokens) so that it can be adapted to any environment.
# Access-switch reference template (Aruba AOS-CX style). Every %NAME% token is a
# placeholder substituted at deployment time; fill them from an inventory /
# secrets source rather than committing a rendered copy of this file.
hostname %SYSTEM_HOSTNAME%
# Login banner. Everything between the two '!' delimiters is literal banner text;
# it names Aruba Networks as the owner and should be re-worded for the deploying
# organization.
banner motd !
**********************************************************
NOTICE TO USERS
This is a private computer system and is the property of
Aruba Networks. It is for authorized use only.
users (authorized or unauthorized) have no explicit or
implicit expectation of privacy while connected to this
system.
Any or all uses of this system and all files on this system
may be intercepted, monitored, recorded, copied, audited,
inspected, and disclosed to an authorized site, Aruba networks,
and law enforcement personnel
(foreign and domestic).
By using this system, the user consents to such interception,
monitoring, recording, copying, auditing, inspection, and
disclosure at the discretion of an authorized site or Aruba Networks
personnel.
Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal
penalties. By continuing to use of this system you indicate
your awareness of and consent to these terms and conditions
of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
***********************************************************!
# Local fallback administrator. The 'plaintext' keyword means %PASSWORD% is
# entered in the clear; the same applies to every 'key plaintext' and
# 'secret-key' token below, so a rendered copy of this template is itself a
# secret. If the target platform offers the 'ciphertext' form, prefer it when
# the values come from a secrets store.
user admin group administrators password plaintext %PASSWORD%
# Ports disabled by loop-protect are re-enabled automatically after the timer.
loop-protect re-enable-timer 3600
# RADIUS servers used for 802.1X and MAC authentication: 5 s timeout, 3 retries.
radius-server host %RADIUS1_IP_ADDRESS% timeout 5 key plaintext %RADIUS1_SECRET_KEY% retries 3
radius-server host %RADIUS2_IP_ADDRESS% timeout 5 key plaintext %RADIUS2_SECRET_KEY% retries 3
# Dynamic authorization (RADIUS CoA / disconnect) is accepted only from these
# two clients. NOTE(review): %IP_ADDRESS_1%/%IP_ADDRESS_2% are presumably the
# same hosts as %RADIUS1_IP_ADDRESS%/%RADIUS2_IP_ADDRESS% -- confirm, and make
# sure each secret-key matches the server side, otherwise CoA requests are
# silently ineffective.
radius dyn-authorization client %IP_ADDRESS_1% secret-key %SECRET_KEY_1%
radius dyn-authorization client %IP_ADDRESS_2% secret-key %SECRET_KEY_2%
radius dyn-authorization enable
# IP client tracking on all VLANs. NOTE(review): these two lines are repeated
# verbatim later in the template (after dhcpv4-snooping); one copy can go.
client track ip
client track ip all-vlans
# RADIUS server group referenced by the port-access methods below.
aaa group server radius clearpass_radius_group
server %RADIUS1_IP_ADDRESS%
server %RADIUS2_IP_ADDRESS%
!
# Session accounting (start/stop) with interim updates every 60 (units are
# platform-defined -- confirm).
aaa accounting port-access start-stop interim 60 group clearpass_radius_group
!
# Global enable of 802.1X and MAC authentication against the RADIUS group.
# NOTE(review): this six-line pair is configured a second time further down
# (right after the device profile); duplicate, keep one.
aaa authentication port-access dot1x authenticator
radius server-group clearpass_radius_group
enable
aaa authentication port-access mac-auth
radius server-group clearpass_radius_group
enable
# TACACS+ servers for device administration (SSH login and command
# authorization); shared secrets are plaintext placeholders as above.
tacacs-server host %TACACS1_IP_ADDRESS% key plaintext %TACACS1_SECRET%
tacacs-server host %TACACS2_IP_ADDRESS% key plaintext %TACACS2_SECRET%
aaa group server tacacs CPPM
server %TACACS1_IP_ADDRESS%
server %TACACS2_IP_ADDRESS%
!
# SSH logins: TACACS group CPPM first, local users as fallback.
aaa authentication login ssh group CPPM local
# NOTE(review): command authorization lists 'local' before CPPM, the opposite
# order to the login line above -- confirm which method is meant to decide first.
aaa authorization commands default group local CPPM
# NOTE(review): allow-fail-through lets a login rejected by one method be tried
# against the next, so a user denied by CPPM can still be tried locally. Keep
# only if that fallback is a deliberate operational choice.
aaa authentication allow-fail-through
# Time sources. No NTP authentication is configured in this template; consider
# it if the platform supports it, since log correlation and certificate checks
# depend on correct time.
ntp server %NTP1_IP_ADDRESS%
ntp server %NTP2_IP_ADDRESS%
ntp enable
!
!
!
!
# SSH management is reachable on both the data (default) and OOB (mgmt) VRFs.
ssh server vrf default
ssh server vrf mgmt
# VSF stack of two jl660a members; member 1 uses 1/1/25-26 and member 2 uses
# 2/1/25-26 as stack links.
vsf secondary-member 2
vsf member 1
type jl660a
link 1 1/1/26
link 2 1/1/25
vsf member 2
type jl660a
link 1 2/1/25
link 2 2/1/26
# Flow export into the traffic-insight profile TI-01 (defined near the end of
# the template).
flow exporter central_flow_export
description Export flows to traffic insight profile
destination type traffic-insight
destination traffic-insight TI-01
# Flow record: IPv4 5-tuple match keys plus application, DNS, TLS, counter and
# timestamp collect fields.
flow record central_flow_record
description Record used for ipv4 traffic analysis
match ipv4 protocol
match ipv4 version
match ipv4 destination address
match ipv4 source address
match transport destination port
match transport source port
collect application name
collect application https url
collect application dns response-code
collect application tls-attributes
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
# Monitor binding the record to the exporter; applied inbound on the uplink LAG
# and the sample access port.
flow monitor central_flow_monitor
description Monitor for analyzing ipv4 traffic
exporter central_flow_export
record central_flow_record
# DHCPv4 snooping enabled globally; each user VLAN below turns it on per VLAN
# and the uplink LAG is marked trusted.
dhcpv4-snooping
dhcpv4-snooping event-log client
# NOTE(review): duplicate of the 'client track ip' pair configured earlier.
client track ip
client track ip all-vlans
# Device fingerprinting profile. NOTE(review): the sample access port applies
# 'SW_CLIENT_PROFILE' (underscores) while this defines 'SW-CLIENT-PROFILE'
# (hyphens); the names must match exactly or the profile is never applied.
client device-fingerprint profile SW-CLIENT-PROFILE
dhcp option-num 12,55,60
dhcp options-list
http user-agent
no ip source-lockdown resource-extended
# Flow tracking and application recognition enabled globally; the sample access
# port also enables app-recognition per interface.
flow-tracking
enable
app-recognition
enable
# VLAN definitions. Each user VLAN gets DHCPv4 snooping, ARP inspection and
# IGMP snooping. NOTE(review): VLAN 1 gets none of them although it is the
# pre-authentication VLAN on the sample access port ('vlan access 1') -- confirm
# that is intended.
vlan 1
vlan 11
name AP_MGMT
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 15
name NET_MGMT
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 20
name EMPLOYEE_WIRED
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 25
name EMPLOYEE_WLAN
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 30
name IOT
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 40
name GUEST
dhcpv4-snooping
arp inspection
ip igmp snooping enable
# Roles used on RADIUS reject (50) and RADIUS unreachable (51); see the
# 'reject-role' / 'critical-role' lines on the sample access port.
vlan 50
name REJECT_AUTH
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 51
name CRITICAL_AUTH
dhcpv4-snooping
arp inspection
ip igmp snooping enable
# VLAN used for user-based-tunnelled (UBT) clients; no snooping features here.
vlan 4000
name UBT_CLIENT
# Out-of-band management port with a static address.
interface mgmt
no shutdown
ip static %OOB_MGMT_IP%/%OOB_MGMT_MASK%
default-gateway %OOB_MGMT_GW_IP%
ubt-client-vlan 4000
spanning-tree
# UBT zone OWL: clients in tunnelled roles (see role IOT below) are sent to the
# gateway at %GW_IP_ADDRESS%.
ubt zone OWL vrf default
primary-controller ip %GW_IP_ADDRESS%
enable
# Create roles and associated VLAN assignments based on organizational requirements
# LLDP group that identifies Aruba APs by vendor OUI. NOTE(review): an OUI match
# is an identification control, not an authentication control, and the ARUBA-AP
# role it leads to is a trunk of every user VLAN. Where the platform allows,
# limit the device profile to AP-facing ports or pair it with MAC/802.1X
# authentication of the AP.
port-access lldp-group AP-LLDP-GROUP
seq 20 match vendor-oui 000b86
seq 30 match vendor-oui D8C7C8
seq 40 match vendor-oui 6CF37F
seq 50 match vendor-oui 186472
# AP role: native VLAN 11 (AP_MGMT) plus a trunk of all user VLANs.
port-access role ARUBA-AP
auth-mode device-mode
vlan trunk native 11
vlan trunk allowed 11,20,25,30,40,50-51
# Employee wired role: VLAN 20, reauth-period 14400 (seconds, presumably).
port-access role EMPLOYEE_WIRED
reauth-period 14400
auth-mode client-mode
vlan access 20
# IoT role has no local VLAN; traffic is tunnelled to gateway zone OWL as
# gateway-role IOT-LIMITED.
port-access role IOT
reauth-period 14400
auth-mode client-mode
gateway-zone zone OWL gateway-role IOT-LIMITED
port-access role GUEST
reauth-period 14400
auth-mode client-mode
vlan access 40
# Fallback roles for a RADIUS reject / RADIUS servers unreachable; the short
# reauth-period (600) re-evaluates the client soon after the condition clears.
port-access role REJECT_AUTH
reauth-period 600
auth-mode client-mode
vlan access 50
port-access role CRITICAL_AUTH
reauth-period 600
auth-mode client-mode
vlan access 51
# Device profile: a port that sees an AP-LLDP-GROUP match gets role ARUBA-AP.
port-access device-profile ARUBA_AP
enable
associate role ARUBA-AP
associate lldp-group AP-LLDP-GROUP
# NOTE(review): duplicate of the global dot1x / mac-auth enable earlier in the
# template; keep one copy.
aaa authentication port-access dot1x authenticator
radius server-group clearpass_radius_group
enable
aaa authentication port-access mac-auth
radius server-group clearpass_radius_group
enable
# Uplink LAG: trusted for ARP inspection and DHCP snooping so upstream DHCP
# replies and ARP are accepted. NOTE(review): 'vlan trunk allowed all' also
# carries VLAN 1 and VLAN 4000; restrict the list to what the uplink needs
# unless the distribution side prunes it.
interface lag 1
no shutdown
description Uplink LAG
no routing
vlan trunk native 15
vlan trunk allowed all
lacp mode active
arp inspection trust
dhcpv4-snooping trust
ip flow monitor central_flow_monitor in
# VLAN 1 SVI with no DHCP-assigned address.
interface vlan 1
no ip dhcp
#Set the in-band management VLAN and IP address per organizational requirements
# NOTE(review): 'interface vlan 15' is configured a second time near the end of
# the template with a different address placeholder (%NET_MGMT_TESTING_IP%);
# the later stanza will overwrite or conflict with this one -- keep one.
interface vlan 15
description MGMT_VLAN
ip address %MGMT_VLAN_IP%/%MGMT_VLAN_SUBNET_MASK%
# Sample colorless access port configuration
# The port starts in VLAN 1 and moves to whatever role/VLAN RADIUS returns.
# Edge hardening: bpdu-guard, root-guard, tcn-guard and admin-edge. CDP/LLDP
# frames are allowed before authentication (presumably so the AP device
# profile can match); up to 5 clients per port; REJECT_AUTH / CRITICAL_AUTH
# cover a RADIUS reject / RADIUS unreachable. 802.1X uses short EAPOL timers,
# presumably so MAC auth takes over quickly for devices without a supplicant.
interface 1/1/1
no shutdown
description ACCESS_PORT
no routing
vlan access 1
spanning-tree bpdu-guard
spanning-tree root-guard
spanning-tree tcn-guard
spanning-tree port-type admin-edge
aaa authentication port-access allow-cdp-bpdu
aaa authentication port-access allow-lldp-bpdu
aaa authentication port-access client-limit 5
aaa authentication port-access critical-role CRITICAL_AUTH
aaa authentication port-access reject-role REJECT_AUTH
aaa authentication port-access dot1x authenticator
eapol-timeout 2
max-eapol-requests 1
max-retries 1
reauth
reauth-period 14400
enable
aaa authentication port-access mac-auth
reauth
reauth-period 14400
enable
client device-fingerprint apply-profile SW_CLIENT_PROFILE
ip flow monitor central_flow_monitor in
app-recognition enable
# Sample uplink port configuration
# Physical members of LAG 1 with jumbo MTU. NOTE(review): 'exit' is used only
# in these two stanzas; the rest of the template relies on the next top-level
# command to leave the context -- harmless but inconsistent.
interface 1/1/28
no shutdown
mtu 9198
lag 1
exit
interface 2/2/28
no shutdown
mtu 9198
lag 1
exit
# NOTE(review): these SVIs carry '_TESTING_' placeholders and give the access
# switch an IP presence in every user VLAN, including GUEST and REJECT_AUTH.
# Presumably lab-only; remove before production so the switch's management
# plane is not reachable from untrusted segments.
interface vlan 11
name AP_MGMT
ip address %AP_MGMT_TESTING_IP%/%AP_MGMT_SUBNET_MASK%
interface vlan 15
name NET_MGMT
ip address %NET_MGMT_TESTING_IP%/%NET_MGMT_SUBNET_MASK%
interface vlan 20
name EMPLOYEE_WIRED
ip address %EMPLOYEE_WIRED_TESTING_IP%/%EMPLOYEE_WIRED_SUBNET_MASK%
interface vlan 25
name EMPLOYEE_WLAN
ip address %EMPLOYEE_WLAN_TESTING_IP%/%EMPLOYEE_WLAN_SUBNET_MASK%
interface vlan 30
name IOT
ip address %IOT_TESTING_IP%/%IOT_SUBNET_MASK%
interface vlan 40
name GUEST
ip address %GUEST_TESTING_IP%/%GUEST_SUBNET_MASK%
interface vlan 50
name REJECT_AUTH
ip address %REJECT_AUTH_TESTING_IP%/%REJECT_AUTH_SUBNET_MASK%
interface vlan 51
name CRITICAL_AUTH
ip address %CRITICAL_AUTH_TESTING_IP%/%CRITICAL_AUTH_SUBNET_MASK%
!
# Default route via the management VLAN gateway.
ip route 0.0.0.0/0 %MGMT_VLAN_GW_IP%
# NOTE(review): the DNS placeholders are named %NTP1_IP%/%NTP2_IP% and differ
# from %NTP1_IP_ADDRESS% used under 'ntp server'; looks like a copy error --
# confirm the intended DNS server addresses.
ip dns server-address %NTP1_IP%
ip dns server-address %NTP2_IP%
!
!
!
!
# Set source interface for switch services to the management VLAN ID
# Traffic-insight profile TI-01 consuming the IPFIX flow export defined above,
# with DNS-latency and application-flow monitors.
traffic-insight TI-01
enable
source ipfix
monitor dns-monitor type dns-average-latency
monitor application-mon type application-flows
# Switch-sourced client traffic (the 'all' keyword covers every protocol the
# platform supports) uses the VLAN 15 address.
ip source-interface all interface vlan15
# HTTPS management on both VRFs; like SSH above it is reachable from the data
# VRF, so confirm that management-plane ACLs or the upstream firewall limit
# who can reach the VLAN 15 address.
https-server vrf default
https-server vrf mgmt
client-insight enable