07-Mar-24

Aruba Branch Gateway Configuration

In this set of procedures, the branch gateway (BGW) is configured in two steps. The first step is the group level configuration, where the bulk of configuration is performed. This includes all common configurations, such as NTP, DNS, and VLANs.

After the group configuration is complete, each BGW’s device-specific configuration, such as hostname and IP addressing, is applied. This is applied before the device comes online with preprovisioning.


Create a Branch Gateway Group and Preprovision Gateways

Refer to the “Preparing to Deploy” section to create the branch group and move the gateways to the group.

Configure the Branch Gateway Group

Step 1 In the Global dropdown, search for or select the BR-ECSDB group created in the “Preparing to Deploy” section.

Select Group

Step 2 In the left navigation pane, in the Manage section, select Devices.

Select Devices

Step 3 Select the Gateways tab, then click the gear icon in the upper right corner.

Select Config

Step 4 Click Cancel, then click Exit.

Guided_Setup

Configure Model

Use this procedure to set the gateway model. Each group can contain only a single gateway model.

Step 1 On the Gateways tab, in the System section, select Platform.

Step 2 In the Model dropdown, select the platform you are standardizing on. In this case, A9004 is selected.

Configure System IP Pool

Set the configuration approach to Specify static IP address later. This is done because the management VLAN will be used as the System IP address. Ensuring that the system IP is set to a VLAN that is trunked throughout the environment is critical for high availability and wired/wireless tunneling best practice.

Select Platform

Set the System Time Parameters

Use this procedure to set the network time protocol (NTP) parameters and time zone to keep the BGW clocks synchronized.

Step 1 On the Gateways tab, in the System section, select Time.

Step 2 In the Public NTP Servers table, click the + (plus sign) to add a public NTP server.

Setting_NTP

Step 3 In the IPv4 Address/FQDN column, enter pool.ntp.org or other NTP server address.

Step 4 Select Burst Mode if this feature is supported by the NTP server. Burst mode provides faster time synchronization.

Step 5 In the Timezone dropdown, select the time zone, then click Save Settings.

NTP Server

Set DNS Servers

Specify the DNS server(s) the BGW uses to communicate with Central.

Step 1 On the Gateways tab, in the System section, select DNS.

Step 2 Select Specify DNS servers.

Step 3 In the Domain name text box, enter a domain name (example: example.local).

Step 4 In the Public DNS Servers table, click the + (plus sign) to assign a public DNS server. For a virtual BGW, leave the default DNS provided by the cloud provider and go to Step 6.

Step 5 In the Provider dropdown, select one of the listed providers, or select Alternate DNS if the desired server is not in the list.

Configuring_DNS

Step 6 Click Save Settings.

Note: The gateway uses this DNS server for its own DNS lookups. Clients do not use this DNS server.

Create a Management User Account

Create a management user account for CLI access to the gateways.

Step 1 On the Gateways tab, in the System section, select Management User.

Step 2 In the Local management users table, click the + (plus sign).

Add MGMT User

Step 3 In the Add Management User table, assign the following settings, then click Save.

  • Name: admin
  • Password: password
  • Retype Password: password
  • Role: Super user role

Note: Create additional users with other roles as needed.

MGMT_Name_PW

Step 4 Click Save Settings in the bottom left corner.

Configure VLANs

In this section, the data VLANs are configured. This configuration is at the group level, so none of these VLANs have an IP address assigned.

Step 1 On the right side, click Basic Mode.

Step 2 Go to LAN and select VLANs.

Step 3 On the VLANs table, click the + (plus sign).

Step 4 In the New VLAN window, configure each VLAN in the table below with the following settings, then click Save Settings.

  • Enable DHCP relay for VLANs: selected
  • DHCP relay destination addresses:
    1. 10.2.120.98
    2. 10.2.120.99

Step 5 Repeat the steps for all VLANs in the table below.

VLAN Name    VLAN ID
MGMT         100
Employee     101
Printer      102
Camera       103
Guest        104
Reject       105
Critical     106
Quarantine   107

Creating_VLAN

Configure LAN Ports

In this section, the LAN ports are configured.

Step 1 On the right side, click Basic Mode.

Step 2 Go to LAN and select LAN ports.

Step 3 On the LAN Ports/Port Channels table, click the + (plus sign).

Step 4 Configure the LAN ports with the information in the table below.

Name              Port      Mode   Access VLAN  Native VLAN  Allowed VLANs
GE2 Trunk to LAN  GE-0/0/2  trunk  blank        100          blank
GE3 Trunk to LAN  GE-0/0/3  trunk  blank        100          blank

Configure_LAN_Ports

Configure WAN Uplinks

In this section, the WAN uplinks are configured. This configuration is at the group level, so none of these uplinks have an IP address assigned. Port 0/0/0 is used for the Internet connection and port 0/0/1 is used for MPLS. The Uplink field is generally the name of the service provider. For MPLS, ensure that the Uplink field matches across all devices.

Step 1 On the right side, click Basic Mode.

Step 2 Go to WAN and select WAN Details.

Step 3 On the WAN Uplinks/Ports table, click the + (plus sign).

Step 4 In the New WAN Uplink / Port window, configure the MPLS and INET uplinks.

MPLS:

  • Uplink: MPLS
  • WAN Type: MPLS
  • WAN Speed: 10
  • Source NAT: Unchecked
  • Use as Back: Unchecked
  • IP Addressing Method: Static
  • Port: GE 0/0/1
  • Secure with ACL: Unchecked

INET:

  • Uplink: INET
  • WAN Type: INET
  • WAN Speed: 20
  • Source NAT: Checked
  • Use as Back: Unchecked
  • IP Addressing Method: DHCP
  • Port: GE 0/0/0
  • Secure with ACL: Checked

Setting WAN Uplinks

Configure the WAN Load Balancing Algorithm

Uplink utilization is recommended for use as the load balancing algorithm. This moves traffic from oversaturated links to a less used link if the bandwidth threshold is exceeded.

Step 1 On the configuration Gateways tab in Basic Mode, go to WAN and select Load Balancing.

Step 2 In the Load balancing mode list, select Uplink utilization.

Configure WAN Load Balancing Algorithm

Configure the Overlay and Set the VPNC Preference

Use this procedure to assign data center preferences for tunnel orchestration for the VPN concentrators (VPNCs).

Step 1 In Basic Mode, select Tunnels & Routing, then DC Preference.

Step 2 In the DC Preference table, click the + (plus sign) to add a VPNC hub group.

Step 3 In the Hub Group dropdown, select a VPNC group to assign the preferred data center.

Step 4 In the Primary VPNC dropdown, select the primary VPNC.

Step 5 In the Secondary VPNC dropdown, select the secondary VPNC, then click Save Settings.

Note: VPNCs do not appear unless they have been configured. See the “Configuring VPNC” section to configure the VPNCs.

Enabling Overlay

Step 6 Repeat steps 3 to 5 if a secondary data center is used. Groups higher in the list (with lower numbers) are treated as more preferred VPNC groups.

Note: The procedures in this guide do not use a second DC; this is shown only as an example.

Enable Overlay Routes

In this procedure, branch subnets are redistributed into the VPN overlay to ensure route reachability with other sites.

Step 1 In Basic mode, select Tunnels & Routing, then Overlay Routes.

Step 2 In Redistribute connected vlans, select all the user VLANs and the system IP VLAN for overlay redistribution, then click Save Settings.

Redistribute_VLANs

Enable DPI and Application Visibility

Deep packet inspection and Application Visibility must be enabled for Dynamic Path Steering and SAAS Express to function. This section describes how to enable these features.

Note: This procedure will cause the gateways to reboot to apply the configuration.

Step 1 Verify that the Gateway configuration mode is in Advanced Mode.

Step 2 Select the Security tab, then select Applications.

Step 3 Expand the Application Visibility section.

Step 4 Check the Deep packet inspection checkbox.

Step 5 Check the App performance monitoring checkbox.

Step 6 Click Save Settings.

Enable DPI & Application Visibility

Note: Deep packet inspection is enabled by default at the device level, but it is best practice to also enable it at the group level.

Configure Policies for Dynamic Path Steering

The dynamic path steering (DPS) feature provides real-time traffic routing and load balancing across the available uplinks based on the measured performance of those uplinks. DPS policies and configurations are unique to each environment, based on the organization’s applications and performance needs. General guidance on developing a DPS policy can be found in the design section of the guide here. This section describes how to configure a DPS policy that selects the optimal WAN path and applies forward error correction (FEC) for voice traffic.

Additional policies should be created based on application requirements.

Note: While this example deployment does not utilize LTE connections, LTE is included in the below policy to facilitate the future addition of LTE uplinks without the need to modify the policy.

Create Policy

Step 1 Verify that the Gateway configuration mode is in Basic Mode.

Step 2 Select the Policies tab, then select DPS.

Step 3 Click the + (plus sign) to create a new DPS policy.

Create DPS Policy

Step 4 In the Create Policy window, assign the following settings and click Save.

  • Policy Type: DPS
  • Policy Name: Protect-Voice

Create DPS Policy

Identify Traffic

Step 1 Select Protect-Voice.

Step 2 Click the edit (pencil) icon in the Traffic Rules section.

Identify Traffic 1

Step 3 Click the + (plus sign) to create a new traffic specification rule.

Identify Traffic 2

Step 4 In the Add Rules for Protect-Voice window, assign the following settings and click Save.

  • Source: Any
  • Destination: Any
  • Application/Port: App Categories
  • App Categories: unified-communications

Identify Traffic 3

Step 5 Click the back arrow.

Identify Traffic 4

Set WAN Paths

Step 1 Select Protect-Voice and click the pencil icon next to WAN Path.

WAN Path 1

Step 2 In the WAN Path for Protect-Voice window, assign the following settings and click Save.

  • Primary path: ALL_MPLS
  • Secondary path: ALL_INET
  • Last resort path: ALL_LTE

WAN Path 2

Configure SLA

Step 1 Select Protect-Voice and click the edit (pencil) icon next to SLA.

Step 2 In the Select SLA for Protect-Voice window, assign the following settings and click Save.

  • SLA: BestforVoice

  • Loss Correction (FEC): Checked
  • Loss % with FEC: 5
  • FEC Ratio: 1:4

WAN Path 3

Step 3 Review the configuration and click Save Settings.

Review Policy DPS

Configure Policies for SAAS Express

The SAAS Express feature routes traffic through the best Internet egress point, based on the measured performance of each Internet egress point for the given application. SAAS Express policies and configurations are unique to each environment, based on the organization’s applications and performance needs. General guidance on developing a SAAS Express policy can be found in the design section of the guide here. This section describes how to configure a SAAS Express policy to optimize Office 365 traffic.

Note: While this example deployment does not utilize LTE connections, LTE is included in the below policy to facilitate the future addition of LTE uplinks without the need to modify the policy.

Additional policies should be created based on application requirements.

Create Policy

Step 1 Verify that the Gateway configuration mode is in Basic Mode.

Step 2 Select the Policies tab, then select DPS.

Step 3 Click the + (plus sign) to create a new SAAS Express policy.

Create SAAS Policy

Step 4 In the Create Policy window, assign the following settings and click Save.

  • Policy Type: SAAS
  • Application: office365

Create SAAS Policy

Configure SLA

Step 1 Select saas_office365_wp and click the edit (pencil) icon beside SLA.

Create SAAS SLA Pencil

Step 2 In the Select SLA for saas_office365_wp window, select the BestforSaaS SLA.

Step 3 Click Save.

SAAS Express Create SLA

Configure Exit Profile

Step 1 Select saas_office365_wp and click the edit (pencil) icon beside Exit Profile.

SAAS Express Create Exit Profile Pencil

Step 2 In the Exit Profile for saas_office365_wp window, select the default profile BestForSaaS and click Save.

SAAS Express Create Exit Profile 1

Step 3 Review the configuration and click Save Settings.

SAAS Express Review Configuration

Configure Branch Gateway at the Device Level

In this section, the primary Miami branch gateway is configured. The gateways can be preconfigured offline and obtain their configuration when they connect to Central. Ensure that the branch gateways are assigned to the group and site as demonstrated in the “Preparing to Deploy” section.

Start the Branch Gateway Configuration

Step 1 On the Aruba Central Account Home page, launch the Network Operations app.

Step 2 In the dropdown, select the branch gateway group containing the devices.

Step 3 In the left navigation pane, in the Manage section, select Devices and select the Gateways tab.

Step 4 In the Gateways table, select the device to configure as the primary branch gateway.

Step 5 In the Guided Setup window, click Cancel, then click Exit.

Starting branch configuration

Assign a Hostname

Step 1 Go to the Gateway configuration and verify that Basic Mode is enabled.

Step 2 Select System and Hostname.

Step 3 Click the basic info dropdown and enter the Hostname.

configure Hostname

Assign IP Addresses to the VLAN

Use this procedure to assign LAN VLAN IP addresses. The DHCP relay was preconfigured at the group level.

Step 1 Ensure that the Gateway configuration mode is in Basic Mode.

Step 2 Select the LAN tab and select VLANs.

Step 3 In the VLANs table, select one of the VLANs, and click the edit (pencil) icon.

Step 4 In the VLAN window, assign the following settings, then click Save. (These IP addresses are for the Miami site.)

VLAN ID  Description                                                             Network        Default Gateway (VRRP)  MIABR-ECB1-1 IP Address  MIABR-ECB1-2 IP Address
100      MGMT (Gateway System IP)                                                10.14.0.0/24   10.14.0.1               10.14.0.2                10.14.0.3
101      Employee                                                                10.14.1.0/24   10.14.1.1               10.14.1.2                10.14.1.3
102      PRINTER                                                                 10.14.2.0/24   10.14.2.1               10.14.2.2                10.14.2.3
103      IoT (smart thermostats, smart access control, and meeting room kiosk)   10.14.3.0/24   10.14.3.1               10.14.3.2                10.14.3.3
104      Guest                                                                   10.14.4.0/24   10.14.4.1               10.14.4.2                10.14.4.3
105      Reject                                                                  10.14.5.0/24   10.14.5.1               10.14.5.2                10.14.5.3
106      Critical                                                                10.14.6.0/24   10.14.6.1               10.14.6.2                10.14.6.3
107      Quarantine                                                              10.14.7.0/24   10.14.7.1               10.14.7.2                10.14.7.3
Summary                                                                          10.14.0.0/21   —                       —                        —

Step 5 Repeat step 3 and 4 for all VLANs in the table above.

Assigning an IP to VLAN

Note: Clicking Save Settings after changing each VLAN IP is unnecessary. All VLAN IP changes can be saved at the same time.

Configure the MPLS VLAN

The MPLS VLAN must be configured statically with an IP address and gateway. The DNS servers entered here are used for health checks on the interface.

Step 1 Ensure that the Gateway configuration mode is in Basic Mode.

Step 2 Go to WAN and select WAN Details.

Step 3 Scroll and select the MPLS VLAN. (Be sure the local gateway VLAN is selected.)

Step 4 Enter the IPv4 Address, Gateway IP, Netmask, and DNS Servers for the MPLS VLAN.

Step 5 Click Save.

Configuring MPLS IP

Assign System IP Address

Use this procedure to select the Management VLAN as the system IP address.

Step 1 Ensure that the Gateway configuration mode is in Advanced Mode.

Step 2 In the System section, select General and expand System IP Address.

Step 3 In the dropdown, select VLAN 100.

Step 4 Click Save Settings.

configure Hostname

Configure the LAN Redundancy

Step 1 Ensure that the Gateway configuration mode is in Basic Mode.

Step 2 In the Redundancy section, select Preferred Cluster Leader.

Step 3 Set the Preferred Cluster Leader to MIABR-ECB1-1.

Step 4 In the Cluster Virtual Router IPs table, click the + (plus sign).

Step 5 In the VLAN ID dropdown, select a LAN VLAN. The IP Address on Local and IP Address on Peer columns should autopopulate with the IP address values.

Step 6 In Virtual IP column, enter an IP address; for example, 10.14.0.1.

Step 7 Repeat steps 3 and 4 for all user VLANs.

Step 8 Click Save Settings.

Note: Ensure that Automatic Clustering and Auto Site are both enabled at the group level: select BR-ECSDB, switch to Advanced Mode, and go to High Availability > Clusters.

Clustering and VIP
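As an added check (example code, not from this guide or from Aruba), the following Python script validates the Miami addressing plan from the VLAN table above together with the cluster virtual IPs entered in the LAN redundancy steps, before any of it is typed into Central. It verifies that every VLAN prefix sits inside the site summary 10.14.0.0/21 without overlapping another VLAN, that the VRRP virtual IP and the two gateway addresses are usable host addresses in that prefix and distinct from each other, and that every group-level VLAN has an address row. The function name check_plan and the row layout are this example's own; the values are re-keyed from the table.

```python
"""Consistency checks for a branch site addressing plan before it is typed into Central.

Added example, not Aruba or HPE code. The VLAN rows and summary prefix are the
Miami values from the VLAN table in this guide, re-keyed by hand; the check
logic and function names are this example's own.
"""
from ipaddress import ip_address, ip_network

# Site summary prefix from the table's Summary row.
SITE_SUMMARY = ip_network("10.14.0.0/21")

# VLAN IDs created at the group level (from the group VLAN table).
GROUP_VLANS = {100, 101, 102, 103, 104, 105, 106, 107}

# Device-level rows: (vlan_id, network, VRRP virtual IP, MIABR-ECB1-1 IP, MIABR-ECB1-2 IP)
SITE_VLANS = [
    (100, "10.14.0.0/24", "10.14.0.1", "10.14.0.2", "10.14.0.3"),
    (101, "10.14.1.0/24", "10.14.1.1", "10.14.1.2", "10.14.1.3"),
    (102, "10.14.2.0/24", "10.14.2.1", "10.14.2.2", "10.14.2.3"),
    (103, "10.14.3.0/24", "10.14.3.1", "10.14.3.2", "10.14.3.3"),
    (104, "10.14.4.0/24", "10.14.4.1", "10.14.4.2", "10.14.4.3"),
    (105, "10.14.5.0/24", "10.14.5.1", "10.14.5.2", "10.14.5.3"),
    (106, "10.14.6.0/24", "10.14.6.1", "10.14.6.2", "10.14.6.3"),
    (107, "10.14.7.0/24", "10.14.7.1", "10.14.7.2", "10.14.7.3"),
]


def check_plan(rows, summary, group_vlans):
    """Return a list of problem strings; an empty list means the plan is consistent."""
    problems = []
    seen = []  # (vlan_id, network) pairs already checked, for overlap detection
    for vid, net_s, vip_s, gw1_s, gw2_s in rows:
        if vid not in group_vlans:
            problems.append(f"VLAN {vid}: not created at the group level")
        try:
            net = ip_network(net_s, strict=True)  # strict: host bits must be zero
        except ValueError:
            problems.append(f"VLAN {vid}: '{net_s}' is not a valid network prefix")
            continue
        if not net.subnet_of(summary):
            problems.append(f"VLAN {vid}: {net} is outside the site summary {summary}")
        for other_vid, other in seen:
            if net.overlaps(other):
                problems.append(f"VLAN {vid}: {net} overlaps VLAN {other_vid} ({other})")
        seen.append((vid, net))

        # The VRRP VIP and both gateway addresses must be usable hosts in the VLAN's
        # prefix and must differ from each other: the VIP is the clients' default
        # gateway, so it must not collide with either physical gateway address.
        parsed = {}
        for role, addr_s in (("VRRP VIP", vip_s), ("gateway 1", gw1_s), ("gateway 2", gw2_s)):
            try:
                addr = ip_address(addr_s)
            except ValueError:
                problems.append(f"VLAN {vid}: {role} '{addr_s}' is not a valid IP address")
                continue
            if addr not in net or addr in (net.network_address, net.broadcast_address):
                problems.append(f"VLAN {vid}: {role} {addr} is not a host address in {net}")
            parsed[role] = addr
        if len(set(parsed.values())) != len(parsed):
            problems.append(f"VLAN {vid}: VIP and gateway addresses must be distinct")

    # Every group-level VLAN should receive an address row at the device level.
    for vid in sorted(group_vlans - {row[0] for row in rows}):
        problems.append(f"VLAN {vid}: created at the group level but has no address row")
    return problems


if __name__ == "__main__":
    for line in check_plan(SITE_VLANS, SITE_SUMMARY, GROUP_VLANS) or ["addressing plan is consistent"]:
        print(line)
```

Run it once with the site's values before the Central session; a mistyped address such as a stray character in a gateway IP, a VLAN prefix that falls outside the summary, or a VIP that duplicates a gateway address is reported by VLAN ID so it can be corrected in the plan rather than discovered after the cluster forms.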

Configure WAN Redundancy for Specific Deployments (Optional)

If only one of each WAN transport is available at a site with redundant gateways, WAN transports can be shared over the LAN. For example, the INET circuit terminates on one gateway and the MPLS circuit terminates on another gateway. As long as the gateways are reachable over the LAN, they can share the respective WAN transports. This configuration is not used in this deployment because the sites have redundant connections for both INET and MPLS. In this example, site RS01 is shown, with VLAN 100 used for connectivity between the gateways. Follow these steps to configure WAN redundancy.

Step 1 Verify that the Gateway configuration mode is in Basic Mode.

Step 2 Select the WAN tab, then select WAN Details.

Step 3 Turn on Enable High Availability deployment.

Step 4 In the Peer Gateway section, select the gateway at each site.

Step 5 Ensure that all the WAN transports appear in the WAN Uplinks / Ports table.

Note: As long as both gateways have the same site ID, the peer gateway and site ID are populated automatically and grayed out.