Branch Switch Configuration
The primary function of the switch in this branch deployment is to provide power and layer 2 access to wired devices and APs. Each branch deployment should have the same physical connectivity to minimize differences between templates. OWL requires two different switch topologies, so there are two switch templates: one for the collapsed core and one for the access switch. Most of the configuration is the same for both; the only differences are in the uplinks and downlinks. The following sections use templates to configure the switches.
Templates use variables to apply unique configuration to each switch. A variable is created by enclosing an admin-defined string in percent signs in the configuration file. That string becomes a column in a CSV file that the admin fills in with a per-device value. Below is an example of how variables are created and formatted.
interface Vlan 10
ip address %VLAN_IP%
Switch Name | %VLAN_IP% Variable Input |
---|---|
Example-SW-01 | 10.0.0.2 |
Example-SW-02 | 10.0.0.2 |
In advanced cases, templates may need other template functions such as if and else statements. If statements are also delimited by percent signs on both sides of the string, but they differ from a plain variable in a few ways: the if statement names the variable and the value to match (for example %if SITE_HAS_AGG=y%), and the lines up to the matching %endif% are applied only when the device's CSV value matches. The following sections demonstrate how to use variables to allow flexibility within a configuration file.
Stacking Switches Offline
Before connecting the uplinks, the switches should be stacked. Use the following procedure to stack switches before they connect to Central.
Caution: Do not connect the switch to the gateway before it is stacked; otherwise it cannot be stacked offline without a factory reset.
Before starting this procedure check the following:
Step 1 Ensure the switches are running AOS-CX 10.7 or above.
Step 2 All switches are at factory default.
Step 3 Switches in the stack are connected on the reserved auto-stacking ports.
- 24-port switches auto-stack ports: 25, 26
- 48-port switches auto-stack ports: 49, 50
Step 4 Switches are connected in a ring topology.
Step 5 A console connection to the switch is available.
After going through the checklist above the switches are ready to be stacked.
Step 1 Press the mode button until the LED displays STK on the switch that will be the conductor, and wait for the conductor to reboot.
Step 2 On the second switch, press the mode button until the LED displays STK. Wait for the second member to boot.
Note: During stacking operation, the port LEDs are displayed in three different states:
Flashing green - Indicates that the member is the conductor.
Flashing orange - Indicates that the member is rebooting to join the stack or offline due to error condition.
Solid green - Indicates that the member joined the stack and is operational. For more information on stacking LED states, refer to the Monitoring Guide.
Configure the Access Base Features
Use this procedure to configure the access switch base features. The base features configured here are the host name, management user account, banner MOTD, NTP, and DNS; RADIUS-based AAA is configured in a later section.
In the configuration template, perform the following steps:
Step 1 Configure the switch host name.
hostname %HOSTNAME%
Step 2 Configure the management user account.
user admin group administrators password plaintext <password>
Note: There must be an admin user account for CLI access to the switch. The switch stores only a hash of this password in its running configuration, but the template text holds it in clear text and is shared by every switch in the group. Treat the template as a secret, or supply the password as a variable so the value is kept per device in the CSV rather than in the shared template body.
Step 3 Configure the login banner. The banner MOTD is normally used as a legal disclaimer to notify users logging into the network that only authorized access is allowed. Consult your own legal team to define the banner MOTD. An example is shown below.
banner motd $
**********************************************************
NOTICE TO USERS
This is a private computer system and is the property of Aruba Networks. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy while connected to this system.
...
Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use of this system, you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
***********************************************************
$
Note: When setting the banner, a delimiter character marks the end of the MOTD text and returns the CLI from banner input to the configuration context. In this example, the delimiter is "$", so the banner text itself must not contain that character.
Step 4 Configure the NTP servers and time zone.
ntp server 10.2.120.98 iburst version 3
ntp server 10.2.120.99 iburst version 3
clock timezone us/pacific
Step 5 Configure the DNS servers and domain name.
ip dns server-address 10.2.120.98
ip dns server-address 10.2.120.99
ip dns domain-name Example.local
Configure the Access VLANs
To provide client devices with network connectivity, access switches must carry the same VLANs as the branch gateways. The access switches also have a layer 3 interface on the management VLAN. IGMP snooping, DHCP snooping, and ARP inspection are enabled.
IGMP snooping prevents hosts on a local network from receiving traffic for a multicast group they have not explicitly joined. The feature gives layer 2 switches a mechanism to prune multicast traffic from ports that have no active multicast listener.
DHCP snooping is enabled globally and on each VLAN. It drops DHCP server messages arriving on untrusted ports, so a rogue DHCP server cannot service requests, mitigates DHCP starvation attacks, and builds the IP-to-MAC binding table that ARP inspection validates against.
ARP inspection is enabled under the VLAN but does not take effect unless DHCP snooping is also enabled, because it checks ARP packets on untrusted ports against the DHCP snooping bindings. This blocks the ARP cache poisoning used for man-in-the-middle attacks.
In the configuration template, assign the following configuration:
VLAN ID | Description |
---|---|
100 | MGMT VLAN |
101 | Employee |
102 | Camera |
103 | IOT |
104 | Guest |
105 | Reject |
106 | Critical |
107 | Quarantine |
Step 1 Configure DHCP snooping globally.
dhcpv4-snooping
Step 2 Configure the access VLANs, enable DHCP/IGMP snooping, and enable ARP inspection.
vlan 100
name MGMT
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 101
name EMPLOYEE
dhcpv4-snooping
arp inspection
ip igmp snooping enable
...
vlan 107
name QUARANTINE
dhcpv4-snooping
arp inspection
ip igmp snooping enable
Step 3 Configure the layer 3 interface VLAN.
interface vlan 100
description MGMT
ip dhcp
Note: The ip dhcp command can be applied to only one VLAN interface. The template fails to apply if multiple interface VLANs have this configuration.
Configure Device Profiles
Device profiles detect APs dynamically and configure the attached port properly for device management and for tagging the bridged SSIDs. This assists network operators by eliminating manual configuration of ports to which APs are connected.
Device profiles are applied in three steps. First, configure the role to identify the AP, as well as the port tagging. Second, define the LLDP group, which uses LLDP to glean the device OUI to identify if the device is an Aruba AP. Last, associate the role and LLDP group in a device profile configuration.
Note: This procedure can be skipped if ClearPass is used to authenticate Aruba APs.
On each access switch, perform the following steps:
Step 1 Configure the Aruba-AP Role. Create the role, set the authentication mode, set the native VLAN, and define the allowed VLANs.
port-access role ARUBA-AP
auth-mode device-mode
vlan trunk native 100
vlan trunk allowed 100,101,104-107
Step 2 Configure the LLDP group. Create the group and identify the Aruba AP OUIs.
port-access lldp-group AP-LLDP-GROUP
seq 10 match vendor-oui 000b86
seq 20 match vendor-oui D8C7C8
seq 30 match vendor-oui 6CF37F
seq 40 match vendor-oui 186472
seq 50 match sys-desc ArubaOS
Note: The LLDP group identifies Aruba APs by OUI and uses the system-description match at the end as a catchall for future AP models. LLDP is unauthenticated, so any device that advertises one of these OUIs or an ArubaOS system description is placed in the ARUBA-AP role and given the trunk. Where the APs can be authenticated instead, prefer that (see the ClearPass note above).
Step 3 Configure the device profile. Create the profile, enable it, then associate it with the role and LLDP group created previously.
port-access device-profile ARUBA_AP
enable
associate role ARUBA-AP
associate lldp-group AP-LLDP-GROUP
Configure RADIUS
Use this procedure to configure the RADIUS servers for the access switch.
Access switches authenticate devices attempting to connect to the network. The two most common methods to authenticate users are 802.1x and MAC-based authentication. This design supports both methods, as well as dynamic authorization that allows the AAA server to change the authorization level of the device connected to the switch.
RADIUS tracking is enabled to verify the status of the client and server. The configuration also includes user roles for rejected clients and RADIUS failure scenarios.
On each access switch, perform the following steps:
Step 1 Configure the RADIUS servers, enable RADIUS dynamic authorization, and track client IP addresses with probes.
radius-server host 10.2.120.94 key plaintext <Password>
radius-server host 10.2.120.95 key plaintext <Password>
radius dyn-authorization enable
client track ip update-method probe
Step 2 Configure AAA for 802.1x and MAC authentication.
aaa authentication port-access dot1x authenticator
enable
aaa authentication port-access mac-auth
enable
Step 3 Configure the local user roles, set the reauthentication period, and set the access VLAN for each role.
port-access role EMPLOYEE
reauth-period 120
vlan access 101
port-access role CAMERA
reauth-period 120
vlan access 102
port-access role IOT
reauth-period 120
vlan access 103
port-access role GUEST
reauth-period 120
vlan access 104
port-access role REJECT
reauth-period 120
vlan access 105
port-access role CRITICAL
reauth-period 120
vlan access 106
port-access role QUARANTINE
reauth-period 120
vlan access 107
Step 4 Configure AAA authentication on the access ports. Set the client limit, configure 802.1x/MAC authentication, set the authentication order, and configure critical role and the rejection role. Adjust the EAPOL timeout, max requests, and max retry defaults.
interface 1/1/1
description ACCESS_PORT
no shutdown
no routing
vlan access 1
aaa authentication port-access client-limit 5
aaa authentication port-access auth-precedence dot1x mac-auth
aaa authentication port-access critical-role CRITICAL
aaa authentication port-access reject-role REJECT
aaa authentication port-access dot1x authenticator
eapol-timeout 30
max-eapol-requests 1
max-retries 1
enable
aaa authentication port-access mac-auth
enable
Note: eapol-timeout is the number of seconds the switch waits for an EAPOL response from the client before it retransmits the request.
max-eapol-requests is the number of EAPOL requests the switch sends before it considers the 802.1X attempt failed.
max-retries is the number of 802.1X authentication attempts the switch makes before it treats the client as failed. With auth-precedence dot1x mac-auth, these low values let a client that does not speak 802.1X (a camera or IoT device) fall through to MAC authentication quickly instead of waiting for the defaults to expire.
Configure Spanning Tree
Spanning tree is enabled globally on each access switch as a loop prevention mechanism. Supplemental features such as admin-edge, root guard, BPDU guard, and TCN guard are enabled on appropriate interfaces to ensure that spanning tree runs effectively.
On each access switch, perform the following steps:
Step 1 Configure spanning tree globally and enable Rapid Per VLAN Spanning Tree for the access VLANs.
spanning-tree mode rpvst
spanning-tree
spanning-tree priority 8
spanning-tree vlan 100-107 priority 15
spanning-tree vlan 100-107
Step 2 Configure the supplemental spanning tree features.
interface 1/1/1
description ACCESS_PORT
no shutdown
no routing
vlan access 1
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
spanning-tree root-guard
spanning-tree tcn-guard
loop-protect
loop-protect action tx disable
Step 3 The final access port configuration should look like the following:
interface 1/1/1
description ACCESS_PORT
no shutdown
no routing
vlan access 1
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
spanning-tree root-guard
spanning-tree tcn-guard
loop-protect
loop-protect action tx disable
aaa authentication port-access client-limit 5
aaa authentication port-access auth-precedence dot1x mac-auth
aaa authentication port-access critical-role CRITICAL
aaa authentication port-access reject-role REJECT
aaa authentication port-access dot1x authenticator
eapol-timeout 30
max-eapol-requests 1
max-retries 1
enable
aaa authentication port-access mac-auth
enable
Step 4 Repeat the full interface configuration for each access port. The collapsed core switch is stacked, so use the stacked interface numbering for ports on the second member (for example 2/1/1).
Configure Access Uplink Ports
Each access switch has an uplink to both BGWs or to an aggregation switch. Each uplink connected to a gateway is a trunk with allowed VLANs 100-107. If the access switch is connected to an aggregation switch, it uses a LAG with the same allowed VLANs. The native VLAN for the uplink is VLAN 100. Each uplink has DHCP snooping trust and ARP inspection trust enabled. The section below demonstrates how to use if statements in the template to dictate which configuration a switch receives.
Caution: If DHCP snooping trust and ARP inspection trust are not enabled on the uplinks, clients cannot get an IP address or connect to the network.
For the access switch template perform the following steps:
Step 1 Configure the uplink interface, then set the native VLAN and the allowed VLANs on the trunk.
interface 1/1/24
description Uplink_GW
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
Step 2 Add ARP inspection trust and DHCP snooping trust to the uplink interface.
interface 1/1/24
description Uplink_GW
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
arp inspection trust
dhcpv4-snooping trust
Caution: DHCP snooping and ARP inspection must be trusted on the trunk interface so clients can receive addresses from the centralized DHCP servers and their ARP traffic passes inspection. Trust only the uplinks toward the gateways or aggregation switch; an access port marked trusted would let a host on it act as a DHCP server or send ARP that bypasses inspection.
Step 3 Wrap the uplink ports in an if statement so they are applied only when the site has no aggregation switch (SITE_HAS_AGG=n).
%if SITE_HAS_AGG=n%
interface 1/1/23
description Uplink_to_BGW
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
arp inspection trust
dhcpv4-snooping trust
interface 1/1/24
description Uplink_to_BGW
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
arp inspection trust
dhcpv4-snooping trust
%endif%
Step 4 Configure the LAG.
interface lag 1
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
lacp mode active
lacp fallback-static
arp inspection trust
dhcpv4-snooping trust
Step 5 Configure the if statement around the LAG and its member uplinks so they are applied only when the site has an aggregation switch (SITE_HAS_AGG=y).
%if SITE_HAS_AGG=y%
interface lag 1
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
lacp mode active
lacp fallback-static
arp inspection trust
dhcpv4-snooping trust
interface 1/1/23
description Uplink_to_AGG
no shutdown
lag 1
interface 1/1/24
description Uplink_to_AGG
no shutdown
lag 1
%endif%
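The settings in the RADIUS, spanning tree, and uplink sections above depend on each other: a critical-role or reject-role is only useful if a port-access role with that name exists, every access port needs the edge protections and authentication, and snooping trust must appear on the uplinks and nowhere else. The following added example (the editor's code for this page, not part of the guide or of AOS-CX) lints a rendered configuration for those invariants before it is pasted into Central. The parser and the finding names are this example's own, and the sample configuration is constructed from the guide's snippets with two defects planted in it.

```python
"""Lint a rendered AOS-CX access-switch configuration for the port-security
invariants this guide depends on.

Added example for this page, not code from the guide or from AOS-CX. The
parser and the finding names (edge_missing, trusted_edge, uplink_missing,
undefined_role) are this example's own; the sample configuration is
constructed from the guide's snippets, with two deliberate defects.
"""
import re
from collections import defaultdict

# Constructed sample: two access ports, one uplink, and two of the guide's roles.
SAMPLE_CONFIG = """\
port-access role REJECT
    vlan access 105
port-access role CRITICAL
    vlan access 106
interface 1/1/1
    description ACCESS_PORT
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree port-type admin-edge
    aaa authentication port-access critical-role CRITICAL_AUTH
    aaa authentication port-access reject-role REJECT
    aaa authentication port-access dot1x authenticator
        enable
interface 1/1/2
    description ACCESS_PORT
    vlan access 1
    dhcpv4-snooping trust
    spanning-tree bpdu-guard
    spanning-tree port-type admin-edge
    aaa authentication port-access dot1x authenticator
        enable
interface 1/1/24
    description Uplink_to_BGW
    vlan trunk native 100
    vlan trunk allowed 100-107
    arp inspection trust
"""

# What every edge port must carry, and what only uplinks may carry.
EDGE_REQUIRED = (
    "spanning-tree bpdu-guard",
    "spanning-tree port-type admin-edge",
    "aaa authentication port-access dot1x authenticator",
)
TRUST_COMMANDS = ("arp inspection trust", "dhcpv4-snooping trust")
ROLE_REF_RE = re.compile(r"aaa authentication port-access (?:critical|reject)-role (\S+)")


def parse_blocks(text):
    """Group indented lines under their 'interface ...' or 'port-access role ...'
    header. Returns (defined role names, {interface name: [stripped lines]})."""
    roles, interfaces = set(), defaultdict(list)
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] != " ":                     # a top-level command starts a new block
            iface = re.match(r"interface (.+)$", raw)
            role = re.match(r"port-access role (\S+)$", raw)
            current = interfaces[iface.group(1)] if iface else None
            if role:
                roles.add(role.group(1))
        elif current is not None:
            current.append(raw.strip())
    return roles, interfaces


def lint(text):
    """Return sorted (interface, finding) pairs; an empty list means clean."""
    roles, interfaces = parse_blocks(text)
    findings = []
    for name, lines in interfaces.items():
        if any(l.startswith("lag ") for l in lines):
            continue                          # LAG member: settings live on the LAG itself
        if any(l.startswith("vlan trunk") for l in lines):
            # Uplink: without trust, no client behind this switch gets DHCP or passes ARP inspection.
            findings += [(name, f"uplink_missing:{c}") for c in TRUST_COMMANDS if c not in lines]
        else:
            # Edge port: BPDU/edge protection and 802.1X present, and never trusted,
            # otherwise a host on it could answer DHCP or poison ARP unchecked.
            findings += [(name, f"edge_missing:{c}") for c in EDGE_REQUIRED if c not in lines]
            findings += [(name, f"trusted_edge:{c}") for c in TRUST_COMMANDS if c in lines]
        # A critical-role or reject-role that names an undefined role leaves clients
        # with no fallback role when the RADIUS server is unreachable or rejects them.
        for l in lines:
            m = ROLE_REF_RE.match(l)
            if m and m.group(1) not in roles:
                findings.append((name, f"undefined_role:{m.group(1)}"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in lint(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Run it against the rendered output for each device rather than the raw template, since lines inside an %if% block are only present for matching devices. Extend EDGE_REQUIRED with the loop-protect and tcn-guard lines if the full access port standard above is to be enforced.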
Configure Collapsed Core Uplink Ports
For the collapsed core switch template, perform the following steps:
Step 1 Configure the LAGs. LAGs 1 and 2 are the uplinks to the two branch gateways; LAGs 3 and 4 are the downlinks to the access switches.
interface lag 1
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
lacp mode active
lacp fallback-static
arp inspection trust
dhcpv4-snooping trust
interface lag 2
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
lacp mode active
lacp fallback-static
arp inspection trust
dhcpv4-snooping trust
interface lag 3
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
lacp mode active
lacp fallback-static
arp inspection trust
dhcpv4-snooping trust
interface lag 4
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
lacp mode active
lacp fallback-static
arp inspection trust
dhcpv4-snooping trust
Step 2 Configure the uplink interfaces to the gateways and assign them to LAGs 1 and 2. The native VLAN and allowed VLANs are set on the LAG, not on the member ports.
interface 1/1/23
description Uplink_GW
no shutdown
no routing
lag 1
interface 1/1/24
description Uplink_GW
no shutdown
no routing
lag 1
interface 2/1/23
description Uplink_GW
no shutdown
no routing
lag 2
interface 2/1/24
description Uplink_GW
no shutdown
no routing
lag 2
Step 3 Configure the downlinks to the access switches and assign them to LAGs 3 and 4.
interface 1/1/1
description Downlink_to_ACC
no shutdown
no routing
lag 3
interface 1/1/2
description Downlink_to_ACC
no shutdown
no routing
lag 4
interface 2/1/1
description Downlink_to_ACC
no shutdown
no routing
lag 3
interface 2/1/2
description Downlink_to_ACC
no shutdown
no routing
lag 4
Applying the Template Configuration
After the template configuration is created, there should be two configuration files: one for the access switch and one for the collapsed core. The only differences are the uplinks and the stacked interface numbering for the collapsed core. This procedure walks through the steps to load the configuration into Central.
Step 1 On the Groups page, in the Manage Groups section, drag the access switches from the right side to the template group on the left side.
Step 2 Go to Global > Groups. In the Groups list, select BR-ECSDB.
Step 3 On the Switches List page at the top right, click Config.
Step 4 On the Switches Template section at the top right, click the + (plus sign) symbol.
Step 5 On the Add Template window in the Basic Info section, assign the following settings, then click Next.
- Template Name: BR-ACC
- Device Type: Aruba CX
- Model: 6200
- Part Name: All
- Version: All
Step 6 In the Edit Template section, paste the access configuration in the box, then click SAVE.
Caution: All variables must be enclosed with percent “%” symbols.
Step 7 Repeat steps 4-6 for the collapsed core with the following details:
- Template Name: BR-AGG
- Device Type: Aruba CX
- Model: 6300
- Part Name: All
- Version: All
Upload the Access Switch Variables
Use this procedure to upload the variables for the access switches into Central.
Step 1 On the Devices > Switches page, select the Variables tab, then click DOWNLOAD SAMPLE VARIABLES FILES.
Step 2 Open the CSV file in an editor, enter the proper value for each variable, and enter Y in the modified column. Save the file on your computer.
Switch Serial | Switch MAC | %HOSTNAME% Variable Input | %SITE_HAS_AGG% Variable Input | Modified |
---|---|---|---|---|
SG1AKW50LJ | 44:5b:ed:37:62:c0 | HOUBR-ECB-1CR1 | n | Y |
TW14KNK051 | 38:10:f0:25:6f:c0 | MIABR-ECB1-CR1 | n | Y |
SG12KN5052 | 8c:85:c1:5d:c1:40 | SFOBR-ECB1-CR1 |  | Y |
SG12KN505R | 8c:85:c1:60:5f:00 | SFOBR-ECB1-CR1 |  | Y |
SG0BKW506D | 8c:85:c1:50:e0:00 | SFOBR-CR1-AC1 | y | Y |
SG0BKW5070 | 8c:85:c1:50:93:c0 | SFOBR-CR1-AC1 | y | Y |
Caution: Set the Modified column to Y for each device. For the collapsed core (aggregation) switches, leave variables that do not apply blank.
Step 3 On the Variables tab, click Upload Variables Files, find the updated CSV file on your computer, then click Open.
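The variable and if-statement syntax described at the top of this page, the SITE_HAS_AGG blocks in the access uplink section, and the CSV above come together at upload time, and a mismatch between them (a variable with no column, a blank value, a Modified flag left unset) only shows up when Central fails to apply the template or applies an incomplete one. The following added example (the editor's code for this page, not Central's or the guide's) re-implements the rendering rules the page shows so a template and its CSV can be checked offline before upload. The column names, serials and MAC addresses in the sample CSV are constructed, and nested if blocks and else are assumed unused, as in the guide.

```python
"""Render an Aruba Central style switch template from one row of the
variables CSV and check the CSV before upload.

Added example for this page, not Central's or the guide's code: Central
renders templates server side, and this re-implements only the syntax the
guide shows (%NAME% substitution and %if NAME=value% ... %endif% blocks;
nested blocks and %else% are assumed unused). The template excerpt and the
CSV rows below are constructed, with made-up serials and MAC addresses.
"""
import csv
import io
import re

VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
IF_RE = re.compile(r"^%if\s+([A-Za-z_][A-Za-z0-9_]*)=(\S*)%$")
ENDIF_RE = re.compile(r"^%endif%$")

# Constructed excerpt of the access template: the hostname variable plus the
# two mutually exclusive uplink blocks.
TEMPLATE = """\
hostname %HOSTNAME%
%if SITE_HAS_AGG=n%
interface 1/1/24
    description Uplink_to_BGW
    dhcpv4-snooping trust
%endif%
%if SITE_HAS_AGG=y%
interface lag 1
    lacp mode active
interface 1/1/24
    description Uplink_to_AGG
    lag 1
%endif%
"""

# Constructed variables file in the layout of the guide's table. The third
# row leaves SITE_HAS_AGG blank, as the guide does for the collapsed core.
VARIABLES_CSV = """\
Serial,MAC,HOSTNAME,SITE_HAS_AGG,modified
SG0000000A,00:11:22:33:44:50,HOUBR-ECB-1CR1,n,Y
SG0000000B,00:11:22:33:44:60,SFOBR-CR1-AC1,y,Y
SG0000000C,00:11:22:33:44:70,SFOBR-ECB1-CR1,,Y
"""


def rows(csv_text):
    """Parse the variables CSV into one dict per device."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def template_variables(template):
    """Every variable the template references, including the ones tested by %if%."""
    names = set()
    for line in template.splitlines():
        s = line.strip()
        m = IF_RE.match(s)
        if m:
            names.add(m.group(1))
        elif not ENDIF_RE.match(s):
            names.update(VAR_RE.findall(line))
    return names


def render(template, row):
    """Render one device's configuration. Raises KeyError when a referenced
    variable has no CSV column and ValueError for unbalanced %if%/%endif%."""
    out, keep, in_block = [], True, False
    for line in template.splitlines():
        s = line.strip()
        m = IF_RE.match(s)
        if m:
            if in_block:
                raise ValueError("nested %if% is not supported")
            in_block = True
            keep = row[m.group(1)] == m.group(2)   # string comparison, case-sensitive
            continue
        if ENDIF_RE.match(s):
            if not in_block:
                raise ValueError("%endif% without %if%")
            in_block, keep = False, True
            continue
        if keep:
            out.append(VAR_RE.sub(lambda v: row[v.group(1)], line))
    if in_block:
        raise ValueError("%if% without %endif%")
    return "\n".join(out) + "\n"


def check_variables(template, csv_text, key="Serial"):
    """Map each device (by the key column) to the problems that would break
    rendering or leave the rendered configuration incomplete."""
    needed = template_variables(template)
    problems = {}
    for row in rows(csv_text):
        issues = []
        missing = sorted(needed - set(row))
        if missing:
            issues.append("missing column(s): " + ", ".join(missing))
        # A blank value never matches an %if%, so neither uplink block renders.
        blank = sorted(v for v in needed if v in row and row[v] == "")
        if blank:
            issues.append("blank value(s): " + ", ".join(blank))
        if row.get("modified", "").upper() != "Y":
            issues.append("modified is not Y")
        problems[row[key]] = issues
    return problems


if __name__ == "__main__":
    report = check_variables(TEMPLATE, VARIABLES_CSV)
    for row in rows(VARIABLES_CSV):
        print(f"# {row['Serial']}: {report[row['Serial']] or 'ok'}")
        print(render(TEMPLATE, row))
```

The third row shows why blank values matter for the access template: neither %if SITE_HAS_AGG=...% block matches an empty string, so the rendered configuration has a hostname but no uplinks. That is the intended outcome for collapsed core rows that live in a separate template group, and a silent outage if it happens to a device in the access group.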
Stacking Collapsed Core Switches Offline
Before connecting the uplinks to the collapsed core, the switches should be stacked. Use the following procedure to stack switches before they connect to Central. At the Houston and Miami sites the switches do not need to be stacked and can be connected directly to the branch gateways.
Caution: Do not connect the switch to the gateway before it is stacked; otherwise it cannot be stacked offline without a factory reset.
Before starting this procedure check the following:
- Ensure switches are AOS-CX 10.7 or Above
- All switches are factory default.
- Switches in the stack are using the reserved auto-stacking ports.
- Switches are connected in a ring topology.
- Console connection to the switch.
After going through the checklist above the switches are ready to be stacked.
- Press the mode button until the LED displays STK on the switch that will be the conductor, and wait for the conductor to reboot.
- On the second switch, press the mode button until the LED displays STK. Wait for the second member to boot.
Note: During the stacking operation, the port LEDs show three different states:
Flashing green - Indicates that the member is the conductor.
Flashing orange - Indicates that the member is rebooting to join the stack or is offline due to an error condition.
Solid green - Indicates that the member joined the stack and is operational. For more information on stacking LED states, refer to the Monitoring Guide.
- Connect the uplinks to the branch gateway.
- Verify all switches are online and stacked. Go to Devices > Switches > List and verify that the switches are In sync.