Configuring CL2 Microbranch AP
This guide demonstrates the configuration of Centralized Layer 2 (CL2) mode SSID in Microbranch. EXAMPLE-CL2 is a Centralized Layer 2 SSID providing access to both corporate resources and non-corporate resources through the Internet.
VLAN ID 253 is the tunneled user VLAN extended from the data center VPNC and assigned to the SSID (through clustering functionality). VLAN ID 253 should be configured only on the VPNC and not on the Microbranch AP.
Table of contents
- Configuring CL2 Microbranch AP
- Create a Microbranch AP Group
- Configure System IP Pool
- Set AP Device Password
- Configure Country Code
- Assign the System IP Pool to AP Group
- Configure DNS and NTP
- Configure WAN Uplink
- Configure WAN Health Check
- Configure the WPA3-Enterprise Wireless LAN
- Configure Split-Tunnel in CL2
- Configure Full-Tunnel in CL2
- Assign a Microbranch AP to a Group
- Assign a Microbranch AP to a Site
- Monitor Microbranch Site Tunnels
- Monitor Microbranch Site Routes
The topology below illustrates the Microbranch.
Create a Microbranch AP Group
Step 1 Click the context filter Global.
Step 2 Hover over Groups column heading and click the settings icon.
Step 3 To create a New Group, in the upper right, click + (plus sign).
Step 4 In the Add Group window, enter a name. Click the Access Point checkbox, and click Next.
Step 5 Leave ArubaOS 10 selected under Architecture for access points and gateways in this group. Click the Microbranch radio button under Network role of the access points in this group, then click Add.
Configure System IP Pool
The System IP Pool dynamically assigns IP addresses to access points, which is required for Microbranch AP setup. APs use the assigned IP as the system IP for the inner tunnel IP address and as a management address to source traffic such as RADIUS, TACACS+, and SNMP. The System IP Pool is applied to the Microbranch group in a future step.
Step 1 Select the Global group. In the left navigation pane, click Network Services.
Step 2 Select the IP Address Manager tab.
Step 3 In the upper right, click + (plus sign).
Step 4 In the Add System IP Pools window, enter the following:
Pool Name: System IP Pool
Start address: 10.14.254.1
End address: 10.14.254.100
The system IP pool is global and applied to all APs in the group. When designing the system IP pool size, account for all APs in the Microbranch group.
Step 5 Click SAVE.
Note: A global VLAN DHCP pool is not required for a Centralized Layer 2 (CL2) mode SSID. In CL2, the external DHCP server at the data center defines the DHCP scope for the clients.
Set AP Device Password
Step 1 In the Global dropdown, search and select the Microbranch AP group previously created.
Step 2 In the left navigation pane under Manage, select Devices.
Step 3 Select the Access Points tab. In the upper right corner, click the config (gear) icon.
Step 4 Enter a device password in the Password field. Reenter the password in the Confirm password field, then click Set Password.
Configure Country Code
It is important to assign the proper country code to ensure that APs operate in compliance with local regulatory restrictions.
Step 1 On the group UI-MICRO-AP-01 > Devices page, in the System tile, select Properties.
Step 2 In the Set country code field, select the appropriate country code from the dropdown.
Step 3 Click Save.
Assign the System IP Pool to AP Group
Step 1 On the group UI-MICRO-AP-01 > Devices page, in the System tile, select IP Addressing.
Step 2 Click + (plus sign).
Step 3 In the Select IP Address Pool field, select the previously configured System IP Pool.
Step 4 Click Save.
Configure DNS and NTP
Step 1 On the group UI-MICRO-AP-01 > Devices page, in the System tile, select DNS & NTP.
Step 2 In the Domain Name field, enter the domain name.
Step 3 To add a DNS server, in the DNS SERVERS header, click + (plus sign).
Step 4 Select a DNS service from the dropdown.
Step 5 To expand the NTP section, click > NTP.
Step 6 To add an NTP server, in the PUBLIC NTP SERVERS header, click + (plus sign).
Step 7 In the new empty field, enter an NTP FQDN or IP address.
Step 8 In the Timezone field, select a timezone from the dropdown.
Step 9 Click Save.
Configure WAN Uplink
The WAN uplink identifies the interface assigned a WAN IP address. Tunnel Orchestrator uses the WAN IP address to create tunnels between devices. The WAN Uplink name is used in the Tunnel Matching algorithm, which first tries to match the same name on the other side of the tunnel. If the labels do not match, it attempts to match any other WAN label.
Step 1 On the group UI-MICRO-AP-01 > Devices page, in the WAN tile, select WAN Uplink.
Step 2 On the right side, click + (plus sign).
Step 3 In the Uplink Name field, enter the uplink interface name.
Step 4 Click Save.
Configure WAN Health Check
A WAN Health Check measures the quality of the WAN uplink. Latency and packet loss on WAN uplinks are calculated using ICMP or UDP probes. UDP-based probes additionally measure jitter and generate MOS scores.
Step 1 Go to the group UI-MICRO-AP-01 > Devices page. In the WAN tile, select WAN Health Check.
Step 2 To the right of Monitor WAN health, click the slider.
Step 3 Click the Custom radio button.
Step 4 In the Protocol field, click the dropdown and select UDP.
We recommend using pqm.arubanetworks.com as the remote FQDN (fully qualified domain name) for Health Check probes.
Configure the WPA3-Enterprise Wireless LAN
The following procedure creates a secure, CL2 mode SSID for accessing internal resources as well as non-internal resources.
Step 1 Go to the group UI-MICRO-AP-01 > Devices page. In the Wireless tile, select WLAN.
Step 2 Near the bottom left of the WLANs tab, click + Add SSID.
Step 3 On the General tab, set the SSID Name field to EXAMPLE-CL2.
Step 4 To display additional settings, click > Advanced Settings.
Step 5 To expand broadcast/multicast options, click (+) Broadcast/Multicast.
Step 6 In the Broadcast filtering dropdown, select All.
Step 7 To expand legacy transmission rate options, click (+) Transmit Rates (Legacy Only).
Step 8 In the 2.4 GHz section, assign the following values.
- Min: 5
- Max: 54
Step 9 In the 5 GHz section, assign the following values.
- Min: 18
- Max: 54
Step 10 Click Next.
Configure SSID VLAN
On the VLANs tab, enter the following values, then click Next.
- Traffic forwarding mode: L2 Forwarded
- Primary Gateway Cluster: From the dropdown, select the primary VPNC headend cluster that terminates the L2 tunnel
- Secondary Gateway Cluster: (optional) From the dropdown, select the backup VPNC headend cluster for VPNC redundancy
- Client VLAN Assignment: Static
- VLAN ID: From the dropdown, select the desired VLAN for users. Example: tunneled_users (vlan:253)
Note: The VLAN IDs in the dropdown are populated automatically from the selected VPNC gateway cluster; they are the VLANs already configured on the VPNC side.
Note: CL2 depends on having a cluster on the VPNC side. In CL2, the VLAN ID and the headend VPNC clusters are selected while configuring the SSID itself, without the need to configure them separately.
Configure SSID Security Settings
Enable 802.1X authentication and encryption on the SSID.
Step 1 To set the security level, move the Security Level slider to Enterprise.
A CL2 mode SSID uses the VPNC clusters as the RADIUS proxy when authentication is required.
Step 2 From the Key Management dropdown, select WPA3 Enterprise(CCM 128).
Use WPA3 when possible to benefit from significant security improvements over WPA2. Consult the endpoint documentation to confirm that Microbranch devices support WPA3. If the devices do not support WPA3, use WPA2-Enterprise.
Step 3 To add a primary RADIUS server, beside the Primary Server field, click + (plus sign).
Step 4 In the NEW SERVER window, enter the following values, then click OK.
- Server Type: RADIUS
- Name: cppm-01
- IP Address: 10.2.120.94
- Shared Key: Enter the RADIUS server shared key
- Retype Key: Re-enter the RADIUS server shared key
Note: It is important to record the Shared Key for use when configuring ClearPass Policy Manager.
Step 5 To add a secondary RADIUS server, beside the Secondary Server field, click + (plus sign).
Step 6 Repeat step 4 with appropriate values for the secondary RADIUS server.
Step 7 To enable Load Balancing, click the toggle.
Step 8 Click Next.
Configure Network Access Rules
Network access rules apply policy enforcement for an SSID based on the role or IP address of a device.
Step 1 Leave the default setting of Unrestricted, then click Next.
Step 2 On the Summary tab, review all settings and click Finish.
Caution: At this point, access to internal resources at the data center is restricted. By default in CL2 mode, the Microbranch AP routes all user traffic to its WAN uplink instead of sending it through the tunnel to the data center.
In CL2 mode, two options determine how the AP handles user traffic and whether all of it, or only a selected subset, is forwarded to the data center:
- Split-tunnel: The AP tunnels only the user traffic destined for resources at the data center; other traffic can be locally NATed to the AP WAN uplink (Internet or cellular).
- Full-tunnel: The AP tunnels all user traffic to the data center.
Configure Split-Tunnel in CL2
By default, all user traffic is locally NATed to the AP WAN uplink and does not have access to corporate resources. To allow access to internal resources for CL2, split-tunnel mode is activated by configuring Policy-Based Routing (PBR) policy with two or more rules and assigning the PBR policy to one or more user roles. The users or devices assigned to the user role(s) have their user traffic redirected accordingly either through the tunnel to the data center or broken out locally through the AP WAN uplink based on the individual rules configured in the PBR policy.
Create PBR Policy for Split-Tunnel
Step 1 Go to the group UI-MICRO-AP-01 > Devices page. In the Tunnels & Routing tile, select Policy-based Routing.
Step 2 Near the top right of the Policies tab, click + (plus sign).
Step 3 Enter the PBR policy name, for example EXAMPLE-PBR-SPLIT-TUNNEL.
Step 4 Click OK.
Note: When a new PBR policy is added, a default rule to forward all traffic to the internet is created automatically.
Step 5 Mouse-over EXAMPLE-PBR-SPLIT-TUNNEL policy.
Step 6 Click the edit (pencil) icon on the right.
Step 7 Near the top right of the Rules tab, click + (plus sign).
Step 8 In the ADD RULE table, enter the following values, then click OK.
- Source: Any
- Other dropdown options can be selected, such as host, network, alias, etc.
- Destination: Network
- Other dropdown options can be selected, such as host, alias, any, etc.
- Network address: 10.20.253.0 (example value; the internal resource network at the data center that users need to access)
- Netmask: 255.255.255.0 (example value)
- Service/App: Any
- Other dropdown options can be selected, such as app category, application, protocol, service, TCP, UDP, Web Category, Web Reputation etc.
- Action: Forward to Cluster
Step 9 The newly created rule is added to the EXAMPLE-PBR-SPLIT-TUNNEL policy.
Step 10 Drag the newly created rule to the top and click Save.

Note: The order of rules in a PBR policy is important. The first rule to match the user traffic takes precedence.
Apply PBR Policy for Split-Tunnel to User Role
Step 1 Go to the group UI-MICRO-AP-01 > Devices page. In the Security tile, select Policies & Access Control.
Step 2 Expand the Roles section.
Step 3 Select the user role to which to apply the PBR policy.
Step 4 In the Rules window, click + (plus sign).
Step 5 In the ADD RULE window, enter the following values, then click OK.
Rule Type: Policy-Based Routing
Add Existing Policy:
Policy Name: EXAMPLE-PBR-SPLIT-TUNNEL
Step 6 The PBR policy is assigned to the user role.
Step 7 Click Save.
Note: When a user is assigned a user role and the user traffic flows, all the access rules for the user role are applied first and if there is a PERMIT, the PBR policy is then applied to that specific user traffic.
Configure Full-Tunnel in CL2
To configure full-tunnel in CL2 Microbranch deployments, a Policy-Based Routing (PBR) policy should be created first with a rule stating that all user traffic to any destination should be forwarded to the cluster through the secure IPsec tunnel. The PBR policy is then assigned to the user role(s). The users or devices who are assigned to the user role have all their user traffic forwarded to the data center via the secure tunnel.
Create PBR policy for full-tunnel
Step 1 Go to the group UI-MICRO-AP-01 > Devices page. In the Tunnels & Routing tile, select Policy-based Routing.
Step 2 Near the top right of the Policies tab, click + (plus sign).
Step 3 Enter a PBR policy name (eg: EXAMPLE-PBR-FULL-TUNNEL).
Step 4 Click OK.
Note: When a new PBR policy is added, a default rule to forward any traffic to internet is created automatically.
Step 5 Mouse-over EXAMPLE-PBR-FULL-TUNNEL policy and click the edit (pencil) icon on the right.
Step 6 Mouse-over the default rule that was created automatically.
Step 7 Click the edit (pencil) icon on the right.
Step 8 In the EDIT RULE table, enter the following values, then click OK.
Source: Any
Destination: Any
Service/App: Any
Action: Forward to Cluster
Step 9 The edited rule with action ‘forward_to_cluster’ displays in the EXAMPLE-PBR-FULL-TUNNEL policy.
Step 10 Click Save.
Apply PBR Policy for Full-Tunnel to User Role
Step 1 Go to the group UI-MICRO-AP-01 > Devices page. In the Security tile, select Policies & Access Control.
Step 2 Expand the Roles section.
Step 3 Select the user role to which to apply the PBR policy.
Step 4 In the Rules window, click + (plus sign).
Step 5 In the ADD RULE window, enter the following values, then click OK.
Rule Type: Policy-Based Routing
Add Existing Policy:
Policy Name: EXAMPLE-PBR-FULL-TUNNEL
Step 6 The PBR policy configured for full-tunnel is assigned to the user role.
Step 7 Click Save.
Note: When a user is assigned a user role and the user traffic flows, all the access rules for the user role are applied first and if there is a PERMIT, the PBR policy is then applied to that specific user traffic.
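The split-tunnel and full-tunnel procedures above both rely on two behaviours stated in this guide: the role's access rules are evaluated before the PBR policy, and within a PBR policy the first matching rule wins. The following is an added, constructed model of that evaluation (it is not Aruba Central code), using the guide's EXAMPLE-PBR-SPLIT-TUNNEL rule for 10.20.253.0/255.255.255.0 and the full-tunnel any-to-cluster rule; the public address 198.51.100.7 and the "blocked" role are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

def _in(dst_ip, dest):
    """True when dest is 'any' or dst_ip falls inside dest ('network/netmask')."""
    return dest == "any" or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(dest, strict=False)

@dataclass
class PbrRule:
    destination: str   # "any" or "network/netmask", as entered in the ADD RULE table
    action: str        # "forward_to_cluster" (VPNC cluster) or "internet" (local breakout)

@dataclass
class UserRole:
    name: str
    access_rules: list                              # ordered (verdict, destination) tuples
    pbr_rules: list = field(default_factory=list)   # ordered PbrRule list, top rule first

def decide(role, dst_ip):
    """Return 'deny', 'forward_to_cluster' or 'internet' for one client flow."""
    # Stage 1: the role's access rules are applied first; first match wins.
    # Assumption for this model: a flow that matches no access rule is denied.
    for verdict, dest in role.access_rules:
        if _in(dst_ip, dest):
            if verdict == "deny":
                return "deny"
            break
    else:
        return "deny"
    # Stage 2: only PERMITted traffic reaches the PBR policy; the first matching
    # rule takes precedence, which is why rule order matters.
    for rule in role.pbr_rules:
        if _in(dst_ip, rule.destination):
            return rule.action
    return "internet"   # CL2 default with no PBR policy: local NAT to the AP WAN uplink

# Rule created automatically with every new PBR policy: any -> internet.
DEFAULT_RULE = PbrRule("any", "internet")
# Split-tunnel rule from the guide: the data-center network is forwarded to the cluster.
DC_RULE = PbrRule("10.20.253.0/255.255.255.0", "forward_to_cluster")
# Full-tunnel policy: the default rule edited to forward any destination to the cluster.
FULL_TUNNEL = [PbrRule("any", "forward_to_cluster")]

def demo():
    unrestricted = [("permit", "any")]          # the default "Unrestricted" access setting
    split_ok = UserRole("split", unrestricted, [DC_RULE, DEFAULT_RULE])   # DC rule dragged to top
    split_bad = UserRole("split-unordered", unrestricted, [DEFAULT_RULE, DC_RULE])
    full = UserRole("full", unrestricted, FULL_TUNNEL)
    blocked = UserRole("blocked", [("deny", "10.20.253.0/255.255.255.0"), ("permit", "any")],
                       [DC_RULE, DEFAULT_RULE])
    return {
        "split_ok_dc": decide(split_ok, "10.20.253.10"),
        "split_ok_internet": decide(split_ok, "198.51.100.7"),
        "split_bad_dc": decide(split_bad, "10.20.253.10"),   # swallowed by the default rule
        "full_internet": decide(full, "198.51.100.7"),
        "blocked_dc": decide(blocked, "10.20.253.10"),       # access rule denies before PBR runs
    }
```

The `split_bad` case shows why Step 10 of the split-tunnel procedure drags the new rule above the default rule: left below it, data-center traffic is broken out locally.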
Assign a Microbranch AP to a Group
Step 1 In the left navigation pane, click Global, then select the Groups column heading.
Step 2 Expand the Unprovisioned devices group by clicking the expansion icon (>) next to its name.
Step 3 Select the Microbranch AP.
Step 4 Click the Move Devices icon.
Step 5 In the Destination Group dropdown, select UI-MICRO-AP-01.
Step 6 Click Move.
Assign a Microbranch AP to a Site
The following procedure assigns the APs to a site.
Step 1 Go to Organization and select Site.
Step 2 Select Unassigned devices.
Step 3 Select the Microbranch AP on the right side, then drag the AP to the ESP-MB01 site.
Step 4 Click Yes.
Monitor Microbranch Site Tunnels
The tunnels for the Microbranch sites can be monitored under SD-WAN overlay tab in a map view along with the tunnel details.
Step 1 Go to Global > Network Services > SD-WAN Overlay.
Step 2 Select Tunnel.
Step 3 Under Overlay Tunnel Orchestrator Topology, click the Spokes tab.
Step 4 Under the Spokes Groups, select the Microbranch group where the Microbranch AP resides.
Step 5 In the search field, select the Microbranch site for which the tunnel details need to be viewed.
- Hover over the Microbranch site pin location and view the name, total number of tunnels and their status.
- Hover over the DC pin location(s) to view the headend VPNC(s) and their status.
- Hover over the tunnel links between the AP and DC, and view their tunnel status.
The number next to the DC pin represents the data center preference. For example, ‘1’ represents the primary data center cluster, ‘2’ represents the secondary data center cluster, and so on.
In CL2, the Microbranch AP establishes tunnels to all VPNCs in the primary cluster as well as to the VPNCs in the secondary cluster. In the screenshots below, a total of three IPsec tunnels are established from the Microbranch AP:
- Two tunnels established to the two VPNCs in primary DC.
- One tunnel established to the one VPNC in secondary DC.
More details about the tunnels such as tunnel endpoints, public IP, private IP, SPI, next rekey, tunnel event logs, etc. can also be viewed.
Step 1 Click the tunnel link between the Microbranch AP and the DC.
Step 2 In the pop-up window, expand each row to view individual tunnel details.
The control channel state for the Microbranch AP can also be viewed by selecting the control connection as below:
Step 1 Go to Global > Network Services > SD-WAN Overlay > Tunnel > Spokes.
Step 2 Under the Spokes Groups, select the Microbranch group where the Microbranch AP resides.
Step 3 In the search field, select the Microbranch site for which the control channel state needs to be viewed.
Step 4 Scroll to the bottom and select Control Connections.
Step 5 Expand the row to view more details.
Monitor Microbranch Site Routes
For each Microbranch site, the routes learnt from the Microbranch AP and the routes advertised to the Microbranch AP can be monitored in SD-WAN overlay tab as below.
Step 1 Go to Global > Network Services > SD-WAN Overlay.
Step 2 Select Routes.
Step 3 Under Overlay Tunnel Orchestrator Topology, click the Spokes tab.
Step 4 Under the Spokes Groups, select the Microbranch group where the Microbranch AP resides.
Step 5 In the search field, select the Microbranch site for which the route details need to be viewed.
Step 6 Scroll to the bottom to view control connections details for the Microbranch AP in the above selected site.
Step 7 Under Routes Learned column, the number denotes the number of routes learned from this Microbranch AP.
- Click on the number to view the actual routes learned from the Microbranch AP.
Step 8 Under Routes Advertised column, the number denotes the number of routes advertised to this Microbranch AP (and eventually stored in the route table).
- Click on the number to view the actual routes advertised to the Microbranch AP.
Microbranch uplink statistics such as WAN status, type, availability, usage, throughput, and utilization can be viewed under Global > Overview > WAN Health > List > Transport.