07-Mar-24

Verifying Aruba SD-Branch Hub Spoke Topology

This section explains how to verify the SD-Branch topology.


Verify SD-WAN Tunnels

Check the VPNCs first because they manage the aggregation of all branch gateway tunnels.

To verify that the tunnels are up, navigate to the UI-VPNC-SD-WAN group and select one of the VPNCs. Select WAN from the left navigation pane and verify that all tunnels are up.

Repeat this step for the second VPNC.

Verify that the following is displayed:

  • Status is Up.
  • Availability is trending upward or 100%.

VPNC Tunnels

Click Tools on the left menu. Select the Console tab, log into the console, and run the show crypto ipsec sa command to see the tunnel type.

Verify that the following is displayed:

  • Tunnel Type is Hubandspoke.
  • Flags display UTlt.

Tunnel Security association

Go to UI-BGW-01 and select one of the Branch Gateways. Select WAN, then select the Tunnels tab.

Verify that the following is displayed:

  • Status is Up.
  • Availability is trending upward or 100%.

Branch Tunnels

Verify Routes

Select the UI-VPNC-SD-WAN group. Select one of the Branch gateways. On the Overview page, select the Routing tab.

Select Overlay, then change the overlay details to Routes learned.

Verify that summarized routes are learned using the overlay.

Ensure the following is displayed:

  • Summary routes from each branch
  • Availability is trending upward or 100%.

Verify VPNC Route table

Select the UI-BGW-01 group. Select one of the Branch Gateways. On the Overview page, select the Routing tab.

Select Overlay and change the overlay details to Routes learned. Verify that routes are learned using the overlay.

Ensure the following is displayed:

  • A summary route for the campus network is learned via the Overlay.

Verify BGW Route Table

Verify NTP

Verify the NTP configuration using the show ntp status command.

Verify that the following is displayed:

  • The NTP status is enabled.
  • The NTP server connections are in the default VRF.
  • The reference time is correct for the timezone.

These values indicate the NTP service is reachable by the switch.

Verify NTP

Verify DHCP Snooping

Verify the DHCP Snooping and ARP inspection configurations using the show dhcpv4-snooping statistics, show dhcpv4-snooping binding, and show arp inspection statistics vlan commands.

Verify that the following is displayed:

  • Packet-Type: server, Action is forward.
  • Packet-Type: client, Action is forward.

The non-zero values indicate that DHCP snooping is actively forwarding traffic from servers and clients.

Verifying DHCP-Snooping
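
An added example, not part of the original guide: one way to script the DHCP snooping check above over a saved copy of the show dhcpv4-snooping statistics output. The sample text is constructed and its four-column layout (Packet-Type, Action, Reason, Count) is an assumption; non-zero drop counters are reported for review without failing the check.

```python
import re

# Constructed sample of `show dhcpv4-snooping statistics` output (not captured
# from a real switch). The four-column layout is an assumption.
SAMPLE = """\
 Packet-Type  Action   Reason                        Count
 -----------  -------  ----------------------------  ---------
 server       forward  from trusted port             5425
 client       forward  to trusted port               3895
 server       drop     received on untrusted port    12
 server       drop     unauthorized server           0
 client       drop     failed verify MAC check       3
"""

# One data row: packet type, action, free-text reason, counter.
ROW = re.compile(r"^\s*(server|client)\s+(forward|drop)\s+(.+?)\s+(\d+)\s*$")

def parse_stats(text):
    """Return a list of (packet_type, action, reason, count) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and separator lines do not match and are skipped
            rows.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return rows

def check_snooping(text):
    """Check that server and client forward counters are both non-zero.

    Returns (ok, problems, drops). drops lists non-zero drop counters, which
    do not fail the check but deserve a look (for example, DHCP server
    packets arriving on an untrusted port).
    """
    forwarded = {"server": 0, "client": 0}
    drops = []
    for ptype, action, reason, count in parse_stats(text):
        if action == "forward":
            forwarded[ptype] += count
        elif count > 0:
            drops.append((ptype, reason, count))
    problems = [f"no forwarded {p} packets" for p, n in forwarded.items() if n == 0]
    return (not problems, problems, drops)

if __name__ == "__main__":
    ok, problems, drops = check_snooping(SAMPLE)
    print("PASS" if ok else "FAIL", problems)
    for ptype, reason, count in drops:
        print(f"review: {count} {ptype} packets dropped ({reason})")
```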

Verify Radius

Verify the RADIUS configuration using the show radius-server command.

Ensure the following is displayed:

  • Both servers are reachable, without a “*” before their name.
  • The VRF is set to default.

These values indicate that the RADIUS servers are reachable in the correct VRF.

Verify Radius Connectivity

Verify Device Profile and Radius Authentication

Verify the device profile configuration using the show port-access clients and show port-access device-profile all commands.

Verify that the following is displayed:

  • Radius Onboarding displays Success.
  • The Authorization Details are applied.
  • The VLAN is displayed.
  • The device-profile onboarding method is a Success.
  • The profile name and LLDP group state are applied.

These values indicate the device profiles are applied and devices are onboarded.

Verifying Device Profiles and Radius Authentication

Verify Radius profile is applied