Understanding Tunneled Node Configuration

The tunneled node connects to one or more client devices at the edge of the network and then establishes a secure GRE (Generic Routing Encapsulation) tunnel to the controlling concentrator server. This approach allows the managed device to support all the centralized security features, such as 802.1X authentication, captive-portal authentication, and the stateful firewall. A tunneled node is required to handle only the physical connection to clients.

To support the wired concentrator, the managed device must have a license to terminate APs; no other configuration is required. To configure the tunneled node, specify the IP address of the managed device and identify the ports that should be used as active tunneled node ports. Tunnels are established between the managed device and each active tunneled node port on the tunneled node. All tunneled node units must run the same version of ArubaOS. The tunneled node port can also be configured as a trunk port. This allows customers to have multiple clients on different VLANs that come through the trunk port, instead of having all clients on a single VLAN.

Figure 1 shows how the tunneled node fits into network operations. Traffic moves through GRE tunnels between the active tunneled node ports and the managed device. Policies are configured on the managed device and can be enforced on the same managed device or on different systems.

On the managed device, you can assign the same policy to tunneled node user traffic as you would to any untrusted wired traffic. The profile specified by the aaa authentication wired command determines the initial role, which contains the policy. The VLAN setting on the concentrator port must match the VLAN that will be used for users at the managed device.
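The constraints stated above (one tunnel per active port toward the managed device, the same ArubaOS version on every tunneled node, and every VLAN arriving on a tunneled node port, trunk or access, also present on the concentrator port) can be checked before a deployment is turned up. The following audit script is an added illustration, not ArubaOS code; the data model, port names and version strings are constructed for the example.

```python
"""Consistency audit for a tunneled-node deployment.

Encodes the rules this page states: all tunneled nodes run the same ArubaOS
version, each active port tunnels to the managed device, and the VLAN(s) on
each active port (a trunk may carry several) must exist on the concentrator
port.  All sample data below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class TunneledNode:
    name: str
    aruba_os: str                 # constructed version label, not a real release
    controller_ip: str            # managed device the GRE tunnel is built to
    active_ports: dict = field(default_factory=dict)  # port -> set of VLAN ids


@dataclass
class ManagedDevice:
    ip: str
    concentrator_vlans: set       # VLANs configured on the concentrator port


def audit(managed: ManagedDevice, nodes: list) -> list:
    """Return human-readable findings; an empty list means the set is consistent."""
    findings = []
    versions = {n.aruba_os for n in nodes}
    if len(versions) > 1:
        findings.append(f"mixed ArubaOS versions across tunneled nodes: {sorted(versions)}")
    for n in nodes:
        if n.controller_ip != managed.ip:
            findings.append(f"{n.name}: tunnel target {n.controller_ip} is not managed device {managed.ip}")
        for port, vlans in n.active_ports.items():
            missing = vlans - managed.concentrator_vlans   # user VLANs the concentrator lacks
            if missing:
                findings.append(f"{n.name} port {port}: VLAN(s) {sorted(missing)} not on concentrator port")
    return findings


# Constructed sample: tn-2 runs a different version and its trunk port carries
# VLAN 30, which the concentrator port does not have.
MANAGED = ManagedDevice(ip="10.0.0.1", concentrator_vlans={10, 20})
NODES = [
    TunneledNode("tn-1", "version-A", "10.0.0.1", {"port1": {10}, "port2": {10, 20}}),
    TunneledNode("tn-2", "version-B", "10.0.0.1", {"port1": {10, 30}}),
]

if __name__ == "__main__":
    for finding in audit(MANAGED, NODES):
        print(finding)
```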

Figure 1  Tunneled Node Configuration Operation
