Deploying the Campus Network
The design referenced in this deployment guide is a large campus topology, described in the Aruba ESP Campus design guide. The topology implements a traditional 3-tier network using a routed core connected to an aggregation layer, which is then connected to the access layer. The access layer is deployed as Layer 2 only and default gateways are implemented at the aggregation layer. The design requires a services aggregation block connected to the core to ensure efficient delivery of services to endpoints across the campus. All switches and gateways are configured with an IP address in the management VLAN.
The connections between the core and aggregation layers are Layer 3 and consist of point-to-point interfaces using the IP address range of 172.18.X.X. Shared services such as Active Directory, DHCP, DNS, and ClearPass are connected to the services aggregation layer, which has address spaces in the 10.X.X.X range. The wireless network operates on top of the wired network using APs connected to the access switches and AOS 10 gateways dual-connected to the services aggregation switches. The physical layout of the network with switches, APs, and gateways, as well as the Layer 2 and Layer 3 domains, is shown in the following diagram.
Campus Topology
Aruba ESP offers a breadth of services, including onboarding, provisioning, orchestration, analytics, location tracking, and management. AI Insights reveal issues before they impact users, enabling an organization to accomplish remediation tasks quickly and easily with intuitive workflow-centric navigation and views that present multiple dimensions of correlated data. Campus policies are created centrally and features such as Dynamic Segmentation enable the network administrator to implement them over an existing infrastructure.
Planning for Deployment
Before deploying the network, it is important to identify values that can ensure consistent numbering and addressing schemes to accommodate the size of your current network, while leaving room for growth. Using a consistent approach to the physical and logical configurations streamlines network management and troubleshooting. This section provides sample values and context for choosing them. The values may require adjustment to accommodate the size of the network to be deployed.
Central Organization
Aruba Central requires that devices are added to a group for configuration. Group configuration is managed using UI workflows and an interactive CLI editor called MultiEdit. Optionally, group configuration using a static CLI template and variable files can be enabled at the time of group creation. Enable templates only when a specific deployment use case requires them.
Group Name | Description |
---|---|
SW-CORE | Core Switching - Routing services and connectivity to/from Aggregation Switching |
SW-AGG | Aggregation Switching - Devices that connect Access Switching, handle L3 services |
SW-ACCESS | Access Switching - Wired clients and Devices (APs, Printers, IOT) |
WL-CAMPUS | Wireless Campus Devices - AP, Gateways |
SW-SVCS | Services Aggregation Switching - DHCP, DNS, MRT |
BR-SDB | Branch Sites using a Gateway (SD-Branch) - Gateway maintains VPN connections to VPN-C |
BR-SDW | Branch Sites using a Gateway (SD-WAN) - Gateway maintains VPN connections to VPN-C |
BR-MICRO | Branch Sites using APs only - AP maintains VPN connections to VPN-C |
VPNC-BR | VPN Concentrators used for Branch sites - Micro and SD-Branch |
Use sites to organize devices according to the geographic location of installation.
Site Name | Description |
---|---|
RSV-BLD01 | Campus Building 01 located in Roseville |
RSV-BLD02 | Campus Building 02 located in Roseville |
RSV-BLD03 | Campus Building 03 located in Roseville |
RSV-DMZ | Demilitarized Zone located in Roseville |
RSV-DC01 | Datacenter 01 located in Roseville |
DEN-BR01 | Branch 01 located in Denver |
SJC-BR01 | Branch 01 located in San Jose |
WDSM-BR01 | Branch 01 located in West Des Moines |
Device Names
Device tables within Aruba Central can be filtered and sorted by name. Establish a device naming convention that indicates the device type, role, and location to simplify the steps when a subset of devices must be analyzed within a large campus network. The examples below illustrate a naming scheme made up of device type, location, role with its serial number, and unit serial number, separated by hyphens.
Device Name | Network Role | Description |
---|---|---|
SW-RSVDC01-CORE01-01 | Core Switch | Roseville Datacenter 1, core switch 1 |
SW-RSVDC01-CORE01-02 | Core Switch | Roseville Datacenter 1, core switch 2 |
SW-RSVBLD01-AG01-01 | Aggregation Switch | Roseville Building 1, aggregation switch 1, member 1 |
SW-RSVBLD01-AG01-02 | Aggregation Switch | Roseville Building 1, aggregation switch 1, member 2 |
SW-RSVBLD03-AG03-01 | Aggregation Switch | Roseville Building 3, aggregation switch 3, member 1 |
SW-RSVBLD01-AC01 | Access Switch | Roseville Building 1, access switch 1 |
SW-RSVBLD02-AC03 | Access Switch | Roseville Building 2, access switch 3 |
GW-RSVSVC01-VPNC01 | VPNC Gateway | Roseville Services aggregation 01, VPN Concentrator 01 |
GW-RSVSVC01-CAMPUS01 | Campus Gateway | Roseville Services aggregation 01, Campus Gateway 01 |
AP-RSVBLD01-AG01AC01-01 | Access Point | Roseville Building 1, aggregation switch 1, access switch 1, access point 1 |
AP-RSVBLD03-AG03AC01-01 | Access Point | Roseville Building 3, aggregation switch 3, access switch 1, access point 1 |
IP Addressing
When a new network is deployed, it is important to take the time to design an IP addressing scheme that can adapt to the changing needs of the organization and the business it serves. Loopback interfaces on switches, DHCP pools, OSPF point-to-point links, and the routing tables that enable access across the network should be planned in a way that minimizes load on operators and devices.
IP Address Type | Description | Example |
---|---|---|
DHCP Pool | Devices connected to access switches. Subnets are defined by Building/Site/Agg. Subnet is injected into routing table. | 10.x.x.x/24 |
Management Interfaces | Dedicated management network for Out-of-Band Management (OOBM) | 172.16.10.x/24 |
VSX ISL | Only two IP addresses are needed. IPs are not injected into routing table | 10.99.99.x/30 |
OSPF Interfaces | Each subnet needs only two IP addresses. | 172.18.10X.X/30 |
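The table above can be turned into a plan that is checked before any switch is configured. The following is an added example, not part of the original guide: it carves one /30 per core-to-aggregation link and flags DHCP pools that collide with infrastructure ranges. The parent block 172.18.100.0/24, the link list, and the function names are assumptions chosen to match the example column.

```python
import ipaddress

# Assumed parent blocks, chosen to match the "Example" column of the table.
P2P_BLOCK = ipaddress.ip_network("172.18.100.0/24")    # OSPF point-to-point /30s
RESERVED = {
    "MGMT": ipaddress.ip_network("172.16.10.0/24"),    # OOBM management
    "VSX-ISL": ipaddress.ip_network("10.99.99.0/30"),  # not injected into routing
}

# Constructed sample links, using device names from the naming table.
SAMPLE_LINKS = [
    ("SW-RSVDC01-CORE01-01", "SW-RSVBLD01-AG01-01"),
    ("SW-RSVDC01-CORE01-02", "SW-RSVBLD01-AG01-01"),
]

def allocate_p2p(links, block=P2P_BLOCK):
    """Assign one /30 per link; return {link: (subnet, a_end_ip, b_end_ip)}."""
    subnets = block.subnets(new_prefix=30)
    plan = {}
    for link in links:
        try:
            net = next(subnets)
        except StopIteration:
            raise ValueError(f"{block} exhausted after {len(plan)} links") from None
        a_ip, b_ip = net.hosts()  # a /30 has exactly two usable addresses
        plan[link] = (net, a_ip, b_ip)
    return plan

def find_conflicts(dhcp_pools, reserved=RESERVED, p2p_block=P2P_BLOCK):
    """Return (pool, range name) pairs where a DHCP pool overlaps infrastructure.

    The VSX ISL example (10.99.99.x) sits inside the 10.x.x.x space used for
    DHCP pools, so a pool such as 10.99.99.0/24 must be caught here.
    """
    infra = {**reserved, "OSPF-P2P": p2p_block}
    conflicts = []
    for pool in map(ipaddress.ip_network, dhcp_pools):
        for name, net in infra.items():
            if pool.overlaps(net):
                conflicts.append((str(pool), name))
    return conflicts
```
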
VLAN Names and Numbers
Aruba ESP best practice is to use named VLANs. This allows the grouping of multiple VLAN numbers within a name for policy creation purposes. Choose VLAN names that describe their purpose. Establish a VLAN numbering scheme that can remain consistent through periods of growth and that can align to functional ID numbers used elsewhere in the network.
VLAN Name | VLAN ID | Description |
---|---|---|
EMPLOYEE | 3 | Authenticated employee access |
PRINTER | 6 | LAN connected printers |
REJECT_AUTH | 13 | Fail-through VLAN for authentication policy failures |
MGMT_VLAN | 15 | Infrastructure device management interface VLAN |
MAC Address Best Practices
A Locally Administered Address (LAA) should be used any time a MAC address must be configured. An LAA is a MAC that looks like one of the four examples below:
x2-xx-xx-xx-xx-xx
x6-xx-xx-xx-xx-xx
xA-xx-xx-xx-xx-xx
xE-xx-xx-xx-xx-xx
The x positions can be any valid hex value. It is helpful to create a binary representation of the associated VLAN ID using the hex positions. For more details on the LAA format, see the IEEE Tutorial Guide.
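The four patterns above share one property that can be checked in code: in the first octet, the locally administered bit (0x02) is set and the group bit (0x01) is clear. The following is an added example, not part of the original guide: it audits configured MACs for that property and builds an LAA that carries a VLAN ID. The octet layout used by `laa_for_vlan` and all function names are assumptions.

```python
import re

def parse_mac(mac: str) -> bytes:
    """Parse xx-xx-xx-xx-xx-xx or xx:xx:xx:xx:xx:xx into six raw bytes."""
    if not re.fullmatch(r"[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[-:]", "", mac))

def is_laa_unicast(mac: str) -> bool:
    """True when the U/L bit (0x02) is set and the I/G bit (0x01) is clear.

    Those two bits of the first octet make its second hex digit 2, 6, A or E,
    the four patterns listed above.
    """
    first = parse_mac(mac)[0]
    return (first & 0x03) == 0x02

def laa_for_vlan(vlan_id: int, unit: int = 1) -> str:
    """Build an LAA carrying the VLAN ID (assumed layout, not from the guide).

    Layout: 02-00-00-<unit>-<VLAN ID as a 16-bit big-endian value>.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    if not 0 <= unit <= 0xFF:
        raise ValueError("unit must fit in one octet")
    octets = bytes([0x02, 0x00, 0x00, unit]) + vlan_id.to_bytes(2, "big")
    return "-".join(f"{b:02X}" for b in octets)

def vlan_from_laa(mac: str) -> int:
    """Recover the VLAN ID from an address built by laa_for_vlan()."""
    return int.from_bytes(parse_mac(mac)[4:], "big")

def non_laa(macs):
    """Return the configured MACs that are not locally administered unicast."""
    return [m for m in macs if not is_laa_unicast(m)]

# Constructed sample of manually configured MACs (not from the guide).
SAMPLE_CONFIGURED = [
    laa_for_vlan(3),       # EMPLOYEE VLAN
    laa_for_vlan(15, 2),   # MGMT_VLAN, second unit
    "00-1A-2B-00-00-0F",   # universally administered: U/L bit clear
    "03-00-00-01-00-06",   # group (multicast) bit set
]
```
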
HPE GreenLake
HPE GreenLake is a cloud-based platform that brings a unified experience to apps and data everywhere while providing one IT operating model to orchestrate across edges, colocations, data centers, and multi-cloud. Using Aruba Central with HPE GreenLake provides a single, versatile platform to view and orchestrate critical network services along with data and compute services. Devices must be added to GreenLake with an active linked subscription to use Aruba Central. For more information on onboarding devices and subscriptions, refer to GreenLake Platform.
Aruba Central
Aruba Central, originally a standalone cloud application, has been integrated seamlessly into HPE GreenLake. This integration yields a significant enhancement in operational efficiency and resource management. Central’s intuitive health dashboards and user-friendly management interface can be accessed quickly by clicking the Aruba Central icon on the HPE GreenLake dashboard.
This section provides details for configuring Aruba Central to prepare for a Campus deployment. A group must be created to configure devices with the same role, and a site must be established to monitor devices belonging to the same location, ensuring that a device is provisioned with both a group and site.
Go to Aruba Central from GreenLake
The following procedure guides the user to open an Aruba Central instance from the GreenLake home page.
Note: A Central instance must be added to the company workspace before launching it.
Step 1 Log in to GreenLake and select the workspace.
Step 2 Click the Services tab on the top.
Step 3 Click Launch on Aruba Central.
Create New Groups
Aruba Central uses group and device levels for configuration tasks. A device’s final configuration comprises configurations applied at both the group level and the device level. Parameters changed at the device level override the configuration inherited from the group level. Recommended best practice is to enter changes at the device level only when required, such as when configuring an IP address or name of the device. Most changes should be made at the group level to reduce configuration time and to ensure configuration consistency across the network.
Note: A device must be provisioned to a group and assigned a license in order to receive configuration from Central.
The following procedure creates a group. This group can then be used to configure devices that have the same role.
Step 1 Go to the Aruba Central home page, and set the filter to Global.
Step 2 On the left navigation pane in the Maintain section, select Organization.
Step 3 Select the Groups tile.
Step 4 Click the + (plus sign) to create a new group.
Step 5 Enter a Name for the group. Enable the toggle for Make this group compatible with New Central, select the appropriate checkbox in the Group will contain list, then click Next. Sample group details are:
Name: BDG9-AGG01
Make this group compatible with New Central: toggle button
Group will contain: check-mark
Note: For detailed instructions on how to create a template and custom variables, consult the Creating a Configuration Template section in Central online help.
Step 6 Click Add.
Note: When Access points and Gateways are selected in the previous step, select the Architecture and Network role for the device types.
Step 7 Repeat this procedure to create all required groups.
Set the Group Password
Step 1 Go to Aruba Central and set the filter to Global.
Step 2 On the left navigation pane, select Organization in the Maintain section.
Step 3 Select the Group tile and click Go to config.
Step 4 Provide the password. Click Save.
Note: A device-specific Administrator password can be set at the device level of Central. To set up passwords for Access Points and Gateways, select the device tab and click the config (gear) button at the top right.
Create New Sites
Central Groups define a set of devices with shared configuration, while sites define a set of devices with a shared location. Use sites to monitor and analyze the network, and use groups to configure similar devices. Like groups, sites are created in the Organization navigation pane. At least one site should be defined to allow Central to generate accurate topology and reporting data.
Step 1 Go to Aruba Central Account Home page, and set the filter to Global.
Step 2 On the left navigation pane, select Organization in the Maintain section.
Step 3 Click the Sites tab.
Step 4 At the bottom, click New Site.
Step 5 In the Create New Site window, provide the site details and click Add. Sample site details are shown below.
- Site Name: EXAMPLE SITE
- Street Address: 123 Any Street
- City: Santa Clara
- Country: United States
- State or Province: California
- Zip/Postal Code: 95054
Step 6 Repeat this procedure to create each required site.
Manage Firmware Compliance
Enable firmware compliance to ensure that devices in a group are maintained at the same firmware level, starting when the device is first added to the group. Aruba recommends running the latest updated firmware for the initial deployment.
Step 1 Go to the Aruba Central home page, and set the filter to the appropriate group.
Step 2 On the left navigation pane, select Firmware in the Maintain section.
Step 3 On the Access Points page at the top right, click SET COMPLIANCE.
Step 4 On the initial window, click the Set firmware compliance slider.
Step 5 Provide the firmware details, then click Save. Sample firmware details are shown below.
- Groups: EXAMPLE-GROUP
- Firmware Version: Latest Recommended
- Upgrade Type: Live
- When: Now
Step 6 Repeat this procedure for all groups.
Provision a Device in a Group
This procedure outlines the steps to add a device to a Central group for configuration deployment.
Step 1 Go to the Aruba Central home page, and set the filter to Global.
Step 2 On the left navigation pane, click Organization in the Maintain section.
Step 3 Click the Groups tile.
Step 4 Select Unprovisioned Devices, then select the device(s) to be pre-provisioned.
Step 5 Click the provision button.
Step 6 Select the Destination group, then click Move.
Provision a Device in a Site
This procedure outlines the steps to add a device to a site for monitoring.
Step 1 Go to the Aruba Central homepage, and set the filter to Global.
Step 2 In the Maintain section, select Organization.
Step 3 Click the Sites tile.
Step 4 Select the device(s) to move and drag the device to the corresponding site.
Step 5 Click Yes to confirm the move.