Link Search Menu Expand Document
calendar_month 28-Mar-24

Deploying the Campus Network

The design referenced in this deployment guide is a large campus topology, described in the Aruba ESP Campus design guide. The topology implements a traditional 3-tier network using a routed core connected to an aggregation layer, which is then connected to the access layer. The access layer is deployed as Layer 2 only and default gateways are implemented at the aggregation layer. The design requires a services aggregation block connected to the core to ensure efficient delivery of services to endpoints across the campus. All switches and gateways are configured with an IP address in the management VLAN.

The connections between the core and aggregation layers are Layer 3 and consist of point-to-point interfaces using the IP address range of 172.18.X.X. Shared services such as Active Directory, DHCP, DNS, and ClearPass are connected to the services aggregation layer, which has address spaces in the 10.X.X.X range. The wireless network operates on top of the wired network using APs connected in the access switches and AOS 10 gateways dual-connected in the services aggregation switches. The physical layout of the network with switches, APs and gateways, as well as the Layer 2 and Layer 3 domains, are shown in the following diagram.

Campus Topology

Aruba ESP offers a breadth of services, including onboarding, provisioning, orchestration, analytics, location tracking, and management. AI Insights reveal issues before they impact users, enabling an organization to accomplish remediation tasks quickly and easily with intuitive workflow-centric navigation and views that present multiple dimensions of correlated data. Campus policies are created centrally and features such as Dynamic Segmentation enable the network administrator to implement them over an existing infrastructure.

Table of contents

Planning for Deployment

Before deploying the network, it is important to identify values that can ensure consistent numbering and addressing schemes to accommodate the size of your current network, while leaving room for growth. Using a consistent approach to the physical and logical configurations streamlines network management and troubleshooting. This section provides sample values and context for choosing them. The values may require adjustment to accommodate the size of the network to be deployed.

Central Organization

Aruba Central requires that devices are added to a group for configuration. Group configuration is managed using UI workflows and an interactive CLI editor called MultiEdit. Optionally, group configuration using a static CLI template and variable files can be enabled at the time of group creation. Enable templates only when a specific deployment use case requires them.

Group NameDescription
SW-CORECore Switching - Routing services and connectivity to/from Aggregation Switching
SW-AGGAggregation Switching - Devices that connect Access Switching, handle L3 services
SW-ACCESSAccess Switching - Wired clients and Devices (APs, Printers, IOT)
WL-CAMPUSWireless Campus Devices - AP, Gateways
SW-SVCSServices Aggregation Switching - DHCP, DNS, MRT
BR-SDBBranch Sites using a Gateway (SD-Branch) - Gateway maintains VPN connections to VPN-C
BR-SDWBranch Sites using a Gateway (SD-WAN) - Gateway maintains VPN connections to VPN-C
BR-MICROBranch Sites using APs only - AP maintains VPN connections to VPN-C
VPNC-BRVPN Concentrators used for Branch sites - Micro and SD-Branch

Use sites to organize devices according to the geographic location of installation.

Site NameDescription
RSV-BLD01Campus Building 01 located in Roseville
RSV-BLD02Campus Building 02 located in Roseville
RSV-BLD03Campus Building 03 located in Roseville
RSV-DMZDemilitarized Zone located in Roseville
RSV-DC01Datacenter 01 located in Roseville
DEN-BR01Branch 01 located in Denver
SJC-BR01Branch 01 located in San Jose
WDSM-BR01Branch 01 located in West Des Moines

Device Names

Device tables within Aruba Central can be filtered and sorted by name. Establish a device naming convention that indicates the device type, role, and location to simplify the steps when a subset of devices must be analyzed within a large campus network. The examples below illustrate a naming scheme of dev type-location-role serial-unit serial.

Device NameNetwork RoleDescription
SW-RSVDC01-CORE01-01Core SwitchRoseville Datacenter 1, core switch 1
SW-RSVDC01-CORE01-02Core SwitchRoseville Datacenter 1, core switch 2
SW-RSVBLD01-AG01-01Aggregation SwitchRoseville Building 1, aggregation switch 1, member 1
SW-RSVBLD01-AG01-02Aggregation SwitchRoseville Building 1, aggregation switch 1, member 2
SW-RSVBLD03-AG03-01Aggregation SwitchRoseville Building 3, aggregation switch 3, member 1
SW-RSVBLD01-AC01Access SwitchRoseville Building 1, access switch 1
SW-RSVBLD02-AC03Access SwitchRoseville Building 2, access switch 3
GW-RSVSVC01-VPNC01VPNC GatewayRoseville Services aggregation 01, VPN Concentrator 01
GW-RSVSVC01-CAMPUS01Campus GatewayRoseville Services aggregation 01, Campus Gateway 01
AP-RSVBLD01-AG01AC01-01Access PointRoseville Building 1, aggregation switch 1, access switch 1, access point 1
AP-RSVBLD03-AG03AC01-01Access PointRoseville Building 3, aggregation switch 3, access switch 1, access point 1

IP Addressing

When a new network is deployed, it is important to take the time to design an IP addressing scheme that can adapt to the changing needs of the organization and the business it serves. Loopback interfaces on switches, DHCP pools, OSPF point-to-point links, and the routing tables that enable access across the network should be planned in a way to minimize load on operators and devices.

IP Address TypeDescriptionExample
DHCP PoolDevices connected to access switches. Subnets are defined by Building/Site/Agg. Subnet is injected into routing table.10.x.x.x/24
Management InterfacesDedicated management network for Out-of-Band Management (OOBM)172.16.10.x/24
VSX ISLOnly two IP addresses are needed. IPs are not injected into routing table10.99.99.x/30
OSPF InterfacesEach subnet needs only two IP addresses.172.18.10X.X/30

VLAN Names and Numbers

Aruba ESP best practice is to use named VLANs. This allows the grouping of multiple VLAN numbers within a name for policy creation purposes. Choose VLAN names that describe their purpose. Establish a VLAN numbering scheme that can remain consistent through periods of growth and that can align to functional ID numbers used elsewhere in the network.

VLAN NameVLAN IDDescription
EMPLOYEE3Authenticated employee access
PRINTER6LAN connected printers
REJECT_AUTH13Fail-through VLAN for authentication policy failures
MGMT_VLAN15Infrastructure device management interface VLAN

MAC Address Best Practices

A Locally Administered Address (LAA) should be used any time a MAC address must be configured. An LAA is a MAC that looks like one of the four examples below:


The x positions can be any valid hex value. It is helpful to create a binary representation of the associated VLAN ID using the hex positions. For more details on the LAA format, see the IEEE Tutorial Guide.

HPE GreenLake

HPE GreenLake is a cloud based platform that brings a unified experience to apps and data everywhere while providing one IT operating model to orchestrate across edges, colocations, data centers, and multi-cloud. Using Aruba Central with HPE GreenLake provides a single, versatile platform to view and orchestrate critical network services along with data and compute services. Devices must be added to GreenLake with an active linked subscription to use Aruba Central. For more information on onboard devices and subscriptions, refer to GreenLake Platform .

Aruba Central

Aruba Central, originally a standalone cloud application, has been integrated seamleassly into HPE GreenLake. This integration yields a significant enhancement in operation efficiency and resource management. Central’s intuitive health dashboards and user-friendly management interface can be accessed quickly by clicking the Aruba Central icon on the HPE GreenLake dashboard.

This section provides details for configuring Aruba Central to prepare for a Campus deployment. A group must be created to configure devices with the same role, and a site must be established to monitor devices belonging to the same location, ensuring that a device is provisioned with both a group and site.

Aruba Central

Go to Aruba Central from GreenLake

The following procedure guides the user to open an Aruba Central Instance from GreenLake homepage.

Note: A central instance must be added to the company workspace before launching it.

Step 1 Login to GreenLake and select the workspace.

Step 2 Click the Services tab on the top.


Step 3 Click Launch on Aruba Central.


Create New Groups

Aruba Central uses group and device levels for configuration tasks. A device’s final configuration comprises configurations applied at both the group level and the device level. Parameters changed at the device level override the configuration inherited from the group level. Recommended best practice is to enter changes at the device level only when required, such as when configuring an IP address or name of the device. Most changes should be made at the group level to reduce configuration time and to ensure configuration consistency across the network.

Note: A device must be provisioned to a group and assigned a license in order to receive configuration from Central.

The following procedure creates a group. This group can then be used to configure devices that have the same role.

Step 1 Go to Aruba Central home page, and set the filter to Global.

Step 2 On the left navigation pane in the Maintain section, select Organization.

Step 3 Select the Groups tile.


Step 4 Click the + (plus sign) to create a new group.


Step 5 Enter a Name for the group. Enable the toggle for Make this group compatible with New Central, select the appropriate checkbox in the Group will contain list, then click Next. Sample group details are:

  • Name: BDG9-AGG01

  • Make this group compatible with New Central: toggle button

  • Group will contain: check-mark


Note: For detailed instructions on how to create a template and custom variables, consult the Creating a Configuration Template section in Central online help.

Step 6 Click Add.


Note: When Access points and Gateways are selected in the previous step, select the Architecture and Network role for the device types.

Step 7 Repeat this procedure to create all required groups.

Set the Group Password

Step 1 Go to Aruba Central and set the filter to Global.

Step 2 On the left navigation pane, select Organization in the Maintain section.

Step 3 Select the Group tile and click Go to config .


Step 4 Provide the password. Click Save.


Note: A device-specific Administrator password can be set at the device level of Central. To setup passwords for Access Points and Gateways, select the device tab and click to the config (gear) button at the top right.

Create New Sites

Central Groups define a set of devices with shared configuration, while sites define a set of devices with a shared location. Use sites to monitor and analyze the network, and use groups to configure similar devices. Like groups, sites are created in the Organization navigation pane. At least one site should be defined to allow Central to generate accurate topology and reporting data.

Step 1 Go to Aruba Central Account Home page, and set the filter to Global.

Step 2 On the left navigation pane, select Organization in the Maintain section.

Step 3 Click the Sites tab.


Step 4 At the bottom, click New Site.


Step 5 In the Create New Site window, provide the site details and click Add. Sample the site details are shown below.

  • Site Name: EXAMPLE SITE
  • Street Address: 123 Any Street
  • City: Santa Clara
  • County: United States
  • State or Province: California
  • Zip/Postal Code: 95054


Step 6 Repeat this procedure to create each required site.

Manage Firmware Compliance

Enable firmware compliance to ensure that devices in a group are maintained at the same firmware level, starting when the device is first added to the group. Aruba recommends running the latest updated firmware for the initial deployment.

Step 1 Go to the Aruba Central home page, and set the filter to the appropriate group.

Step 2 On the left navigation pane, select Firmware in the Maintain section.


Step 3 On the Access Points page at the top right, click SET COMPLIANCE.


Step 4 On the initial window, click the Set firmware compliance slider.

Step 5 Provide the firmware details, then click Save. Sample firmware details are shown below.

  • Firmware Version: Latest Recommended
  • Upgrade Type: Live
  • When: Now


Step 6 Repeat this procedure for all groups.

Provision a Device in a Group

This procedure outlines the steps to add a device to a central group for configuration deployment.

Step 1 Go to the Aruba Central home page, and set the filter to Global.

Step 2 On the left navigation pane, click Organization in the Maintain section.

Step 3 Click the Groups tile.


Step 4 Select Unprovisioned Devices, then select the device(s) to be pre provisioned.

Step 5 Click the provision button.


Step 6 Select the Destination group, then click Move.


Provision a Device in a Site

This procedure outlines the steps to add a device to a site for monitoring.

Step 1 Go to the Aruba Central homepage, and set the filter to Global.

Step 2 In the Maintain section, select Organization.

Step 3 Click the Sites tile.


Step 4 Select the device(s) to move and drag the device to the corresponding site.


Step 5 Click Yes to confirm the move.


Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.