Deploying the Campus Network
The design referenced in this deployment guide is a large campus topology, described in the Aruba ESP Campus design guide. This topology implements a traditional 3-tier network using a routed core connected to an aggregation layer, which is then connected to the access layer. The access layer is deployed as Layer 2 only and default gateways are implemented at the aggregation layer. This design calls for a services aggregation block connected to the core to ensure efficient delivery of services to endpoints across the campus. All switches and gateways are configured with an IP address in the management VLAN.
The connections between the core and aggregation layers are Layer 3 and consist of point-to-point interfaces using the IP address range of 172.18.X.X. Shared services such as Active Directory, DHCP, DNS, and ClearPass are connected to the services aggregation layer which has address spaces in the 10.X.X.X range. The wireless network rides on top of the wired network using APs connected in the access switches and AOS 10 gateways dual-connected in the services aggregation switches. The physical layout of the network with switches, APs and gateways, as well as the Layer 2 and Layer 3 domains, are shown in the following diagram.
Campus Topology
Aruba ESP offers a breadth of services, including onboarding, provisioning, orchestration, analytics, location tracking, and management. AI Insights reveal issues before they impact users, allowing an organization to accomplish remediation tasks quickly and easily with intuitive workflow-centric navigation using views that present multiple dimensions of correlated data. Campus policies are created centrally and features such as Dynamic Segmentation enable the network administrator to implement them over an existing infrastructure.
Table of contents
Planning for Deployment
Before deploying the network, it is important to identify values that will ensure consistent numbering and addressing schemes to accommodate the size of your network, while leaving room for growth. Using a consistent approach to the physical and logical configurations will improve the management and troubleshooting characteristics of the network. This section provides example values and context regarding why those values were chosen. The values may require adjustment to accommodate the size of the network to be deployed.
Central Organization
Aruba Central requires that devices are added to a group for configuration. Group configuration is managed using UI workflows and an interactive CLI editor called MultiEdit. Optionally, group configuration using a static CLI template and variable files can be enabled at the time of group creation. Enable templates only when a specific deployment use case requires them.
| Group Name | Description |
|---|---|
| SW-CORE | Core Switching - Routing services and connectivity to/from Aggregation Switching |
| SW-AGG | Aggregation Switching - Devices that connect Access Switching, handle L3 services |
| SW-ACCESS | Access Switching - Wired clients and Devices (APs, Printers, IOT) |
| WL-CAMPUS | Wireless Campus Devices - AP, Gateways |
| SW-SVCS | Services Aggregation Switching - DHCP, DNS, MRT |
| BR-SDB | Branch Sites using a Gateway (SD-Branch) - Gateway maintains VPN connections to VPN-C |
| BR-SDW | Branch Sites using a Gateway (SD-WAN) - Gateway maintains VPN connections to VPN-C |
| BR-MICRO | Branch Sites using APs only - AP maintains VPN connections to VPN-C |
| VPNC-BR | VPN Concentrators used for Branch sites. Micro and SD-Branch |
Sites are used to organize devices according to the geographic location of installation.
| Site Name | Description |
|---|---|
| RSV-BLD01 | Campus Building 01 located in Roseville |
| RSV-BLD02 | Campus Building 02 located in Roseville |
| RSV-BLD03 | Campus Building 03 located in Roseville |
| RSV-DMZ | Demilitarized Zone located in Roseville |
| RSV-DC01 | Datacenter 01 located in Roseville |
| DEN-BR01 | Branch 01 located in Denver |
| SJC-BR01 | Branch 01 located in San Jose |
| WDSM-BR01 | Branch 01 located in West Des Moines |
Device Names
Device tables within Aruba Central can be filtered and sorted by name. Establish a device naming convention that indicates the device type, role, and location to simplify the steps when a subset of devices must be analyzed within a large campus network. The examples below illustrate a naming scheme of dev type-location-role serial-unit serial.
| Device Name | Network Role | Description |
|---|---|---|
| SW-RSVDC01-CORE01-01 | Core Switch | Roseville Datacenter 1, core switch 1 |
| SW-RSVDC01-CORE01-02 | Core Switch | Roseville Datacenter 1, core switch 2 |
| SW-RSVBLD01-AG01-01 | Aggregation Switch | Roseville Building 1, aggregation switch 1, member 1 |
| SW-RSVBLD01-AG01-02 | Aggregation Switch | Roseville Building 1, aggregation switch 1, member 2 |
| SW-RSVBLD03-AG03-01 | Aggregation Switch | Roseville Building 3, aggregation switch 3, member 1 |
| SW-RSVBLD01-AC01 | Access Switch | Roseville Building 1, access switch 1 |
| SW-RSVBLD02-AC03 | Access Switch | Roseville Building 2, access switch 3 |
| GW-RSVSVC01-VPNC01 | VPNC Gateway | Roseville Services aggregation 01, VPN Concentrator 01 |
| GW-RSVSVC01-CAMPUS01 | Campus Gateway | Roseville Services aggregation 01, Campus Gateway 01 |
| AP-RSVBLD01-AG01AC01-01 | Access Point | Roseville Building 1, aggregation switch 1, access switch 1, access point 1 |
| AP-RSVBLD03-AG03AC01-01 | Access Point | Roseville Building 3, aggregation switch 3, access switch 1, access point 1 |
IP Addressing
When a new network is deployed, it is important to take the time to design an IP addressing scheme that can adapt to the changing needs of the organization and the business it serves. Loopback interfaces on switches, DHCP pools, OSPF point-to-point links, and the routing tables that enable access across the network should be planned in a way to minimize load on operators and devices.
| IP Address Type | Description | Example |
|---|---|---|
| DHCP Pool | Devices connected to access switches. Subnets are defined by Building/Site/Agg. Subnet is injected into routing table. | 10.x.x.x/24 |
| Management Interfaces | Dedicated management network for Out-of-Band Management (OOBM) | 172.16.10.x/24 |
| VSX ISL | Only two IP addresses needed. IPs are not injected into routing table | 10.99.99.x/30 |
| OSPF Interfaces | Each subnet needs only two IP addresses. | 172.18.10X.X/30 |
VLAN Names and Numbers
Aruba ESP best practice is to use named VLANs. This allows the grouping of multiple VLAN numbers within a name for policy creation purposes. Choose VLAN names that describe their purpose. Establish a VLAN numbering scheme that can remain consistent across periods of growth and that can align to functional ID numbers used elsewhere in the network.
| VLAN Name | VLAN ID | Description |
|---|---|---|
| EMPLOYEE | 3 | Authenticated employee access |
| PRINTER | 6 | LAN connected printers |
| REJECT_AUTH | 13 | Fail-through VLAN for authentication policy failures |
| MGMT_VLAN | 15 | Infrastructure device management interface VLAN |
MAC Address Best Practices
A Locally Administered Address (LAA) should be used any time a MAC address must be configured. An LAA is a MAC that looks like one of the four examples below:
x2-xx-xx-xx-xx-xx
x6-xx-xx-xx-xx-xx
xA-xx-xx-xx-xx-xx
xE-xx-xx-xx-xx-xx
The x positions can be any valid hex value. It is helpful to create a binary representation of the associated VLAN ID using the hex positions. For more details on the LAA format, see the IEEE Tutorial Guide.
Aruba Central
Aruba Central is a cloud-based platform to configure, manage, and monitor the ESP Campus network. Designed as a software-as-a-service subscription-based set of applications, Central provides a standard web-based interface that allows access to the network from anywhere. Group and device level configurations provide operational efficiency; monitoring and alerting streamlines day-2 operations and historical data reporting helps with auditing and troubleshooting.
Note: The content in the Aruba ESP Campus is based on Aruba Central version 2.5.4. To verify the version of Central you are running, click the “?” Icon in the upper right corner of any page and choose “Documentation Center”. The Help page URL lists the Central version after the website’s name.
Aruba Central
Account Home Page
The Aruba Central Account Home page provides access to the Network Operations application, which is a dashboard for configuration, monitoring, reporting, and troubleshooting.
The Account Home page also provides access to global settings. In this guide, the following global setting areas will be used:
Key Management
Device Inventory
License Assignment
Network Operations App
The Aruba Central Network Operations app is the main application for configuring, monitoring, reporting, and troubleshooting your network. Use the navigation bar on the left to change the context of the main screen. In this guide, the focus is on configuration in the following areas:
- Filter drop-down list—Select the groups or sites you need to configure or monitor.
- Overview—Review network health, WAN health, summary of network status, Wi-Fi connectivity, and AI Insights.
- Devices—Manage and configure access points, switches, and gateways.
- Clients—Manage and configure clients and client profiles.
- Guests—Manage and configure guest access and presence analytics.
- Firmware—Set compliance and upgrade firmware across multiple devices, platforms, groups, sites, and labels.
- Organization—Manage groups, sites, and labels.
- Groups are the parent level for device configurations. Use groups to apply common configurations to a group of devices and device overrides for device-specific configurations.
- Sites define all devices into a single location. Use sites to monitor devices, not to configure them.
- Labels provide additional user-defined context for monitoring devices.
Create New Groups
Aruba Central uses group and device levels for configuration tasks. A device’s final configuration comprises configuration that is applied at the group level and configuration applied at the device level. Parameters changed at the device level override the configuration inherited from the group level. The recommended best practice is to enter changes at the device level only when required, such as when configuring an IP address or name of the device. Most changes should be made at the group level to ensure configuration consistency across the network.
Note: A device must be assigned to a group and assigned a license in order to receive configuration from Central.
Step 1 Navigate to Central and login using administrator credentials.
Step 2 On the Aruba Central Account Home page, launch the Network Operations app.
Step 3 In the left navigation pane in the Maintain section, select Organization.
Step 4 Select the Groups tile.
Step 5 On the Groups page in the Manage Groups section, select New Group.
Step 6 On the Create New Group page, assign the following settings, then click Next.
- Name: BD9-AGG01
Group will contain: check-mark
Note: If a template group is required, such as when configuring chassis switches, move the slider right for Configure using templates. For detailed instructions on how to create a template and custom variables, consult the Creating a Configuration Template section of the Central online help and the Reference Configuration included with this guide.
Step 7 Select the correct group type, then click Add.
Step 8 Repeat this procedure for each group.
Set the Group Password
Step 1 In the filter dropdown, select a new group, then click Devices.
Step 2 Enter the initial administrator password for all devices in the group, then click Save.
Note: A device-specific Administrator password can be set at the device level of Central.
Create New Sites
Central Groups define a set of devices with shared configuration, while sites define a set of devices with a shared location. Sites are used to monitor and analyze the network, and groups are used to configure devices. As with groups, sites are created under the Organization navigation pane. At least one site should be defined to allow Central to generate accurate topology and reporting data.
Step 1 On the Aruba Central Account Home page, launch the Network Operations app.
Step 2 On the left navigation pane in the Maintain section, select Organization.
Step 3 On the Sites and Labels tab, confirm that the slider is set to Sites. At the bottom, click New Site.
Step 4 In the Create New Site window, assign the following settings, then click Add.
- Site Name: EXAMPLE SITE
- Street Address: 123 Any Street
- City: Santa Clara
- County: United States
- State or Province: California
- Zip/Postal Code: 95054
Step 5 Repeat this procedure for each site.
Manage Firmware Compliance
Enable firmware compliance to ensure that devices in a group are maintained at the same firmware level, starting when the device is first added to the group. Aruba recommends running the latest updated firmware for the initial deployment.
Step 1 On the Aruba Central Account Home page, launch the Network Operations app.
Step 2 On the left navigation pane in the Maintain section, select Firmware.
Step 3 On the Access Points page on the top right, click SET COMPLIANCE.
Step 4 On the initial window, click the Set firmware compliance slider.
Step 5 On the expanded window, assign the following settings, then click Save.
- Groups: EXAMPLE-GROUP
- Firmware Version: Latest Recommended
- When: Now
Note: The Firmware Compliance feature does not have Live Upgrade capabilities. In most networks, Firmware Compliance should be turned off after the initial deployment of devices. A custom build (as shown in the image above) that does not yet have a general availability tag (GA) is chosen by selecting Custom Build and entering the build number provided by Aruba Support.
Step 6 Repeat this procedure for all groups.
Add Devices to Inventory
After a customer has a Central account setup, devices are automatically associated to it at the time of purchase. If devices were purchased before creating a Central account, they can be added manually using the device serial number and MAC address.
Step 1 At the top right of any page, click the Account Home icon.
Step 2 On the Account Home page in the Global Settings section, select DEVICE INVENTORY.
Step 3 Check the device inventory page to confirm that all devices are correctly listed.
Step 4 If devices are missing, scroll to the bottom of the page, then click Add Devices.
Step 5 In the window, enter the serial number and MAC address of the missing devices. When they are all entered, click Done.
- SERIAL NUMBER: serial number
- MAC ADDRESS: MAC address
After entering the information and moving to the next line, the system attempts to add the device to inventory. One of the following messages will appear:
- Success - The device has been added to inventory
- Error - The serial number or MAC address is incorrect. Check for a typo, but if both are entered correctly, open a TAC case.
- Blocked - This device is currently assigned to another customer. Open a TAC case. There are occasions when a company has multiple accounts or orders to Aruba, and TAC can resolve the issue.
- Device Already exists - This device is already in the inventory.
Note: The serial number and MAC address can be found on the original box or a label on the device.
Step 6 Repeat this procedure until all devices are added to inventory.
Add Device Subscription Keys
Use this procedure to add device subscription keys to your Central account.
Step 1 At the top right of any page, click the Account Home icon.
Step 2 On the Account Home page in the Global Settings section, select KEY MANAGEMENT.
Step 3 On the Key Management page, enter a subscription key, then click Add Key.
Step 4 Repeat the previous step for each subscription key.
Note: The Key Management page also displays the status and expiration dates for the existing licenses.
Assign Licenses to Devices
Use this procedure to assign device licenses manually.
Most Aruba ESP networks should operate with the default License Auto-Assign setting enabled. This feature automatically assigns the correct license to new devices added to inventory. When Auto-Assign is disabled, licenses must be assigned to devices manually.
Step 1 At the top right of any page, click the Account Home icon.
Step 2 On the Account Home page in the Global Settings section, select LICENSE ASSIGNMENT.
Step 3 At the top of the page, the default device type is Access Points.
Step 4 To assign licenses automatically to this device type, move the AUTO-ASSIGN slider to the right.
Step 5 In the window, choose the License Type to automatically assign all devices of this type, then click Update.
Step 6 To assign licenses manually, leave the AUTO-ASSIGN slider to the left. Select one or more devices from the list.
Step 7 At the bottom of the selection section, click MANAGE ASSIGNMENT.
Step 8 In the window, choose the License Type to assign the selected devices, then click Update.
Step 9 Repeat this procedure for all the devices.
Create New Users
Use this procedure to create new users and roles.
Note: For detailed information on setting up user access, click the question mark icon in the upper right corner of any web page in Central. Search for “user and roles” in the Documentation Center home page.
Step 1 At the top right of any page, click the Account Home icon.
Step 2 On the Account Home page in the Global Settings section, select USERS AND ROLES.
Step 3 On the Users and Roles page, click ADD USER.
Step 4 In the window, assign the following settings, then click Save.
- Username: user@hpe.com
- Description: Example user
- Language: English
- Account Home: admin
- Network Operations: admin
- ClearPass Device Insight: admin
- Select Groups: All Groups
Note: The Account Home allows you to select a user role for the Account Home page
The Network Operations allows you to select a user role for the Network Operations application
The ClearPass Device Insight allows you to select a user role for the ClearPass Device Insight application
The Select Group allows you to select the groups this user can access
ClearPass Policy Manager
ClearPass Policy Manager provides role- and device-based secure network access control for IoT, BYOD, corporate devices, as well as employees, contractors, and guests across wired, wireless, and VPN infrastructure. With a built-in context-based policy engine, RADIUS, TACACS+, non-RADIUS enforcement using OnConnect, device profiling, posture assessment, onboarding, and guest access options, ClearPass is unrivaled as a foundation for network security for organizations of any size.
Note: The content in the ESP Campus is based on ClearPass Policy Manager version 6.9. This guide does not cover the initial turn up and implementation of ClearPass. The ClearPass platform must be installed and patched to version 6.9 before implementing the steps in the subsequent sections of this guide. For details on ClearPass deployment, refer to the following link: ClearPass Policy Manager 6.9 Deployment Guide