The access layer provides wired and wireless devices with Layer 2 connectivity to the network. It plays an important role in protecting users, application resources, and the network itself from human error and malicious attacks. This protection includes controlling the devices allowed on the network, ensuring that connected devices cannot provide unauthorized services to end users, and preventing unauthorized devices from taking over the role of other devices on the network.
Table of contents
- Wired Access Configuration
- Configure the Access Switch Groups
- Configure a Standalone Switch
- Configure a Switch Stack
- Configure the Uplink LAG Interface
- Enable MultiEdit for the Group
- Configure the Access VLANs
- Configure Spanning Tree
- Verify Spanning Tree
- Configure RADIUS and UBT
- Verify RADIUS
- Verify UBT
- Configure Interfaces Using a Port Profile
- Configure Device Profiles
- Configure the Access Switch Groups
The following procedures describe the configuration of individual and stacked access layer switches using a UI Group. The base configuration of the switches was described previously in the Switch Group Configuration section of this guide.
The following procedure completes the switch configuration using an Aruba Central UI Group. The figure below shows the access switches in the ESP Campus.
Connect a standalone switch to a network segment where it can receive a DHCP lease, which includes DNS servers and a valid route toward the Internet. Aruba CX 6000 series switches are factory-configured to request DHCP on any front panel interface or on the dedicated management port. After a new switch can reach Central, it automatically associates to the correct organization based on information from the time of purchase.
Follow this procedure to configure a group of switches for VSF stacking. Begin by cabling the stack using ports 25 and 26 on 24-port models, or ports 49 and 50 on 48-port models. Connect one switch in the stack to a network with DHCP service providing Internet reachability. This switch serves as the stack conductor after the stack is formed.
Note: VSF stacking is supported on Aruba CX 6300 and 6200 model switches only.
A switch must be added to a group before VSF configuration can continue.
Step 1 Go to Central and login using administrator credentials.
Step 2 On the Aruba Central Account Home page, launch the Network Operations app.
Step 3 In the filter dropdown, select Global, if it is not already selected. On the left menu, select Organization.
Step 4 Expand the Unprovisioned devices group, highlight the switch directly connected to the network, then click the Move Devices button at the lower right in the window.
Step 5 In the Destination group dropdown, select the correct access switching Group for the stack, then click Move.
Step 6 In the filter dropdown, select the access switch Group name. On the left menu, select Devices.
Step 7 Select the new switch, using the serial number if multiple new switches are being added. On the left menu, select Device.
Step 8 On the Switch page in the System tile, select Properties.
Step 9 On the Edit Properties page, enter a Name for the new switch, leave the group inherited properties unchanged, then click SAVE.
Step 10 Use the green left arrow on the filter menu to return to the Switches page.
Step 11 On the upper right of the Switches page, select Config.
Step 12 On the Switches page in the System tile, select Stacking.
Step 13 Create a new VSF stack by clicking the + (plus sign) at the upper right of the table.
Step 14 In the Create VSF Stack window, assign the following settings, then click SAVE.
- Switch Series: 6300
- Conductor: RSVCP-AG3-AC2
- Link 1 Port(s): 25
- Link 2 Port(s): 26
- Split Mode detect: Unchecked
Step 15 A VSF stack named with the serial number of the switch selected above is now listed in VSF Stacking with a single conductor.
Step 16 Wait approximately five minutes for the stack to self-configure, then refresh the VSF Stacking page and confirm that all stack members are present.
Step 17 At the right side of a member row, click the Edit icon, check the box for Standby conductor, then click Save.
Configure link aggregation groups (LAGs) on redundant links to the aggregation switches for fault tolerance and increased capacity. By default, the uplink trunks use source and destination IP address, protocol port number, and device MAC addresses to load-balance traffic between grouped physical links. Use the Port Profiles feature of Central to apply the same port level configurations to multiple switches, or switch stacks, at the same time.
Step 1 Connect a second link to the standalone switch or VSF stack.
Step 2 In the device table, click the left arrow at the top left to return to the Switches page. Select Port Profiles in the Interfaces tile.
Step 3 To clone the Sample Uplink profile, click the Clone icon visible when the row is highlighted.
Step 4 Name the new port profile and click the Clone button.
Step 5 To edit the new profile, highlight the new row and click the Edit (pencil) icon.
Step 6 In the Edit Profile window, enter the following LAG configuration, then click Save.
- Name: Access uplink LAG
- Description: Port profile for access switch uplink LAGs
interface lag 1 no shutdown ip mtu 9198 description Uplink LAG no routing vlan trunk native 1 vlan trunk allowed all lacp mode active arp inspection trust dhcpv4-snooping trust interface 1/1/28 no shutdown lag 1 interface 2/1/28 no shutdown lag 1
Caution: DHCP snooping and ARP inspection must be trusted on the LAG interface to allow clients to receive DHCP addresses from the centralized DHCP servers on the network.
Step 7 To apply the profile, highlight the profile row and click the Apply icon.
Step 8 On the Apply screen, select the switches for LAG configuration, and click Save.
Step 9 Open a Remote Console window, type the command
show lag 1, then press ENTER. The output shown below indicates a healthy, two-port LAG.
Step 1 In the upper left of the Switches page, move the slider right to enable MultiEdit.
Step 2 Select the devices for editing. In the lower right window, click EDIT CONFIG.
The following steps provide configuration text that can be pasted into the MultiEdit window. After pasting the configuration, right-click any device-specific values. A Modify Parameters window appears on the right, allowing input of individual device values.
Note: Interface configuration can optionally be performed using the Port Profiles feature documented later in this guide. This method is of particular interest to large installations with port configurations replicated across switches.
Access switches are configured with the same VLANs created on the aggregation switches in addition to an in-band management interface and a VLAN for User-Based Tunneling (UBT).
Both DHCP snooping and ARP inspection must be enabled to inspect traffic, prevent common attacks, and facilitate DHCP services across subnets. IGMP snooping is enabled and is required for Dynamic Multicast Optimization (DMO).
Note: DHCP snooping must be enabled both globally and under each VLAN. ARP inspection is enabled only under the VLAN, but it does not take effect unless DHCP snooping also is enabled.
Example: Access VLANs
Enable DHCP snooping and create VLANs at the Group level.
Step 1 Enable DHCP snooping globally.
Step 2 Enable DHCP snooping, ARP inspection, and IGMP snooping on each VLAN.
vlan 2 name ZTP_NATIVE dhcpv4-snooping arp inspection ip igmp snooping enable ... vlan 4000 name UBT_CLIENT dhcpv4-snooping arp inspection ip igmp snooping enable
Caution: The access switch VLANs must match the aggregation switch VLANs to enable the access devices to reach their default gateway.
Step 3 Create a Layer 3 interface on each VLAN and configure the same MTU size used in the aggregation layer.
interface vlan 2 description ZTP_Native ip mtu 9198 ip address 10.2.15.5/24 ... interface vlan 15 description MGMT ip mtu 9198 ip address 10.15.15.5/24
Note: When using MultiEdit at the group level, right-click device-specific values to set values for individual devices in the group.
Step 4 Configure the default route in the management VLAN. Add the static route for the active gateway IP address in VLAN 15.
ip route 0.0.0.0/0 10.2.15.1
Note: The access switch must have a default route in the management VLAN to enable connectivity to network services such as Central, TACACS, RADIUS, and NTP servers.
Spanning tree is enabled by default on 6xxx family CX switches. The following procedure illustrates how to enable it when needed. Supplemental features such as admin-edge, root guard, BPDU guard, and TCN guard are enabled on appropriate interfaces to ensure that spanning tree runs effectively.
At the group level, add the following configuration:
Step 1 Configure spanning tree globally. Multiple Spanning Tree Protocol (MSTP) is enabled by default.
Step 2 Configure the port level spanning tree features and loop-protect on each access interface.
interface 1/1/1 description ACCESS_PORT no shutdown no routing vlan access 1 spanning-tree bpdu-guard spanning-tree port-type admin-edge spanning-tree root-guard spanning-tree tcn-guard loop-protect loop-protect action tx-disable
Step 3 Open a Remote Console window, type the command
show spanning-tree summary root, and press ENTER. The output shown below indicates a healthy MSTP configuration state.
Use this procedure to configure the RADIUS servers and UBT for the access switch.
Access switches authenticate devices attempting to connect to the network. The two most common methods to authenticate users include an 802.1X supplicant or MAC-based authentication. This design supports both, as well as dynamic authorization, which allows the AAA server to change the authorization level of the device connected to the switch.
RADIUS tracking is enabled to verify the status of the client and server. The configuration also employs user roles for rejected clients and RADIUS failures. The configuration of RADIUS and user roles goes hand-in-hand with UBT, so this section also covers the UBT configuration.
Step 1 Configure the RADIUS servers. Enable RADIUS dynamic authorization and track client IP addresses with probes.
radius-server host 10.2.120.94 key plaintext <Password> radius-server host 10.2.120.95 key plaintext <Password> radius dyn-authorization enable client track ip update-method probe
Step 2 Configure AAA for 802.1X and MAC authentication.
aaa authentication port-access dot1x authenticator enable aaa authentication port-access mac-auth enable
Step 3 Configure UBT to tunnel traffic to the gateways. Define the UBT client VLAN and create the UBT zone in the default VRF. Connect to a pair of gateways for the primary and backup tunnels.
UBT Client VLAN: 4000
UBT Zone: Aruba
ubt-client-vlan 4000 ubt zone Aruba vrf default primary-controller ip 10.6.15.11 backup-controller ip 10.6.15.12 enable
Step 4 Configure local user roles. Create the user role and, if the VLAN is tunneled, set the gateway zone and gateway role. If the VLAN is not tunneled, set the authentication mode or the reauthorization period and the local VLAN.
port-access role BLDG-MGMT gateway-zone zone Aruba gateway-role EXAMPLE-BLDG-MGMT port-access role GUEST gateway-zone zone Aruba gateway-role EXAMPLE-GUEST port-access role ARUBA-AP auth-mode device-mode vlan access 15 port-access role CRITICAL_AUTH reauth-period 120 vlan access 14 port-access role REJECT_AUTH reauth-period 120 vlan access 13
Note: Special-case local user roles, such as Aruba-AP, Critical Auth, and Reject, are not tunneled to gateways.
Step 5 Configure AAA authentication on the access ports. Set the client limit, configure 802.1X and MAC authentication, and set the authentication order. Set the critical role and the rejection role to use special case user roles with local VLANs. Adjust the EAPOL timeout, max requests, and max retry defaults.
interface 1/1/1 description ACCESS_PORT no shutdown no routing vlan access 1 aaa authentication port-access client-limit 5 aaa authentication port-access auth-precedence dot1x mac-auth aaa authentication port-access critical-role CRITICAL_AUTH aaa authentication port-access reject-role REJECT_AUTH aaa authentication port-access dot1x authenticator eapol-timeout 30 max-eapol-requests 1 max-retries 1 enable aaa authentication port-access mac-auth enable
Step 6 Open a Remote Console window, type the command
show radius-server, then press ENTER. The output shown below indicates a healthy RADIUS server configuration.
Step 7 Open a Remote Console window, type the command
show ubt status, then press ENTER. The output shown below indicates a healthy UBT configuration state.
As an alternative to the preceding MultiEdit examples, interface configuration can be completed using the Port Profiles feature. This feature of Central applies the same port level configurations to multiple switches, or switch stacks, at the same time. Create a port profile using the interface level configuration from the previous spanning-tree and RADIUS/UBT sections.
Before proceeding, ensure that spanning tree is enabled, RADIUS authentication is configured, and that local user roles are created. Refer to the preceding procedures for configuration examples.
Step 1 On the left menu, select Devices.
Step 2 At the upper left of the Switches page, de-select MultiEdit (if enabled).
Step 3 Select Port Profiles on the Interfaces tile.
Step 4 To clone the Sample Access Port profile, click the Clone icon visible when the row is highlighted.
Step 5 Name the new port profile and click the Clone button.
Step 6 In the Edit Profile window, enter the following access port configuration, then click Save.
Name: Access ports
Description: Port profile for access switch ports
interface 1/1/1-1/1/12 description ACCESS_PORT no shutdown no routing vlan access 1 spanning-tree bpdu-guard spanning-tree port-type admin-edge spanning-tree root-guard spanning-tree tcn-guard loop-protect loop-protect action tx-disable port-access onboarding-method concurrent enable aaa authentication port-access allow-cdp-bpdu aaa authentication port-access allow-lldp-bpdu aaa authentication port-access client-limit 5 aaa authentication port-access auth-precedence dot1x mac-auth aaa authentication port-access critical-role CRITICAL_AUTH aaa authentication port-access reject-role REJECT_AUTH aaa authentication port-access dot1x authenticator eapol-timeout 30 max-eapol-requests 1 max-retries 1 enable aaa authentication port-access mac-auth enable
Caution: Ensure that indent levels copy accurately into the Port Profiles editor.
Step 7 To apply the profile, highlight the profile row and click the Apply icon.
Step 8 In the Apply screen, select the switches for access configuration, and click Save.
Using MultiEdit, create a device profile that detects Aruba APs dynamically, places them into the management VLAN, and allows locally bridged VLANs.
Note: This procedure is unnecessary if ClearPass is used to authenticate Aruba APs.
Step 1 Configure the ARUBA-AP role. Create the role, set the authentication mode, set the native VLAN, and define the allowed VLANs.
port-access role ARUBA-AP auth-mode device-mode vlan trunk native 15 vlan trunk allowed 1-3,5-6,13-15
Note: The ARUBA-AP role identifies the AP’s VLAN and identifies which VLANs are bridged locally.
Step 2 Configure the LLDP group. Create the group and identify the Aruba AP OUIs.
port-access lldp-group AP-LLDP-GROUP seq 10 match vendor-oui 000b86 seq 20 match vendor-oui D8C7C8 seq 30 match vendor-oui 6CF37F seq 40 match vendor-oui 186472 seq 50 match sys-desc ArubaOS
Note: The LLDP group identifies the Aruba APs and sets the system-description at the end as a catchall for future APs.
Step 3 Configure the device profile. Create the profile, enable it, then associate it with the role and LLDP group created previously.
port-access device-profile ARUBA_AP enable associate role ARUBA-AP associate lldp-group AP-LLDP-GROUP
Devices in the group automatically synchronize the new configuration. Synchronization status is updated on the Configuration Status page. Click Audit Trail in the left menu to observe step execution.