The ESP Campus for large networks includes a gateway cluster in the services aggregation layer. In this design, WLANs are tunneled to the gateways to take advantage of advanced policy enforcement and firewall capabilities available on the platform. Gateway clustering is implemented to ensure high availability and throughput.
This section describes how to deploy a gateway in Aruba Central using the Zero Touch Provisioning (ZTP) process. The table below shows VLANs and IP addresses used in the following procedures.
Example: IP Addresses and VLAN ID
|Name||IP address||Default gateway||VLAN ID||VLAN name||Gateway VRRP Address|
Table of contents
Use the following procedure to configure Gateway VLANs.
Example: VLANs for Gateways
|VLAN Name||VLAN ID|
Caution: The Gateway VLANs must be created before adding the port channels, so the Native VLAN and Allowed VLANs can be selected from the dropdown lists.
Step 1 On the Gateways tab, select the Interface tab, select VLANs, and, in the lower left, click the + (plus sign).
Step 2 In the New VLAN window, assign the following settings, then click Save Settings.
- VLAN name: MGMT
- VLAN ID/Range: 15
Note: Named VLANs facilitate policy consistency between sites.
Step 3 Repeat this procedure for each Gateway VLAN in the environment.
Use this procedure to enable gateway physical interfaces in a group for configuration.
The ESP Campus supports Zero Touch provisioning (ZTP) of gateway devices. ZTP requires that physical interface configuration must be performed for Gateways at the group level. To simplify this configuration, best practice is to standardize a single gateway model within each group.
Caution: If a group-level interface configuration is applied to a gateway that does not have the specified physical interface, the gateway is not added to the group. The unsupported interface must be removed from the group configuration to add the gateway.
Step 1 Navigate to Central and login using administrator credentials.
Step 2 On the Aruba Central Account Home page, launch the Network Operations app.
Step 3 In the filter dropdown, select an AOS10 Group name.
Step 4 On the left menu, select the Devices tab, and select the Gateways tab. In the upper right, select Config.
Step 5 On the Gateways page, select the Interface tab, then the Ports tab.
Step 6 At the bottom of the Ports table, click the + (plus sign).
Step 7 On the New port popup, select the checkbox next to the interface name, then click Save Settings.
Use the following procedure to configure Gateway port channels.
In deployments for which uptime and performance are priorities, best practice for gateway connectivity is to use LACP on a multi-chassis LAG (MC-LAG) connected to a pair of switches that support the Aruba VSX feature. LACP is enabled on the gateway as part of the Port Channel configuration.
When a Gateway is deployed using ZTP, it does not have an LACP configuration initially. To accommodate this during the provisioning process, LACP Fallback is enabled on the switch. An example configuration for VSX MC-LAG is shown below:
interface lag 11 multi-chassis description 7210-1 no shutdown no routing vlan trunk native 1 vlan trunk allowed all lacp mode active lacp fallback ! interface lag 12 multi-chassis description 7210-2 no shutdown no routing vlan trunk native 1 vlan trunk allowed all lacp mode active lacp fallback
Note: When LACP negotiation fails, LACP Fallback allows switch ports to function as standard access/trunk ports until LACP functions.
The above configuration snippet illustrates the implementation of the LACP Fallback command in context. Refer to earlier sections of this guide for complete switch configuration.
Step 1 In the filter dropdown, select an AOS10 Group name.
Step 2 On the left menu, select the Devices tab, and select the Gateways tab. In the upper right, select Config.
Step 3 On the Gateways page, select the Interface tab, then the Ports tab.
Step 4 In the Port channel section, click the + (plus sign).
Step 5 In the New port channel window, select the next available PC-n ID; in this example PC-0. Click Save Settings.
Step 6 In the PC-n section, assign the following settings.
- Protocol: LACP
- LACP Mode: Passive
- Port Members: Click Edit, select port channel ports under Available, use the right arrow to move them to Selected, then click OK.
- Admin State: checkmark
- Trust: checkmark
- Policy: Leave empty
- Mode: Trunk/
- Native VLAN: 4094
- Allowed VLANS: 15, 102-106,112-114,4094
- Jumbo MTU: checkmark
Note: The Allowed VLANs dropdown is populated from the Gateway VLANs created in the “Configure VLAN Interfaces” procedure.
Step 7 At the bottom of the page, expand Show advanced options, assign the following settings, then click Save Settings.
- LLDP Transmission: Slide to right
- LLDP Reception: checkmark
Use the following procedure to disable VLAN 4094 on the gateway physical interfaces.
The gateway has a factory configured native VLAN ID of 4094 on the interface used to make an initial connection to Central. However, a Gateway cannot sync with Central until a system IP is assigned. This behavior allows for the configuration push, which disables VLAN 4094 when the Gateway is assigned a system IP address.
Step 1 On the Gateways page, select the Interface tab, then select the VLANs tab.
Step 2 Scroll down and select the row for 4094. In the lower VLAN IDs section, click the VLAN row.
Step 3 On the IPv4 page, deselect the Admin state: checkbox, then click Save Settings.
Use the following procedure to configure a default gateway on the gateway device.
Step 1 On the Gateways tab, select the Routing tab, then the IP Routes tab.
Step 2 Expand the Static Default Gateway section. At the bottom of the table, click the + (plus sign).
Step 3 On the New Default Gateway page, enter the IP address, then click Save Settings.
- Default Gateway IP: 10.6.15.1
Use this procedure to configure the base features of the gateway. The base features include the hostname, VLAN IP addresses, and the System IP address.
Note: In the Aruba ESP Campus design, most gateway configuration is entered at the group level. An attempt to change a device property which is overridden at the group level will be indicated in the audit trail.
Step 1 In the filter dropdown, select an AOS10 Group name.
Step 2 On the left menu, select Devices on menu bar, then select Gateways.
Step 3 Select a new gateway from the list.
Note: An unnamed gateway is listed with the system MAC address.
Step 4 On the left menu, select Device, select the Interface tab, then the VLANs tab.
Step 5 In the VLANs table, select the MGMT VLAN. In the lower VLAN IDs section, click the VLAN row.
Step 6 Scroll down to the IP Address Assignment section, assign the following settings, then click Save Settings:
IP Assignment: Static
- IPv4 Address: 10.6.15.11
- Netmask: 255.255.255.0
- Force operational status UP: checkmark
Step 7 In the Vlans table, select a different VLAN. In the lower VLAN IDs section, click the VLAN row.
Step 8 Scroll down to the IP Address Assignment section, assign the following settings, then click Save:
- IP Assignment: Static
- IPv4 Address: 10.6.103.11
- Netmask: 255.255.255.0
- Force operational status UP: un-checked
Step 9 Repeat the previous two steps for each additional VLAN in the environment.
Step 10 On the Gateway page, select the System tab, then the General tab.
Step 11 In the Basic Info section, enter the Hostname, then click Save Settings.
Caution: The admin password is inherited from the group settings. Do not change it at the device level.
Step 12 Expand the System IP Address section, use the IPv4 address dropdown to select the VLAN with the Force operational UP setting, then click Save.
- IPv4 address: VLAN 15 10.6.15.11
Note: The gateway reboots and downloads its configuration after the System IP address is set. This may take time and may require multiple reboots to push all configuration. Status can be found in the audit log. After the configuration has been successfully pushed, the gateway shows a status of in-sync on the device summary page.
Step 13 Repeat this procedure for each new gateway in the environment.
Use this procedure to configure Layer 2 Gateway clustering.
Gateway clustering provides load-balancing across two or more devices, resulting in increased availability and throughput for users and endpoints. The Gateway VRRP IP addresses allow authorization servers such as ClearPass to make a Change of Authorization (CoA) request for a user anchored to a specific gateway.
Note: VRRP Addresses on gateway cluster members are required for CoA to work correctly. However, automatic cluster creation does not support CoA.
Example: Gateway VRRP IP Addresses and VLANs
|Gateway||IP address||Multicast VLAN||VRRP IP address||VRRP VLAN|
Step 1 In the dropdown, select an AOS10 Group name.
Step 2 On the left menu, select Devices, and select the Gateways tab. On the top right, click Config.
Step 3 On the top right, select Advanced Mode, and select the High Availability tab.
Step 4 Confirm the Cluster mode: Automatic slider is to the left (off).
Step 5 At the bottom of the Clusters table, click the + (plus sign) and assign the following settings.
- Manual cluster configuration: Slide to right
- Cluster name: SERVICES-7210
- Dynamic Authorization (CoA): Slide to right
Step 6 At the bottom of the Gateways in Cluster table, click the + (plus sign)and assign the following settings.
- Gateway: 7210-1
- VRRP IP: 10.6.15.13
Step 7 Click the + (plus sign)again and assign the following settings.
- Gateway: 7210-2
- VRRP IP: 10.6.15.14
Step 8 Scroll down, assign the following settings, then click Save Settings.
- Multicast VLAN: 15
- VRRP VLAN: 15
- VRRP ID: 15
- VRRP Passphrase: passphrase
Note: Cluster changes disrupt client traffic and should be made during a maintenance window.