Aruba Branch Switch Configuration
The primary function of a switch in this branch deployment is to provide power and layer 2 access to wired devices and APs. Each branch deployment should have the same physical connectivity, to minimize differences in the template.
If branch sites have different physical layouts or configurations, a second template group should be created for the branch.
Create a Switch Group
Use this procedure to create a switch group, if the group has not already been created in the “Preparing to Deploy” section.
Step 1 In the left navigation pane, in the Maintain section, select Organization.
Step 2 Select the Groups tile.
Step 3 Click the + (plus sign) to create a New Group.
Assign Switches to Group
Step 1 On the Central Account Home page, select Device Inventory.
Step 2 In the View Devices table, select the switches, then click Assign Group.
Step 3 In the Assign a Group to the Selected Devices window, select the switch group you created previously.
Step 4 Click Assign device(s), then click OK.
Creating Switch Template Configuration
The configuration options that should be included in a switching template are shown below, written in template format. The values of the variables are listed in the table below the configuration.
interface Vlan 10
ip address %VLAN_IP%
| Switch Name | %VLAN_IP% Variable Input |
|---|---|
| Example-SW-01 | 10.0.0.2 |
| Example-SW-02 | 10.0.0.2 |
The full configuration template file, with variables, is included in the “Branch Access Switch Configuration” section. The uplink ports used in this document may differ from those in other branch deployments and must be adjusted to fit those environments.
Configure the Access Base Features
Use this procedure to configure the access switch base features. The base features include the host name, management user account, banner MOTD, NTP, DNS, TACACS, and AAA.
In the configuration template, perform the following steps:
Step 1 Configure the switch host name.
hostname %HOSTNAME%
| Switch Serial | %HOSTNAME% Variable Input |
|---|---|
| SG12KN5052 | RS01-SW01 |
| SG12KN505R | RS01-SW02 |
Step 2 Configure the management user account.
user admin group administrators password plaintext <password>
Note: There must be an admin user account for CLI access to the switch.
Step 3 Configure the login banner. The banner MOTD is normally used as a legal disclaimer to notify users logging into the network that only authorized access is allowed. Consult your own legal team to define the banner MOTD. An example is shown below.
banner motd $
**********************************************************
NOTICE TO USERS
This is a private computer system and is the property of Aruba Networks. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy while connected to this system.
...
Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use of this system, you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
***********************************************************
$
Note: When setting the banner, a delimiter character marks the end of the MOTD text and returns the switch from the banner input context. In this example, the delimiter is “$”.
Step 4 Configure the NTP servers and time zone.
ntp server 10.2.120.98 iburst version 3
ntp server 10.2.120.99 iburst version 3
clock timezone us/pacific
Step 5 Configure the DNS servers and domain name.
ip dns host 10.2.120.98
ip dns host 10.2.120.99
ip dns domain-name Example.local
Configure the Access VLANs
To provide client devices with network connectivity, access switches must have the same VLANs as the branch gateways. The access switches also have an additional layer 3 interface for the management VLAN. IGMP snooping, DHCP snooping, and ARP inspection are enabled.
IGMP snooping prevents hosts on a local network from receiving traffic for a multicast group they have not explicitly joined. The feature provides layer 2 switches with a mechanism to prune multicast traffic from ports that do not contain an active multicast listener.
DHCP snooping is enabled globally and enabled for each VLAN to snoop DHCP packets. DHCP snooping prevents DHCP starvation attacks and rogue DHCP servers from servicing requests on the network.
ARP inspection is enabled under the VLAN, but does not take effect unless DHCP snooping is also enabled. ARP inspection stops man-in-the-middle attacks caused by ARP cache poisoning.
| VLAN Name | MGMT | EMPLOYEE | IPTV | CAMERA | Guest | REJECT_QUARENTINE |
|---|---|---|---|---|---|---|
| VLAN ID | 100 | 101 | 102 | 103 | 104 | 105 |
In the configuration template, assign the following configuration:
Step 1 Configure DHCP snooping globally.
dhcpv4-snooping
Step 2 Configure the access VLANs, enable DHCP/IGMP snooping, and enable ARP inspection.
vlan 100
name MGMT
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 101
name EMPLOYEE
dhcpv4-snooping
arp inspection
ip igmp snooping enable
...
vlan 105
name REJECT_QUARENTINE
dhcpv4-snooping
arp inspection
ip igmp snooping enable
Step 3 Configure the layer 3 interface VLAN.
interface vlan 100
description MGMT
ip address %MGMT_IP%/24
| Switch Name | %MGMT_IP% Variable Input |
|---|---|
| RS01-SW01 | 10.14.0.4 |
| RS01-SW02 | 10.14.0.5 |
Step 4 Repeat the previous step for every VLAN on the switch.
Step 5 Configure the default route in the management VLAN. Add the static route for the active gateway IP address in VLAN 100.
ip route 0.0.0.0/0 %DEFAULT_ROUTE%
| Switch Name | %DEFAULT_ROUTE% Variable Input |
|---|---|
| RS01-SW01 | 10.14.0.1 |
| RS01-SW02 | 10.14.0.1 |
Note: The access switch must have a default route in the management VLAN for reachability to network services such as Central, TACACS, RADIUS, and NTP servers.
Configure Device Profiles
Device profiles detect APs dynamically and configure the attached port properly for device management and for tagging the bridged SSIDs. This assists network operators by eliminating manual configuration of ports to which APs are connected.
Device profiles are applied in three steps. First, configure the role to identify the AP, as well as the port tagging. Second, define the LLDP group, which uses LLDP to glean the device OUI to identify if the device is an Aruba AP. Last, associate the role and LLDP group in a device profile configuration.
Note: This procedure can be skipped if ClearPass is used to authenticate Aruba APs.
On each access switch, perform the following steps:
Step 1 Configure the Aruba-AP Role. Create the role, set the authentication mode, set the native VLAN, and define the allowed VLANs.
port-access role ARUBA-AP
auth-mode device-mode
vlan trunk native 100
vlan trunk allowed 100-105
Step 2 Configure the LLDP group. Create the group and identify the Aruba AP OUIs.
port-access lldp-group AP-LLDP-GROUP
seq 10 match vendor-oui 000b86
seq 20 match vendor-oui D8C7C8
seq 30 match vendor-oui 6CF37F
seq 40 match vendor-oui 186472
seq 50 match sys-desc ArubaOS
Note: The LLDP group identifies the Aruba APs by OUI and uses the system-description match at the end as a catch-all for future APs.
Step 3 Configure the device profile. Create the profile, enable it, then associate it with the role and LLDP group created previously.
port-access device-profile ARUBA_AP
enable
associate role ARUBA-AP
associate lldp-group AP-LLDP-GROUP
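The following is an added example, not part of the Aruba guide, that models how the ordered match rules of AP-LLDP-GROUP classify a neighbor and how the device profile then selects the ARUBA-AP role. The sequence numbers and OUIs are the ones configured above; the neighbor MAC addresses and system descriptions are constructed test data, and treating the sys-desc match as a substring match is an assumption made here.

```python
# Added example (not from the Aruba guide): evaluate an LLDP group's ordered
# match rules against a neighbour's LLDP data, the way AP-LLDP-GROUP
# classifies a connected device before the device profile applies its role.
# Rule list and OUIs are copied from the guide; neighbour records are constructed.

# Ordered rules of AP-LLDP-GROUP as (seq, match type, value).
AP_LLDP_GROUP = [
    (10, "vendor-oui", "000b86"),
    (20, "vendor-oui", "D8C7C8"),
    (30, "vendor-oui", "6CF37F"),
    (40, "vendor-oui", "186472"),
    (50, "sys-desc", "ArubaOS"),   # catch-all for future AP models
]

# Device profile from the guide: the role applied when the group matches.
DEVICE_PROFILE = {"name": "ARUBA_AP", "enabled": True,
                  "role": "ARUBA-AP", "lldp_group": AP_LLDP_GROUP}


def oui_of(mac: str) -> str:
    """Return the first three octets of a MAC (any separator) as lowercase hex."""
    hexdigits = "".join(ch for ch in mac if ch.isalnum()).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return hexdigits[:6]


def match_lldp_group(rules, chassis_mac: str, sys_desc: str):
    """Return the seq of the first rule the neighbour matches, or None.
    Rules are tried in ascending seq order; the sys-desc rule is modelled
    as a substring match (an assumption of this example)."""
    oui = oui_of(chassis_mac)
    for seq, kind, value in sorted(rules):
        if kind == "vendor-oui" and oui == value.lower():
            return seq
        if kind == "sys-desc" and value in sys_desc:
            return seq
    return None


def role_for_neighbor(profile, chassis_mac: str, sys_desc: str):
    """Role the device profile applies to the port, or None when the profile
    is disabled or the neighbour does not match its LLDP group."""
    if not profile["enabled"]:
        return None
    seq = match_lldp_group(profile["lldp_group"], chassis_mac, sys_desc)
    return profile["role"] if seq is not None else None


if __name__ == "__main__":
    # Constructed neighbours: a known-OUI AP, a new-OUI AP caught by sys-desc,
    # and a non-Aruba device that stays on the port's static configuration.
    for mac, desc in [("00:0b:86:12:34:56", ""),
                      ("aa:bb:cc:00:00:01", "ArubaOS (MODEL: 635)"),
                      ("00:11:22:33:44:55", "Cisco IP Phone")]:
        print(mac, "->", role_for_neighbor(DEVICE_PROFILE, mac, desc))
```

A neighbor that matches no rule keeps the port's own configuration, which is why the profile can be safely left enabled on every access port.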
Configure RADIUS
Use this procedure to configure the RADIUS servers for the access switch.
Access switches authenticate devices attempting to connect to the network. The two most common methods to authenticate users are 802.1x and MAC-based authentication. This design supports both methods, as well as dynamic authorization that allows the AAA server to change the authorization level of the device connected to the switch.
RADIUS tracking is enabled to verify the status of the client and server. The configuration also includes user roles for rejected clients and RADIUS failure scenarios.
On each access switch, perform the following steps:
Step 1 Configure the RADIUS servers, enable RADIUS dynamic authorization, and track client IP addresses with probes.
radius-server host 10.2.120.94 key plaintext <Password>
radius-server host 10.2.120.95 key plaintext <Password>
radius dyn-authorization enable
client track ip update-method probe
Step 2 Configure AAA for 802.1x and MAC authentication.
aaa authentication port-access dot1x authenticator
enable
aaa authentication port-access mac-auth
enable
Step 3 Configure local user roles, set the authentication mode, and set the VLAN.
port-access role EMPLOYEE
reauth-period 120
vlan access 101
port-access role IPTV
reauth-period 120
vlan access 102
port-access role CAMERA
reauth-period 120
vlan access 103
port-access role GUEST
reauth-period 120
vlan access 104
port-access role REJECT_AUTH
reauth-period 120
vlan access 105
port-access role CRITICAL_AUTH
reauth-period 120
vlan access 105
Step 4 Configure AAA authentication on the access ports. Set the client limit, configure 802.1x/MAC authentication, set the authentication order, and configure the critical role and the reject role. Adjust the EAPOL timeout, max requests, and max retry defaults.
interface 1/1/1
description ACCESS_PORT
no shutdown
no routing
vlan access 1
aaa authentication port-access client-limit 5
aaa authentication port-access auth-precedence dot1x mac-auth
aaa authentication port-access critical-role CRITICAL_AUTH
aaa authentication port-access reject-role REJECT_AUTH
aaa authentication port-access dot1x authenticator
eapol-timeout 30
max-eapol-requests 1
max-retries 1
enable
aaa authentication port-access mac-auth
enable
Note: EAPOL timeout: The amount of time the switch waits for EAP responses before identifying a packet as lost.
Max EAPOL requests: The number of requests the interfaces can have at one time.
Max retries: The number of times the switch tries to authenticate the device.
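The following is an added example, not part of the Aruba guide, that models the access-port decision configured in Steps 3 and 4: methods are tried in the auth-precedence order dot1x then mac-auth, an unreachable RADIUS server yields the critical role, a rejection by every method yields the reject role, and the client limit caps the port. The role-to-VLAN mapping is the one from Step 3; the RADIUS outcomes are constructed, and counting a client placed in the reject role against the client limit is an assumption of this model.

```python
# Added example (not from the Aruba guide): a simplified model of the
# port-access decision for interface 1/1/1 as configured in the guide.
# Role-to-VLAN mapping is from the guide; RADIUS outcomes are constructed.

from dataclasses import dataclass, field

# Local user roles from the guide: role name -> access VLAN.
ROLE_VLAN = {
    "EMPLOYEE": 101, "IPTV": 102, "CAMERA": 103, "GUEST": 104,
    "REJECT_AUTH": 105, "CRITICAL_AUTH": 105,
}

# Port settings from the guide's interface 1/1/1.
PORT = {
    "client_limit": 5,
    "auth_precedence": ["dot1x", "mac-auth"],
    "critical_role": "CRITICAL_AUTH",
    "reject_role": "REJECT_AUTH",
}

# Outcomes one method can produce: ACCEPT with a server-supplied role,
# REJECT, or no reachable RADIUS server.
ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"


@dataclass
class Client:
    mac: str
    # Constructed outcome per method, e.g. {"dot1x": (ACCEPT, "EMPLOYEE")}.
    results: dict = field(default_factory=dict)
    supports_dot1x: bool = True      # False = no supplicant (camera, printer)


def authorize(port, authenticated_clients: int, client: Client):
    """Return (role, vlan) for a new client, or None when the client-limit
    is exhausted. Methods run in auth-precedence order: ACCEPT assigns the
    server's role, an unreachable server assigns the critical role, and the
    reject role applies only after every method has rejected or been skipped."""
    if authenticated_clients >= port["client_limit"]:
        return None
    for method in port["auth_precedence"]:
        if method == "dot1x" and not client.supports_dot1x:
            continue                 # no EAPOL response: fall through to mac-auth
        outcome, role = client.results.get(method, (REJECT, None))
        if outcome == ACCEPT:
            return role, ROLE_VLAN[role]
        if outcome == UNREACHABLE:
            critical = port["critical_role"]
            return critical, ROLE_VLAN[critical]
    reject = port["reject_role"]
    return reject, ROLE_VLAN[reject]


def admit(port, clients):
    """Authorize clients in arrival order. Each client that receives any role,
    including the reject role (an assumption of this model), counts against
    the client-limit. Returns a list of (mac, decision)."""
    admitted, decisions = 0, []
    for c in clients:
        d = authorize(port, admitted, c)
        if d is not None:
            admitted += 1
        decisions.append((c.mac, d))
    return decisions


if __name__ == "__main__":
    # Constructed clients: a dot1x employee, a MAC-authenticated camera,
    # a rejected device, a device arriving while RADIUS is down.
    sample = [
        Client("00:0b:86:aa:bb:01", {"dot1x": (ACCEPT, "EMPLOYEE")}),
        Client("00:11:22:33:44:55", {"mac-auth": (ACCEPT, "CAMERA")}, supports_dot1x=False),
        Client("de:ad:be:ef:00:01", {"dot1x": (REJECT, None), "mac-auth": (REJECT, None)}),
        Client("de:ad:be:ef:00:02", {"dot1x": (UNREACHABLE, None)}),
    ]
    for mac, decision in admit(PORT, sample):
        print(mac, "->", decision)
```

The critical and reject roles both land in VLAN 105, so a device that could not be authenticated is still isolated in the quarantine VLAN rather than silently left on the port's native VLAN.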
Configure Spanning Tree
Spanning tree is enabled globally on each access switch as a loop prevention mechanism. Supplemental features such as admin-edge, root guard, BPDU guard, and TCN guard are enabled on appropriate interfaces to ensure that spanning tree runs effectively.
On each access switch, perform the following steps:
Step 1 Configure spanning tree globally and enable Rapid Per VLAN Spanning Tree for the access VLANs.
spanning-tree mode rpvst
spanning-tree
spanning-tree priority 8
spanning-tree vlan 100-105 priority 15
spanning-tree vlan 100-105
Step 2 Configure the supplemental spanning tree features.
interface 1/1/1
description ACCESS_PORT
no shutdown
no routing
vlan access 1
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
spanning-tree root-guard
spanning-tree tcn-guard
loop-protect
loop-protect action tx disable
Step 3 The final access port configuration should look like the following:
interface 1/1/1
description ACCESS_PORT
no shutdown
no routing
vlan access 1
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
spanning-tree root-guard
spanning-tree tcn-guard
loop-protect
loop-protect action tx disable
aaa authentication port-access client-limit 5
aaa authentication port-access auth-precedence dot1x mac-auth
aaa authentication port-access critical-role CRITICAL_AUTH
aaa authentication port-access reject-role REJECT_AUTH
aaa authentication port-access dot1x authenticator
eapol-timeout 30
max-eapol-requests 1
max-retries 1
enable
aaa authentication port-access mac-auth
enable
Step 4 Repeat the full interface configuration for each access port.
Configure Uplink Ports
Each switch has an uplink connection to both BGWs. Each uplink is a trunk with the allowed VLANs of 100-105. The native VLAN for the trunk is VLAN 100. Each uplink has DHCP snooping trust and ARP inspection trust enabled.
Caution: If DHCP snooping trust and ARP inspection trust are not enabled on the uplinks, clients cannot obtain an IP address or connect to the network.
On each access switch, perform the following steps:
Step 1 Configure the uplink interface, then set the native VLAN and the allowed VLANs on the trunk.
interface %UPLINK_1%
description Uplink_BGW
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-105
interface %UPLINK_2%
description Uplink_BGW
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-105
Step 2 Configure ARP inspection trust and DHCP snooping trust.
interface %UPLINK_1%
description Uplink_BGW
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-105
arp inspection trust
dhcpv4-snooping trust
interface %UPLINK_2%
description Uplink_BGW
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-105
arp inspection trust
dhcpv4-snooping trust
| Switch Name | %UPLINK_1% Variable Input | %UPLINK_2% Variable Input |
|---|---|---|
| RS01-SW01 | 1/1/23 | 1/1/24 |
| RS01-SW02 | 1/1/23 | 1/1/24 |
Caution: DHCP snooping and ARP inspection must be trusted on the LAG interface to allow clients to receive DHCP addresses from the centralized DHCP servers on the network.
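The following is an added example, not part of the Aruba guide, that simulates the DHCPv4 snooping binding table and ARP inspection described in the "Configure the Access VLANs" section together with the uplink trust settings of this section. The VLAN features and trusted ports (1/1/23 and 1/1/24) follow the configuration above; every frame is a constructed record, not a capture, and VLAN 200 is a constructed VLAN used only to show that ARP inspection depends on DHCP snooping being enabled.

```python
# Added example (not from the Aruba guide): a simulation of DHCPv4 snooping
# and ARP inspection with trusted uplinks and untrusted access ports.
# Frames are constructed records; port numbers follow the guide.

from dataclasses import dataclass

# Per-VLAN feature state as the guide configures VLANs 100-105.
VLAN_FEATURES = {v: {"dhcp_snooping": True, "arp_inspection": True}
                 for v in range(100, 106)}
# Constructed VLAN with ARP inspection but no DHCP snooping (not in the guide).
VLAN_FEATURES[200] = {"dhcp_snooping": False, "arp_inspection": True}


@dataclass
class Frame:
    port: str            # ingress interface
    vlan: int
    kind: str            # "dhcp" or "arp"
    msg: str             # DHCP: DISCOVER/OFFER/REQUEST/ACK/NAK; ARP: REQUEST/REPLY
    src_mac: str         # Ethernet source (for ARP, the sender hardware address)
    client_mac: str = "" # DHCP chaddr, the client the lease belongs to
    ip: str = ""         # DHCP yiaddr, or ARP sender protocol address


DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class SnoopingSwitch:
    def __init__(self, trusted_ports, vlan_features):
        self.trusted = set(trusted_ports)
        self.features = vlan_features
        self.bindings = {}   # (vlan, client_mac) -> leased IP, learned from ACKs

    def handle(self, f: Frame) -> str:
        feats = self.features.get(f.vlan, {})
        if f.kind == "dhcp" and feats.get("dhcp_snooping"):
            return self._dhcp(f)
        # ARP inspection only takes effect when DHCP snooping is also on.
        if f.kind == "arp" and feats.get("arp_inspection") and feats.get("dhcp_snooping"):
            return self._arp(f)
        return "forward"

    def _dhcp(self, f: Frame) -> str:
        if f.msg not in DHCP_SERVER_MSGS:
            return "forward"          # client messages are accepted on any port
        if f.port not in self.trusted:
            return "drop: DHCP server message on untrusted port"
        if f.msg == "ACK":            # a completed lease creates a binding
            self.bindings[(f.vlan, f.client_mac.lower())] = f.ip
        return "forward"

    def _arp(self, f: Frame) -> str:
        if f.port in self.trusted:
            return "forward"
        if self.bindings.get((f.vlan, f.src_mac.lower())) == f.ip:
            return "forward"
        return "drop: ARP sender does not match DHCP snooping binding"


def run(uplink_trusted=True):
    """Push a constructed DHCP exchange and ARP traffic through the switch and
    return the verdict per frame. With uplink_trusted=False the uplink is left
    untrusted, which is the failure the guide's caution describes."""
    trusted = {"1/1/23", "1/1/24"} if uplink_trusted else set()
    sw = SnoopingSwitch(trusted, VLAN_FEATURES)
    client, server = "00:0b:86:00:00:01", "aa:aa:aa:00:00:01"
    frames = [
        Frame("1/1/1", 101, "dhcp", "DISCOVER", client, client_mac=client),
        Frame("1/1/23", 101, "dhcp", "OFFER", server, client_mac=client, ip="10.14.1.50"),
        Frame("1/1/23", 101, "dhcp", "ACK", server, client_mac=client, ip="10.14.1.50"),
        Frame("1/1/5", 101, "dhcp", "ACK", "bb:bb:bb:00:00:01", client_mac=client, ip="192.168.9.9"),  # rogue server
        Frame("1/1/1", 101, "arp", "REPLY", client, ip="10.14.1.50"),   # matches its lease
        Frame("1/1/1", 101, "arp", "REPLY", client, ip="10.14.1.1"),    # claims the gateway address
        Frame("1/1/23", 101, "arp", "REPLY", "aa:aa:aa:00:00:02", ip="10.14.1.1"),  # gateway via uplink
        Frame("1/1/2", 200, "arp", "REPLY", "cc:cc:cc:00:00:01", ip="10.20.0.7"),   # VLAN without snooping
    ]
    return [sw.handle(f) for f in frames]


if __name__ == "__main__":
    for trusted in (True, False):
        print("uplink trusted:", trusted, run(trusted))
```

With the uplinks untrusted, the server's OFFER and ACK are dropped on the way in, no binding is ever learned, and the client's later ARP replies are dropped as well, which is exactly the symptom the caution above describes.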
Applying the Template Configuration
After the template configuration is created, it must be placed into Central. This procedure walks through steps to get the configuration into the template.
Step 1 On the Groups page, in the Manage Groups section, drag the access switches from the right side to the template group on the left side.
Step 2 Go to Global > Groups. In the Groups list, select TG-SW-BG01.
Step 3 On the Switches List page at the top right, click Config.
Step 4 On the Switches Template section at the top right, click the + (plus sign) symbol.
Step 5 On the Add Template window in the Basic Info section, assign the following settings, then click Next.
- Template Name: SW-BR-Config
- Device Type: Aruba CX
- Model: 6300
- Part Name: JL666A
- Version: All
Step 6 In the Edit Template section, paste the access configuration in the box, then click SAVE.
Caution: All variables must be enclosed with percent “%” symbols.
Upload the Access Switch Variables
Use this procedure to upload the variables for the access switches into Central.
Step 1 On the Devices > Switches page, select the Variables tab, then click DOWNLOAD SAMPLE VARIABLES FILES.
Step 2 Open the CSV file in an editor, enter the proper value for each variable, and enter Y in the modified column. Save the file on your computer.
Caution: Change the modified column to Y for each device.
Step 3 On the Variables tab, click Upload Variables Files, find the updated CSV file on your computer, then click Open.
Step 5 Go to Devices > Switches > List and verify that the switches are In sync.
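The following is an added example, not part of the Aruba guide or of Central, that renders a %VARIABLE% template per switch from a variables CSV and checks the file before upload, covering both the "Creating Switch Template Configuration" section and the variable upload procedure above. The template is a cut-down version of the configuration in this document and the variable values are the ones from its tables; the CSV column names (serial plus the variable names) are an assumption made here, and Central's own sample file may name the fixed columns differently. Only the modified column, which the guide says must be Y, is taken from the text.

```python
# Added example (not from the Aruba guide): render a %VAR% switch template per
# device from a variables CSV and validate the file before uploading it.
# Template and CSV below are constructed from values in the guide; CSV column
# names are an assumption of this example.

import csv
import io
import re

VAR_RE = re.compile(r"%([A-Z0-9_]+)%")

# Constructed, cut-down version of the guide's access switch template.
TEMPLATE = """\
hostname %HOSTNAME%
interface vlan 100
description MGMT
ip address %MGMT_IP%/24
ip route 0.0.0.0/0 %DEFAULT_ROUTE%
interface %UPLINK_1%
description Uplink_BGW
vlan trunk native 100
interface %UPLINK_2%
description Uplink_BGW
vlan trunk native 100
"""

# Constructed variables file. The third row is deliberately incomplete and
# unmodified to show what the validator reports.
VARIABLES_CSV = """\
serial,modified,HOSTNAME,MGMT_IP,DEFAULT_ROUTE,UPLINK_1,UPLINK_2
SG12KN5052,Y,RS01-SW01,10.14.0.4,10.14.0.1,1/1/23,1/1/24
SG12KN505R,Y,RS01-SW02,10.14.0.5,10.14.0.1,1/1/23,1/1/24
EXAMPLE03,N,RS01-SW03,10.14.0.4,,1/1/23,1/1/24
"""


def template_variables(template: str) -> set:
    """Every %NAME% reference used in the template."""
    return set(VAR_RE.findall(template))


def load_variables(csv_text: str) -> dict:
    """Parse the CSV into {serial: row} (rows are column -> value dicts)."""
    return {row["serial"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def render(template: str, row: dict) -> str:
    """Substitute one device's values into the template; a variable with no
    value is an error rather than a silent blank in the running config."""
    def substitute(match):
        name = match.group(1)
        if not row.get(name):
            raise KeyError(f"variable {name} has no value for {row['serial']}")
        return row[name]
    return VAR_RE.sub(substitute, template)


def validate(template: str, rows: dict) -> list:
    """Return a list of problems: stray % in the template, rows not marked
    modified, variables without a value, and duplicate management IPs."""
    problems = []
    if "%" in VAR_RE.sub("", template):
        problems.append("template: stray % outside a %VAR% reference")
    needed = template_variables(template)
    seen_mgmt = {}
    for serial, row in rows.items():
        if row.get("modified", "").strip().upper() != "Y":
            problems.append(f"{serial}: modified column is not Y")
        for name in sorted(needed):
            if not row.get(name):
                problems.append(f"{serial}: no value for %{name}%")
        ip = row.get("MGMT_IP")
        if ip:
            if ip in seen_mgmt:
                problems.append(f"{serial}: MGMT_IP {ip} duplicates {seen_mgmt[ip]}")
            else:
                seen_mgmt[ip] = serial
    return problems


if __name__ == "__main__":
    rows = load_variables(VARIABLES_CSV)
    for problem in validate(TEMPLATE, rows):
        print("PROBLEM:", problem)
    print(render(TEMPLATE, rows["SG12KN5052"]))
```

Running the validator before the upload catches the two mistakes the cautions above warn about, an unmodified row and an unterminated variable, plus a duplicate management address that would otherwise only show up as two switches fighting over one IP.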