19-Apr-24

Branch Switch Configuration

The primary function of the switch in this branch deployment is to provide power and layer 2 access to wired devices and APs. Each branch deployment should have the same physical connectivity to minimize differences in the template. OWL has a requirement for two different switch topologies. To accommodate this, there will be two switch templates: one for the collapsed core and one for the access switch. The majority of the configuration is the same for both switches; the only difference is in the uplinks and downlinks. The following section leverages templates to configure the switches.

Templates leverage variables to apply unique configuration to switches. A variable is created by placing a percent sign on both sides of a string in the configuration file. The string is defined by the admin and becomes a column in a CSV file that the admin must fill in for each switch. Below is an example of how variables are created and formatted.

interface Vlan 10
  ip address %VLAN_IP%

| Switch Name   | %VLAN_IP% Variable Input |
|---------------|--------------------------|
| Example-SW-01 | 10.0.0.2                 |
| Example-SW-02 | 10.0.0.2                 |

In advanced cases, templates might need to take advantage of other template functions such as if and else statements. If statements are also delimited by a percent sign on both sides of the string. There are a few differences between an if-statement variable and a single variable. The following guide demonstrates how to use variables to allow for flexibility within a configuration file.
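As an added example (not part of this guide and not Central's own template engine), the Python below models the variable and if-statement syntax shown above: it reads a constructed variables CSV in the layout of the sample file, substitutes each %VAR% per switch, and keeps a %if VAR=value% ... %endif% block only when the CSV value matches. The template text, CSV rows, and the exact matching semantics are assumptions for illustration.

```python
import csv
import io
import re

# Constructed template fragment using this page's syntax: %VAR% placeholders
# and %if VAR=value% ... %endif% blocks (assumed semantics, not Central's engine).
TEMPLATE = """hostname %HOSTNAME%
interface vlan 10
  ip address %VLAN_IP%
%if SITE_HAS_AGG=n%
interface 1/1/23
  description Uplink_to_BGW
%endif%
%if SITE_HAS_AGG=y%
interface lag 1
interface 1/1/23
  description Uplink_to_AGG
  lag 1
%endif%
"""

# Constructed variables CSV in the assumed layout of Central's sample file:
# serial, MAC, one column per variable, and the Modified flag.
VARIABLES_CSV = """Switch Serial,Switch Mac,%HOSTNAME%,%VLAN_IP%,%if SITE_HAS_AGG%,Modified
SERIAL-A,00:00:00:00:00:01,SFOBR-CR1-AC1,10.0.0.2,y,Y
SERIAL-B,00:00:00:00:00:02,HOUBR-ECB-1CR1,10.0.0.3,n,Y
"""

IF_RE = re.compile(r"^%if (\w+)=(\S+)%$")
VAR_RE = re.compile(r"%(\w+)%")
HEADER_RE = re.compile(r"%(?:if )?(\w+)%")


def load_variables(csv_text):
    """Return {serial: {variable: value}}, dropping the %...% header decoration."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        values = {}
        for column, value in row.items():
            m = HEADER_RE.fullmatch(column)
            if m:
                values[m.group(1)] = value.strip()
        rows[row["Switch Serial"]] = values
    return rows


def render(template, variables):
    """Expand %VAR% and keep an %if VAR=value% block only when the value matches.
    A variable missing from the row raises KeyError; an unbalanced block raises ValueError."""
    out, keep = [], [True]
    for line in template.splitlines():
        m = IF_RE.match(line)
        if m:
            keep.append(keep[-1] and variables[m.group(1)] == m.group(2))
        elif line == "%endif%":
            if len(keep) == 1:
                raise ValueError("%endif% without matching %if")
            keep.pop()
        elif keep[-1]:
            out.append(VAR_RE.sub(lambda v: variables[v.group(1)], line))
    if len(keep) != 1:
        raise ValueError("%if without matching %endif%")
    return "\n".join(out) + "\n"
```

Rendering each CSV row locally before upload catches a blank or misspelled variable column as an error instead of a template that silently fails to apply in Central.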


Stacking Switches Offline

Before connecting the uplinks, the switches should be stacked. Use the following procedure to stack the switches before they connect to Central.

Caution: Do not connect the switch to the gateway before it is stacked; otherwise it will not be able to stack offline without a factory reset.

Before starting this procedure check the following:

Step 1 Ensure switches are running AOS-CX 10.7 or above.

Step 2 All switches are factory default.

Step 3 Switches in the stack are using the reserved auto-stacking ports.

  • 24 port switches auto stack ports : 25, 26
  • 48 port switches auto stack ports: 49, 50

Step 4 Switches are connected in a ring topology.

Step 5 Console connection to the switch.

After going through the checklist above the switches are ready to be stacked.

Step 1 Press the mode button until the LED displays STK on the switch that will be the conductor, wait for the conductor to reboot.

Step 2 On the second switch, press the mode button until the LED displays STK. Wait for the second member to boot.

Note: During the stacking operation, the port LEDs show three different states:
  • Flashing green - the member is the conductor.
  • Flashing orange - the member is rebooting to join the stack or is offline due to an error condition.
  • Solid green - the member has joined the stack and is operational. For more information on stacking LED states, refer to the Monitoring Guide.

Configure the Access Base Features

Use this procedure to configure the access switch base features. The base features include the host name, management user account, banner MOTD, NTP, DNS, TACACS, and AAA.

In the configuration template, perform the following steps:

Step 1 Configure the switch host name.

hostname %HOSTNAME%

Step 2 Configure the management user account.

user admin group administrators password plaintext <password> 

Note: There must be an admin user account for CLI access to the switch.

Step 3 Configure the login banner. The banner MOTD is normally used as a legal disclaimer to notify users logging into the network that only authorized access is allowed. Consult your own legal team to define the banner MOTD. An example is shown below.

banner motd $
**********************************************************
NOTICE TO USERS
This is a private computer system and is the property of Aruba Networks. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy while connected to this system.
...
Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use of this system, you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
***********************************************************
$

Note: When setting the banner, a delimiter character terminates the MOTD text and returns the switch from the banner context to configuration mode. In this example, the delimiter is “$”.

Step 4 Configure the NTP servers and time zone.

ntp server 10.2.120.98 iburst version 3
ntp server 10.2.120.99 iburst version 3
clock timezone us/pacific

Step 5 Configure the DNS servers and domain name.

ip dns host 10.2.120.98
ip dns host 10.2.120.99
ip dns domain-name Example.local

Configure the Access VLANs

In order to provide client devices with network connectivity, access switches must have the same VLANs as the branch gateways. The access switches also have an additional layer 3 interface for the management VLAN. IGMP, DHCP snooping, and ARP inspection are enabled.

IGMP snooping prevents hosts on a local network from receiving traffic for a multicast group they have not explicitly joined. The feature provides layer 2 switches with a mechanism to prune multicast traffic from ports that do not contain an active multicast listener.

DHCP snooping is enabled globally and enabled for each VLAN to snoop DHCP packets. DHCP snooping prevents DHCP starvation attacks and rogue DHCP servers from servicing requests on the network.

ARP inspection is enabled under the VLAN, but does not take effect unless DHCP snooping also is enabled. ARP inspection stops man-in-the-middle attacks caused by ARP cache poisoning.

In the configuration template, assign the following configuration:

| VLAN ID | Description |
|---------|-------------|
| 100     | MGMT VLAN   |
| 101     | Employee    |
| 102     | Camera      |
| 103     | IOT         |
| 104     | Guest       |
| 105     | Reject      |
| 106     | Critical    |
| 107     | Quarantine  |

Step 1 Configure DHCP snooping globally.

dhcpv4-snooping

Step 2 Configure the access VLANs, enable DHCP/IGMP snooping, and enable ARP inspection.

vlan 100
  name MGMT
  dhcpv4-snooping
  arp inspection
  ip igmp snooping enable
vlan 101
  name EMPLOYEE
  dhcpv4-snooping
  arp inspection
  ip igmp snooping enable
...
vlan 107
  name QUARANTINE
  dhcpv4-snooping
  arp inspection
  ip igmp snooping enable

Step 3 Configure the layer 3 interface VLAN.

interface vlan 100
  description MGMT
  ip dhcp

Note: The ip dhcp command can be applied to only one VLAN interface. The template will fail to apply if multiple VLAN interfaces carry this configuration.

Configure Device Profiles

Device profiles detect APs dynamically and configure the attached port properly for device management and for tagging the bridged SSIDs. This assists network operators by eliminating manual configuration of ports to which APs are connected.

Device profiles are applied in three steps. First, configure the role to identify the AP, as well as the port tagging. Second, define the LLDP group, which uses LLDP to glean the device OUI to identify if the device is an Aruba AP. Last, associate the role and LLDP group in a device profile configuration.

Note: This procedure can be skipped if ClearPass is used to authenticate Aruba APs.

On each access switch, perform the following steps:

Step 1 Configure the Aruba-AP Role. Create the role, set the authentication mode, set the native VLAN, and define the allowed VLANs.

port-access role ARUBA-AP
  auth-mode device-mode
  vlan trunk native 100
  vlan trunk allowed 100,101,104-107

Step 2 Configure the LLDP group. Create the group and identify the Aruba AP OUIs.

port-access lldp-group AP-LLDP-GROUP
  seq 10 match vendor-oui 000b86
  seq 20 match vendor-oui D8C7C8
  seq 30 match vendor-oui 6CF37F
  seq 40 match vendor-oui 186472
  seq 50 match sys-desc ArubaOS

Note: The LLDP group identifies Aruba APs by vendor OUI and uses the system-description match at the end as a catchall for future APs.

Step 3 Configure the device profile. Create the profile, enable it, then associate it with the role and LLDP group created previously.

port-access device-profile ARUBA_AP
  enable
  associate role ARUBA-AP
  associate lldp-group AP-LLDP-GROUP

Configure RADIUS

Use this procedure to configure the RADIUS servers for the access switch.

Access switches authenticate devices attempting to connect to the network. The two most common methods to authenticate users are 802.1x and MAC-based authentication. This design supports both methods, as well as dynamic authorization that allows the AAA server to change the authorization level of the device connected to the switch.

RADIUS tracking is enabled to verify the status of the client and server. The configuration also includes user roles for rejected clients and RADIUS failure scenarios.

On each access switch, perform the following steps:

Step 1 Configure the RADIUS servers, enable RADIUS dynamic authorization, and track client IP addresses with probes.

radius-server host 10.2.120.94 key plaintext <Password>
radius-server host 10.2.120.95 key plaintext <Password>
radius dyn-authorization enable
client track ip update-method probe

Step 2 Configure AAA for 802.1x and MAC authentication.

aaa authentication port-access dot1x authenticator
  enable
aaa authentication port-access mac-auth
  enable

Step 3 Configure local user roles, set the authentication mode, and set the VLAN.

port-access role EMPLOYEE
  reauth-period 120
  vlan access 101
port-access role CAMERA
  reauth-period 120
  vlan access 102
port-access role IOT
  reauth-period 120
  vlan access 103
port-access role GUEST
  reauth-period 120
  vlan access 104
port-access role REJECT
  reauth-period 120
  vlan access 105
port-access role CRITICAL
  reauth-period 120
  vlan access 106
port-access role QUARANTINE
  reauth-period 120
  vlan access 107

Step 4 Configure AAA authentication on the access ports. Set the client limit, configure 802.1x/MAC authentication, set the authentication order, and configure the critical role and the reject role. Adjust the EAPOL timeout, max requests, and max retry defaults.

interface 1/1/1
  description ACCESS_PORT
  no shutdown
  no routing
  vlan access 1
  aaa authentication port-access client-limit 5
  aaa authentication port-access auth-precedence dot1x mac-auth
  aaa authentication port-access critical-role CRITICAL
  aaa authentication port-access reject-role REJECT
  aaa authentication port-access dot1x authenticator
    eapol-timeout 30
    max-eapol-requests 1
    max-retries 1
    enable
  aaa authentication port-access mac-auth
    enable

Note:
  • EAPOL timeout: the amount of time the switch waits for an EAP response before treating the packet as lost.
  • Max EAPOL requests: the number of requests the interface can have outstanding at one time.
  • Max retries: the number of times the switch tries to authenticate the device.

Configure Spanning Tree

Spanning tree is enabled globally on each access switch as a loop prevention mechanism. Supplemental features such as admin-edge, root guard, BPDU guard, and TCN guard are enabled on appropriate interfaces to ensure that spanning tree runs effectively.

On each access switch, perform the following steps:

Step 1 Configure spanning tree globally and enable Rapid Per VLAN Spanning Tree for the access VLANs.

spanning-tree mode rpvst
spanning-tree
spanning-tree priority 8
spanning-tree vlan 100-107 priority 15
spanning-tree vlan 100-107

Step 2 Configure the supplemental spanning tree features.

interface 1/1/1
  description ACCESS_PORT
  no shutdown
  no routing
  vlan access 1
  spanning-tree bpdu-guard
  spanning-tree port-type admin-edge
  spanning-tree root-guard
  spanning-tree tcn-guard
  loop-protect
  loop-protect action tx-disable

Step 3 The final access port configuration should look like the following:

interface 1/1/1
  description ACCESS_PORT
  no shutdown
  no routing
  vlan access 1
  spanning-tree bpdu-guard
  spanning-tree port-type admin-edge
  spanning-tree root-guard
  spanning-tree tcn-guard
  loop-protect
  loop-protect action tx-disable
  aaa authentication port-access client-limit 5
  aaa authentication port-access auth-precedence dot1x mac-auth
  aaa authentication port-access critical-role CRITICAL
  aaa authentication port-access reject-role REJECT
  aaa authentication port-access dot1x authenticator
    eapol-timeout 30
    max-eapol-requests 1
    max-retries 1
    enable
  aaa authentication port-access mac-auth
    enable

Step 4 Repeat the full interface configuration for each access port. The collapsed core switch will be stacked, so ensure the stacked interface ports are used, e.g. 2/1/1.

Each access switch can have an uplink connection to both BGWs or to an aggregation switch. Each uplink connected to the gateway is a trunk with allowed VLANs 100-107. If the access switch is connected to an aggregation switch, it uses a LAG with the same allowed VLANs. The native VLAN for the uplink is VLAN 100. Each uplink has DHCP snooping trust and ARP inspection trust enabled. The section below demonstrates how to use if statements in the template to dictate which configuration the switch receives.

Caution: If DHCP Snooping and ARP inspection trust are not enabled, clients cannot get an IP address and connect to the network.

For the access switch template perform the following steps:

Step 1 Configure the uplink interface, then set the native VLAN and the allowed VLANs on the trunk.

interface 1/1/24
  description Uplink_GW
  no shutdown
  no routing
  vlan trunk native 100
  vlan trunk allowed 100-107

Step 2 Configure ARP inspection trust and DHCP snooping trust.

interface 1/1/23
  description Uplink_GW
  no shutdown
  no routing
  vlan trunk native 100
  vlan trunk allowed 100-107
  arp inspection trust
  dhcpv4-snooping trust

Caution: DHCP snooping and ARP inspection must be trusted on the trunk interface to allow clients to receive DHCP addresses from the centralized DHCP servers on the network.

Step 3 Wrap the uplink ports in an if statement.

%if SITE_HAS_AGG=n%
interface 1/1/23
  description Uplink_to_BGW
  no shutdown
  no routing
  vlan trunk native 100
  vlan trunk allowed 100-107
  arp inspection trust
  dhcpv4-snooping trust
interface 1/1/24
  description Uplink_to_BGW
  no shutdown
  no routing
  vlan trunk native 100
  vlan trunk allowed 100-107
  arp inspection trust
  dhcpv4-snooping trust
%endif%

Step 4 Configure the LAG.

interface lag 1
    no shutdown
    no routing
    vlan trunk native 100
    vlan trunk allowed 100-107
    lacp mode active
    lacp fallback-static
    arp inspection trust
    dhcpv4-snooping trust

Step 5 Wrap the LAG and the uplinks in if statements.

%if SITE_HAS_AGG=y%
interface lag 1
    no shutdown
    no routing
    vlan trunk native 100
    vlan trunk allowed 100-107
    lacp mode active
    lacp fallback-static
    arp inspection trust
    dhcpv4-snooping trust
%endif%

%if SITE_HAS_AGG=y%
interface 1/1/23
    no shutdown
    description Uplink_to_AGG
    lag 1
interface 1/1/24
    no shutdown
    description Uplink_to_AGG
    lag 1
%endif%
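As an added check that is not part of this guide or of Central, the Python below lints a rendered template against three rules this page states: every trunk or LAG carries both arp inspection trust and dhcpv4-snooping trust (the cautions above), ip dhcp appears on only one VLAN interface (the note under the VLAN interface step), and every critical-role, reject-role and lag reference points at something the template defines. The config fragment is constructed with deliberate mistakes so each check fires.

```python
import re

# Constructed AOS-CX style config fragment with deliberate mistakes so
# every check below fires; it is not configuration from this guide.
SAMPLE_CONFIG = """port-access role CRITICAL
  vlan access 106
interface lag 1
  vlan trunk native 100
  vlan trunk allowed 100-107
  arp inspection trust
  dhcpv4-snooping trust
interface vlan 100
  ip dhcp
interface vlan 101
  ip dhcp
interface 1/1/1
  aaa authentication port-access critical-role CRITICAL
  aaa authentication port-access reject-role REJECT_AUTH
interface 1/1/24
  vlan trunk native 100
  vlan trunk allowed 100-107
  arp inspection trust
interface 1/1/25
  lag 2
"""

TRUST = ("arp inspection trust", "dhcpv4-snooping trust")


def parse_blocks(config_text):
    """Split a config into (header, [child commands]) by indentation."""
    blocks = []
    for raw in config_text.splitlines():
        if raw and not raw[0].isspace():
            blocks.append((raw.strip(), []))
        elif raw.strip() and blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def lint(config_text):
    """Return a list of findings for the template rules this page states."""
    blocks = parse_blocks(config_text)
    roles = {h.split()[2] for h, _ in blocks if h.startswith("port-access role ")}
    lags = {h.split()[2] for h, _ in blocks if h.startswith("interface lag ")}
    findings, dhcp_ifaces = [], []
    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        name = header[len("interface "):]
        # Trunks and LAGs must trust DHCP snooping and ARP inspection,
        # otherwise clients behind the switch never get an address.
        if any(cmd.startswith("vlan trunk") for cmd in body):
            findings += [f"{name}: trunk without '{t}'" for t in TRUST if t not in body]
        if "ip dhcp" in body:  # allowed on only one VLAN interface
            dhcp_ifaces.append(name)
        for cmd in body:
            m = re.search(r"(critical|reject)-role (\S+)$", cmd)
            if m and m.group(2) not in roles:
                findings.append(f"{name}: {m.group(1)}-role {m.group(2)} is not defined")
            m = re.fullmatch(r"lag (\d+)", cmd)
            if m and m.group(1) not in lags:
                findings.append(f"{name}: member of undefined lag {m.group(1)}")
    if len(dhcp_ifaces) > 1:
        findings.append("ip dhcp on more than one VLAN interface: " + ", ".join(dhcp_ifaces))
    return findings
```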

For the collapsed core switch template, perform the following steps:

Step 1 Configure the LAGs.

interface lag 1
    no shutdown
    no routing
    vlan trunk native 100
    vlan trunk allowed 100-107
    lacp mode active
    lacp fallback-static
    arp inspection trust
    dhcpv4-snooping trust
interface lag 2
    no shutdown
    no routing
    vlan trunk native 100
    vlan trunk allowed 100-107
    lacp mode active
    lacp fallback-static
    arp inspection trust
    dhcpv4-snooping trust
interface lag 3
    no shutdown
    no routing
    vlan trunk native 100
    vlan trunk allowed 100-107
    lacp mode active
    lacp fallback-static
    arp inspection trust
    dhcpv4-snooping trust
interface lag 4
    no shutdown
    no routing
    vlan trunk native 100
    vlan trunk allowed 100-107
    lacp mode active
    lacp fallback-static
    arp inspection trust
    dhcpv4-snooping trust

Step 2 Configure the uplink interfaces, then set the native VLAN and the allowed VLANs on the trunk.

interface 1/1/23
  description Uplink_GW
  no shutdown
  no routing
  lag 1
interface 1/1/24
  description Uplink_GW
  no shutdown
  no routing
  lag 1
interface 2/1/23
  description Uplink_GW
  no shutdown
  no routing
  lag 2
interface 2/1/24
  description Uplink_GW
  no shutdown
  no routing
  lag 2

Step 3 Configure the downlinks to the access switches.

interface 1/1/1
  description Downlink_ACC
  no shutdown
  no routing
  lag 3
interface 1/1/2
  description Downlink_ACC
  no shutdown
  no routing
  lag 4
interface 2/1/1
  description Downlink_ACC
  no shutdown
  no routing
  lag 3
interface 2/1/2
  description Downlink_ACC
  no shutdown
  no routing
  lag 4

Applying the Template Configuration

After the template configuration is created, there should be two configuration files: one for the access switch and one for the collapsed core. The only difference is the uplinks and the stacking port configuration for the collapsed core. This procedure walks through the steps to get the configuration into Central.

Step 1 On the Groups page, in the Manage Groups section, drag the access switches from the right side to the template group on the left side.

Step 2 Go to Global > Groups. In the Groups list, select BR-ECSDB.

Step 3 On the Switches List page at the top right, click Config.


Step 4 On the Switches Template section at the top right, click the + (plus sign) symbol.


Step 5 On the Add Template window in the Basic Info section, assign the following settings, then click Next.

  • Template Name: BR-ACC
  • Device Type: Aruba CX
  • Model: 6200
  • Part Name: All
  • Version: All


Step 6 In the Edit Template section, paste the access configuration in the box, then click SAVE.

Caution: All variables must be enclosed with percent “%” symbols.


Step 7 Repeat steps 4-6 for the collapsed core with the following details.

  • Template Name: BR-AGG
  • Device Type: Aruba CX
  • Model: 6300
  • Part Name: All
  • Version: All

Upload the Access Switch Variables

Use this procedure to upload the variables for the access switches into Central.

Step 1 On the Devices > Switches page, select the Variables tab, then click DOWNLOAD SAMPLE VARIABLES FILES.


Step 2 Open the CSV file in an editor, enter the proper value for each variable, and enter Y in the modified column. Save the file on your computer.

| Switch Serial | Switch Mac        | %HOSTNAME% Variable Input | %if SITE_HAS_AGG% Variable | Modified |
|---------------|-------------------|---------------------------|----------------------------|----------|
| SG1AKW50LJ    | 44:5b:ed:37:62:c0 | HOUBR-ECB-1CR1            | n                          | Y        |
| TW14KNK051    | 38:10:f0:25:6f:c0 | MIABR-ECB1-CR1            | n                          | Y        |
| SG12KN5052    | 8c:85:c1:5d:c1:40 | SFOBR-ECB1-CR1            |                            | Y        |
| SG12KN505R    | 8c:85:c1:60:5f:00 | SFOBR-ECB1-CR1            |                            | Y        |
| SG0BKW506D    | 8c:85:c1:50:e0:00 | SFOBR-CR1-AC1             | y                          | Y        |
| SG0BKW5070    | 8c:85:c1:50:93:c0 | SFOBR-CR1-AC1             | y                          | Y        |

Caution: Change the Modified column to Y for each device. For the aggregation (collapsed core) switches, leave the variables that do not apply blank.

Step 3 On the Variables tab, click Upload Variables Files, find the updated CSV file on your computer, then click Open.


Stacking Collapsed Core Switches Offline

Before connecting the uplinks to the collapsed core, the switches should be stacked. Use the following procedure to stack the switches before they connect to Central. For the Houston and Miami sites the switches do not need to be stacked, so they can be connected directly to the branch gateways.

Caution: Do not connect the switch to the gateway before it is stacked; otherwise it will not be able to stack offline without a factory reset.

Before starting this procedure check the following:

  1. Ensure switches are running AOS-CX 10.7 or above.
  2. All switches are factory default.
  3. Switches in the stack are using the reserved auto-stacking ports.
  4. Switches are connected in a ring topology.
  5. Console connection to the switch.

After going through the checklist above the switches are ready to be stacked.

  1. Press the mode button until the LED displays STK on the switch that will be the conductor, and wait for the conductor to reboot.
  2. On the second switch, press the mode button until the LED displays STK. Wait for the second member to boot.

Note: During the stacking operation, the port LEDs show three different states:
  • Flashing green - the member is the conductor.
  • Flashing orange - the member is rebooting to join the stack or is offline due to an error condition.
  • Solid green - the member has joined the stack and is operational. For more information on stacking LED states, refer to the Monitoring Guide.


  1. Connect the uplinks to the branch gateway.
  2. Verify all switches are online and stacked. Go to Devices > Switches > List and verify that the switches are In sync.


© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.