Enabling Centralized Multi-Site Fabric
OWL Corp. plans to implement role-based policy to simplify network policy across the SD-WAN fabric. They have requested that User Based Tunneling (UBT) be enabled at each branch site, with role-based policy extended between branches.
The following procedures demonstrate how to change the switch and gateway configurations to enable role-based policy with UBT and Multi-Site Fabric. UBT centralizes policy enforcement at the branch gateway. Multi-Site Fabric carries the user role across the WAN, so the policy is enforced at the destination branch gateway or VPNC.
Centralized Multi-Site Fabric Requirements
- Jumbo frames enabled on all gateway VLANs
- Removal of user VLANs from switches and access points
- Jumbo MTU (9198) configured on the switch uplinks and VLAN interfaces
- Switch user roles changed to reference gateway roles instead of VLANs
- UBT client VLAN: this guide uses VLAN 2000
Note: AP configuration does not require adjustment, since APs are already set to tunnel. No additional roles are needed for access points. The gateways proxy the RADIUS request and apply the role returned by ClearPass. The gateway role contains the policy configured below.
Policy Requirements
All devices are assigned a user role. The level of access is determined by the user role. The following policies are configured.
Role | Allowed Access |
---|---|
EMPLOYEE | Printers, Internal Applications, DNS, DHCP, AD, Internet |
IT-ADMIN | All Network Nodes, Internet |
IT-SUPP | Employees, Printers, IOT-INTERNAL, IOT-LMT-INET, IOT-NO-INET, REJECT, Internet |
VISITOR | Internet, Captive Portal, DHCP |
PRINTER | Internal Applications (EMPLOYEE, IT-ADMIN and IT-SUPP should all be able to initiate connections to printers, but the printer should not be able to initiate connections.) |
IOT-NO-INET | IOT-NO-INET |
IOT-INTERNAL | Internal Applications (padlock systems, asset tracking) |
IOT-LMT-INET | SaaS (water systems, air quality monitor, smart thermostats) |
REJECT | Internet (all devices with the REJECT role are profiled by ClearPass) |
QUARANTINE | Internal Applications |
CRITICAL | Internet, AD, DNS |
SECURITY | Internal Applications (security camera DVR, RFID database) |
Note: The policy examples below do not represent all established OWL policies. The instructions cover only the policies affected by this section's requirements.
Enabling Multi-Site Fabric
This section illustrates how to enable Multi-Site Fabric between specific groups. It also details the centralized configuration of user roles using the Global Policy Manager.
User roles must be configured in the Global Policy Manager, which maps each user role to a policy ID. The policy ID is carried with the traffic between branches, which is how policy propagates. The destination branch looks the received policy ID up against the roles configured in Global Policy Manager to recover the source role, and enforces the role-to-role policy on that basis.
Note: For admins who do not intend to enable Multi-Site Fabric, user roles and policies can be configured at the group level.
Configure Global Client Roles
Step 1 On the Global page, in the left menu, click Security.
Step 2 Click the Client Roles tab at the top of the page.
Note: All user roles configured before Aruba Central 2.5.6 were automatically added to Global Policy Manager. Delete the roles that are not needed and skip adding roles that already exist.
Step 3 Click the + (plus sign) in the Roles table.
Step 4 Enter the following User Role name: EMPLOYEE. Click Save.
Step 5 Repeat Steps 3 to 4 for the list of user roles below.
- IT-ADMIN
- IT-SUPP
- VISITOR
- PRINTER
- IOT-NO-INET
- IOT-INTERNAL
- IOT-LMT-INET
- REJECT
- QUARANTINE
- CRITICAL
- SECURITY
Step 6 Hover over the EMPLOYEE role that was created and click the edit (pencil) icon.
Step 7 In the Permissions table, click the edit (pencil) icon.
- Click the PRINTER box in Allow Source to Destination.
- Click Assign.
- Click Save.
Step 8 Repeat step 7 for the role-to-role permissions below. Application-level permissions are configured in the "Update Gateway Configuration" section.
Role | Allowed Access |
---|---|
EMPLOYEE | Printers |
IT-ADMIN | All Network Nodes |
IT-SUPP | Employees, IT-ADMIN, Printers, IOT-INTERNAL, IOT-LMT-INET, IOT-NO-INET, REJECT |
PRINTER | EMPLOYEE, IT-ADMIN and IT-SUPP should all be able to initiate connections to printers, but the printer should not be able to initiate connections. |
IOT-NO-INET | IOT-NO-INET |
Note: The permissions form a single matrix. Allowing a source role to reach a destination role automatically shows that permission on the destination role as well, so it does not need to be entered a second time.
Enable Role to Role Policy across branches
Step 9 At the bottom of the page, under Use a switch fabric for role propagation?, select No.
Step 10 Click Branch and click the + (plus sign).
- Select the BR-ECSDB group.
- Select the VPNC-RSVDC group.
- Click Assign.
- Click Save.
Caution: Two groups must be selected or roles and policy cannot be pushed to the group.
SD-Branch role propagation and role propagation across a switch fabric are mutually exclusive.
Step 12 At the top of the page, click the Role-to-Role Policy Enforcement slider.
Step 13 Scroll down the page and click Save.
SD-Branch User Based Tunneling
This section demonstrates changes needed for the switch and gateway to allow UBT at a branch site. APs are already set to tunnel and do not require adjustment. No additional roles are needed for access points.
Update Switch Template Configuration
The switch template must be updated first.
Four configuration changes are required on the switch: adjusting the MTU size, removing unused VLANs, enabling UBT and adjusting the user roles.
Adjusting the MTU on the switch disrupts service: the switches lose their connection to the gateways until the gateway MTU is changed to match. Make the switch and gateway changes in the same maintenance window.
Step 1 In the BR-ECSDB group, click the Switch tab.
Step 2 In the Switches List page at the top right, click Config.
Step 3 In the Switches Template section, hover over the BR-ACC template and click the edit (pencil) icon.
Configuring UBT Client VLAN
The original template configuration is shown below; these are the VLANs that will be adjusted.
Step 1 Adjust the VLAN configuration.
vlan 101
name EMPLOYEE
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 102
name CAMERA
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 103
name IOT
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 104
name VISITOR
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 105
name REJECT
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 106
name CRITICAL
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 107
name QUARANTINE
dhcpv4-snooping
arp inspection
ip igmp snooping enable
Step 2 Reconfigure the VLANs as shown below. DHCP snooping, ARP inspection and IGMP snooping move from the user VLANs to the new UBT client VLAN 2000:
vlan 100
name MGMT
vlan 101
name EMPLOYEE
vlan 102
name CAMERA
vlan 103
name IOT
vlan 104
name VISITOR
vlan 105
name REJECT
vlan 106
name CRITICAL
vlan 107
name QUARANTINE
vlan 2000
name UBT_CLIENT
dhcpv4-snooping
arp inspection
ip igmp snooping enable
Step 3 Ensure the VLANs are allowed on the uplinks and the MTU is set to 9198.
interface 1/1/23
description Uplink_GW
no shutdown
no routing
mtu 9198
vlan trunk native 100
vlan trunk allowed 100-107
arp inspection trust
dhcpv4-snooping trust
interface 1/1/24
description Uplink_GW
no shutdown
no routing
mtu 9198
vlan trunk native 100
vlan trunk allowed 100-107
arp inspection trust
dhcpv4-snooping trust
Step 4 Adjust the IP MTU on VLAN 100, so the switch can reach the gateways and users can access the network.
interface vlan 100
description MGMT
ip mtu 9198
ip dhcp
Configure UBT
For the switch to tunnel traffic to the gateways, the UBT zone must point to the gateways' system IP addresses. These are new variables in the template (%gateway_1_sys_ip% and %gateway_2_sys_ip%).
Step 1 Define the UBT client VLAN and create the UBT zone in the default VRF.
- UBT Client VLAN: 2000
- UBT Zone: branch
ubt zone branch vrf default
primary-controller ip %gateway_1_sys_ip%
backup-controller ip %gateway_2_sys_ip%
enable
ubt-client-vlan 2000
Adjust User Roles
The roles must be adjusted to point to the gateway roles. The names must match the role names on the gateway, which maps each role to a VLAN and enforces the role-to-role policy. The original template configuration below shows the user roles to be adjusted.
port-access role ARUBA-AP
auth-mode device-mode
vlan trunk native 100
vlan trunk allowed 100,101,104-107
port-access role EMPLOYEE
reauth-period 120
vlan access 101
port-access role PRINTER
reauth-period 120
vlan access 102
port-access role IOT
reauth-period 120
vlan access 103
port-access role GUEST
reauth-period 120
vlan access 104
port-access role REJECT
reauth-period 120
vlan access 105
port-access role CRITICAL
reauth-period 120
vlan access 106
port-access role QUARANTINE
reauth-period 120
vlan access 107
Step 1 Remove the vlan access line from each role shown above and replace it with the following line, using the respective role name:
- gateway-zone zone branch gateway-role <role name>
port-access role EMPLOYEE
reauth-period 120
gateway-zone zone branch gateway-role EMPLOYEE
port-access role SECURITY
reauth-period 120
gateway-zone zone branch gateway-role SECURITY
port-access role IOT-NO-INET
reauth-period 120
gateway-zone zone branch gateway-role IOT-NO-INET
port-access role IOT-INTERNAL
reauth-period 120
gateway-zone zone branch gateway-role IOT-INTERNAL
port-access role IOT-LMT-INET
reauth-period 120
gateway-zone zone branch gateway-role IOT-LMT-INET
port-access role VISITOR
reauth-period 120
gateway-zone zone branch gateway-role VISITOR
port-access role INFRA-DEVICE
reauth-period 120
gateway-zone zone branch gateway-role INFRA-DEVICE
port-access role PRINTER
reauth-period 120
gateway-zone zone branch gateway-role PRINTER
port-access role IT-ADMIN
reauth-period 120
gateway-zone zone branch gateway-role IT-ADMIN
port-access role IT-SUPP
reauth-period 120
gateway-zone zone branch gateway-role IT-SUPP
port-access role REJECT
reauth-period 120
gateway-zone zone branch gateway-role REJECT
port-access role CRITICAL
reauth-period 120
vlan access 106
port-access role QUARANTINE
reauth-period 120
gateway-zone zone branch gateway-role QUARANTINE
Step 2 Remove the old user VLANs from the AP role, leaving only the management VLAN on the trunk.
port-access role ARUBA-AP
auth-mode device-mode
vlan trunk native 100
vlan trunk allowed 100
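The switch conversion above touches several places in one template: the MTU on the uplinks and the management SVI, the UBT zone and client VLAN, and every port-access role. The following Python script is an added example, not part of this guide and not an Aruba tool. It reads a template in the flat form shown on this page and reports what the section requires but the template still lacks: a trunk uplink without the jumbo MTU, an SVI without the IP MTU, an incomplete UBT zone, an undefined client VLAN, a role still mapped to a local VLAN, and a gateway-role name that does not match the switch role or does not exist in Global Policy Manager. The sample template is constructed for the example; the list of expected role names is the one created in the Global Client Roles step.

```python
"""Lint an AOS-CX switch template for the UBT conversion described above.
Added example, not part of the guide or of Aruba Central."""
import re

JUMBO_MTU = 9198
# Role names created in the Global Client Roles step of the guide.
GLOBAL_ROLES = {"EMPLOYEE", "IT-ADMIN", "IT-SUPP", "VISITOR", "PRINTER",
                "IOT-NO-INET", "IOT-INTERNAL", "IOT-LMT-INET", "REJECT",
                "QUARANTINE", "CRITICAL", "SECURITY"}
# Lines that open a configuration context in the flat template form.
BLOCK_START = re.compile(r"^(interface vlan \d+|interface \S+|vlan \d+|"
                         r"ubt zone \S+ vrf \S+|port-access role \S+)$")
GLOBAL_CMDS = ("ubt-client-vlan ",)  # top-level commands, not context children

# Constructed sample: one uplink without jumbo MTU, one role pointing at a
# misspelled gateway role and one role still mapped to a local VLAN.
SAMPLE_TEMPLATE = """\
vlan 2000
name UBT_CLIENT
interface 1/1/23
description Uplink_GW
mtu 9198
vlan trunk allowed 100-107
interface 1/1/24
description Uplink_GW
vlan trunk allowed 100-107
interface vlan 100
ip mtu 9198
ubt zone branch vrf default
primary-controller ip %gateway_1_sys_ip%
backup-controller ip %gateway_2_sys_ip%
enable
ubt-client-vlan 2000
port-access role EMPLOYEE
reauth-period 120
gateway-zone zone branch gateway-role EMPLOYEE
port-access role IOT-INETERNAL
reauth-period 120
gateway-zone zone branch gateway-role IOT-INETERNAL
port-access role CRITICAL
reauth-period 120
vlan access 106
"""

def parse_blocks(text):
    """Split a flat template into (context line, child lines) pairs."""
    blocks = [("global", [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if BLOCK_START.match(line):
            blocks.append((line, []))
        elif line.startswith(GLOBAL_CMDS):
            blocks[0][1].append(line)
        else:
            blocks[-1][1].append(line)
    return blocks

def lint_template(text):
    """Return a list of findings; an empty list means the template is ready."""
    blocks = parse_blocks(text)
    findings = []
    vlans = {int(h.split()[1]) for h, _ in blocks if h.startswith("vlan ")}
    zones = {h.split()[2] for h, _ in blocks if h.startswith("ubt zone ")}
    client_vlan = next((int(l.split()[1]) for l in blocks[0][1]
                        if l.startswith("ubt-client-vlan ")), None)
    if client_vlan is None:
        findings.append("ubt-client-vlan is not configured")
    elif client_vlan not in vlans:
        findings.append(f"ubt-client-vlan {client_vlan} is not a defined VLAN")
    for header, body in blocks:
        if header.startswith("interface vlan "):
            if f"ip mtu {JUMBO_MTU}" not in body:
                findings.append(f"{header}: ip mtu {JUMBO_MTU} missing")
        elif header.startswith("interface "):
            # Only trunk ports carry the tunnel towards the gateways.
            if any(l.startswith("vlan trunk") for l in body) and f"mtu {JUMBO_MTU}" not in body:
                findings.append(f"{header}: mtu {JUMBO_MTU} missing on uplink")
        elif header.startswith("ubt zone "):
            for needed in ("primary-controller ip", "backup-controller ip", "enable"):
                if not any(l == needed or l.startswith(needed + " ") for l in body):
                    findings.append(f"{header}: '{needed}' missing")
        elif header.startswith("port-access role "):
            role = header.split()[2]
            local = [l for l in body if l.startswith("vlan access ")]
            tunneled = [l for l in body if l.startswith("gateway-zone zone ")]
            if local and not tunneled:
                findings.append(f"role {role}: still local ({local[0]}), not tunneled")
            for line in tunneled:
                m = re.match(r"gateway-zone zone (\S+) gateway-role (\S+)", line)
                if not m:
                    findings.append(f"role {role}: cannot parse '{line}'")
                    continue
                zone, gw_role = m.groups()
                if zone not in zones:
                    findings.append(f"role {role}: UBT zone {zone} is not defined")
                if gw_role != role:
                    findings.append(f"role {role}: gateway-role {gw_role} differs from the switch role name")
                if gw_role not in GLOBAL_ROLES:
                    findings.append(f"role {role}: {gw_role} is not a Global Policy Manager role")
    return findings

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run it against the exported template before pushing the change; a role that is reported as "still local" (as CRITICAL is in the sample) is not necessarily wrong, but it will not be covered by the gateway's role-to-role policy, so the exception should be deliberate.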
Update Gateway Configuration
The gateways require three changes to enable user based tunneling: the MTU must be increased, VLANs must be mapped to roles, and network policy must be configured in the group. This section demonstrates the process.
Adjusting VLAN MTU
Step 1 Select the Gateways tab, then click the gear icon in the upper right corner.
Step 2 Select LAN, then click LAN Ports.
Step 3 Hover over the GE0/0/2 interface, then select the pencil icon.
Step 5 Check the Jumbo Frames box.
Step 6 Select Save.
Step 7 Repeat steps 3-6 for the GE0/0/3 interface.
Step 8 Click Save Settings
Associate VLANs to User Roles
Roles are established within the group from Global Policy Manager. However, these roles have no VLAN association, so on authentication a client is assigned the role with VLAN 1 by default instead of being placed in the appropriate VLAN. The following procedure associates VLANs with roles.
Step 1 Ensure the Gateway configuration is in Advanced Mode. Select the Security tab.
Step 2 Select the Roles tab.
Step 3 Select the CRITICAL role.
Step 4 Scroll down and select the More tab. In the More tab, set the VLAN ID and the maximum sessions.
- VLAN: 106
- Max Sessions: 10000
Step 5 Click Save Settings.
Note: The VLAN List displays VLAN IDs. Named VLANs also can be used to associate the VLAN to the user role. In the example above, the VLAN ID is used.
Step 6 Repeat steps 3 to 5 for all roles.
User Role | VLAN ID |
---|---|
EMPLOYEE | 101 |
PRINTER | 102 |
IOT-INTERNAL | 103 |
IOT-LMT-INET | 103 |
IOT-NO-INET | 103 |
VISITOR | 104 |
REJECT | 105 |
CRITICAL | 106 |
QUARANTINE | 107 |
Configuring Network Policy with User Roles
Global Policy Manager can configure only role-to-role policies. More granular policies, such as those based on applications or network protocols, must be configured in the group. This section walks through configuring URL- and IP-based policies for the VISITOR user role.
Role | Allowed Access | Denied Access |
---|---|---|
VISITOR | Internet, Captive Portal (cppm.example.local), DHCP/DNS(10.2.120.99/98) | RFC1918 |
Step 1 On the Gateway tab on the top right side, select Basic Mode.
Step 2 Select the Policies tab. Click Applications.
Step 3 Click the + (plus sign) beside Network Aliases. In the Name field, enter ad server.
Step 4 Click the + (plus sign) in the User Rules table.
Step 5 In the new row's Type column, click Name. Scroll to select Host. In the IP Address field, enter 10.2.120.98.
Step 6 Repeat step 4. Click Name, scroll to select Host and in the IP Address field enter 10.2.120.99.
Step 7 Click Save.
Step 8 Click the + (plus sign) beside Network Aliases. In the Name field, enter rfc1918.
Step 9 Click the + (plus sign) in the User Rules table.
Step 10 In the new row's Type column, click Name. Scroll to select Network. Enter the first range, then repeat step 9 for the remaining ranges.
- IP/Mask: 192.168.0.0/255.255.0.0
- IP/Mask: 172.16.0.0/255.240.0.0
- IP/Mask: 10.0.0.0/255.0.0.0
Step 11 Click Save.
Step 12 Click the + (plus sign) beside Network Aliases. In the Name field, enter captive portal.
Step 13 Click the + (plus sign) in the User Rules table.
Step 14 With the Name field selected, enter cppm.example.local.
Step 15 Click Save.
Step 16 Click Save Settings.
Step 17 Click the Security tab next to QOS.
Step 18 In the Roles table, select the VISITOR role.
Step 19 In the Policies table, click the + (plus sign) and enter visitor_net_policy.
Note: The VISITOR user role was created using global client roles. If the user role was not created using global client roles, or if the deployment is not using Multi-Site Fabric, the user role can be created in the group by clicking the Roles tab on the page below.
Step 20 In the Rules table click the + (plus sign) to create a new rule.
Step 21 In the Rule table, assign the following:
- Source: Any
- Destination: Network Alias
- Destination Alias: ad server
- Service/App: sys-svc-dns
- Action: Permit
Step 22 Click Save.
Step 23 Repeat Steps 20 to 22 to complete the table below, then click Save Settings. Rules are evaluated from the top down and the first match wins, so the RFC1918 deny must stay above the final permit-any rule. The completed policy is illustrated below.
Source | Destination | Service | Action |
---|---|---|---|
Any | AD Servers | DNS | Permit |
Any | AD Servers | DHCP | Permit |
Any | Captive Portal | Https | Permit |
Any | RFC1918 | Any | Deny |
Any | Any | Any | Permit |
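The table reads from the top down and the gateway applies the first rule that matches, so the RFC1918 deny protects the internal ranges only because it sits above the permit-any rule at the end. The Python below is an added example, not part of the guide or of the gateway software. It models that first-match evaluation over the aliases and rules entered above, returns the action and the matching rule for a given flow, and flags rules that an earlier rule makes unreachable, which is what happens to the RFC1918 deny if it is entered after the permit-any rule. The resolved captive portal address, the service names other than sys-svc-dns and the visitor client address are assumed values.

```python
"""First-match evaluation of visitor_net_policy as entered above.
Added example, not part of the guide or of the gateway software."""
import ipaddress

# Network aliases from the guide. The captive portal alias is a hostname on
# the gateway; here it is replaced by an assumed resolved address.
ALIASES = {
    "any": ["0.0.0.0/0"],
    "ad server": ["10.2.120.98/32", "10.2.120.99/32"],
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "captive portal": ["10.2.120.50/32"],  # assumed address of cppm.example.local
}

# (protocol, port) per service; None means any service. Only sys-svc-dns
# appears on the page, the other service names are assumed.
SERVICES = {
    "any": None,
    "sys-svc-dns": ("udp", 53),
    "sys-svc-dhcp": ("udp", 67),
    "svc-https": ("tcp", 443),
}

# The completed policy table, in the order it was entered.
VISITOR_NET_POLICY = [
    ("any", "ad server", "sys-svc-dns", "permit"),
    ("any", "ad server", "sys-svc-dhcp", "permit"),
    ("any", "captive portal", "svc-https", "permit"),
    ("any", "rfc1918", "any", "deny"),
    ("any", "any", "any", "permit"),
]

def _networks(alias):
    return [ipaddress.ip_network(n) for n in ALIASES[alias]]

def _matches(rule, src, dst, proto, port):
    rule_src, rule_dst, svc, _ = rule
    src_ok = any(ipaddress.ip_address(src) in n for n in _networks(rule_src))
    dst_ok = any(ipaddress.ip_address(dst) in n for n in _networks(rule_dst))
    svc_ok = SERVICES[svc] is None or SERVICES[svc] == (proto, port)
    return src_ok and dst_ok and svc_ok

def evaluate(policy, src, dst, proto, port):
    """Return (action, rule index) of the first matching rule; implicit deny if none."""
    for idx, rule in enumerate(policy):
        if _matches(rule, src, dst, proto, port):
            return rule[3], idx
    return "deny", None

def _covers(alias_a, alias_b):
    """True when every network of alias_b lies inside a network of alias_a."""
    return all(any(nb.subnet_of(na) for na in _networks(alias_a))
               for nb in _networks(alias_b))

def shadowed_rules(policy):
    """Indexes of rules that can never match because an earlier rule covers them."""
    shadowed = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            svc_covers = SERVICES[earlier[2]] is None or earlier[2] == later[2]
            if svc_covers and _covers(earlier[0], later[0]) and _covers(earlier[1], later[1]):
                shadowed.append(j)
                break
    return shadowed

if __name__ == "__main__":
    visitor = "10.2.104.20"  # assumed client address in the VISITOR VLAN
    for dst, proto, port in [("10.2.120.98", "udp", 53), ("10.2.120.98", "tcp", 445),
                             ("10.2.120.50", "tcp", 443), ("93.184.216.34", "tcp", 443)]:
        print(dst, proto, port, "->", evaluate(VISITOR_NET_POLICY, visitor, dst, proto, port))
    # The same rules with the RFC1918 deny entered last: permit-any now wins.
    misordered = VISITOR_NET_POLICY[:3] + VISITOR_NET_POLICY[4:] + VISITOR_NET_POLICY[3:4]
    print("shadowed rule indexes:", shadowed_rules(misordered))
```

With the table in the order shown, DNS to the AD servers and HTTPS to the captive portal are permitted by their specific rules, SMB to the same AD server is caught by the RFC1918 deny, and only public destinations fall through to the final permit. Reordering the deny below the permit-any makes it unreachable, which shadowed_rules reports, and the same SMB flow is then permitted.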