Link Search Menu Expand Document
calendar_month 18-Mar-24

Enabling Centralized Multi-Site Fabric

OWL Corp. plans to implement role-based policy to simplify network policy across the SD-WAN Fabric. They have requested enabling User Based Tunneling (UBT) at each branch site, with policy extended between branches.

The following procedures will demonstrate how to change the Switch and Gateway configurations, in order to enable role-based policy with UBT and Multi-Site Fabric. UBT centralizes policy at the Branch gateway. Multi-Site Fabric enables carrying the user role policy across the WAN, with enforcement at the destination branch gateway or VPNC.

Table of contents

Centralized Multi-Site Fabric Requirements

  • Jumbo frames enabled on all Gateway VLANs
  • Removal of user VLAN’s from switches and access points.
  • Large MTU configured on switch VLANs (9198 MTU)
  • Change switch user roles to use gateway roles instead of VLANs
  • UBT-Client-VLAN: this guide uses VLAN 2000 .

Note: AP configuration do not require adjustment, since APs are already set to tunnel. No additional roles are needed for access points. The gateways will proxy the RADIUS request and apply roles based on the role returned from Clearpass. The gateway role will contain the policy configured below.

image-20240131091215658

Policy Requirements

All devices are assigned a user role. The level of access is determined by the user role. The following policies are configured.

RoleAllowed Access
EMPLOYEEPrinters, Internal Applications, DNS, DHCP, AD, Internet
IT-ADMINAll Network Nodes , Internet
IT-SUPPEmployees, Printers, IOT-INTERNAL, IOT-LMT-INET, IOT-NO-INET, REJECT, Internet
VISITORInternet, Captive Portal, DHCP
PRINTERInternal Applications
(Employee, IT-Admins and IT-SUPP all should be able to initiate connections to printers, but the printer should not be able to initiate connections.)
IOT-NO-INETIOT-NO-INET
IOT-INTERNALInternal Applications (padlock systems, asset tracking.)
IOT-LMT-INETSaaS (Water systems, Air Quality Monitor, Smart thermostats .)
REJECTInternet (All devices with reject role are profiled by ClearPass.)
QUARANTINEInternal Applications.
CRITICALInternet, AD, DNS.
SECURITYInternal Applications (Security Camera DVR, RFID Database)

Note: The policy examples below do not represent all established OWL policies. The instructions provide information for only policies affected by this section’s requirements

Enabling Multi-Site Fabric

This section illustrates how to enable Multi-Site Fabric, enabled between specific groups. The section also detail the centralized configuration of user roles using the Global Policy Manager.

It is imperative to configure user roles within the Global Policy Manager, where the mapping of policy ID to user roles takes place. The assigned policy ID is carried between branches, allowing the propagation of policy. The Policy ID received by destination branches is also used for reverse lookups of roles configured in Global Policy Manager, ensuring the enforcement of role-to-role policies.

Note: For admins who do not intend to enable Multi-Site Fabric, user roles and policies can be configured at the group level.

Configure Global Client Roles

Step 1 On the Global page, in the left menu, click Security.

Step 2 Click the Client Roles tab at the top of the page.

Navigation to security page

Note: All user roles configured before Aruba Central 2.5.6 were automatically configured in Global Policy Manager. Delete roles that are not needed and skip adding the roles.

Step 3 Click the + (plus sign) in the Roles table.

Step 4 Enter the following User Role name: EMPLOYEE. Click Save. Create Global Client Roles

Step 5 Repeat Steps 3 to 4 for the list of user roles below.

  • IT-ADMIN
  • IT-SUPP
  • VISITOR
  • PRINTER
  • IOT-NO-INET
  • IOT-INTERNAL
  • IOT-LMT-INET
  • REJECT
  • QUARANTINE
  • CRITICAL
  • SECURITY

Step 6 Hover over the EMPLOYEE role that was created and click the edit (pencil) icon.

Step 7 In the Permissions table, click the edit (pencil) icon.

  • Click the PRINTER box in Allow Source to Destination.
  • Click Assign.
  • Click Save.

Assigning role to role permissions

Step 8 Repeat step 7 for the role-to-role permissions below. Application-level permissions are configured in the “Updating Gateway Configuration” section.

RoleAllowed Access
EMPLOYEEPrinters
IT-ADMINAll Network Nodes
IT-SUPPEmployees, IT-ADMIN, Printers, IOT-INTERNAL, IOT-LMT-INET, IOT-NO-INET, REJECT
PRINTEREmployee, IT-Admins and IT-SUPP should all be able to initiate connections to printers but the printer should not be able initiate connections.
IOT-NO-INETIOT-NO-INET

Note: Configuring one role automatically configures other roles that are allowed to the destination.

Enable Role to Role Policy across branches

Step 9 At the bottom of the page, select No in Use a switch fabric for role propagation? Select No.

Step 10 Click Branch and click the + (plus sign.

  • Select the BR-ECSDB group.
  • Select the VPNC-RSVDC group.
  • Click Assign.
  • Click Save.

Selecting role-to-role groups-1972299

Caution: Two groups must be selected or roles and policy cannot be pushed to the group.
SD-Branch role propagation and role propagation across a switch fabric are mutually exclusive.

Step 12 At the top of the page, click the Role-to-Role Policy Enforcement slider.

Enable Role-to-Role Policy-1970841

Step 13 Scroll down the page and click Save.

Save Settings

SD-Branch User Based Tunneling

This section demonstrates changes needed for the switch and gateway to allow UBT at a branch site. APs are already set to tunnel and do not require adjustment. No additional roles are needed for access points.

Update Switch Template Configuration

The switch template must be updated first.

Four configuration changes for the switch are required: adjusting MTU size, removing unused VLAN’s, enabling UBT and adjusting user roles.

Adjusting the MTU size on the switch disrupts service and causes the switches to lose connection to the gateways. The connection is restored after gateway configuration when the MTUs match. .

Step 1 In the BR-ECSDB group, click the Switch tab.

Step 2 In the Switches List page at the top right, click Config.

navigate_sw_template_config

Step 3 In the Switches Template section, hover over the BR-ACC template and click the edit (pencil) icon.

edit template

Configuring UBT Client VLAN

The original template configuration is shown below. The following VLANs will be adjusted.

Step 1 Adjust the VLAN’s configuration.

vlan 101
    name EMPLOYEE
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 102
    name CAMERA
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 103
    name IOT
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 104
    name VISITOR
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 105
    name REJECT
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 106
    name CRITICAL
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 107
    name QUARENATINE
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable

Step 2 Reconfigure the VLANs as:

vlan 100
    name MGMT 
vlan 101
    name EMPLOYEE
vlan 102
    name CAMERA
vlan 103
    name IOT
vlan 104
    name VISITOR
vlan 105
    name REJECT
vlan 106
    name CRITICAL
vlan 107
    name QUARENATINE    
vlan 2000
  name UBT_CLIENT
  dhcpv4-snooping
  arp inspection
  ip igmp snooping enable

Step 4 Ensure VLANs are on the uplinks and the MTU is set.

interface 1/1/23
  description Uplink_GW
  no shutdown
  no routing
  mtu 9198
  vlan trunk native 100
  vlan trunk allowed 100-107
  arp inspection trust
  dhcpv4-snooping trust
interface 1/1/24
  description Uplink_GW
  no shutdown
  no routing
  mtu 9198
  vlan trunk native 100
  vlan trunk allowed 100-107
  arp inspection trust
  dhcpv4-snooping trust

Step 3 Adjust the MTU on VLAN 100, so users can access the network.

interface vlan 100
  description MGMT
  ip mtu 9198
  ip dhcp

Configure UBT

For switch-to-tunnel traffic to the gateways, the UBT VLAN must point to the gateway’s IP address, which is a new variable in the template.

Step 1 Define the UBT client VLAN and create the UBT zone in the default VRF.

  • UBT Client VLAN: 2000
  • UBT Zone: branch
ubt zone branch vrf default
  primary-controller ip %gateway_1_sys_ip%
  backup-controller ip %gateway_2_sys_ip%
  enable

ubt-client-vlan 2000

Adjust User Roles

The roles must be adjusted to point to the gateway roles. The names must match the names on the gateway. The gateway map the VLAN to the roles and enforces role-to-role policy. The original configuration in the template below shows the user roles to be adjusted.

port-access role ARUBA-AP
  auth-mode device-mode
  vlan trunk native 100
  vlan trunk allowed 100,101,104-107
port-access role REJECT
    reauth-period 120
    vlan access 105
port-access role EMPLOYEE
    reauth-period 120
    vlan access 101
port-access role  PRINTER
    reauth-period 120
    vlan access 102
port-access role  IOT
    reauth-period 120
    vlan access 103
port-access role GUEST
    reauth-period 120
    vlan access 104
port-access role REJECT
    reauth-period 120
    vlan access 105
port-access role CRITICAL
  reauth-period 120
  vlan access 106
port-access role QUARANTINE
    reauth-period 120
    vlan access 107

Step 1 Remove the VLAN access line from the roles displayed above and replace them with the following VLAN access line:

  • gateway-zone zone branch gateway-role and the respective role name.
port-access role EMPLOYEE
    reauth-period 120
    gateway-zone zone branch gateway-role EMPLOYEE
port-access role SECURITY
    reauth-period 120
    gateway-zone zone branch gateway-role SECURITY
port-access role IOT-NO-INET
    reauth-period 120
    gateway-zone zone branch gateway-role IOT-NO-INET
port-access role IOT-INETERNAL
    reauth-period 120
    gateway-zone zone branch gateway-role IOT-INETERNAL
port-access role IOT-LMT-INET
    reauth-period 120
    gateway-zone zone branch gateway-role IOT-LMT-INET
port-access role VISITOR
    reauth-period 120
    gateway-zone zone branch gateway-role VISITOR
port-access role INFRA-DEVICE
   reauth-period 120
   gateway-zone zone branch gateway-role INFRA-DEVICE
port-access role PRINTER
   reauth-period 120
   gateway-zone zone branch gateway-role PRINTER
port-access role IT-ADMIN
   reauth-period 120
   gateway-zone zone branch gateway-role IT-ADMIN
port-access role IT-SUPP
   reauth-period 120
   gateway-zone zone branch gateway-role IT-SUPP
port-access role REJECT
    reauth-period 120
    gateway-zone zone branch gateway-role REJECT
port-access role CRITICAL
   reauth-period 120
   gateway-zone zone branch gateway-role CRITICAL
port-access role QUARANTINE
   reauth-period 120
   gateway-zone zone branch gateway-role QUARANTINE

Step 2 Remove the old VLAN’s from the AP role.

port-access role ARUBA-AP
  auth-mode device-mode
  vlan trunk native 100
  vlan trunk allowed 100

Update Gateway Configuration

The gateways require three changes to enable user based tunneling: MTU size must be increased, and both VLAN-to-role mapping and network policy must be configured in the group. This section demonstrates the process.

Adjusting VLAN MTU

Step 1 Select the Gateways tab, then click the gear icon in the upper right corner.

bgw-select-config-2

Step 2 Select LAN. Click Lan Ports

Step 3 Hover over the GE0/0/2 interface, then select the pencil icon.

Step 5 Check the Jumbo Frames box.

Step 6 Select Save.

Step 7 Repeat steps 3-6 for the GE0/0/3 interface.

Step 8 Click Save Settings

enabling jumbo frames

Associate VLANs to User Roles

Roles are established within the group from global policy manager . However, these roles lack VLAN association. Consequently, during authentications, clients are assigned a role with VLAN 1 by default instead of being placed in the appropriate VLAN. The following procedure demonstrates how to associate VLANs to roles.

Step 1 Ensure the Gateway configuration is in Advanced Mode. Select the Security tab.

Step 2 Select the Roles tab.

Navigation to roles

Step 3 Select the Critical role.

Step 4 Scroll down and select the More tab. In the more tab, set the VLAN ID and the max sessions.

  • VLAN: 106
  • Max Sessions: 10000

Step 5 Click Save Settings.

Connecting VLAN to user Role

Note: The VLAN List displays VLAN IDs. Named VLANs also can be used to associate the VLAN to the user role. In the example above, the VLAN ID is used.

Step 6 Repeat steps 3 to 5 for all roles.

User RoleVLAN ID
EMPLOYEE101
PRINTER102
IOT-INTERNAL103
IOT-LMT-INET103
IOT-NO-INET103
GUEST104
REJECT105
CRITICAL106
QUARANTINE107

Configuring Network Policy with User Roles

Global policy manager can configure only role-to-role policies. For more granular policies, such as applications or network protocols, the configuration be made in the group. This section walks through the process of configuring URL and IP-based policies specifically for the Visitor user role.

RoleAllowed AccessDenied Access
VISITORInternet, Captive Portal (cppm.example.local), DHCP/DNS(10.2.120.99/98)RFC1918

Step 1 On the Gateway tab on the top right side, select Basic Mode.

select basic mode

Step 2 Select the Policies tab. Click Applications.

Navigation_to_polices

Step 3 Click the + (plus sign) beside Network Aliases. In the Name field, enter ad server.

Step 4 Click the + (plus sign) in the User Rules table.

Step 5 In the new row’s Type Column, click Name. Scroll to select Host. In the IP Address field, enter 10.2.120.98.

Step 6 Repeat step 4. Click Name. Scroll to select the Host. In the IP Address field, enter 10.2.120.99.

Step 7 Click Save.

ad_network_alias

Step 7 Click the + (plus sign) beside Network Aliases. In the Name field, enter rfc1918.

Step 8 Click the + (plus sign) in the User Rules table.

Step 9 In the new row’s Type Column, click Name. Scroll to select Network. Enter the first range, then repeat step 8 for the remaining ranges.

  • IP/Mask: 192.168.0.0/255.255.0.0
  • IP/Mask: 172.16.0.0/255.240.0.0
  • IP/Mask: 10.0.0.0/255.0.0.0

Step 10 Click Save.

RFC1918

Step 11 Click the “+ (plus sign) beside Network Aliases. In the Name field, enter captive portal.

Step 12 Click the + (plus sign) in the User Rules table.

Step 13 With the Name field selected, enter cppm.example.local

Step 14 Click Save.

Step 15 Click Save Settings.

url rule

Step 16 Click the Security tab next to QOS.

navigation_to_apply_rules

Step 17 In the Roles table, select the Visitor role.

Step 18 In the Policies table click the + (plus sign) symbol and enter visitor_net_policy.

Note: The Visitor user role was created using global client roles. If the user role was not created using global client roles or if the deployment is not using multi site fabric, the User role can be created in the group by clicking the Roles tab on the page below.

Create visitor policy

Step 20 In the Rules table click the + (plus sign) to create a new rule.

Step 21 In the Rule table, assign the following:

  • Source: Any
  • Destination: Network Alias
  • Destination Alias: ad server
  • Service/App: sys-svc-dns
  • Action: Permit

Step 22 Click Save.

adding rules to policy

Step 23 Repeat Steps 18 to 20 to complete the table below. Then click Save Settings. The completed policy is illustrated below.

SourceDestinationServiceAction
AnyAD ServersDNSPermit
AnyAD ServersDHCPPermit
AnyCaptive PortalHttpsPermit
AnyRFC1918AnyDeny
AnyAnyAnyPermit

complete visitor policy-5016929


Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.