07-Mar-24

Aruba Layer 3 Microbranch AP Configuration

Layer 3 Microbranch, also referred to as Distributed Layer 3 (DL3), lets administrators provide three types of access: Routed Layer 3, NATed Layer 3, and fully tunneled. This guide demonstrates all three.

Full tunnel uses policy-based routing and is covered in an optional section at the end of the guide.

This guide demonstrates how to configure two types of Microbranch SSIDs:

  • EXAMPLE-CORP is a Routed Layer 3 SSID that provides access to corporate resources. It is assigned VLAN ID 101 and prefix 10.14.200.0/24, which is advertised to the broader campus network.
  • EXAMPLE-GUEST is a NATed Layer 3 SSID that provides only Internet access. It is assigned VLAN 100 and prefix 192.168.0.0/24, which is only routed locally.

Note: This guide uses the VPNC configured in the hub & spoke section. To configure a VPNC, review the “Deploying VPNC” section.


The illustration below shows the Microbranch topology.

Micro-Branch

Create a Microbranch AP Group

Step 1 In the left navigation pane, in the Maintain section, select Organization.

Step 2 In the left navigation pane, click Global, then select the Groups column heading.

Step 3 To create a New Group, in the upper right, click + (plus sign).

Step 4 In the Add Group window, enter a name, click the Access Point checkbox, then click Next.

Step 5 Leave ArubaOS 10 selected in Architecture for access points and gateways in this group. Click the Microbranch radio button under Network role of the access points in this group, then click Add.

Creating AP Group

Configure System IP Pool

The System IP Pool assigns IP addresses to access points dynamically, as required for Microbranch AP setup.

APs use their assigned IP for the inner tunnel IP address and to source traffic such as RADIUS, TACACS+, and SNMP. The System IP Pool is applied to the Microbranch group in a future step.

Step 1 Select the Global group. In the left navigation pane, click Network Services.

Step 2 Select the IP Address Manager tab.

Step 3 In the upper right, click + (plus sign).

Step 4 In the Add System IP Pools window, enter the following:

  • Pool Name: System IP Pool
  • Start address: 10.14.254.1
  • End address: 10.14.254.100

Step 5 Click Save.

Configuring Address Pool

Configure VLAN DHCP Pool

A Shared DHCP Pool is configured for later assignment to the EXAMPLE-CORP VLAN.

Step 1 Select the Global group. In the left navigation pane, select Network Services.

Step 2 Select the IP Address Manager tab, then select the Shared DHCP Pools tab.

Step 3 To create a DHCP pool, in the upper right, click + (plus sign).

Step 4 In the Add Shared DHCP Pool window, enter the following:

  • Pool Name: EXAMPLE-CORP
  • Start address: 10.14.200.1
  • End address: 10.14.200.255
  • Hosts per DHCP VLAN: 20

Step 5 Click Save.

Configuring Shared DHCP Pools

Set AP Device Password

Step 1 In the Global dropdown, search and select the Microbranch AP group created previously.

Step 2 In the left navigation pane under Manage, select Devices.

Step 3 Select the Access Points tab. In the upper right corner, click the Config (gear) icon.

Step 4 Enter a device password in the Password field, re-enter the password in the Confirm password field, then click Set Password.

AP Group Navigation

Configure Country Code

It is important to assign the proper country code to ensure that APs operate in compliance with local regulatory restrictions.

Step 1 In the UI-MICRO-AP-01 > Devices configuration panel, in the System tile, select Properties.

Step 2 In the Set country code field, select the appropriate country code from the dropdown.

Step 3 Click Save.

configuring Country Code

Assign System IP Pool to AP Group

Step 1 In the UI-MICRO-AP-01 > Devices configuration panel, in the System tile, select IP Addressing.

Step 2 Click + (plus sign).

Step 3 In the Select IP Address Pool field, select the previously configured System IP Pool.

Step 4 Click Save.

SystemIP Pool

Configure DNS and NTP

Step 1 In the UI-MICRO-AP-01 > Devices configuration panel, in the System tile, select DNS & NTP.

Step 2 In the Domain Name field, enter the domain name.

Step 3 To add a DNS server, in the DNS SERVERS header, click + (plus sign).

Step 4 In the dropdown, select a DNS service.

Step 5 Click Save.

Configuring DNS

Step 6 Expand the NTP section by clicking > NTP.

Step 7 To add a NTP server, in the PUBLIC NTP SERVERS header, click + (plus sign).

Step 8 In the new empty field, enter an NTP server name or IP address.

Step 9 In the Timezone field, select a timezone from the dropdown.

Step 10 Click Save.

Configuring NTP

Configure WAN Uplink

The WAN uplink identifies the interface assigned a WAN IP address. Tunnel Orchestrator uses this WAN IP address to create tunnels between devices.

Step 1 In the UI-MICRO-AP-01 > Devices configuration panel, in the WAN tile, select WAN Uplink.

Step 2 On the right side, click + (plus sign).

Step 3 In the Uplink Name field, enter the uplink interface name.

Step 4 Click Save.

Configuring WAN Uplink

Configure WAN Health Check

A WAN Health Check measures latency and packet loss on WAN uplinks using ICMP or UDP probes. UDP-based probes additionally measure jitter and generate MOS (Mean Opinion Score) values.

Step 1 Go to the UI-MICRO-AP-01 > Devices configuration panel, in the WAN tile, select WAN Health Check.

Step 2 Click the slider right of Monitor WAN health.

Step 3 Click the Custom radio button.

Step 4 In the Protocol field, click the dropdown and select UDP.

Step 5 Click Save.

Configuring WAN Health Check

Configure Hub Site

Step 1 Go to the UI-MICRO-AP-01 > Devices configuration panel. In the Tunnels & Routing tile, select Data Center.

Step 2 In the Data Center header, click + (plus sign).

Step 3 In the HUB GROUP dropdown, select the VPNC Group configured in Hub and Spoke Deployment.

Step 4 In the Cluster Name dropdown, select the cluster configured in Hub and Spoke Deployment.

Step 5 Click Save.

Configuring Hub Site

Configure VLANs

Create VLANs for the routed EXAMPLE-CORP SSID and the NATed EXAMPLE-GUEST SSID.

Step 1 Go to the UI-MICRO-AP-01 > Devices configuration panel, in the LAN tile, select VLANs.

Step 2 In the VLANs header, click + (plus sign).

Navigating to VLAN Creation

Caution: Do not use the same VLAN ID at a Microbranch site and on the VPNC. If the same VLAN ID is configured on both, the SSID operates as a Layer 2 tunneled SSID, even if the configuration specifies Layer 3 Routed or NATed.

Step 3 In the new VLAN form, enter the following field values.

  • DHCP Profile Name: EXAMPLE-CORP
  • VLAN ID: 101
  • Click the Routed radio button
  • DHCP Pool: EXAMPLE-CORP
  • Excluded addresses: 5
  • Domain name: example.local
  • DNS Server: Specify Servers
    • 10.2.120.98,10.2.120.99

Step 4 Leave other fields at their default values.

Step 5 Click Save.

Configure Example Corp VLAN

Step 6 In the VLANs header, click + (plus sign).

Step 7 In the new VLAN window, enter the following field values.

  • DHCP Profile Name: EXAMPLE-GUEST
  • VLAN ID: 100
  • Click the NATed radio button
  • Subnet: 192.168.0.0
  • Subnet Mask: 255.255.255.0
  • Domain name: example.local
  • DNS Server: AP Assigned DNS Server
  • Excluded addresses: 5

Step 8 Leave other fields at their default values.

Step 9 Click Save.

Configure Example Guest VLAN
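A quick pre-flight check for the addressing plan above, written as an added example for this guide (it is not Aruba code). It encodes the VLAN caution and checks that the System IP Pool, the EXAMPLE-CORP shared pool and the EXAMPLE-GUEST subnet do not overlap. The VPNC VLAN set is an assumed value, and the helper `to_networks` is introduced here to accept the start/end form that the IP Address Manager uses.

```python
"""Pre-flight check for a Microbranch addressing plan.

Added illustration for this guide, not Aruba code. It applies two rules
stated in the guide: a VLAN ID must not exist on both the Microbranch AP
group and the VPNC, and the address ranges used at a site must not
overlap. The VPNC VLAN list below is an assumed value; everything else is
taken from the guide.
"""
import ipaddress


def to_networks(spec):
    """Accept 'a.b.c.d/nn', 'a.b.c.d/mask' or 'start - end' (the form the
    IP Address Manager uses) and return the networks that cover it."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(s.strip()) for s in spec.split("-"))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec, strict=False)]


def lint_plan(site_vlans, vpnc_vlans, pools):
    """site_vlans: {vlan_id: 'Routed' | 'NATed'} configured on the AP group.
    vpnc_vlans:  VLAN IDs configured on the VPNC.
    pools:       {name: spec} for every range the site hands out or uses.
    Returns a list of human-readable problems; an empty list means clean."""
    problems = []

    # Guide caution: a shared VLAN ID silently turns the SSID into an L2
    # tunneled VLAN even though the form says Routed or NATed.
    for vid in sorted(set(site_vlans) & set(vpnc_vlans)):
        problems.append(
            f"VLAN {vid} ({site_vlans[vid]}) is also configured on the VPNC"
        )

    # Overlapping ranges: the System IP Pool is the AP's tunnel and source
    # address, so a collision with a client prefix breaks routing and makes
    # RADIUS/SNMP sourcing ambiguous.
    nets = {name: to_networks(spec) for name, spec in pools.items()}
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x.overlaps(y) for x in nets[a] for y in nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


# Values from the guide; the VPNC VLAN set is constructed for this example.
GUIDE_SITE_VLANS = {101: "Routed", 100: "NATed"}
ASSUMED_VPNC_VLANS = {1, 201, 202}
GUIDE_POOLS = {
    "System IP Pool": "10.14.254.1 - 10.14.254.100",
    "EXAMPLE-CORP": "10.14.200.1 - 10.14.200.255",
    "EXAMPLE-GUEST": "192.168.0.0/255.255.255.0",
}

if __name__ == "__main__":
    report = lint_plan(GUIDE_SITE_VLANS, ASSUMED_VPNC_VLANS, GUIDE_POOLS)
    for line in report or ["plan is clean"]:
        print(line)
```

Run it before pushing the group configuration; a non-empty report means the plan reproduces one of the failure modes the guide warns about.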

Configure the WPA3-Enterprise Wireless LAN

The following procedure creates a secure, routed SSID for accessing internal resources.

Step 1 Go to the UI-MICRO-AP-01 > Devices configuration panel. In the Wireless tile, select WLAN.

Step 2 Near the bottom left of the WLANs tab, click + Add SSID.

Add SSID

Step 3 On the General tab, set the SSID Name field to EXAMPLE-CORP.

Step 4 To display additional settings, click > Advanced Settings.

Step 5 To expand broadcast/multicast options, click (+) Broadcast/Multicast.

Step 6 In the Broadcast filtering dropdown, select All.

Step 7 To expand legacy transmission rate options, click (+) Transmit Rates (Legacy Only).

Step 8 In the 2.4 GHz section, set the following values.

  • Min: 5
  • Max: 54

Step 9 In the 5 GHz section, set the following values.

  • Min: 18
  • Max: 54

Step 10 Click Next.

General Configuration

Configure SSID VLAN

On the VLANs tab, enter the following values, then click Next.

  • Traffic forwarding mode: L3 Routed/NATed.
  • Client VLAN Assignment: Static
  • VLAN ID: EXAMPLE-CORP (vlan:101)

Setting VLAN

Configure SSID Security Settings

Enable 802.1X authentication and encryption on the SSID.

Step 1 To set the security level, move the Security Level slider to Enterprise.

Step 2 From the Key Management dropdown, select WPA3-Enterprise (CCM 128).

Use WPA3 whenever possible; it offers significant security improvements over WPA2. Consult the client documentation to confirm that the endpoints at Microbranch sites support WPA3. If they do not, use WPA2-Enterprise.

Enabling dot1x

Step 3 To add a primary RADIUS server, beside the Primary Server field, click + (plus sign).

Step 4 In the NEW SERVER window, enter the following values, then click OK.

  • Server Type: RADIUS
  • Name: cppm-01
  • IP Address: 10.2.120.94
  • Shared Key: < Enter the RADIUS server shared key >
  • Retype Key: < Re-enter the RADIUS server shared key >

Adding Radius Server

Note: Record the Shared Key; it must be entered identically as the RADIUS client (NAS) secret when configuring ClearPass Policy Manager.

Step 5 To add a secondary RADIUS server, beside the Secondary Server field, click + (plus sign).

Step 6 Repeat step 4 with appropriate values for the secondary RADIUS server.

Step 7 To enable Load Balancing, click the slider.

Enabling Load Balancing

Step 8 Click Next.

Configure Network Access Rules

Network access rules apply policy enforcement for an SSID based on the role or IP address of a device.

Step 1 Leave the default setting of Unrestricted, then click Next.

Step 2 On the Summary tab, review all settings and click Finish.

Configure the Visitor Wireless LAN

The following procedure creates a NATed SSID with a captive portal for guest Internet access.

Create Visitor SSID

Step 1 In the UI-MICRO-AP-01 > Devices configuration panel, in the Wireless tile, select WLAN.

Step 2 On the bottom left of the WLANs tab, click + Add SSID.

Step 3 On the General tab, set the SSID Name field to EXAMPLE-GUEST.

Step 4 To display additional settings, click > Advanced Settings.

Step 5 To expand broadcast/multicast options, click (+) Broadcast/Multicast.

Step 6 In the Broadcast filtering dropdown, select All.

Step 7 To expand legacy transmission rate options, click (+) Transmit Rates (Legacy Only).

Step 8 In the 2.4 GHz section, set the following values.

  • Min: 5
  • Max: 54

Step 9 In the 5 GHz section, set the following values.

  • Min: 18
  • Max: 54

General SSID Configuration

Note: Setting a time range for guest access is optional. If it is not required, click Next and skip steps 10 through 13.

Step 10 To display time range options, click (+) Time Range Profiles.

Step 11 To create a new time range, click + New Time Range Profile.

Time Range Profile

Step 12 In the NEW PROFILE window, enter the following values, then click Save.

  • Name: Guest Weekdays
  • Type: Periodic
  • Repeat: Daily
  • Day Range: Monday - Friday (Weekdays)
  • Start Time:
    • Hours: 7
    • Minutes: 0
  • End Time:
    • Hours: 18
    • Minutes: 0

Configuring Time profile

Step 13 The new time range appears in the Time Range Profiles list. To enable the profile, click the Status dropdown beside the name, select Enabled, then click Next.

Enable Time profile

Configure VLANs

On the VLANs tab, enter the following values, then click Next.

  • Traffic Forwarding Mode: L3 Routed/NATed.
  • Client VLAN Assignment: Static
  • VLAN ID: EXAMPLE-GUEST (vlan:100)

Configure Security

Enable a web-based captive portal.

Step 1 To set the security level, move the Security Level slider to Visitors.

Step 2 In the Access Network section, click the Type dropdown and select External Captive Portal.

enable Captive portal

Step 3 To create a captive portal profile, click + (plus sign) beside the Captive Portal Profile dropdown.

Step 4 In the External Captive Portal-New window, enter the following values, then click OK.

  • Name: CPPM-Portal
  • IP or Hostname: 10.2.120.92
  • URL: /guest/mb_guest_portal.php
  • Port: 443
  • Redirect URL: http://www.arubanetworks.com

Caution: For Layer 3 NATed SSIDs, the IP or Hostname field cannot be set to an FQDN. The DNS request from the AP is NATed and the FQDN cannot be resolved correctly, so enter the ClearPass IP address.

Captive Portal Configuration

Step 5 To set the primary RADIUS server, click the Primary Server dropdown and select the previously created primary RADIUS server.

Step 6 To set the secondary RADIUS server, click the Secondary Server dropdown and select the previously created secondary RADIUS server.

Step 7 To enable Load Balancing, toggle the slider.

Step 8 Click Next.

Configuring Radius Servers

Note: Refer to Configure SSID Security Settings in the Configure the WPA3-Enterprise Wireless LAN section to create new RADIUS servers.

Configuring Access For Guest SSID

Pre- and post-authentication roles apply access restrictions to clients associated with an SSID. The pre-authentication role EXAMPLE-DENY denies all access except DHCP, DNS to the corporate resolvers, and web access to the ClearPass server. The EXAMPLE-GUEST post-authentication role allows access to all destinations. It is not necessary to block guests from internal networks in the post-authentication role because the NATed EXAMPLE-GUEST prefix is only routed locally and is not advertised into the overlay, so clients on that SSID cannot initiate connections to internal resources.

Configure Deny Role

Step 1 On the Access tab, move the slider to Role Based.

Step 2 To create a new role, in the lower left, click + Add Role.

Step 3 In the Add Role window, enter EXAMPLE-DENY in the Role field, then click OK.

Creating Roles

Configure Deny ACL

Step 1 In the Role tile, select EXAMPLE-DENY.

Step 2 In the Access Rules For Selected Roles tile, select Allow any to all destinations, then click the edit (pencil) icon.

Step 3 In the Access Rules window, click the Action dropdown, select Deny, then click OK.

Deny Rule

Step 4 To configure additional access rules, click + Add Rule.

Step 5 In the Access Rules window, enter the values from the first row in the table below and click OK.

Rule Type      | Service type | Service    | Action | Destination          | Network
Access control | Network      | HTTPS/HTTP | Allow  | To Particular Server | 10.2.120.92
Access control | Network      | DNS        | Allow  | To Particular Server | 10.2.120.98
Access control | Network      | DNS        | Allow  | To Particular Server | 10.2.120.99
Access control | Network      | DHCP       | Allow  | To all destinations  | N/A

Step 6 Repeat steps 4 and 5 for each remaining row in the table. Access rules are evaluated top down and the first matching rule wins, so confirm that the four Allow rules appear above the Deny rule in the list; if the Deny rule is evaluated first, unauthenticated clients can never reach DHCP, DNS, or the captive portal.

Configuring Access Rules

Step 7 In the Assign Pre-Authentication Role dropdown, select EXAMPLE-DENY.

Step 8 Click Next.


(Optional) Routed Layer 3 Full-Tunnel Configuration

In highly secure deployments, all traffic might need to be tunneled back to security appliances for inspection and compliance before being forwarded to its destination. The following section demonstrates how to configure a full tunnel.

To configure full tunnel in a Layer 3 Microbranch deployment, adjust the Data Center configuration and create a Policy-Based Routing (PBR) policy with a rule that forwards all traffic, to any destination, through the secure IPsec tunnel to a VPNC or to a pair of VPNCs (via a next-hop list). The PBR policy is then assigned to one or more user roles, and all user traffic from devices in those roles is forwarded to the data center through the tunnel.

Configure Hub Priority

Earlier in the guide, the hub site was configured as a cluster, which load balances per route across the cluster members. With a full tunnel, this can cause asymmetric routing. To avoid this, use a manual hub deployment, which forces the APs to tunnel to a single gateway. If the primary gateway fails, the tunnels fail over to the next gateway in the list.

Step 1 Go to the UI-MICRO-AP-01 > Devices configuration panel. In the Tunnels & Routing tile, select Data Center.

Step 2 In the Data Center header, hover over the configured group and click the trash can icon.

Step 3 Click Save.

Deleting Clustered Hub Group

Step 4 In the Tunnels & Routing tile, select Data Center.

Step 5 Select the Hubs radio button.

Step 6 In the Data Center header, click + (plus sign).

Step 7 In the HUB GROUP dropdown, select the VPNC Group configured in Hub and Spoke Deployment.

Step 8 In the Cluster Name dropdown, select RSVDC-VPNC-1, configured in Hub and Spoke Deployment.

Step 9 In the highlighted VPNC-RSVDC header, click + (plus sign), then select RSVDC-VPNC-2. The order of the hubs in the list sets their priority.

Step 10 Click Save.

Setting Manual Hub Priority

Create PBR policy for full-tunnel

Step 1 Go to the group UI-MICRO-AP-01 > Devices page. In the Tunnels & Routing tile, select Policy-based Routing.

Step 2 Near the top right of the Policies tab, click + (plus sign).

Step 3 Enter a PBR policy name (e.g., EXAMPLE-PBR-DL3-FULL-TUNNEL).

Creating PBR Policy

Note: When a new PBR policy is added, a default rule that forwards any traffic to the Internet is created automatically.

Step 4 Mouse over the EXAMPLE-PBR-DL3-FULL-TUNNEL policy and click the edit (pencil) icon on the right.

Step 5 Mouse over the default rule that was created automatically and click the edit (pencil) icon on the right.

Step 6 In the EDIT RULE window, complete either (1) or (2), depending on the requirement, then click OK.

(1) To forward all user traffic to a single VPNC, enter the following values.

  • Source: Any
  • Destination: Any
  • Service/App: Any
  • Action: Forward to IPSec Map to VPNC
  • VPNC: The VPNC on which to terminate traffic
  • Uplink Tag: The uplink of the VPNC

(2) To forward all user traffic to the next-hop devices in a next-hop list, enter the following values.

  • Source: Any
  • Destination: Any
  • Service/App: Any
  • Action: Forward to Nexthop List
  • Name of next-hop-list: < select the next-hop list name >

Step 7 Click Save.

Apply PBR Policy for Full-Tunnel to User Role

Step 1 Go to the group UI-MICRO-AP-01 > Devices page. In the Security tile, select Policies & Access Control.

Step 2 Expand the Roles section.

Step 3 Select the user role to which to apply the PBR policy.

Step 4 In the Rules window, click + (plus sign).


Step 5 In the ADD RULE window, enter the following values, then click OK.

  • Rule Type: Policy-Based Routing

  • Add Existing Policy: selected

  • Policy Name: EXAMPLE-PBR-DL3-FULL-TUNNEL


Step 6 The PBR policy configured for full tunnel is now listed under the user role.


Step 7 Click Save.

Note: When a user is assigned a user role and traffic flows, the role's access rules are applied first. Only if the traffic is permitted is the PBR policy then applied to it.
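The following Python model, added as an example for this guide and not Aruba code, ties this note to the EXAMPLE-DENY rules from Configure Deny ACL: it evaluates a role's access rules top down, first match wins, and hands only permitted flows to a full-tunnel PBR next-hop list. The service-to-port mapping, the implicit deny when nothing matches, the `Flow`/`Rule` types and the tunnel states are assumptions made for the illustration; the rule values, role names and VPNC names come from the guide.

```python
"""Model of how an AOS 10 user role is applied to a client's traffic:
the role's access rules are evaluated top down, first match wins, and
only a permitted flow is then handed to the role's PBR policy.

Added illustration for this guide, not Aruba code. The EXAMPLE-DENY rules
are the guide's; the service-to-port mapping, the implicit deny at the end
of a rule list, and the next-hop failover order are simplifying assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed expansion of the service names used in the guide's rule table.
SERVICES = {
    "HTTPS/HTTP": {("tcp", 80), ("tcp", 443)},
    "DNS": {("udp", 53), ("tcp", 53)},
    "DHCP": {("udp", 67), ("udp", 68)},
    "any": None,
}


@dataclass(frozen=True)
class Flow:
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    service: str
    action: str                 # "allow" or "deny"
    network: str = "0.0.0.0/0"  # "To all destinations" in the UI

    def matches(self, flow):
        ports = SERVICES[self.service]
        if ports is not None and (flow.proto, flow.dport) not in ports:
            return False
        return ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.network)


def evaluate_role(rules, flow):
    """First matching rule decides; nothing matching is denied (assumption)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


def pbr_next_hop(next_hop_list, tunnel_up):
    """Full-tunnel PBR rule: send to the first next hop whose tunnel is up,
    mirroring the manual hub priority order configured above."""
    for hop in next_hop_list:
        if tunnel_up.get(hop, False):
            return hop
    return None


def forward(rules, next_hop_list, tunnel_up, flow):
    """Role access rules first; PBR only for flows the role permits."""
    if evaluate_role(rules, flow) != "allow":
        return ("deny", None)
    return ("allow", pbr_next_hop(next_hop_list, tunnel_up))


# EXAMPLE-DENY pre-authentication role from the guide, in the order it must
# end up in the UI: the four Allow rules above the Deny-any rule.
EXAMPLE_DENY = [
    Rule("HTTPS/HTTP", "allow", "10.2.120.92/32"),
    Rule("DNS", "allow", "10.2.120.98/32"),
    Rule("DNS", "allow", "10.2.120.99/32"),
    Rule("DHCP", "allow"),
    Rule("any", "deny"),
]

# Same rules with the Deny-any rule left at the top: every flow is denied.
DENY_FIRST = EXAMPLE_DENY[-1:] + EXAMPLE_DENY[:-1]

# EXAMPLE-CORP was left Unrestricted, i.e. allow any; this is the role the
# full-tunnel PBR policy is attached to.
CORP_ROLE = [Rule("any", "allow")]

# Next-hop list for the full-tunnel PBR policy; names from the guide,
# tunnel states constructed for this example (primary VPNC down).
FULL_TUNNEL_HOPS = ["RSVDC-VPNC-1", "RSVDC-VPNC-2"]
TUNNEL_STATE = {"RSVDC-VPNC-1": False, "RSVDC-VPNC-2": True}

if __name__ == "__main__":
    for flow in (Flow("10.2.120.92", "tcp", 443), Flow("93.184.216.34", "tcp", 443)):
        print(flow, evaluate_role(EXAMPLE_DENY, flow), evaluate_role(DENY_FIRST, flow))
    print(forward(CORP_ROLE, FULL_TUNNEL_HOPS, TUNNEL_STATE, Flow("10.14.10.5", "tcp", 445)))
```

The `DENY_FIRST` variant is the misordering to watch for in the UI: with the Deny rule on top, even the captive portal and DNS rules never match, so guests can neither get an address nor see the portal.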

Assign a Microbranch AP to a Group

Step 1 In the left navigation pane, click Global, then select the Groups column heading.

Step 2 Expand the Unprovisioned devices group by clicking the expansion icon (>) next to its name.

Step 3 Select the Microbranch AP.

Step 4 Click the Move Devices icon.

Step 5 In the Destination Group dropdown, select UI-MICRO-AP-01.

Step 6 Click Move.

Moving Ap

Assign a Microbranch AP to a Site

The following procedure assigns the Microbranch AP to a site.

Step 1 Go to Organization and select Site.

Step 2 Select Unassigned devices.

Step 3 Select the Microbranch AP on the right side, then drag the AP to the ESP-MB01 site.

Step 4 Click Yes.

Adding microbranch AP to site

Monitor Microbranch AP Routing Overlay

The route orchestrator redistributes routes between the headend VPNCs and the Microbranch APs. All overlay routing information, such as control connections, routes advertised, and routes learned, can be monitored on the AP device page.

Step 1 Go to AP Group > Devices > Access Points > List.

Step 2 Select an AP.

Step 3 Under Overview, click the Routing tab.

Step 4 Select the Overlay tab.

Step 5 The Overlay summary table displays the control connection state, the number of interfaces, the number of routes advertised by the AP, and the number of routes learned by the AP.

Step 6 Under Overlay details, in the dropdown box, select Routes advertised to display all routes advertised by the AP.

Step 7 Under Overlay details, in the dropdown box, select Routes learned to display all routes learned by the AP.

mb_route_table



© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.