Aruba Layer 3 Microbranch AP Configuration
Layer 3 Microbranch, also referred to as Distributed Layer 3 (DL3), allows admins to provide three types of access: Routed Layer 3, NATed Layer 3, and fully tunneled access. This guide demonstrates all three types of access.
Full Tunnel uses policy-based routing and is shown as an optional section of the guide.
This guide demonstrates how to configure two types of Microbranch SSIDs:
- EXAMPLE-CORP is a Routed Layer 3 SSID that provides access to corporate resources. It is assigned VLAN ID 101 and prefix 10.14.200.0/24, which is advertised to the broader campus network.
- EXAMPLE-GUEST is a NATed Layer 3 SSID that provides only Internet access. It is assigned VLAN 100 and prefix 192.168.0.0/24, which is only routed locally.
Note: This guide uses the VPNC configured in the hub & spoke section. To configure a VPNC, review the “Deploying VPNC” section.
Table of contents
- Aruba Layer 3 Microbranch AP Configuration
- Create a Microbranch AP Group
- Configure System IP Pool
- Configure VLAN DHCP Pool
- Set AP Device Password
- Configure Country Code
- Assign System IP Pool to AP Group
- Configure DNS and NTP
- Configure WAN Uplink
- Configure WAN Health Check
- Configure Hub Site
- Configure VLANs
- Configure the WPA3-Enterprise Wireless LAN
- Configure the Visitor Wireless LAN
- (Optional) Routed Layer 3 Full-Tunnel Configuration
- Assign a Microbranch AP to a Group
- Assign a Microbranch AP to a Site
- Monitor Microbranch AP Routing Overlay
The illustration below shows the Microbranch topology.
Create a Microbranch AP Group
Step 1 In the left navigation pane, in the Maintain section, select Organization.
Step 2 In the left navigation pane, click Global, then select the Groups column heading.
Step 3 To create a New Group, in the upper right, click + (plus sign).
Step 4 In the Add Group window, enter a name, click the Access Point checkbox, then click Next.
Step 5 Leave ArubaOS 10 selected in Architecture for access points and gateways in this group. Click the Microbranch radio button under Network role of the access points in this group, then click Add.
Configure System IP Pool
The System IP Pool assigns IP addresses to access points dynamically, as required for Microbranch AP setup.
APs use their assigned IP for the inner tunnel IP address and to source traffic such as RADIUS, TACACS+, and SNMP. The System IP Pool is applied to the Microbranch group in a future step.
Step 1 Select the Global group. In the left navigation pane, click Network Services.
Step 2 Select the IP Address Manager tab.
Step 3 In the upper right, click + (plus sign).
Step 4 In the Add System IP Pools window, enter the following:
- Pool Name: System IP Pool
- Start address: 10.14.254.1
- End address: 10.14.254.100
Step 5 Click Save.
Configure VLAN DHCP Pool
A Shared DHCP Pool is configured for later assignment to the EXAMPLE-CORP VLAN.
Step 1 Select the Global group. In the left navigation pane, select Network Services.
Step 2 Select the IP Address Manager tab, then select the Shared DHCP Pools tab.
Step 3 To create a DHCP pool, in the upper right, click + (plus sign).
Step 4 In the Add Shared DHCP Pool window, enter the following:
- Pool Name: EXAMPLE-CORP
- Start address: 10.14.200.1
- End address: 10.14.200.255
- Hosts per DHCP VLAN: 20
Step 5 Click Save.
Set AP Device Password
Step 1 In the Global dropdown, search and select the Microbranch AP group created previously.
Step 2 In the left navigation pane under Manage, select Devices.
Step 3 Select the Access Points tab. In the upper right corner, click the Config (gear) icon.
Step 4 Enter a device password in the Password field, re-enter the password in the Confirm password field, then click Set Password.
Configure Country Code
It is important to assign the proper country code to ensure that APs operate in compliance with local regulatory restrictions.
Step 1 In the UI-MICRO-AP-01 > Devices configuration panel, in the System tile, select Properties.
Step 2 In the Set country code field, select the appropriate country code from the dropdown.
Step 3 Click Save.
Assign System IP Pool to AP Group
Step 1 In the UI-MICRO-AP-01 > Devices configuration panel, in the System tile, select IP Addressing.
Step 2 Click + (plus sign).
Step 3 In the Select IP Address Pool field, select the previously configured System IP Pool.
Step 4 Click Save.
Configure DNS and NTP
Step 1 In the UI-MICRO-AP-01 > Devices configuration panel, in the System tile, select DNS & NTP.
Step 2 In the Domain Name field, enter the domain name.
Step 3 To add a DNS server, in the DNS SERVERS header, click + (plus sign).
Step 4 In the dropdown, select a DNS service.
Step 5 Click Save.
Step 6 Expand the NTP section, and click > NTP.
Step 7 To add a NTP server, in the PUBLIC NTP SERVERS header, click + (plus sign).
Step 8 In the new empty field, enter an NTP server name or IP address.
Step 9 In the Timezone field, select a timezone from the dropdown.
Step 10 Click Save.
Configure WAN Uplink
The WAN uplink identifies the interface assigned a WAN IP address. Tunnel Orchestrator uses this WAN IP address to create tunnels between devices.
Step 1 In the UI-MICRO-AP-01 > Devices configuration panel, in the WAN tile, select WAN Uplink.
Step 2 On the right side, click + (plus sign).
Step 3 In the Uplink Name, enter the uplink interface name.
Step 4 Click Save.
Configure WAN Health Check
A WAN Health Check measures latency and packet loss on WAN uplinks using ICMP or UDP probes. UDP-based probes add measurement of jitter and generation of MOS scores.
Step 1 Go to the UI-MICRO-AP-01 > Devices configuration panel. In the WAN tile, select WAN Health Check.
Step 2 Click the slider right of Monitor WAN health.
Step 3 Click the Custom radio button.
Step 4 In the Protocol field, click the dropdown and select UDP.
Step 5 Click Save.
Configure Hub Site
Step 1 Go to the UI-MICRO-AP-01 > Devices configuration panel. In the Tunnels & Routing tile, select Data Center.
Step 2 In the Data Center header, click + (plus sign).
Step 3 In the HUB GROUP dropdown, select the VPNC Group configured in Hub and Spoke Deployment.
Step 4 In the Cluster Name dropdown, select the cluster configured in Hub and Spoke Deployment.
Step 5 Click Save.
Configure VLANs
Create VLANs for the routed EXAMPLE-CORP SSID and the NATed EXAMPLE-GUEST SSID.
Step 1 Go to the UI-MICRO-AP-01 > Devices configuration panel, in the LAN tile, select VLANs.
Step 2 In the VLANs header, click + (plus sign).
Caution: Do not use the same VLAN ID at a Microbranch site and on the VPNC. If the same VLAN ID is configured on both, a Layer 2 tunneled SSID is created operationally, even if the configuration specifies Layer 3 Routed or NATed.
Step 3 In the new VLAN form, enter the following field values.
- DHCP Profile Name: EXAMPLE-CORP
- VLAN ID: 101
- Click the Routed radio button
- DHCP Pool: EXAMPLE-CORP
- Excluded addresses: 5
- Domain name: example.local
- DNS Server: Specify Servers
- Servers: 10.2.120.98, 10.2.120.99
Step 4 Leave other fields at their default values.
Step 5 Click Save.
Step 6 In the VLANs header, click + (plus sign).
Step 7 In the new VLAN window, enter the following field values.
- DHCP Profile Name: EXAMPLE-GUEST
- VLAN ID: 100
- Click the NATed radio button
- Subnet: 192.168.0.0
- Subnet Mask: 255.255.255.0
- Domain name: example.local
- DNS Server: AP Assigned DNS Server
- Excluded addresses: 5
Step 8 Leave other fields at their default values.
Step 9 Click Save.
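The caution above (a VLAN ID shared with the VPNC silently turns a Routed or NATed SSID into a Layer 2 tunneled one) and the pool and prefix values from the previous sections are easy to check before anything is pushed to a site. The following Python is an added example, not code from this guide or from Aruba: it holds the guide's addresses and VLAN IDs in a plain dictionary (the layout, function names and checks are this example's own, not Aruba Central's data model or API) and reports collisions and overlaps. The set of VLAN IDs already in use on the VPNC is supplied by the caller.

```python
from ipaddress import ip_address, ip_network

# Site plan using the addresses and VLAN IDs from this guide. The dict layout,
# the function names and the checks are this example's own; they are not Aruba
# Central's data model or API. The VPNC VLAN set is supplied by the caller.
SITE_PLAN = {
    "system_ip_pool": ("10.14.254.1", "10.14.254.100"),
    "vlans": [
        {"id": 101, "name": "EXAMPLE-CORP", "mode": "routed",
         "prefix": "10.14.200.0/24",
         "pool": ("10.14.200.1", "10.14.200.255"), "excluded": 5},
        {"id": 100, "name": "EXAMPLE-GUEST", "mode": "nated",
         "prefix": "192.168.0.0/24", "pool": None, "excluded": 5},
    ],
}


def pool_network(start, end):
    """Smallest prefix that covers a start/end address range (for overlap tests)."""
    first, last = ip_address(start), ip_address(end)
    net = ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def check_site_plan(plan, vpnc_vlan_ids):
    """Return a list of findings; an empty list means the plan passed every check."""
    findings = []
    sys_pool = pool_network(*plan["system_ip_pool"])
    seen_ids = set()
    routed_prefixes = []

    for v in plan["vlans"]:
        prefix = ip_network(v["prefix"])

        # Caution from the guide: a VLAN ID that also exists on the VPNC makes
        # a Routed/NATed SSID operate as Layer 2 tunneled.
        if v["id"] in vpnc_vlan_ids:
            findings.append(f"VLAN {v['id']} ({v['name']}) is also configured on the "
                            "VPNC; the SSID would operate as Layer 2 tunneled")
        if v["id"] in seen_ids:
            findings.append(f"VLAN {v['id']} is defined twice at the site")
        seen_ids.add(v["id"])

        # The System IP Pool addresses the APs themselves (inner tunnel IP,
        # RADIUS/TACACS+/SNMP source) and must not collide with a client prefix.
        if sys_pool.overlaps(prefix):
            findings.append(f"System IP Pool {sys_pool} overlaps client prefix "
                            f"{prefix} ({v['name']})")

        # A DHCP pool must sit inside its VLAN prefix and leave leases after exclusions.
        if v["pool"]:
            start, end = (ip_address(a) for a in v["pool"])
            if start not in prefix or end not in prefix:
                findings.append(f"DHCP pool {v['pool']} lies outside {prefix} ({v['name']})")
            elif v["excluded"] >= int(end) - int(start) + 1:
                findings.append(f"Excluded addresses leave no leases in {v['name']}")

        # Routed prefixes are advertised to the campus, so they must be unique.
        if v["mode"] == "routed":
            for other in routed_prefixes:
                if prefix.overlaps(other):
                    findings.append(f"Routed prefix {prefix} overlaps {other}; "
                                    "both would be advertised to the campus")
            routed_prefixes.append(prefix)

    return findings


if __name__ == "__main__":
    # Constructed VPNC VLAN set that deliberately reuses VLAN 101 to show the finding.
    for finding in check_site_plan(SITE_PLAN, {1, 101}):
        print("FINDING:", finding)
```

Run it with the VLAN IDs actually configured on the VPNC; the NATed guest prefix is intentionally not compared against other sites, because it is only routed locally and may repeat across sites.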
Configure the WPA3-Enterprise Wireless LAN
The following procedure creates a secure, routed SSID for accessing internal resources.
Step 1 Go to the UI-MICRO-AP-01 > Devices configuration panel. In the Wireless tile, select WLAN.
Step 2 Near the bottom left of the WLANs tab, click + Add SSID.
Step 3 On the General tab, set the SSID Name field to EXAMPLE-CORP.
Step 4 To display additional settings, click > Advanced Settings.
Step 5 To expand broadcast/multicast options, click (+) Broadcast/Multicast.
Step 6 In the Broadcast filtering dropdown, select All.
Step 7 To expand legacy transmission rate options, click (+) Transmit Rates (Legacy Only).
Step 8 In the 2.4 GHz section, set the following values.
- Min: 5
- Max: 54
Step 9 In the 5 GHz section, set the following values.
- Min: 18
- Max: 54
Step 10 Click Next.
Configure SSID VLAN
On the VLANs tab, enter the following values, then click Next.
- Traffic forwarding mode: L3 Routed/NATed.
- Client VLAN Assignment: Static
- VLAN ID: EXAMPLE-CORP (vlan:101)
Configure SSID Security Settings
Enable 802.1X authentication and encryption on the SSID.
Step 1 To set the security level, move the Security Level slider to Enterprise.
Step 2 From the Key Management dropdown, select WPA3 Enterprise (CCM 128).
Use WPA3 when possible to benefit from significant security improvements over WPA2. Consult endpoint documentation to confirm that Microbranch devices support WPA3. If devices do not support WPA3, use WPA2-Enterprise.
Step 3 To add a primary RADIUS server, beside the Primary Server field, click + (plus sign).
Step 4 In the NEW SERVER window, enter the following values, then click OK.
- Server Type: RADIUS
- Name: cppm-01
- IP Address: 10.2.120.94
- Shared Key: < Enter the RADIUS server shared key >
- Retype Key: < Re-enter the RADIUS server shared key >
Note: It is important to record the Shared Key for use when configuring ClearPass Policy Manager.
Step 5 To add a secondary RADIUS server, beside the Secondary Server field, click + (plus sign).
Step 6 Repeat step 4 with appropriate values for the secondary RADIUS server.
Step 7 To enable Load Balancing, click the slider.
Step 8 Click Next.
Configure Network Access Rules
Network access rules apply policy enforcement for an SSID based on the role or IP address of a device.
Step 1 Leave the default setting of Unrestricted, then click Next.
Step 2 On the Summary tab, review all settings and click Finish.
Configure the Visitor Wireless LAN
The following procedure creates a NATed SSID with a captive portal for guest Internet access.
Create Visitor SSID
Step 1 In the UI-MICRO-AP-01 > Devices configuration panel, in the Wireless tile, select WLAN.
Step 2 On the bottom left of the WLANs tab, click + Add SSID.
Step 3 On the General tab, set the SSID Name field to EXAMPLE-GUEST.
Step 4 To display additional settings, click > Advanced Settings.
Step 5 To expand broadcast/multicast options, click (+) Broadcast/Multicast.
Step 6 In the Broadcast filtering dropdown, select All.
Step 7 To expand legacy transmission rate options, click (+) Transmit Rates (Legacy Only).
Step 8 In the 2.4 GHz section, set the following values.
- Min: 5
- Max: 54
Step 9 In the 5 GHz section, set the following values.
- Min: 18
- Max: 54
Note: Setting a time range for guest access is optional. If it is not required, skip steps 11-14.
Step 10 If a time range is not required, click Next and continue with Configure VLANs.
Step 11 To display time range options, click (+) Time Range Profiles.
Step 12 To create a new time range, click + New Time Range Profile.
Step 13 In the NEW PROFILE window, enter the following values, then click Save.
- Name: Guest Weekdays
- Type: Periodic
- Repeat: Daily
- Day Range: Monday - Friday (Weekdays)
- Start Time:
- Hours: 7
- Minutes: 0
- End Time:
- Hours: 18
- Minutes: 0
Step 14 The new time range appears in the Time Range Profiles list. To enable the profile, click the Status dropdown beside the name, select Enabled, then click Next.
Configure VLANs
On the VLANs tab, enter the following values, then click Next.
- Traffic Forwarding Mode: L3 Routed/NATed.
- Client VLAN Assignment: Static
- VLAN ID: EXAMPLE-GUEST (vlan:100)
Configure Security
Enable a web-based captive portal.
Step 1 To set the security level, move the Security Level slider to Visitors.
Step 2 In the Access Network section, click the Type dropdown and select External Captive Portal.
Step 3 To create a captive portal profile, click the + (plus sign) beside the Captive Portal Profile dropdown.
Step 4 In the External Captive Portal-New window, enter the following values, then click OK.
- Name: CPPM-Portal
- IP or Hostname: 10.2.120.92
- URL: /guest/mb_guest_portal.php
- Port: 443
- Redirect URL: http://www.arubanetworks.com
Caution: The IP or Hostname field cannot be set to an FQDN for Layer 3 NATed SSIDs. The DNS request from the AP will be NATed and cannot resolve the FQDN correctly.
Step 5 To set the primary RADIUS server, click the Primary Server dropdown and select the previously created primary RADIUS server.
Step 6 To set the secondary RADIUS server, click the Secondary Server dropdown and select the previously created secondary RADIUS server.
Step 7 To enable Load Balancing, toggle the slider.
Step 8 Click Next.
Note: Refer to Configure SSID Security Settings in the Configure the WPA3-Enterprise Wireless LAN section to create new RADIUS servers.
Configuring Access For Guest SSID
Pre- and post-authentication roles apply access restrictions to clients associated to an SSID. The pre-authentication role EXAMPLE-DENY denies all access except DNS, DHCP, and web access to the CPPM server. The EXAMPLE-GUEST post-authentication role allows access to all destinations. It is not necessary to block guests from internal networks in the post-authentication role because clients associated to the EXAMPLE-GUEST SSID cannot initiate connections to internal resources.
Configure Deny Role
Step 1 On the Access tab, move the slider to Role Based.
Step 2 To create a new role, in the lower left, click + Add Role.
Step 3 In the Add Role window, enter EXAMPLE-DENY in the Role field, then click OK.
Configure Deny ACL
Step 1 In the Role tile, select EXAMPLE-DENY.
Step 2 In the Access Rules For Selected Roles tile, select Allow any to all destinations, then click the edit (pencil) icon.
Step 3 In the Access Rules window, click the Action dropdown, select Deny, then click OK.
Step 4 To configure additional access rules, click + Add Rule.
Step 5 In the Access Rules window, enter the values from the first row in the table below and click OK.
Rule Type | Service type | Service | Action | Destination | Network |
---|---|---|---|---|---|
Access control | Network | HTTPS/HTTP | Allow | To Particular Server | 10.2.120.92 |
Access control | Network | DNS | Allow | To Particular Server | 10.2.120.98 |
Access control | Network | DNS | Allow | To Particular Server | 10.2.120.99 |
Access control | Network | DHCP | Allow | To all destinations | N/A |
Step 6 Repeat steps 4 and 5 for each row in the table.
Step 7 In the Assign Pre-Authentication Role dropdown, select EXAMPLE-DENY.
Step 8 Click Next.
(Optional) Routed Layer 3 Full-Tunnel Configuration
In highly secure deployments, all traffic might need to be tunneled back to security appliances to ensure compliance before it is forwarded to its destination. The following section demonstrates how to configure a full tunnel.
To configure full tunnel in a Layer 3 Microbranch deployment, adjust the Data Center configuration and create a Policy-Based Routing (PBR) policy with a rule stating that all traffic to any destination is forwarded, through the secure IPsec tunnel, to either a VPNC or a pair of VPNCs (via a next-hop list). The PBR policy is then assigned to the user role(s); all user traffic from users or devices assigned to that role is forwarded to the data center via the secure tunnel.
Configure Hub Priority
Earlier in this guide the hub site was configured as a site cluster, which load balances across the cluster by route. With full tunneling this can cause asymmetric routing. To avoid it, use a Manual Hub deployment, which forces the APs to tunnel to a single gateway. If the primary gateway fails, the tunnels fail over to the next gateway in the group.
Step 1 Go to the UI-MICRO-AP-01 > Devices configuration panel. In the Tunnels & Routing tile, select Data Center.
Step 2 In the Data Center header, hover over the configured group and select the trash can.
Step 3 Click Save.
Step 4 In the Tunnels & Routing tile, select Data Center.
Step 5 Select the Hubs radio button.
Step 6 In the Data Center header, click + (plus sign).
Step 7 In the HUB GROUP dropdown, select the VPNC Group configured in Hub and Spoke Deployment.
Step 8 In the Cluster Name dropdown, select RSVDC-VPNC-1, configured in Hub and Spoke Deployment.
Step 9 In the highlighted VPNC-RSVDC header, click + (plus sign), then select RSVDC-VPNC-2.
Step 10 Click Save.
Create PBR policy for full-tunnel
Step 1 Go to the group UI-MICRO-AP-01 > Devices page. In the Tunnels & Routing tile, select Policy-based Routing.
Step 2 Near the top right of the Policies tab, click + (plus sign).
Step 3 Enter a PBR policy name (for example, EXAMPLE-PBR-DL3-FULL-TUNNEL).
Note: When a new PBR policy is added, a default rule that forwards all traffic to the Internet is created automatically.
Step 4 Mouse over the EXAMPLE-PBR-DL3-FULL-TUNNEL policy and click the edit (pencil) icon on the right.
Step 5 Mouse over the default rule that was created automatically.
Step 6 Click the edit (pencil) icon on the right.
Step 7 In the EDIT RULE window, perform either (1) or (2), depending on the requirement.
(1) To forward all user traffic to a single VPNC, enter the following values, then click OK.
- Source: Any
- Destination: Any
- Service/App: Any
- Action: Forward to IPSec Map to VPNC
- VPNC: The VPNC on which to terminate the traffic
- Uplink Tag: The uplink of the VPNC
(2) To forward all user traffic to next-hop devices using a next-hop list, enter the following values, then click OK.
- Source: Any
- Destination: Any
- Service/App: Any
- Action: Forward to Nexthop List
- Name of next-hop-list: < select the next-hop list name >
Step 8 Click Save.
Apply PBR Policy for Full-Tunnel to User Role
Step 1 Go to the group UI-MICRO-AP-01 > Devices page. In the Security tile, select Policies & Access Control.
Step 2 Expand the Roles section.
Step 3 Select the user role to which to apply the PBR policy.
Step 4 In the Rules window, click + (plus sign).
Step 5 In the ADD RULE window, enter the following values, then click OK.
- Rule Type: Policy-Based Routing
- Add Existing Policy:
- Policy Name: EXAMPLE-PBR-DL3-FULL-TUNNEL
Step 6 The PBR policy configured for full tunnel is now assigned to the user role.
Step 7 Click Save.
Note: When a user is assigned a user role and user traffic flows, all access rules for the user role are applied first; only if the result is a PERMIT is the PBR policy then applied to that traffic.
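The order described in the note above (role access rules first, PBR only on PERMIT) and the EXAMPLE-DENY pre-authentication rules from the Configure Deny ACL table can be reasoned about with a small model. The following Python is an added example, not code from this guide, from Aruba Central or from the AP firewall: the Packet and Rule classes, the service-to-port table, the role name EXAMPLE_CORP_USER and the Internet test address are constructed for the example. It assumes first-match evaluation of the access rules, with the specific allow rules ordered ahead of the deny-any rule, and it ends with a test showing why that ordering matters.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the EXAMPLE-DENY pre-authentication role, two
# post-authentication roles and the full-tunnel PBR policy from this guide.
# The Packet/Rule classes, the SERVICES table and the evaluation functions are
# this example's own, not Aruba Central's API or the AP's firewall code.


@dataclass(frozen=True)
class Packet:
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    service: str  # "HTTP", "HTTPS", "DNS", "DHCP" or "ANY"
    action: str   # "allow" or "deny"
    dst: str      # "any" or a host / prefix such as "10.2.120.92"


# Protocol and port behind each named service (assumed for this example).
SERVICES = {
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "DNS": ("udp", 53),
    "DHCP": ("udp", 67),
}


def matches(rule, pkt):
    if rule.service != "ANY" and SERVICES[rule.service] != (pkt.proto, pkt.dport):
        return False
    if rule.dst != "any" and ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    return True


def evaluate_role(rules, pkt):
    """First-match evaluation of a role's access rules; no match means deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Pre-auth role from the "Configure Deny ACL" table: web to the CPPM server,
# DNS to the two resolvers and DHCP are allowed, everything else is denied.
# The specific allows must precede the deny-any rule under first-match evaluation.
EXAMPLE_DENY = [
    Rule("HTTPS", "allow", "10.2.120.92"),
    Rule("HTTP", "allow", "10.2.120.92"),
    Rule("DNS", "allow", "10.2.120.98"),
    Rule("DNS", "allow", "10.2.120.99"),
    Rule("DHCP", "allow", "any"),
    Rule("ANY", "deny", "any"),
]

# Post-auth roles: both permit everything. EXAMPLE_CORP_USER is a constructed
# name for the corporate role that receives the PBR policy.
EXAMPLE_GUEST = [Rule("ANY", "allow", "any")]
EXAMPLE_CORP_USER = [Rule("ANY", "allow", "any")]


def full_tunnel_pbr(pkt):
    """PBR policy EXAMPLE-PBR-DL3-FULL-TUNNEL: any source/destination goes to the VPNC."""
    return "ipsec-to-vpnc"


def forward(rules, pbr, pkt):
    """Apply the role's access rules first; consult PBR only when the result is PERMIT."""
    if evaluate_role(rules, pkt) != "allow":
        return "dropped"
    return pbr(pkt) if pbr else "local"


if __name__ == "__main__":
    cppm = Packet("10.2.120.92", "tcp", 443)
    web = Packet("203.0.113.10", "tcp", 443)  # constructed Internet host
    print(forward(EXAMPLE_DENY, None, cppm))                 # local
    print(forward(EXAMPLE_DENY, None, web))                  # dropped
    print(forward(EXAMPLE_GUEST, None, web))                 # local (NATed at the AP)
    print(forward(EXAMPLE_CORP_USER, full_tunnel_pbr, web))  # ipsec-to-vpnc
```

The last case in the test, with the deny-any rule moved to the top, returns deny even for the captive portal server; that is the check to run against the rule order shown in the Access Rules tile before the pre-authentication role goes live.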
Assign a Microbranch AP to a Group
Step 1 In the left navigation pane, click Global, then select the Groups column heading.
Step 2 Expand the Unprovisioned devices group by clicking the expansion icon (>) next to its name.
Step 3 Select the Microbranch AP.
Step 4 Click the Move Devices icon.
Step 5 In the Destination Group dropdown, select UI-MICRO-AP-01.
Step 6 Click Move.
Assign a Microbranch AP to a Site
The following procedure assigns the Microbranch AP to a site.
Step 1 Go to Organization and select Site.
Step 2 Select Unassigned devices.
Step 3 Select the Microbranch AP on the right side, then drag the AP to the ESP-MB01 site.
Step 4 Click Yes.
Monitor Microbranch AP Routing Overlay
The route orchestrator redistributes the routes between the headend VPNCs and the Microbranch APs. All the overlay routing information such as control connections, routes advertised, routes learned, etc. can be monitored in the AP device page.
Step 1 Go to AP Group > Devices > Access Points > List.
Step 2 Select an AP.
Step 3 Under Overview, click the Routing tab.
Step 4 Select the Overlay tab.
Step 5 The Overlay summary table displays an overview of the control connection state, the number of interfaces, the number of routes advertised by the AP, and the number of routes learned by the AP.
Step 6 Under Overlay details, in the dropdown box, select Routes advertised to display all the routes advertised by the AP.
Step 7 Under Overlay details, in the dropdown box, select Routes learned to display all the routes learned by the AP.