Medium Branch Switch Configuration
In this deployment the aggregation switch has dual purposes: it provides power and layer 2 access to wired devices and access points, while also aggregating the downstream access switches. Access switches are used to increase the port count for layer 2 access to wired devices and access points. Consistency in physical connectivity across branch deployments is crucial to minimize variations in the template. See the image below.
Table of contents
- Medium Branch Switch Configuration
- Stacking Switches Offline
- Creating Switch Template Configuration
- Configure the Access Base Features
- Configure the Access VLANs
- Configure Device Profiles
- Configure RADIUS
- Configure Spanning Tree
- Configure Aggregation Uplink Ports
- Configure Aggregation Downlink Ports
- Configure Access Uplink Ports
- Applying the Template Configuration
- Upload the Access Switch Variables
- Assign Switches to Site
Stacking Switches Offline
The aggregation switches should be stacked before their uplinks are connected. Use the following procedure to stack the switches before they connect to Central.
Caution: Do not connect the switch to the gateway before it is stacked; otherwise it will not be able to stack offline without a factory reset.
Before starting this procedure check the following:
Step 1 Ensure the switches are running AOS-CX 10.7 or above.
Step 2 All switches are at factory default.
Step 3 Switches in the stack are using the reserved auto-stacking ports.
- 24 port switches auto stack ports : 25, 26
- 48 port switches auto stack ports: 49, 50
Step 4 Switches are connected in a ring topology.
Step 5 Console connection to the switch.
After going through the checklist above the switches are ready to be stacked.
Step 1 On the switch that will be the conductor, press the mode button until the LED displays STK, then wait for the conductor to reboot.
Step 2 On the second switch, press the mode button until the LED displays STK. Wait for the second member to boot.
Note: During stacking operation, the port LEDs are displayed in three different states:
Flashing green - Indicates that the member is the conductor.
Flashing orange - Indicates that the member is rebooting to join the stack or offline due to error condition.
Solid green - Indicates that the member joined the stack and is operational. For more information on stacking LED states, refer to the Monitoring Guide.
Create a Switch Group
Use this procedure to create a group for the small branch deployment.
Step 1 In the left navigation pane, select Organization.
Step 2 Select the Groups tile.
Step 3 Click the + (plus sign) to create a New Group.
Step 4 Check the Box for Access Points and Switching
Step 5 Name the group: BR-ECE-SDW-M
Step 6 Click the toggle to enable templates.
Step 7 Click Next
Step 8 Change the group to only allow AOS-CX.
Step 9 Click Add
Assign Switches to Group
Step 1 On the Organization page, select Device Preprovisioning.
Step 2 In the Serial Column enter in the serial number of the switch.
Step 3 Select the switch, then click the Item Selected button.
Step 4 In the Assign a Group window, select the BR-ECE-SDW-M group created previously.
Step 5 Click Move.
Step 6 Click Ok.
Step 7 Repeat this Process for each switch.
Note: If devices have already reached out to Central, they will be in the Unprovisioned group, where they can also be selected and moved to the correct group.
Switch Serial | Switch Mac |
---|---|
SG21KN503J | BC:D7:A5:C3:19:00 |
SG21KN5042 | BC:D7:A5:C3:A9:00 |
SG0BKW506F | 8C:85:C1:50:D0:80 |
SG0BKW5077 | 8C:85:C1:50:C2:40 |
Set Firmware Compliance
Step 1 In the left pane click Global, and select the BR-ECE-SDW-S group.
Step 2 In the left pane Select Firmware .
Step 3 Click the Switches tab in the group, then Click the Gear icon to set the compliance.
Step 4 Set the AOS-CX Firmware Policy to 10.11.1005.
Step 5 Click Save, then Click Ok
Creating Switch Template Configuration
The configuration options that should be included in a switching template are shown below. These configuration items are in template format. The values of the variables are identified in the table below the configuration.
interface Vlan 10
ip address %VLAN_IP%
Switch Name | %VLAN_IP% Variable Input |
---|---|
Example-SW-01 | 10.0.0.2 |
Example-SW-02 | 10.0.0.2 |
The full configuration template file, with variables, is included in the “Branch Access Switch Configuration” section. Uplink ports used in the document differ from other branch deployments and must be adjusted to fit those environments.
Configure the Access Base Features
Use this procedure to configure the access switch base features. The base features include the host name, management user account, banner MOTD, NTP, DNS, TACACS, and AAA.
In the configuration template, perform the following steps:
Step 1 Configure the switch host name.
hostname %HOSTNAME%
Step 2 Configure the management user account.
user admin group administrators password plaintext <password>
Note: There must be an admin user account for CLI access to the switch.
Step 3 Configure the login banner. The banner MOTD is normally used as a legal disclaimer to notify users logging into the network that only authorized access is allowed. Consult your own legal team to define the banner MOTD. An example is shown below.
banner motd $
**********************************************************
NOTICE TO USERS
This is a private computer system and is the property of Aruba Networks. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy while connected to this system.
...
Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use of this system, you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
***********************************************************
$
Note: When setting the banner, a delimiter marks the end of the MOTD text and returns the switch from the MOTD context. In this example, the delimiter is “$”.
Step 4 Configure the NTP servers and time zone.
ntp server 10.2.120.98 iburst version 3
ntp server 10.2.120.99 iburst version 3
clock timezone us/pacific
Step 5 Configure the DNS servers and domain name.
ip dns host 10.2.120.98
ip dns host 10.2.120.99
ip dns domain-name Example.local
Configure the Access VLANs
In order to provide client devices with network connectivity, access switches must have the same VLANs as the branch gateways. The access switches also have an additional layer 3 interface for the management VLAN. IGMP, DHCP snooping, and ARP inspection are enabled.
IGMP snooping prevents hosts on a local network from receiving traffic for a multicast group they have not explicitly joined. The feature provides layer 2 switches with a mechanism to prune multicast traffic from ports that do not contain an active multicast listener.
DHCP snooping is enabled globally and enabled for each VLAN to snoop DHCP packets. DHCP snooping prevents DHCP starvation attacks and rogue DHCP servers from servicing requests on the network.
ARP inspection is enabled under the VLAN, but does not take effect unless DHCP snooping is also enabled. ARP inspection stops man-in-the-middle attacks caused by ARP cache poisoning.
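As an added illustration (not switch code from this guide), the following Python model shows how the two features interact: DHCP snooping builds a binding table from server replies seen on trusted ports, and ARP inspection checks ARP traffic on untrusted ports against that table. Port names, MAC addresses and IP addresses are constructed; the second scenario shows what happens when the uplink is left untrusted, which is the condition the cautions in the uplink sections warn about.

```python
from dataclasses import dataclass, field

@dataclass
class SnoopingSwitch:
    """Minimal model of the DHCP snooping / ARP inspection decision logic."""
    trusted_ports: set = field(default_factory=set)  # uplinks and LAGs
    bindings: dict = field(default_factory=dict)     # (vlan, mac) -> ip
    log: list = field(default_factory=list)

    def dhcp_server_reply(self, port, vlan, client_mac, ip):
        """Server replies (OFFER/ACK) are accepted only from trusted ports;
        an accepted lease becomes a binding-table entry for the client."""
        if port not in self.trusted_ports:
            self.log.append(f"DROP DHCP server reply on untrusted {port}")
            return False
        self.bindings[(vlan, client_mac)] = ip
        return True

    def arp_packet(self, port, vlan, sender_mac, sender_ip):
        """ARP inspection: on untrusted ports the sender IP/MAC pair must match
        a snooping binding; trusted ports are forwarded without a lookup."""
        if port in self.trusted_ports:
            return True
        if self.bindings.get((vlan, sender_mac)) == sender_ip:
            return True
        self.log.append(f"DROP ARP {sender_ip} from {sender_mac} on {port}")
        return False

def run_scenario(trust_uplink=True):
    """Constructed traffic on VLAN 101 (Employee); lag1 is the uplink towards
    the gateways and the central DHCP server. Returns a verdict per packet."""
    sw = SnoopingSwitch(trusted_ports={"lag1"} if trust_uplink else set())
    v = {}
    # lease for a host on 1/1/1 arrives from the central server via the uplink
    v["lease"] = sw.dhcp_server_reply("lag1", 101, "aa:aa:aa:00:00:01", "10.1.101.10")
    # a rogue DHCP server on access port 1/1/5 answers a client
    v["rogue"] = sw.dhcp_server_reply("1/1/5", 101, "aa:aa:aa:00:00:02", "10.1.101.99")
    # the leased host announces its own address
    v["host"] = sw.arp_packet("1/1/1", 101, "aa:aa:aa:00:00:01", "10.1.101.10")
    # another host claims the gateway address (cache-poisoning attempt)
    v["spoof"] = sw.arp_packet("1/1/2", 101, "aa:aa:aa:00:00:03", "10.1.101.1")
    # the real gateway answers through the uplink
    v["gateway"] = sw.arp_packet("lag1", 101, "bb:bb:bb:00:00:01", "10.1.101.1")
    v["log"] = sw.log
    return v
```

With `trust_uplink=False` the lease from the central server is dropped and the host never gets a binding, so even its own ARP is discarded: the same failure the cautions below describe when trust is missing on the uplink LAG.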
VLAN ID | Description |
---|---|
100 | MGMT VLAN |
101 | Employee |
102 | Camera |
103 | IOT |
104 | Guest |
105 | Reject |
106 | Critical |
107 | Quarantine |
In the configuration template, assign the following configuration:
Step 1 Configure DHCP snooping globally.
dhcpv4-snooping
Step 2 Configure the access VLANs, enable DHCP/IGMP snooping, and enable ARP inspection.
vlan 100
name MGMT
dhcpv4-snooping
arp inspection
ip igmp snooping enable
vlan 101
name EMPLOYEE
dhcpv4-snooping
arp inspection
ip igmp snooping enable
...
vlan 107
name QUARANTINE
dhcpv4-snooping
arp inspection
ip igmp snooping enable
Step 3 Configure the layer 3 interface VLAN.
interface vlan 100
description MGMT
ip dhcp
Note: The ip dhcp command can only be applied to one VLAN interface. The template will fail to apply if multiple interface VLANs have this configuration.
Configure Device Profiles
Device profiles detect APs dynamically and configure the attached port properly for device management and for tagging the bridged SSIDs. This assists network operators by eliminating manual configuration of ports to which APs are connected.
Device profiles are applied in three steps. First, configure the role to identify the AP, as well as the port tagging. Second, define the LLDP group, which uses LLDP to glean the device OUI to identify if the device is an Aruba AP. Last, associate the role and LLDP group in a device profile configuration.
Note: This procedure can be skipped if ClearPass is used to authenticate Aruba APs.
On each access switch, perform the following steps:
Step 1 Configure the Aruba-AP Role. Create the role, set the authentication mode, set the native VLAN, and define the allowed VLANs.
port-access role ARUBA-AP
auth-mode device-mode
vlan trunk native 100
vlan trunk allowed 100,101,104-107
Step 2 Configure the LLDP group. Create the group and identify the Aruba AP OUIs.
port-access lldp-group AP-LLDP-GROUP
seq 10 match vendor-oui 000b86
seq 20 match vendor-oui D8C7C8
seq 30 match vendor-oui 6CF37F
seq 40 match vendor-oui 186472
seq 50 match sys-desc ArubaOS
Note: The LLDP group identifies the Aruba APs and sets the system-description at the end as a catchall for future APs.
Step 3 Configure the device profile. Create the profile, enable it, then associate it with the role and LLDP group created previously.
port-access device-profile ARUBA_AP
enable
associate role ARUBA-AP
associate lldp-group AP-LLDP-GROUP
Configure RADIUS
Use this procedure to configure the RADIUS servers for the access switch.
Access switches authenticate devices attempting to connect to the network. The two most common methods to authenticate users are 802.1x and MAC-based authentication. This design supports both methods, as well as dynamic authorization that allows the AAA server to change the authorization level of the device connected to the switch.
RADIUS tracking is enabled to verify the status of the client and server. The configuration also includes user roles for rejected clients and RADIUS failure scenarios.
On each access switch, perform the following steps:
Step 1 Configure the RADIUS servers, enable RADIUS dynamic authorization, and track client IP addresses with probes.
radius-server host 10.2.120.94 key plaintext <Password>
radius-server host 10.2.120.95 key plaintext <Password>
radius dyn-authorization enable
client track ip update-method probe
Step 2 Configure AAA for 802.1x and MAC authentication.
aaa authentication port-access dot1x authenticator
enable
aaa authentication port-access mac-auth
enable
Step 3 Configure local user roles, set the authentication mode, and set the VLAN.
port-access role EMPLOYEE
reauth-period 120
vlan access 101
port-access role CAMERA
reauth-period 120
vlan access 102
port-access role IOT
reauth-period 120
vlan access 103
port-access role GUEST
reauth-period 120
vlan access 104
port-access role REJECT
reauth-period 120
vlan access 105
port-access role CRITICAL
reauth-period 120
vlan access 106
port-access role QUARANTINE
reauth-period 120
vlan access 107
Step 4 Configure AAA authentication on the access ports. Set the client limit, configure 802.1x/MAC authentication, set the authentication order, and configure the critical role and the reject role. Adjust the EAPOL timeout, max requests, and max retry defaults.
interface 1/1/1
description ACCESS_PORT
no shutdown
no routing
vlan access 1
aaa authentication port-access client-limit 5
aaa authentication port-access auth-precedence dot1x mac-auth
aaa authentication port-access critical-role CRITICAL
aaa authentication port-access reject-role REJECT
aaa authentication port-access dot1x authenticator
eapol-timeout 30
max-eapol-requests 1
max-retries 1
enable
aaa authentication port-access mac-auth
enable
Note: EAPOL timeout: The amount of time the switch waits for EAP responses before identifying a packet as lost.
Max EAPOL requests: The number of requests the interfaces can have at one time.
Max retries: The number of times the switch tries to authenticate the device.
Configure Spanning Tree
Spanning tree is enabled globally on each access switch as a loop prevention mechanism. Supplemental features such as admin-edge, root guard, BPDU guard, and TCN guard are enabled on appropriate interfaces to ensure that spanning tree runs effectively.
On each access switch, perform the following steps:
Step 1 Configure spanning tree globally and enable Rapid Per VLAN Spanning Tree for the access VLANs.
spanning-tree mode rpvst
spanning-tree
spanning-tree priority 8
spanning-tree vlan 100-107
Step 2 Configure the supplemental spanning tree features.
interface 1/1/1
description ACCESS_PORT
no shutdown
no routing
vlan access 1
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
spanning-tree root-guard
spanning-tree tcn-guard
loop-protect
loop-protect action tx disable
Step 3 The final access port configuration should look like the following:
interface 1/1/1
description ACCESS_PORT
no shutdown
no routing
vlan access 1
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
spanning-tree root-guard
spanning-tree tcn-guard
loop-protect
loop-protect action tx disable
aaa authentication port-access client-limit 5
aaa authentication port-access auth-precedence dot1x mac-auth
aaa authentication port-access critical-role CRITICAL
aaa authentication port-access reject-role REJECT
aaa authentication port-access dot1x authenticator
eapol-timeout 30
max-eapol-requests 1
max-retries 1
enable
aaa authentication port-access mac-auth
enable
Step 4 Repeat the full interface configuration for each access port.
Configure Aggregation Uplink Ports
Each switch has an uplink connection to both gateways. Each uplink is a trunk with allowed VLANs 100-107 and native VLAN 100. Each uplink has DHCP snooping trust and ARP inspection trust enabled.
Step 1 Configure the uplink interfaces, then set the native VLAN and the allowed VLANs on the trunk.
interface 1/1/24
description Uplink_GW
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
interface 2/1/24
description Uplink_GW
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
Step 2 Configure ARP inspection trust and DHCP snooping trust.
interface 1/1/24
description Uplink_GW
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
arp inspection trust
dhcpv4-snooping trust
interface 2/1/24
description Uplink_GW
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
arp inspection trust
dhcpv4-snooping trust
Configure Aggregation Downlink Ports
The aggregation switch has a LAG to each downstream access switch; each LAG should carry VLANs 100-107 with VLAN 100 as the native VLAN. Each downlink LAG should also have LACP fallback configured so that the access switches can ZTP.
Note: The following configuration will only be applied to the Aggregation switch template.
On the aggregation switch, perform the following steps:
Step 1 Configure the LAGs. Enable DHCP snooping trust and ARP inspection trust, then set the native VLAN and the allowed VLANs on each LAG.
interface lag 1
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
arp inspection trust
dhcpv4-snooping trust
lacp mode active
lacp fallback-static
interface lag 2
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
arp inspection trust
dhcpv4-snooping trust
lacp mode active
lacp fallback-static
Step 2 Configure the downlink interfaces to the access switches and add them to the LAGs.
interface 1/1/21
description ACCESS_SW01
no shutdown
no routing
lag 1
interface 1/1/22
description ACCESS_SW02
no shutdown
no routing
lag 2
interface 2/1/21
description Uplink_1
no shutdown
no routing
lag 1
interface 2/1/22
description Uplink_2
no shutdown
no routing
lag 2
Caution: If DHCP Snooping and ARP inspection trust are not enabled, clients cannot get an IP address and connect to the network.
DHCP snooping and ARP inspection must be trusted on the LAG interface to allow clients to receive DHCP addresses from the centralized DHCP servers on the network.
Configure Access Uplink Ports
Each switch has a Link Aggregation Group (LAG) connection to the aggregation switches. Each uplink is a trunk with the allowed VLANs of 100-107. The native VLAN for the trunk is VLAN 100. Each uplink has DHCP Snooping trust allowed and ARP inspection trust enabled.
Note: The following configuration will only be applied to the Access switch template.
On each access switch, perform the following steps:
Step 1 Configure a LAG. Enable DHCP snooping trust and ARP inspection trust, then set the native VLAN and the allowed VLANs on the LAG.
interface lag 1
no shutdown
no routing
vlan trunk native 100
vlan trunk allowed 100-107
arp inspection trust
dhcpv4-snooping trust
lacp mode active
Step 2 Configure the uplink interface.
interface 1/1/23
description Uplink_1
no shutdown
no routing
lag 1
interface 1/1/24
description Uplink_2
no shutdown
no routing
lag 1
Caution: If DHCP Snooping and ARP inspection trust are not enabled, clients cannot get an IP address and connect to the network.
DHCP snooping and ARP inspection must be trusted on the LAG interface to allow clients to receive DHCP addresses from the centralized DHCP servers on the network.
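Before the template goes into Central, the safeguards prescribed in the sections above can be checked mechanically. The following Python linter is an added example, not Aruba code: it splits an AOS-CX template by indentation and reports VLANs without DHCP snooping, ARP inspection or IGMP snooping, more than one interface VLAN with ip dhcp, trunks and LAGs without snooping and inspection trust, and access ports without BPDU guard, admin-edge, loop-protect or a reject role. The sample template at the end is constructed with two deliberate gaps.

```python
VLAN_REQ = ("dhcpv4-snooping", "arp inspection", "ip igmp snooping enable")
TRUNK_REQ = ("arp inspection trust", "dhcpv4-snooping trust")
ACCESS_REQ = ("spanning-tree bpdu-guard", "spanning-tree port-type admin-edge",
              "loop-protect", "aaa authentication port-access reject-role")

def parse(text):
    # top-level lines in order, plus each one's indented child lines
    top, children, cur = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and cur is not None:
            children[cur].append(raw.strip())
        elif raw.strip():
            cur = raw.strip()
            top.append(cur)
            children[cur] = []
    return top, children

def has(lines, prefix):
    return any(line.startswith(prefix) for line in lines)

def audit(text):
    # returns a list of findings; an empty list means the template meets the guide
    top, ch = parse(text)
    findings = []
    if "dhcpv4-snooping" not in top:
        findings.append("global: dhcpv4-snooping missing")
    # ip dhcp may appear on exactly one interface VLAN or the template fails
    dhcp = [h for h in top if h.startswith("interface vlan") and has(ch[h], "ip dhcp")]
    if len(dhcp) != 1:
        findings.append(f"ip dhcp on {len(dhcp)} interface VLANs (must be exactly 1)")
    for h in top:
        lines = ch[h]
        if h.startswith("vlan ") and h[5:].isdigit():
            req = VLAN_REQ
        elif h.startswith("interface") and has(lines, "vlan trunk"):
            req = TRUNK_REQ    # uplinks and LAGs carry the trusted DHCP/ARP path
        elif h.startswith("interface") and has(lines, "vlan access"):
            req = ACCESS_REQ   # edge ports need guards and a reject role
        else:
            continue
        findings += [f"{h}: {r} missing" for r in req if not has(lines, r)]
    return findings

# Constructed sample: VLAN 101 lacks IGMP snooping, 1/1/24 lacks snooping trust.
SAMPLE = """\
dhcpv4-snooping
vlan 101
    dhcpv4-snooping
    arp inspection
interface vlan 100
    ip dhcp
interface 1/1/1
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree port-type admin-edge
    loop-protect
    aaa authentication port-access reject-role REJECT
interface 1/1/24
    vlan trunk native 100
    arp inspection trust
"""
```

Run `audit()` over the full template text exported from the section above; duplicate top-level headers are not expected in a real template and are not merged.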
Applying the Template Configuration
After the template configuration is created, it must be placed into Central. This procedure walks through the steps to get the configuration template into Central.
Step 1 Go to Global > Groups. In the Groups list, select BR-ECE-SDW-M.
Step 2 On the Switches List page at the top right, click Config.
Step 3 On the Switches Template section at the top right, click the + (plus sign) symbol.
Step 4 On the Add Template window in the Basic Info section, assign the following settings, then click Next.
- Template Name: AGG-BR-Config
- Device Type: Aruba CX
- Model: 6300
- Part Name: All
- Version: All
Step 5 In the Edit Template section, paste the aggregation configuration in the box, then click SAVE.
Step 6 On the Switches Template section at the top right, click the + (plus sign) symbol.
Step 7 On the Add Template window in the Basic Info section, assign the following settings, then click Next.
- Template Name: ACC-BR-Config
- Device Type: Aruba CX
- Model: 6200
- Part Name: All
- Version: All
Step 8 In the Edit Template section, paste the access configuration in the box, then click SAVE.
Caution: All variables must be enclosed with percent “%” symbols.
Upload the Access Switch Variables
Use this procedure to upload the variables for the access switches into Central.
Step 1 On the Devices > Switches page, select the Variables tab, then click DOWNLOAD SAMPLE VARIABLES FILES.
Step 2 Open the CSV file in an editor, enter the proper value for each variable, and enter Y in the modified column. Save the file on your computer.
Switch Serial | Switch Mac | %HOSTNAME% Variable Input |
---|---|---|
SG21KN503J | BC:D7:A5:C3:19:00 | CHIBR-ECE1-CR1-1 |
SG21KN5042 | BC:D7:A5:C3:A9:00 | CHIBR-ECE1-CR1-2 |
SG0BKW506F | 8C:85:C1:50:D0:80 | CHIBR-ECE1-AC1-1 |
SG0BKW5077 | 8C:85:C1:50:C2:40 | CHIBR-ECE1-AC2-2 |
Note: Once switches are stacked, the value only needs to be entered for one of the stack members; adding a second member is
Step 3 On the Variables tab, click Upload Variables Files, find the updated CSV file on your computer, then click Open.
Step 4 Go to Devices > Switches > List and verify that the switches are In sync.
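The %VARIABLE% convention from the "Creating Switch Template Configuration" section and the per-switch CSV from this section can be checked locally before uploading. The following Python is an added example, not Central's own validation: it finds unenclosed percent signs (the caution above), confirms every switch row has a value for each template variable and is marked modified=Y, and renders the per-switch result. The column names other than `modified` are assumptions; the serials and MACs are the guide's, the IP values are constructed.

```python
import csv
import io
import re

# A variable is a name wrapped in percent signs, e.g. %HOSTNAME% or %VLAN_IP%.
VAR = re.compile(r"%([A-Za-z0-9_]+)%")

def template_variables(template):
    """Return the set of variable names used in the template."""
    return set(VAR.findall(template))

def check_percent_signs(template):
    """Return the 1-based line numbers where a '%' survives after every
    well-formed %NAME% is removed, i.e. a variable that is not enclosed."""
    return [n for n, line in enumerate(template.splitlines(), 1)
            if "%" in VAR.sub("", line)]

def load_variables(csv_text):
    """Parse the variables CSV into {serial: row}; the 'serial' column name is
    an assumption, 'modified' is the column the guide says to set to Y."""
    return {row["serial"]: row for row in csv.DictReader(io.StringIO(csv_text))}

def render(template, rows):
    """Render the template for every switch row. Rows that are not flagged
    modified=Y or leave a template variable empty are reported, not rendered."""
    needed = template_variables(template)
    configs, problems = {}, []
    for serial, row in rows.items():
        if row.get("modified", "").strip().upper() != "Y":
            problems.append(f"{serial}: modified column is not Y")
        missing = sorted(v for v in needed if not row.get(v, "").strip())
        if missing:
            problems.append(f"{serial}: no value for {', '.join(missing)}")
            continue
        configs[serial] = VAR.sub(lambda m: row[m.group(1)], template)
    return configs, problems

# Constructed template fragment using the two variables shown in the guide.
TEMPLATE = """\
hostname %HOSTNAME%
interface vlan 10
    ip address %VLAN_IP%
"""

# Constructed CSV; serials and MACs are the guide's, the IPs are made up and
# the last row deliberately has an empty hostname and is not marked modified.
CSV = """\
serial,mac,modified,HOSTNAME,VLAN_IP
SG21KN503J,BC:D7:A5:C3:19:00,Y,CHIBR-ECE1-CR1-1,10.0.0.2/24
SG0BKW506F,8C:85:C1:50:D0:80,Y,CHIBR-ECE1-AC1-1,10.0.0.3/24
SG0BKW5077,8C:85:C1:50:C2:40,N,,10.0.0.4/24
"""
```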
Assign Switches to Site
The following procedure assigns switches to a site. Creating sites was shown in the “Preparing to Deploy” section of the guide.
Step 1 Go to Organization and select Site
Step 2 Select Unassigned devices, then use the Name filter to find the switches.
Step 3 Shift-click to select multiple switches, then drag them to the appropriate site.
Step 4 When the confirmation popup appears, Click Yes.