07-Mar-24

Microbranch AP Configuration

Deploying the HPE Aruba Networking SSE solution with your Microbranch AP deployments is just as easy as the Gateway deployment. You can deploy this configuration in all Centralized L2 and routed L3 modes of Microbranch WLANs as well. You’ll need to repeat the process described above for the gateways to create a new Microbranch Group to Cloud Hub Connection, and then download the CSV file with the tunnel details.


SSE Tunnel Configuration

You’ll also need to repeat the SSE Tunnel configuration next and import the tunnel identity and PSK from the Central Group’s CSV/JSON file. After creating the tunnels and associating them to their location, apply the changes.


Depending on the number of Microbranch APs, the deployment should come up within a matter of minutes.


You can also verify the tunnel formation inside of Aruba Central. Navigate to your Microbranch group and then select Devices > Access Points.


Click on an AP and then navigate to Security. You can see both the primary and secondary tunnels have formed to the Axis Secure Web Gateway automatically.


Nexthop Configuration for Microbranch Traffic

Once the tunnels are established, the next step is to make sure that the relevant traffic is forwarded through these tunnels to the Secure Web Gateway service. This is done by first creating a next hop list.

Navigate to your Microbranch Group config and then go to Tunnels & Routing > NextHop List. Click the ‘+’ sign under the Nexthop table.


Provide a Nexthop-list name and select IPsec Map. Then under the IPsec Map dropdown, select your primary SSE tunnel and set the priority to 128.


Now select the NextHop List again and add the secondary IPsec tunnel with a priority of 100.


Microbranch Policy-Based Routing Configuration

Once the NextHop list is created, the next step is to create a policy that will send only web traffic (HTTP and HTTPS) through the tunnels to the SSE. Everything else should be forwarded regularly.

Navigate to your Microbranch Group config, go to Tunnels & Routing > Policy-Based Routing, and then click ‘+’ under Policies.


Create a new policy, name it, and then click OK. Now click the pencil icon to edit the policy. Click the ‘+ Plus’ sign to create a new policy rule. Create and order your rules as required for your deployment.


Applying the PBR policy to relevant Roles or VLANs

The next step is to assign the previously created policies to the relevant Roles or VLANs. With all AOS10 WLANs, a default role is created at the same time as the SSID and shares the same name. Additional configuration can be performed, and additional roles and policies can be applied to users. For the sake of simplicity, this document covers the basic user role assignment and configuration.

To apply the PBR policy to the user role, navigate to the Microbranch group configuration page and then click on Security > Policies & Access Control.


From the Roles table, select the role that should use the PBR policy. Next, in the Rules table, click the ‘+ Plus’ sign to select the policy to add.


From the dropdown menu under Rule Type, select Policy-Based Routing and then select your Existing Policy ‘axis-mb-pbr’.


There is no need to reorder the rules. You can simply save the policy and then proceed to testing it.



© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.