ArubaOS-Switch Tunneled Node

ArubaOS-Switch Tunneled Node
Justin Noonan – Global TME
Ruben Iglesias – Global TME
July 2016

Introduction

What is Tunneled Node?
Extends the AP-controller tunneling scheme to the access switches.
Per-port tunnel: a single GRE tunnel transports all traffic to/from "tunneled" interfaces. Traffic from other interfaces is forwarded normally by the switch. Management and control traffic is NOT tunneled.
Policy enforcement.
Tunneled-node can be applied to up to 120 physical ports.
Products: 5400R switch series with v2 and v3 modules; 3810 switch series; 3800 switch series; 2930F switch series; 2920 switch series.

Use case: Unified Policy Enforcement
Diagram labels: WWW; WAN / VPNs; ClearPass Policy Manager; 3rd Party Directory Svc; Local controller (policy enforcement: CPPM, Skype for Business, etc.; guest mgmt; device profiling); Core Switch (VSF/IRF); 3rd party MDM; Skype for Business (Lync Edge server); SDN/API; WLAN tunnel; Wired LAN tunnel; LAN.

Tunneled Node Testing

Generic layout
Mobility controllers: Aruba 72xx / 70xx
Core switch: 5400R / 10500
Access switches: 3810, etc.
Diagram: the tunnel runs from the access switches through the core switch to the mobility controllers.

Tested layer 2 layout (diagram)
Intranet / Internet – 10500 core switch – 3810 and MAS 3500 access switches (LAG1 / TRK1; ports 2/4/0/2, 1/4/0/2, 0/0/0, 0/0/2) – 7010 MC (DHCP server for VLAN 200).
VLANs: V10 (default, routed), V200 (tunnel).
Addresses shown: 10.2.200.1, 10.2.200.7, 10.2.10.11 (controller), 10.2.10.3, 10.2.10.25.

Tested routed layout (diagram)
Intranet / Internet – 10500 core switch – 3810 and MAS 3500 access switches (LAG1 / TRK1; ports 2/4/0/2, 1/4/0/2, 0/0/0, 0/0/2) – 7010 MC (DHCP server for VLAN 200).
VLANs: V10 (default, routed), V11, V200 (tunnel).
Addresses shown: 10.2.200.1, 10.2.200.7, 10.2.11.1 (VLAN 11 gateway on the 10500), 10.2.10.1, 10.2.10.11 (controller), 10.2.11.3 (3810), 10.2.11.25 (MAS 3500).

Tested filtered layout
ACL applied outbound on the 10500 trunk toward the access switches:

   acl number 3001
    rule 20 permit icmp
    rule 50 permit gre
    rule 51 permit tcp destination-port eq 8080
    rule 52 permit tcp destination-port eq www
    rule 53 permit tcp destination-port eq 4343
    rule 54 permit udp destination-port eq tftp
    rule 55 permit udp destination-port eq 21
    rule 56 permit udp destination-port eq syslog
    rule 57 permit udp destination-port eq 443
    rule 58 permit udp destination-port eq 22
    rule 59 permit udp destination-port eq 23
    rule 60 permit udp destination-port eq 8211
    rule 100 deny ip

   interface GigabitEthernet1/4/0/2
    port link-mode bridge
    port link-type trunk
    port trunk permit vlan 1 10 200
    packet-filter 3001 outbound

Diagram: same topology as the routed layout (Intranet / Internet, 10500, 3810, MAS 3500, LAG1 / TRK1, ports 2/4/0/2, 1/4/0/2, 0/0/0, 0/0/2, 7010 MC, V10 / V11 / V200 tunnel).
Port 8211 is the PAPI (Aruba proprietary) protocol. For more information go to https://arubapedia.arubanetworks.com/arubapedia/index.php/PAPI
Tunneled-Node uses ports 50 (GRE) and 8211 (PAPI).

Tunneled Node and NAT: Not Supported
Diagram: tunneled node with private IPs behind a DC router; mobility controllers on public IPs.

Remote Tunneled Node
Remote controller: not recommended. Diagram: tunneled node (private IPs) behind a NAT router, mobility controllers (private IPs) behind a second NAT router.
Use a local controller for tunneled node. Diagram: tunneled node and local controller on the same private network; the remote mobility controllers stay behind NAT.

Tunneled Node Configuration

Tunneled Node Configuration – Switch Configuration Steps

Step 1: Set up the Tunneled-Node-Server IP address (Aruba Mobility Controller)
   Aruba-Stack-3810M(config)# tunneled-node-server controller-ip 10.2.10.11

Optional: Set up a backup controller IP
   Aruba-Stack-3810M(config)# tunneled-node-server backup-controller-ip 10.2.10.12

Optional: Set the Tunneled-Node keepalive timer, i.e. the time interval between two successive keepalive messages sent to the controller (Default = 8)
   Aruba-Stack-3810M(config)# tunneled-node-server keepalive interval <1-8>

Step 2: Enable Tunneled-Node on the interface
   Aruba-Stack-3810M(config)# interface 1/23
   Aruba-Stack-3810M(eth-1/23)# tunneled-node-server

Step 3: Check that the Tunneled-Node tunnel is complete
   Aruba-Stack-3810M(config)# show tunneled-node-server state

   Tunneled Node Port State

    Active Controller IP Address : 10.2.10.11

    Port   State
    ------ -------------------------
    2/23   Complete

Tunneled Node Configuration – Statistic View
   Aruba-Stack-3810M(config)# show tunneled-node-server statistics

   Tunneled Node Statistics

    Port : 2/23

    Control Plane Statistics
     Bootstrap packets sent     : 1
     Bootstrap packets received : 1
     Bootstrap packets invalid  : 0

    Tunnel Statistics
     Rx Packets : 302
     Tx Packets : 0
     Rx 5 Minute Weighted Average Rate (Pkts/sec) : 0
     Tx 5 Minute Weighted Average Rate (Pkts/sec) : 0

    Aggregate Statistics
     Heartbeat packets sent     : 56607
     Heartbeat packets received : 56607
     Heartbeat packets invalid  : 0
     Fragmented Packets Dropped (Rx) : 0
     Packets to Non-Existent Tunnel  : 0
     MTU Violation Drop : 0
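As an added example (not from the slides), a small Python check that parses the two show outputs above, as a monitoring script would collect them, and flags any port whose tunnel is not Complete and any error or drop counter that is non-zero. The sample outputs are constructed from the slides, with a second port and some non-zero counters added so the checks have something to report.

```python
import re

# Constructed sample outputs modelled on the slides; a second port and a few
# non-zero counters are added so the checks below have something to flag.
STATE_OUTPUT = """\
 Tunneled Node Port State
  Active Controller IP Address : 10.2.10.11
  Port   State
  ------ -------------------------
  2/23   Complete
  2/24   In Progress
"""
STATS_OUTPUT = """\
 Tunneled Node Statistics
  Port : 2/23
  Bootstrap packets sent          : 1
  Bootstrap packets received      : 1
  Bootstrap packets invalid       : 0
  Heartbeat packets sent          : 56607
  Heartbeat packets received      : 56607
  Heartbeat packets invalid       : 3
  Fragmented Packets Dropped (Rx) : 0
  Packets to Non-Existent Tunnel  : 2
  MTU Violation Drop              : 0
"""
# Counters that indicate malformed, misrouted or oversized tunnel traffic.
ERROR_COUNTERS = ("Bootstrap packets invalid", "Heartbeat packets invalid",
                  "Fragmented Packets Dropped (Rx)",
                  "Packets to Non-Existent Tunnel", "MTU Violation Drop")

def parse_port_states(text):
    """Map port -> state from 'show tunneled-node-server state' output."""
    states = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+/\d+)\s+(.+?)\s*$", line)
        if m:
            states[m.group(1)] = m.group(2)
    return states

def parse_error_counters(text):
    """Map counter name -> value for the ERROR_COUNTERS present in the output."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(\d+)\s*$", line)
        if m and m.group(1) in ERROR_COUNTERS:
            found[m.group(1)] = int(m.group(2))
    return found

def tunneled_node_alerts(state_text, stats_text):
    """One alert string per incomplete tunnel or non-zero error counter."""
    alerts = [f"port {p}: state '{s}'"
              for p, s in parse_port_states(state_text).items() if s != "Complete"]
    alerts += [f"{name}: {value}"
               for name, value in parse_error_counters(stats_text).items() if value]
    return alerts
```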

Tunneled Node Configuration – 3810M switch

   ip route 0.0.0.0 0.0.0.0 10.2.11.1
   tunneled-node-server
      controller-ip 10.2.10.11
      exit
   interface 1/21
   interface 1/23
   interface 1/24
   vlan 11
      name "VLAN11"
      untagged Trk1
      ip address 10.2.11.3 255.255.255.0
      exit
   vlan 200
      name "VLAN200"
      untagged 1/21,1/23-1/24
      tagged 1/1,Trk1
      no ip address
      ip helper-address 10.1.0.195
      jumbo

Note: The Mobility Access Switch will establish a single GRE tunnel between it and a Mobility Controller for Tunneled Node operation. However, from the perspective of the Mobility Controller, each Tunneled Node port from a single switch/stack will appear as an individual tunnel and consume tunnel resources as such.

Tunneled Node Configuration – MAS 3500 switch

   !
   interface vlan "11"
      ip address 10.2.11.25 255.255.255.0
   ip-profile
      default-gateway 10.2.11.1 0
   interface-profile switching-profile "10500 link"
      access-vlan 11
      native-vlan 10
      trunk allowed vlan 10
   interface-profile switching-profile "TunneledPorts"
      access-vlan 200
      native-vlan 200
      trunk allowed vlan 200
   interface-profile tunneled-node-profile "default"
      controller-ip 10.2.10.11
   !
   interface gigabitethernet "0/0/0"
      switching-profile "10500 link"
   interface gigabitethernet "0/0/23"
      tunneled-node-profile "default"
      switching-profile "TunneledPorts"
   interface gigabitethernet "0/0/24"
   interface gigabitethernet "0/0/25"
      switching-profile "TunneledPorts"

Tunneled Node Status – Aruba Mobility Controller
Note: The tunnel is automatically created when Tunneled-Node is enabled on a switch interface.

Tunneled Node Configuration – Mobility Controller
(Screenshot-only slide: configuration steps 1, 2 and 3 are shown in the controller UI.)

ClearPass Authentication – Controller Wired Access Profile Example
Controller AAA config:

   aaa rfc-3576-server "10.1.0.197"
   !
   aaa authentication mac "default"
   aaa authentication dot1x "default"
   aaa authentication dot1x "NewDot1x"
   aaa authentication-server radius "10.1.0.197"
      host "10.1.0.197"
      key 6b63f476e437838c6a4ac563e07cd8a5e14166fd391049c5
      nas-identifier "10.1.0.197"
      nas-ip 10.1.0.197
   aaa server-group "CPPM"
      auth-server 10.1.0.197
   aaa server-group "default"
      auth-server Internal
      set role condition role value-of
   aaa profile "CPPM-dot1x"
      authentication-dot1x "NewDot1x"
      dot1x-server-group "CPPM"
      rfc-3576-server "10.1.0.197"
   aaa profile "default"
   aaa authentication captive-portal "default"
   aaa authentication wispr "default"
   aaa authentication vpn "default"
   aaa authentication vpn "default-rap"
   aaa authentication mgmt
   aaa authentication stateful-ntlm "default"
   aaa authentication stateful-kerberos "default"
   aaa authentication stateful-dot1x
   aaa authentication wired
      profile "CPPM-dot1x"

Ensure that the Wired Access profile in the Aruba Mobility Controller is configured correctly and enabled. This allows the controller to handle authentication when a client is plugged into a tunneled-node port on the switch.
CLI example:
   aaa authentication wired
      profile "CPPM-dot1x"

ClearPass Authentication – Client View
A Windows client is plugged into a tunneled-node port.
The proper user credentials are entered into the 802.1X authentication settings.
The client authenticates and receives an IP address.

ClearPass Authentication – Access Tracker
Client user access can be monitored from the Access Tracker in ClearPass. It shows which source the user is authenticating with (i.e. RADIUS), which ClearPass service profile is being used, and whether the login was accepted or rejected.

Tunneled Node Frame Details
When a port is configured for tunneled-node, ingress packets are encapsulated in an IP GRE frame which is then forwarded to the controller.
A unique GRE key is needed per tunneled port (1-to-1 mapping):
   for the controller to uniquely identify the source port of a GRE packet;
   for the switch to send the de-capsulated packet to the particular port.
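The per-port key mapping described above, as an added Python example that is not the slides' own code and not Aruba's implementation: it uses standard keyed GRE (RFC 2890, K bit set) with the Transparent Ethernet Bridging protocol type 0x6558 as an assumed encoding, and a table that enforces the 1-to-1 port-to-key mapping in both directions so that a packet with an unknown key is rejected rather than delivered.

```python
import struct

GRE_KEY_FLAG = 0x2000    # K bit in the GRE flags/version field (RFC 2890)
ETHERTYPE_TEB = 0x6558   # Transparent Ethernet Bridging: payload is an L2 frame
# Assumption: only the K bit is used; the C and S optional fields are not handled.

def gre_encapsulate(key, eth_frame):
    """Switch side: prepend a keyed GRE header to an ingress Ethernet frame."""
    return struct.pack("!HHI", GRE_KEY_FLAG, ETHERTYPE_TEB, key) + eth_frame

def gre_decapsulate(packet):
    """Return (key, eth_frame); key is None when the packet carries no key."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if proto != ETHERTYPE_TEB:
        raise ValueError("not an Ethernet-in-GRE packet")
    if not flags & GRE_KEY_FLAG:
        return None, packet[4:]
    (key,) = struct.unpack("!I", packet[4:8])
    return key, packet[8:]

class TunnelKeyTable:
    """1-to-1 mapping between a tunneled port and its GRE key, enforced both ways."""

    def __init__(self):
        self.port_to_key = {}
        self.key_to_port = {}

    def assign(self, port, key):
        # Refuse to reuse a port or a key: a shared key would make the source
        # port ambiguous on the controller and the egress port ambiguous on the switch.
        if port in self.port_to_key or key in self.key_to_port:
            raise ValueError(f"port {port} / key {key} already mapped")
        self.port_to_key[port] = key
        self.key_to_port[key] = port

    def source_port(self, packet):
        """Controller side: identify the tunneled port a GRE packet came from."""
        key, frame = gre_decapsulate(packet)
        port = self.key_to_port.get(key)
        if port is None:
            # Corresponds to the 'Packets to Non-Existent Tunnel' counter.
            raise KeyError("packet to non-existent tunnel")
        return port, frame

    def egress_packet(self, port, eth_frame):
        """Switch side: wrap a frame destined for a tunneled port with that port's key."""
        return gre_encapsulate(self.port_to_key[port], eth_frame)
```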

What happens if an AP is plugged into a Tunneled-Node port? (3810 / MAS S3500)
Behavior: tunnel in a tunnel. Can cause a network performance issue. Not an ideal scenario.

Tunneled Node – Does not work with…
Globally:
   IP Multicast Routing
   OpenFlow
   QinQ
   Distributed Trunking
   Switch Meshing
   VXLAN
   Per VLAN IP addressing – manual & DHCP
   DHCP Snooping (IPv4/6)
   ARP Protect
Per Port:
   802.1X / MAC Auth / Web Auth / LMA / Port Security
   RA Guard
   MACsec
   DIPLD (IPv4/6)
   Port Trunking

Tunneled Node – Best Practices
Recommendations:
Avoid plugging access points into wired tunneled-node ports. This creates a "tunnel within a tunnel", which can impact performance. Instead, set aside physical ports to use solely for access points and wired tunneled-node ports (i.e. one block of ports for APs, one for wired tunneled-node ports).
Ensure that the wireless controller can handle the necessary bandwidth and number of tunnels (the maximum number of physical ports that can be used as tunnels is 120).
Ensure that the Tunneled-Node VLAN is present and enabled on both the controller and the switch.
Ensure that enough licenses are on the controller to handle the tunneled-node ports within the network (1 switch with Tunneled-Node ports enabled = 1 license on the controller).
Diagram labels: AP Ports, Tunneled-Node Ports.

Thank you