目录
配置uring Gateway Devices
大型网络的ESP校园包括服务聚合层中的网关群集。在这种设计中,WLAN将隧道连接到网关,以利用该平台上可用的高级策略执行和防火墙功能。实现网关聚类以确保高可用性和吞吐量。
本节介绍如何使用Aruba Central和Zero Touch Provisioning(ZTP)过程部署网关。下表中的信息包括以下过程中使用的VLAN和IP地址。
示例:IP地址和VLAN ID
| Name | IP address | Default gateway | VLAN.ID | VLAN.name | 门户VRRP Address |
|---|---|---|---|---|---|
| 7210-1 | 10.6.15.1.1/24 | 10.6.15.1. | 15 | MGMT | 10.6.15.1.3 |
| 7210-2 | 10.6.15.1.2/24 | 10.6.15.1. | 15 | MGMT | 10.6.15.1.4 |
配置ure Gateway VLANs
使用以下过程配置网关VLAN。
Example: VLANs for Gateways
| VLAN.Name | VLAN.ID |
|---|---|
| MGMT | 15 |
| 员工 | 103 |
| BLDG-MGMT. | 104 |
| 相机 | 105 |
| PRINTER | 106 |
| VISITOR | 112 |
| reake_auth. | 113 |
| xitchal_auth. | 114 |
| ZTP | 4094 |
警告:The Gateway VLANs need to be created prior to adding the port channels, so the Native VLAN and Allowed VLANs can be selected from the pull-down lists.
第1步On the Gateways tab, select theInterface选项卡,选择vlans.and then, in the lower left, click the+sign.
第2步On the New VLAN pop-up, implement the following settings, and then select保存Settings.
- VLAN.name:MGMT
- VLAN.ID/Range:15
Note:Named VLANs facilitate policy consistency between sites.
第3步对环境中的每个网关VLAN重复此过程。
Enable Physical Interfaces
Use this procedure to enable Gateway physical interfaces in a group for configuration.
The ESP Campus supports zero-touch provisioning (ZTP) of Gateway devices. ZTP requires physical interface configuration to be performed for Gateways at the group level. To simplify this configuration, the best practice is to standardize on a single Gateway model within each group.
警告:If a group level interface configuration is applied to a Gateway that does not have the specified physical interface, the Gateway will not be added to the group. The unsupported interface will need to be removed from the group configuration, if the Gateway is to be added.
第1步Navigate to中央和罗gin using administrator credentials.
第2步On the Aruba Central Account Home page, launch the网络运营应用程序。
第3步在过滤器下拉列表中,选择AOS10Group姓名。
Step 4从左侧菜单中,选择the设备s选项卡,选择门户stab and in the upper right, select配置.
Step 5在网关页面上,选择Interfacetab, and then the港口tab.
Step 6在端口表的底部,单击+sign.
Step 7On the New Port popup, select the checkbox next to the interface name, and then click保存Settings.
配置ure Port Channels
Use the following procedure to configure Gateway port channels.
在正常和性能是优先级的部署中,网关连接的最佳实践是在多机箱滞后(MC-LAG)上使用LACP连接到支持Aruba VSX功能的一对开关。LACP在网关上启用作为端口通道配置的一部分。
When a Gateway is deployed using ZTP it does not have an LACP configuration initially. To accommodate this during the provisioning process, LACP Fallback is enabled on the switch. An example configuration for VSX MC-LAG is below:
界面滞后11多机箱描述7210-1没有关闭无路由VLAN Trunk本机1 VLAN中继允许所有LACP模式Active LacP倒退!接口LAG 12多机箱描述7210-2无关断没有路由VLAN Trunk本机1 VLAN中继允许所有LACP模式Active LacP倒退Note:当LACP谈判失败,LACP撤退switch ports to function as standard access/trunk ports until LACP functions.
上面的配置段示出了上下文中LACP返回命令的实现。有关完整的交换机配置,请参阅本指南的早期部分。
第1步在过滤器下拉列表中,选择AOS10Group姓名。
第2步从左侧菜单中,选择the设备s选项卡,选择门户stab and in the upper right, select配置.
第3步在网关页面上,选择Interfacetab, and then the港口tab.
Step 4From the Port Channel section, click the+sign.
Step 5在新端口通道弹出窗口上,选择下一个可用的PC-nID; in this examplePC-0. Then click保存Settings.
Step 6在pc-nsection, implement the following settings.
- Protocol:LACP
- LACP模式:Passive
- Port Members:ClickEdit, select port channel ports under可用的, use the right arrow to move them toSelected,然后单击好的.
- 管理状态:checkmark
- Trust:check-mark
- 政策:留空
- Mode:树干
- Native VLAN:4094
- 允许的vlans:15,102-106,112-114,4094
- Jumbo MTU:checkmark
Note:允许的VLAN是从配置VLAN接口过程中创建的网关VLAN的下拉菜单选择。
Step 7At the bottom of the page, expandShow advanced options, implement the following settings, and then click保存Settings.
- LLDP Transmission:Slide to right
- LLDP Reception:checkmark
配置ZTP VLAN
Use the following procedure to disable VLAN 4094 on the Gateway physical interfaces.
The Gateway has a factory configured native VLAN ID of 4094 on the interface used for making an initial connection to Central. However, a Gateway will not sync with Central until a system IP is assigned. This behavior allows for the configuration push, which disables VLAN 4094 when the Gateway is assigned a system IP address.
第1步On the门户spage, select theInterface选项卡,然后选择vlans.tab.
第2步向下滚动,选择该行4094, and then in the lower VLAN IDs section, click theVLAN.排。
第3步On the IPv4 page, deselect theAdmin state:check box, and then click保存Settings.
配置默认网关
Use the following procedure to configure a default gateway on the Gateway device.
第1步On the Gateways tab, select the路由tab, and then theIP Routestab.
第2步Expand theStatic Default Gatewaysection, and then, at the bottom of the table, click the+sign.
第3步On the New Default Gateway page, enter the IP address, and then click保存Settings.
- Default Gateway IP:10.6.15.1.
配置网关基本功能
使用此过程配置网关的基本功能。基本功能包括主机名,VLAN IP地址和系统IP地址。
Note:In the Aruba ESP Campus design, most Gateway configuration is entered at the group level. An attempt to change a device property which is overridden at the group level will be indicated in the audit trail.
第1步在过滤器下拉列表中,选择AOS10Group姓名。
第2步从左侧菜单中,选择设备s, on the tab menu bar and then select门户s.
第3步从列表中选择一个新网关。
Note:An unnamed Gateway is listed with the system MAC address.
Step 4从左侧菜单中,选择设备,选择Interfacetab, and then thevlans.tab.
Step 5在VLAN表上,选择MGMTVLAN,然后,在较低的VLAN ID部分中,单击VLAN.排。
Step 6Scroll down to the IP Address Assignment section, implement the following settings, and then click保存Settings:
IP Assignment:Static
- IPv4 Address:10.6.15.1.1
- Netmask:255.255.255.0
- Force operational status UP:checkmark
Step 7On the Vlans table, select a different VLAN, and then in the lower VLAN IDs section, click theVLAN.排。
Step 8Scroll down to the IP Address Assignment section, implement the following settings, and then click保存:
- IP Assignment:Static
- IPv4 Address:10.6.103.11
- Netmask:255.255.255.0
- Force operational status UP:没有检查
Step 9Repeat the previous two steps for each additional VLAN in the environment.
第10步在网关页面上,选择Systemtab, and then theGeneraltab.
第11步在“基本信息”部分中,输入主机名,然后单击保存Settings.
警告:管理员密码从组设置继承。不要在设备级别更改它。
第12步Expand the System IP Address section, use theIPv4 addressdrop-down menu to select the VLAN with the Force operational UP setting, and then click保存.
- IPv4地址:VLAN 15 10.6.15.11
Note:设置系统IP地址后,网关将重新启动并下载其配置。这可能需要一些时间,可能需要多次重新启动所有要按下的配置。可以在审核日志中找到正在发生的状态。成功推送了配置后,网关将在“设备摘要”页面上显示同步的状态。
第13步为环境中的每个新网关重复此过程。
配置第2层网关聚类
使用此过程配置第2层网关聚类。
门户clustering provides load balancing across two or more devices, resulting in increased availability and throughput for users and endpoints. The Gateway VRRP IP addresses allow authorization servers such as ClearPass to make a Change of Authorization (CoA) request for a user anchored to a specific Gateway.
Note:COA需要对网关集群成员的VRRP地址正常工作。但是,自动群集创建不支持COA。
Example: Gateway VRRP IP addresses and VLANs
| 门户 | IP address | Multicast VLAN | VRRP IP address | VRRP VLAN |
|---|---|---|---|---|
| 7210-1 | 10.6.15.1.1 | 15 | 10.6.15.1.3 | 15 |
| 7210-2 | 10.6.15.1.2 | 15 | 10.6.15.1.4 | 15 |
第1步在过滤器下拉列表中,选择AOS10Group姓名。
第2步从左侧菜单中,选择设备s,选择门户stab, and then, in the top right, click配置.
第3步在右上角,选择Advanced Mode, and then select theHigh Availabilitytab.
Step 4Confirm the Cluster mode自动的slider is to the left.
Step 5At the bottom of the Clusters table, click the+sign and implement the following settings.
- Manual cluster configuration:Slide to right
- 群集名称:服务-7210.
- 动态授权(COA):Slide to right
Step 6At the bottom of the门户s in Clustertable, click the+sign and implement the following settings.
- 门户:7210-1
- VRRP IP:10.6.15.1.3
Step 7点击+sign again and implement the following settings.
- 门户:7210-2
- VRRP IP:10.6.15.1.4
Step 8Scroll down, implement the following settings, and then click保存Settings.
- 组播VLAN:15
- VRRP VLAN:15
- VRRP ID:15
- VRRP Passphrase:passphrase
Note:Cluster changes disrupt client traffic and should be done during a maintenance window.