Wired Access

The access layer provides layer 2 connectivity to the network for wired and wireless devices. It plays an important role in protecting users, application resources, and the network itself from human error and malicious attacks. This protection includes controlling which devices are allowed on the network, making sure the devices cannot provide unauthorized services to end users, and preventing unauthorized devices from taking over the role of other devices on the network.

Configuring the Access Switch Groups

The following procedures describe the configuration of standalone and stacked access layer switches through a UI group. The basic configuration of the switch was described earlier, in the Switch Group Configuration section of this guide. The following procedure completes the switch configuration using an Aruba Central UI Group.

The figure below (Wired Access) shows the access switches in the ESP campus.

Configure a Standalone Switch

Connect the standalone switch to a network segment where it can obtain a DHCP lease that includes DNS servers and a valid route toward the Internet. Aruba CX 6000 Series switches are factory-configured to request DHCP on any front-panel interface or on the dedicated management port. Once the new switch can reach Central, it is automatically associated with the correct organization based on the information provided at the time of purchase.

Configure a Switch Stack

Follow this procedure to configure a group of switches for VSF stacking. Begin by cabling the stack using ports 25 and 26 on 24-port models or ports 49 and 50 on 48-port models. Connect one switch in the stack to a network with DHCP service providing Internet reachability. This switch will be the stack conductor once the stack is formed.

Note: VSF stacking is supported only on Aruba CX 6300 and 6200 models.
A switch must already be added to a group before VSF configuration can continue.

Step 1 Navigate to Central and log in using administrator credentials.

Step 2 On the Aruba Central account home page, launch the Network Operations app.

Step 3 In the filter dropdown, select Global, if it is not already selected, and then from the left menu, select Organization.

Step 4 Expand the Unassigned devices group, highlight the switch directly connected to the network, and then click the Move Devices button at the lower right of the window.

Step 5 From the Destination group dropdown, select the correct access switch Group for the stack, and then click Move.

Step 6 In the filter dropdown, select the access switch Group name, and then from the left menu, select Devices.

Step 7 In the upper right of the Switches page, select Config.

Step 8 On the Switches page, in the System tile, select Stacking.

Step 9 Create a new VSF stack by clicking the plus (+) sign in the upper right of the table.

Step 10 On the Create VSF Stack window, implement the following settings, and then select SAVE.

  • Switch Series: 6300
  • Conductor: 6300
  • Link 1 Port(s): 25
  • Link 2 Port(s): 26
  • Split Mode detect: Unchecked

Step 11 A VSF stack named with the serial number of the switch selected above is now listed in VSF Stacking with a single conductor.

Step 12 Wait approximately 5 minutes for the stack to self-configure, refresh the VSF Stacking page, and confirm that all stack members are now present.

Step 13 At the right side of a member row, click the Edit icon, check the Standby conductor box, and then click Save.

Configure link aggregation groups (LAGs) on redundant links to the aggregation switches for fault tolerance and increased capacity. By default, the uplink trunks use source and destination IP address, protocol port number, and device MAC addresses to load-balance traffic between grouped physical links.

Step 1Connect a second link to the standalone switch or VSF stack.

Step 2 Return to the Switches page by clicking the left arrow in the top left corner of the device table, and then select Ports & Link Aggregations in the Interfaces tile.

Step 3 When configuring a LAG on a switch stack, select the stack from the group device list and proceed with configuration at the device level.

Step 4 To add a new LAG interface, in the upper right corner of the ports table, click the + (plus) sign.

Step 5在“添加滞后窗口”,实现以下设置,然后单击添加.

  • Name: lag1
  • Description: Uplink to AGG01
  • Port Members: 1/1/28, 2/1/28
  • Speed Duplex: Auto
  • Routing: Disabled
  • Admin up: Checked
  • Aggregation Mode: LACP passive

Note: An LACP LAG only forms if at least one end actively negotiates. With the access side set to LACP passive, the aggregation switch side of the same links must be configured as LACP active.

Verify LAG Operation

Step 6 Open a Remote Console window, type the command show lag 1, and then press Enter. The output shown below indicates a healthy two-port LAG.

Enable MultiEdit for the Group

Step 1 In the upper left of the Switches page, move the slider to the right to enable MultiEdit.

Step 2 Select the devices to edit, and then in the lower right pop-up, click EDIT CONFIG.

The following steps provide blocks of configuration that can be pasted into the MultiEdit window. After pasting a configuration block, right-click any device-specific value. A Modify Parameters window appears on the right, allowing individual device values to be entered.

A custom MTU must be set to ensure efficient transport of jumbo frames. ARP Inspection and DHCP Snooping are enabled to facilitate security services within the network.

From the group level, add the following configuration to the uplink interface:

Step 1Configure a large MTU to match the aggregation switch, then enable ARP inspection and DHCPv4 snooping trust.

interface lag 1
    description Uplink_AGG
    mtu 9198
    ...
    arp inspection trust
    dhcpv4-snooping trust

Warning: DHCP snooping and ARP inspection must be trusted on the LAG interface to allow clients to receive DHCP addresses from the centralized DHCP servers on the network. On an untrusted port, DHCP snooping drops server-originated messages (DHCP offers and acknowledgements), and those messages arrive over the uplink.

Configure the Access VLANs

Access switches are configured with the same VLANs created on the aggregation switches, in addition to an in-band management interface and a VLAN for User-Based Tunneling (UBT).

DHCP snooping and ARP inspection must both be enabled to inspect traffic, prevent common attacks, and facilitate DHCP services across subnets. IGMP snooping is enabled and is required for Dynamic Multicast Optimization (DMO) to work.

Note: DHCP snooping must be enabled both globally and under each VLAN. ARP inspection is enabled only under the VLAN, but it has no effect unless DHCP snooping is also enabled on that VLAN, because ARP inspection validates ARP packets against the bindings that DHCP snooping learns.

Example: Access VLANs

VLAN Name       VLAN ID
ZTP_NATIVE      2
EMPLOYEE        3
CAMERA          5
PRINTER         6
REJECT_AUTH     13
CRITICAL_AUTH   14
MGMT            15
UBT_CLIENT      4000

Enable DHCP snooping and create VLANs at the Group level.

Step 1 Enable DHCP snooping globally.

dhcpv4-snooping

Step 2Enable DHCP snooping, ARP inspection and IGMP snooping on each VLAN.

vlan 2
    name ZTP_NATIVE
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
...
vlan 4000
    name UBT_CLIENT
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable

警告:The access switch VLANs must match the aggregation switch VLANs to allow the access devices to reach their default gateway.

Step 3Create a layer 3 interface on each VLAN and configure the same MTU size used in the aggregation layer.

interface vlan 2
    description ZTP_Native
    ip mtu 9198
    ip address 10.2.15.5/24
...
interface vlan 15
    description MGMT
    ip mtu 9198
    ip address 10.15.15.5/24

Note:When using MultiEdit at the group level, right-click device specific values to set values for individual devices in the group.

Step 4 Configure the default route in the management VLAN. Add a static default route pointing at the active gateway IP address in VLAN 15. Verify the next hop against the active-gateway address the aggregation switches use for the management VLAN before committing it; a next hop that is not on the management VLAN's subnet leaves the switch without a usable default route.

ip route 0.0.0.0/0 10.2.15.1

Note:The access switch must have a default route in the management VLAN for reachability to network services like Central, TACACS, RADIUS, and NTP servers.

Configure Spanning Tree

Spanning tree is enabled globally on each access switch as a loop prevention mechanism. Supplemental features like admin-edge, root guard, BPDU guard, and TCN guard are enabled on appropriate interfaces to ensure spanning tree runs effectively.

From the group level, add the following configuration:

Step 1Configure spanning tree globally. Enable Rapid Per VLAN Spanning Tree for the access VLANs.

spanning-tree mode rpvst
spanning-tree
spanning-tree priority 0
spanning-tree vlan 1-3,5-6,13-15

Note: Priority 0 is the most preferred bridge priority value. Verify that it matches the root bridge placement chosen in the aggregation design: if an access switch carries a numerically lower priority than the aggregation switches, it becomes the root bridge, and the root-guard applied to access ports in the next step only blocks root claims arriving on those downstream ports.

Step 2Configure the port level spanning tree features and loop-protect on each access interface.

interface 1/1/1
    description ACCESS_PORT
    no shutdown
    no routing
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree port-type admin-edge
    spanning-tree root-guard
    spanning-tree tcn-guard
    loop-protect
    loop-protect action tx-disable

Verify Spanning Tree

Step 3 Open a Remote Console window, type the command show spanning-tree summary root, and then press Enter. The output shown below indicates a healthy RPVST configuration state.
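The VLAN and spanning-tree protections above are applied per VLAN and per port, so it is easy for one VLAN or one access port in a group to miss a line, and the note in the VLAN section explains that ARP inspection on a VLAN silently does nothing without DHCP snooping on the same VLAN. The following script is an added example, not part of this guide or of Aruba's tooling: it parses AOS-CX configuration text (the indentation-based format shown in the blocks above, here a constructed sample with two deliberate gaps) and reports VLANs, uplink LAGs and access ports that lack the protections this section configures. The required-command lists and the sample configuration are assumptions chosen to match the blocks above.

```python
import re

# Constructed sample: a trimmed AOS-CX access-switch configuration in the shape
# this section builds, with two deliberate gaps for the audit to report
# (VLAN 5 has no DHCP snooping; interface 1/1/2 has no BPDU guard).
SAMPLE_CONFIG = """\
dhcpv4-snooping
spanning-tree mode rpvst
spanning-tree
vlan 2
    name ZTP_NATIVE
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 5
    name CAMERA
    arp inspection
    ip igmp snooping enable
vlan 4000
    name UBT_CLIENT
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
interface lag 1
    description Uplink_AGG
    mtu 9198
    arp inspection trust
    dhcpv4-snooping trust
interface 1/1/1
    description ACCESS_PORT
    no shutdown
    no routing
    vlan access 1
    spanning-tree bpdu-guard
    spanning-tree port-type admin-edge
    spanning-tree root-guard
    spanning-tree tcn-guard
    loop-protect
    loop-protect action tx-disable
interface 1/1/2
    description ACCESS_PORT
    no routing
    vlan access 1
    spanning-tree port-type admin-edge
    spanning-tree root-guard
    spanning-tree tcn-guard
    loop-protect
"""

# Commands each context must carry (assumed, taken from the blocks in this section).
REQUIRED_VLAN = ("dhcpv4-snooping", "arp inspection", "ip igmp snooping enable")
REQUIRED_UPLINK = ("dhcpv4-snooping trust", "arp inspection trust")
REQUIRED_ACCESS = (
    "spanning-tree bpdu-guard",
    "spanning-tree port-type admin-edge",
    "spanning-tree root-guard",
    "spanning-tree tcn-guard",
    "loop-protect",
)


def parse_config(text):
    """Split AOS-CX config text into (top_level_lines, {context: child_lines}).

    AOS-CX nests child commands by indentation, so every indented line belongs
    to the most recent unindented line ('vlan 2', 'interface lag 1', ...).
    """
    top_level, contexts, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            contexts.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            top_level.append(current)
            contexts.setdefault(current, [])
    return top_level, contexts


def audit(text):
    """Return sorted findings for a config; an empty list means all checks passed."""
    top_level, contexts = parse_config(text)
    findings = []
    if "dhcpv4-snooping" not in top_level:
        findings.append("global: dhcpv4-snooping is not enabled")
    if "spanning-tree" not in top_level:
        findings.append("global: spanning-tree is not enabled")
    for ctx, children in contexts.items():
        if ctx is None:
            continue
        if re.fullmatch(r"vlan \d+", ctx):
            findings += [f"{ctx}: missing '{c}'" for c in REQUIRED_VLAN if c not in children]
            # ARP inspection has no binding table to validate against unless
            # DHCP snooping is also enabled on the same VLAN.
            if "arp inspection" in children and "dhcpv4-snooping" not in children:
                findings.append(f"{ctx}: arp inspection is ineffective without dhcpv4-snooping")
        elif ctx.startswith("interface lag "):
            findings += [f"{ctx}: missing '{c}'" for c in REQUIRED_UPLINK if c not in children]
        elif ctx.startswith("interface ") and any(c.startswith("vlan access") for c in children):
            findings += [f"{ctx}: missing '{c}'" for c in REQUIRED_ACCESS if c not in children]
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run audit() over the text of show running-config saved from each switch in the group; an empty list means every check passed. Ports that carry vlan trunk rather than vlan access (uplinks and AP ports) are deliberately not held to the access-port list, and the REQUIRED_* tuples are the place to add further per-VLAN or per-port protections the group adopts.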

Configure RADIUS and UBT

Use this procedure to configure the RADIUS servers and UBT for the access switch.

The access switch authenticates devices that attempt to connect to the network. The two most common methods of authenticating users are an 802.1X supplicant or MAC-based authentication. This design supports both, as well as dynamic authorization, which allows the AAA server to change the authorization level of devices connected to the switch.

RADIUS tracking is enabled to monitor the state of the clients and the servers. The configuration also uses user roles for rejected clients and for the RADIUS-failure scenario. The RADIUS and user role configuration goes hand in hand with UBT, so this section also covers the UBT configuration.

Step 1Configure the RADIUS servers. Enable RADIUS dynamic authorization and track client IP addresses with probes.

radius-server host 10.2.120.94 key plaintext <password>
radius-server host 10.2.120.95 key plaintext <password>
radius dyn-authorization enable
client track ip update-method probe

Step 2Configure AAA for 802.1X and MAC authentication.

aaa authentication port-access dot1x authenticator enable
aaa authentication port-access mac-auth enable

Step 3Configure UBT to tunnel traffic to the Gateways. Define the UBT client VLAN and create the UBT zone in the default VRF. Connect to a pair of Gateways for the primary and backup tunnels.

  • UBT Client VLAN:4000

  • UBT Zone:Aruba

ubt-client-vlan 4000
ubt zone Aruba vrf default
    primary-controller ip 10.6.15.11
    backup-controller ip 10.6.15.12
    enable

Step 4Configure local user roles. Create the user role and, if the VLAN is tunneled, set the gateway zone and gateway role. If the VLAN is not tunneled, set the authentication mode or the reauthorization period and the local VLAN.

port-access role BLDG-MGMT
    gateway-zone zone Aruba gateway-role EXAMPLE-BLDG-MGMT
port-access role GUEST
    gateway-zone zone Aruba gateway-role EXAMPLE-GUEST
port-access role ARUBA-AP
    auth-mode device-mode
    vlan access 15
port-access role CRITICAL_AUTH
    reauth-period 120
    vlan access 14
port-access role REJECT_AUTH
    reauth-period 120
    vlan access 13

Note:Special-case local user roles, like Aruba-AP, Critical Auth, and Reject, are not tunneled to Gateways.

Step 5Configure AAA authentication on the access ports. Set the client limit, configure 802.1X, and MAC authentication, and set the authentication order. Set the critical role and the rejection role to use special case user roles with local VLANs. Adjust the EAPOL timeout, max requests, and max retry defaults.

interface 1/1/1
    description ACCESS_PORT
    no shutdown
    no routing
    vlan access 1
    aaa authentication port-access client-limit 5
    aaa authentication port-access auth-precedence dot1x mac-auth
    aaa authentication port-access critical-role CRITICAL_AUTH
    aaa authentication port-access reject-role REJECT_AUTH
    aaa authentication port-access dot1x authenticator
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        enable

Verify RADIUS

Step 6 Open a Remote Console window, type the command show radius-server, and then press Enter. The output shown below indicates a healthy RADIUS server configuration.

Verify UBT

Step 7 Open a Remote Console window, type the command show ubt status, and then press Enter. The output shown below indicates a healthy UBT configuration state.
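Enabling dynamic authorization (radius dyn-authorization enable in Step 1) means the switch accepts unsolicited CoA-Request and Disconnect-Request packets from the RADIUS servers on the dynamic authorization UDP port (3799 in RFC 5176), so the shared secret and the two integrity checks RFC 5176 defines are all that keep an attacker who can reach that port from disconnecting or re-roling clients. The following Python code is an added example, not part of this guide or of Aruba's software: it builds a Disconnect-Request the way a RADIUS server does and then verifies it the way the switch (the NAS) must before acting on it. The Request Authenticator is MD5 over the packet and the shared secret; the Message-Authenticator is HMAC-MD5 computed with the Request Authenticator field and the attribute's own value both set to 16 zero octets, as RFC 5176 specifies for requests. The shared secret, NAS address and client MAC are constructed values.

```python
import hashlib
import hmac
import struct

CODE_DISCONNECT_REQUEST = 40   # RFC 5176 packet codes
CODE_COA_REQUEST = 43
ATTR_USER_NAME = 1             # RADIUS attribute types used below
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20

# Constructed values; a real deployment uses the secret from
# 'radius-server host ... key plaintext ...' and the switch's source address.
SHARED_SECRET = b"constructed-example-secret"
NAS_IP = bytes([10, 2, 15, 5])
CLIENT_MAC = b"00-11-22-33-44-55"


def _attr(atype, value):
    """Encode one RADIUS TLV: Type, Length (value + 2), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(body):
    """Decode the attribute section into [(type, value), ...]; rejects malformed TLVs."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def build_request(code, identifier, secret, attrs):
    """Build a CoA-Request or Disconnect-Request as the RADIUS server does (RFC 5176 2.3)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    length = HEADER_LEN + len(body) + 18          # +18 for the Message-Authenticator TLV
    header = struct.pack("!BBH", code, identifier, length)
    # Message-Authenticator: HMAC-MD5 over the packet with the Request
    # Authenticator field and the attribute's own value both set to 16 zero octets.
    zeroed = header + bytes(16) + body + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    msg_auth = hmac.new(secret, zeroed, hashlib.md5).digest()
    signed_body = body + _attr(ATTR_MESSAGE_AUTHENTICATOR, msg_auth)
    # Request Authenticator: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    req_auth = hashlib.md5(header + bytes(16) + signed_body + secret).digest()
    return header + req_auth + signed_body


def verify_request(packet, secret):
    """Check a received request as the NAS must before acting; True only if both checks pass."""
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (CODE_COA_REQUEST, CODE_DISCONNECT_REQUEST):
        return False
    header, req_auth, body = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    try:
        attrs = parse_attrs(body)
    except ValueError:
        return False
    # Request Authenticator binds every byte of the packet to the shared secret.
    expected_ra = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected_ra, req_auth):
        return False
    # Message-Authenticator must be present exactly once and verify with RA and value zeroed.
    ma_values = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(ma_values) != 1 or len(ma_values[0]) != 16:
        return False
    zeroed = header + bytes(16) + b"".join(
        _attr(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs
    )
    expected_ma = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected_ma, ma_values[0])


def example_disconnect():
    """Disconnect the client identified by its MAC, as a RADIUS server would send it."""
    return build_request(CODE_DISCONNECT_REQUEST, 7, SHARED_SECRET, [
        (ATTR_USER_NAME, CLIENT_MAC),
        (ATTR_NAS_IP_ADDRESS, NAS_IP),
        (ATTR_CALLING_STATION_ID, CLIENT_MAC),
    ])


if __name__ == "__main__":
    pkt = example_disconnect()
    print(len(pkt), "bytes; verifies with correct secret:", verify_request(pkt, SHARED_SECRET))
    print("verifies with wrong secret:", verify_request(pkt, b"wrong"))
```

The shared secret is the only authentication on this channel: MD5 and HMAC-MD5 give no confidentiality, and both checks are only as strong as the secret, so use a long random secret per switch group, never reuse it across groups, and restrict which sources can reach the dynamic authorization port on the access switches.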

Configure Device Profiles

Create a device profile that dynamically detects Aruba APs, places them in the management VLAN, and allows the locally bridged VLANs.

Note:This procedure is unnecessary if ClearPass will authenticate Aruba APs.

Step 1 Configure the Aruba-AP role. Create the role, set the authentication mode, set the native VLAN, and define the allowed VLANs.

port-access role ARUBA-AP
    auth-mode device-mode
    vlan trunk native 15
    vlan trunk allowed 1-3,5-6,13-15

Note:The Aruba-AP role identifies the AP’s VLAN and what VLANs are bridged locally.

Step 2 Configure the LLDP group. Create the group and identify the Aruba AP OUIs.

port-access lldp-group AP-LLDP-GROUP
    seq 10 match vendor-oui 000b86
    seq 20 match vendor-oui D8C7C8
    seq 30 match vendor-oui 6CF37F
    seq 40 match vendor-oui 186472
    seq 50 match sys-desc ArubaOS

Note: The LLDP group identifies the Aruba APs, and the system-description match at the end is a catch-all for future APs. LLDP attributes are asserted by the connected device and are not authenticated, so a device profile identifies an AP but does not authenticate it; where APs must be authenticated, use ClearPass as described in the note above.

Step 3 Configure the device profile. Create the profile, enable it, and associate it with the previously created role and LLDP group.

port-access device-profile ARUBA_AP
    enable
    associate role ARUBA-AP
    associate lldp-group AP-LLDP-GROUP

Devices in the group automatically synchronize the new configuration. Synchronization status is updated on the Configuration Status page, and step execution can be observed by clicking Audit Trail in the left-hand menu.



Copyright © 2021 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.
