These are a few notes that helped me configure tunneled node in an SD-Branch deployment.
Access Switches on AOS Switch
The three types of VLANs:
Transit VLAN for GRE Tunnels – Keep in mind that the trunk ports for your APs and the switch-to-switch uplinks should have the transit VLAN configured. (jumbo frames, ip dhcp-client set)
Untagged (Native) VLAN for Client Access Ports – Some people leave it on VLAN 1 for various reasons. This is typically the “quarantine VLAN”. However, the VLAN ID and the initial role should be standardized. (no ip address, jumbo, ip helper address)
Client VLANs with no ip address – These VLANs are strictly layer 2, with no ip address on the switch, and are used to segment clients into different subnets. (no ip address, jumbo, ip helper address)
Access Switch Protocol
This isn’t the official Aruba standard, but just a personal preference for standardizing access switch configuration.
SFP ports and port 1 – set as switch-to-switch uplinks with the transit VLAN untagged.
Check that the client VLANs are configured
Set native VLAN for client access ports
Set tunneled-node-server settings, and set interfaces between first and last as tunneled-node-server
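The steps above, pulled together as an added example of an AOS-Switch running-config fragment (not from the original notes). The VLAN IDs, the port layout (48 copper ports with SFP uplinks on 49-52, APs on 2-4), and the gateway and DHCP server addresses are assumptions to adjust for your site.

```text
; Added example: AOS-Switch config fragment for a tunneled-node access switch.
; VLAN IDs, port ranges and IP addresses below are assumed placeholders.

; Transit VLAN for the GRE tunnels: untagged on the switch-to-switch uplinks
; (port 1 and the SFP ports), tagged on the AP trunk ports, and the switch
; takes its own address via DHCP ("ip dhcp-client set").
vlan 10
   name "TRANSIT"
   untagged 1,49-52
   tagged 2-4
   ip address dhcp-bootp
   jumbo
   exit

; Untagged (native) VLAN for client access ports: the quarantine VLAN.
; Layer 2 only on the switch; clients land here before a role is assigned.
vlan 20
   name "QUARANTINE"
   untagged 5-48
   no ip address
   jumbo
   ip helper-address 192.0.2.53
   exit

; A client VLAN: strictly layer 2, used only to segment clients by subnet.
vlan 100
   name "EMPLOYEE"
   no ip address
   jumbo
   ip helper-address 192.0.2.53
   exit

; Tunneled node: the gateway terminates the GRE tunnels, and every access
; port between the first uplink (port 1) and the SFP uplinks is a
; tunneled-node-server port. The AP ports 2-4 are left as plain trunks.
tunneled-node-server controller-ip 192.0.2.1
tunneled-node-server backup-controller-ip 192.0.2.2
tunneled-node-server mode role-based
interface 5-48 tunneled-node-server
```

Check the result with `show tunneled-node-server` and `show tunneled-node-server state`, which should list the configured gateway and the tunnel status of the access ports.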
Gateway, ClearPass Policy Manager and Device Insight Configuration
It's assumed that basic setup has been completed beforehand.
Policy Manager – Create roles, role mapping, enforcement profile/policy
Device Insight – update tagging to profiled devices
Policy Manager – update role mapping to device insight tagging
Gateway – Match roles from policy manager and update associated policies