Category Archives: Uncategorized

Troubleshooting Aruba SD-Branch DPS Policy

Commands for general telemetry

show wan session-counters 
show wan policy-list
show datapath wan probestats
show wan threshold-stats
show uplink stats
show user
show datapath session table | include <user ip>

In case you need to make sure things are still running

show boot history
show switchinfo
show process monitor statistics

AOS-S: Transceiver information

To display detailed interface transceiver diagnostic information, issue the following command:

(host) #show interface gigabitethernet 0/1/1 transceiver detail

To display detailed stacking interface transceiver diagnostic information, issue the following command:

(host) #show stacking interface stack 0/1 transceiver detail

To display basic transceiver information, issue the following command:

(host) #show interface transceiver brief 
#or... for a summary
#show tech transceivers

ArubaOS and Aruba SD-Branch Gateway: Packet Capturing on the Gateway’s CLI

packet-capture controlpath udp all
packet-capture copy-to-flash controlpath-pcap

To Download

copy flash: <filename> tftp: <host> <destfilename>

To turn off

no packet-capture

To send to remote client with Wireshark. Make sure windows firewall is turned off.

Once the destination is set, the pcap will be streamed to the destination IP. Its assumed the client IP has permissions to receive traffic from the VLAN.

#get client mac
show user
#check if pcap is running
show packet-capture
#reset packet capture buffer
packet-capture reset-pcap datapath-pcap
#set target client
packet-capture datapath mac <clientmac addr> all
#set destination for pcap stream
packet-capture destination ip-address <client ip address>

Aruba Instant: IAP Packet Capture or Pcap

Get the BSSID first, part of pcap start command.

show ap monitor status

Start Pcap. @IPofcomputer is the ip address of the client that’s receiving the pcap stream.

pcap start BSSID @IPofcomputer UDPPort format size

Get pcap status

show pcap status

Stop pcap

pcap stop <bssid> <id>


AOS-Switch PCAP with a SPAN port

Create “mirror” and interface to be used as the “SPAN” port or port used for packet capture. In this case port 8 will be used to receive packet captures

mirror 1 port 8

Mark ports to be monitored by SPAN port. Traffic from these ports will copied to the SPAN port for capture. In this example, interface or Ethernet port 1 will duplicate its traffic to the “mirror” or span port 1.

interface 1
monitor all both mirror 1

Connect a laptop to interface 8 on the switch and use wire shark or your PCAP client of choice to analyze traffic.

Aruba SD-Branch: Notes on Staging Dynamic Segmentation

These are a few notes that helped me configure tunneled node in a SD-Branch deployment

Access Switches on AOS Switch

The three types of VLANs:

Transit VLAN for GRE Tunnels – Keep in mind that the trunk ports for your APs and Switch to Switch uplinks should have the transit VLAN configured. (Jumbo frame, ip dhcp-client set)

Untagged (Native) VLAN for Client Access Ports – Some people leave it on VLAN 1 for various reasons. This is typically the “quarantine VLAN”. However, the VLAN ID and the initial role should be standardized. (no ip address, jumbo, ip helper address)

Client VLANs with no ip address – These VLANs are strictly layer 2 with no ip address. These are for segmenting clients into different subnets. Switch settings should be jumbo. (no ip address, jumbo, ip helper address)

Access Switch Protocol

This isn’t the official Aruba standard, but just a personal preference for standardizing access switch configuration.

SFP Ports and port 1 – set as switch to switch uplinks with transit VLAN as untagged.

Check and make sure client VLANs are set

Set native VLAN for client access ports

Set tunneled-node-server settings, and set interfaces between first and last as tunneled-node-server

Gateway, ClearPass Policy Manager and Device Insight Configuration

Its assumed basic setup has been completed prior.

Policy Manager – Create roles, role mapping, enforcement profile/policy

Device Insight – update tagging to profiled devices

Policy Manager – update role mapping to device insight tagging

Gateway – Match roles from policy manager and update associated policies

Active Directory and LDAP Queries

Query Examples

Example 2

<filter> ::= '(' <filtercomp> ')'
<filtercomp> ::= <and> | <or> | <not> | <item><and> ::= '&' <filterlist>
<or> ::= '|' <filterlist>
<not> ::= '!' <filter>
<filterlist> ::= <filter> | <filter> <filterlist>
<item>::= <simple> | <present> | <substring>
<simple> ::= <attr> <filtertype> <value><filtertype> ::= <equal> | <approx> | <ge> | <le>
<equal> ::= '='
<approx> ::= '~='
<ge> ::= '>='
<le> ::= '<='
<present> ::= <attr> '=*'
<substring> ::= <attr> '=' <initial> <any> <final>
<initial> ::= NULL | <value><any> ::= '*' <starval>
<starval> ::= NULL | <value>'*' <starval>
<final> ::= NULL | <value>

AD Schema

Subnet Size Blocks

Addresses Hosts Netmask Amount of a Class C


Subnet Mask Cheat Sheet

ClearPass and Mac Auth Expiration Time

The default ClearPass service for Mac Auth uses the MAC-Auth Expiry attribute for determining if the expire time for when the account is expires. However, the default expire timestamp in Guest uses the expiry_time attribute in the Guest User Repository, and the default ClearPass Service Template does not include the necessary Authorization sources to make Mac Auth service functional. Nor does the Mac-Auth Expiry ever get set by a default service template in the endpoints repository.

To make this work, setting the attribute in the endpoint repository is required.

For the post_auth profile, set the Mac-Auth Expiry

%{Authorization:[Time Source]:Now Plus 2hrs}

You can also use the Guest user repository Expire Time attribute.

%{Authorization:[Guest User Repository]:ExpireTime}

In order for these sources to be available, you must add the Time Source to the authorization tab of the service.

Mac authentication must be enabled or configured on ArubaOS. For Instant, its a checkbox in the security settings for the network configuration. For ArubaOS, you must setup mac authentication under AAA profiles.

Instant Mac Auth Setting
Controller Based WLAN AOS8

If adding a custom expiration length to an account is required, this can be done by editing the default expire after attribute in the Guest Registration form or adding a custom Time Attribute to the Time Source.

ClearPass Guest and Expire_after attribute
Custom Time Attribute to Time Source