Aruba SD-Branch: Notes on Staging Dynamic Segmentation

These are a few notes that helped me configure tunneled node in an SD-Branch deployment.

Access Switches on AOS Switch

The three types of VLANs:

Transit VLAN for GRE Tunnels – Keep in mind that the trunk ports for your APs and the switch-to-switch uplinks should have the transit VLAN configured. (Jumbo frame, ip dhcp-client set)

Untagged (Native) VLAN for Client Access Ports – Some people leave it on VLAN 1 for various reasons. This is typically the “quarantine VLAN”. However, the VLAN ID and the initial role should be standardized. (no ip address, jumbo, ip helper address)

Client VLANs with no ip address – These VLANs are strictly layer 2 on the switch and are used to segment clients into different subnets. Enable jumbo frames on them. (no ip address, jumbo, ip helper address)

Access Switch Protocol

This isn’t the official Aruba standard, but just a personal preference for standardizing access switch configuration.

SFP ports and port 1 – set as switch-to-switch uplinks with the transit VLAN untagged.

Check that the client VLANs are configured.

Set the native (untagged) VLAN on the client access ports.

Configure the tunneled-node-server settings, then set the interfaces between the first and last ports (the client access ports) as tunneled-node-server.
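As an added example (not from this post or from Aruba), a small Python audit that checks a captured AOS-Switch running-config against the conventions above: transit VLAN untagged on every uplink with jumbo and DHCP addressing, native and client VLANs strictly layer 2 with jumbo and an ip helper-address, and every port untagged in the native VLAN configured as tunneled-node-server. The CLI keywords it keys on (untagged, jumbo, no ip address, ip helper-address, ip address dhcp-bootp, tunneled-node-server), the fixed-port numbering and the sample config are assumptions to adjust to your switch model and firmware.

```python
# Constructed sample of an AOS-Switch style running-config (not from the post):
SAMPLE_CONFIG = """
vlan 100
   untagged 1,49-52
   jumbo
   ip address dhcp-bootp
vlan 1
   untagged 2-48
   no ip address
   ip helper-address 10.10.0.5
interface 2-46
   tunneled-node-server
"""

def ports(spec):
    # Expand an AOS-Switch port list such as '1,49-52' into a set of ints.
    return {p for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for p in range(int(lo), int(hi or lo) + 1)}

def parse(config):
    # Group indented context lines under their 'vlan N' / 'interface X' header.
    blocks, body = {}, []
    for raw in config.splitlines():
        if raw.strip() and raw[0] != " ":
            body = blocks.setdefault(raw.strip(), [])
        elif raw.strip():
            body.append(raw.strip())
    return blocks

def audit(config, transit_vlan, uplinks, native_vlan):
    # One finding per deviation from the staging conventions in the notes above.
    blocks, findings, tns, access = parse(config), [], set(), set()
    for hdr, body in blocks.items():
        kind, _, arg = hdr.partition(" ")
        if kind == "interface" and "tunneled-node-server" in body:
            tns |= ports(arg)
        elif kind == "vlan":
            vid = int(arg)
            untagged = set().union(*[ports(l.split()[1]) for l in body if l.startswith("untagged ")])
            rules = {"jumbo": "jumbo" in body}
            if vid == transit_vlan:  # GRE transit: untagged on every uplink, addressed by DHCP
                rules["untagged on all uplinks"] = uplinks <= untagged
                rules["ip address dhcp-bootp"] = "ip address dhcp-bootp" in body
            else:  # native/client VLANs: strictly layer 2, DHCP relayed via helper
                rules["no ip address"] = "no ip address" in body
                rules["ip helper-address"] = any(l.startswith("ip helper-address ") for l in body)
                access |= untagged if vid == native_vlan else set()
            findings += [f"vlan {vid}: {r} missing" for r, ok in rules.items() if not ok]
    findings += [f"port {p}: tunneled-node-server missing" for p in sorted(access - tns)]
    return findings
```

Running audit(SAMPLE_CONFIG, 100, {1, 49, 50, 51, 52}, 1) on the sample reports the missing jumbo on VLAN 1 and the two access ports (47, 48) left out of the tunneled-node-server range.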

Gateway, ClearPass Policy Manager and Device Insight Configuration

It's assumed that basic setup has been completed beforehand.

Policy Manager – Create roles, role mapping, enforcement profile/policy

Device Insight – update tagging for profiled devices

Policy Manager – update role mapping to use the Device Insight tagging

Gateway – match the roles from Policy Manager and update the associated policies