Aruba SD-Branch Gateway: NAT Traffic from Public IP to Private IP

If you’re adding a NAT port for any additional services besides HTTP/HTTPS or SSH traffic, the additional ports have to be allow-listed under:

Group -> Devices -> Gateways -> Security -> Advanced -> ACL Allowlist

For TCP ports, set protocol 6 (the IP protocol number for TCP); for UDP ports, use protocol 17 when adding the additional rules.

This must be done in addition to modifying the WAN uplink policy with your destination NAT ACL.

Use LetsEncrypt to Generate a Wildcard Certificate

Create a CPPM server certificate for captive portal.

First, generate a wildcard via certbot:

In Ubuntu, execute the following:

sudo apt update 
sudo apt install letsencrypt

sudo certbot certonly --manual --preferred-challenges dns --server

Before you convert your certificates into a p12 file format, download the PEM files for a different RSA CA trust chain for your public and private key. I used ISRG Root X1, found =>

On the same page, download the corresponding Let's Encrypt R3 intermediate certificate to complete the trust chain.

Combine the root and intermediate certificates to create the new chain in text editor: intermediate first, root last.

Using the new chain file, run the following openssl command:

openssl pkcs12 -export -out keycert.p12 -inkey privkey.pem -in cert.pem -certfile new-chain.pem

The p12 file should work for an RSA server certificate.

To create a server certificate accepted by an Aruba IAP, you’ll need to manually combine the PEM files in a text editor. IAPs do not accept .p12 files, but they do accept PEM. The order is the following:

  1. server [cert.pem]
  2. chain [intermediate, CA]
  3. private key
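As an added, self-contained rehearsal of the chain, p12 and IAP bundle steps above (this is not code from the original notes): it mints a throwaway root, intermediate and wildcard server certificate with openssl in place of the real ISRG Root X1, R3 and certbot output, builds both artifacts in the order given above, and then runs the checks worth doing before uploading anything. The file names follow the commands above; the CN values, the export password and the `$WORK` directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes. "Test Root X1" / "Test R3" stand in
# for ISRG Root X1 / Let's Encrypt R3, and the wildcard leaf stands in for
# certbot's cert.pem + privkey.pem, so the whole thing runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # every file lands here; set WORK to keep the output

# Constructed stand-in PKI: root -> intermediate -> wildcard server certificate.
make_test_pki() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Test Root X1" >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 7 -extfile ca.ext \
    -out root.pem >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout intermediate.key \
    -out intermediate.csr -subj "/CN=Test R3" >/dev/null 2>&1
  openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -days 7 -extfile ca.ext -out intermediate.pem >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out server.csr \
    -subj "/CN=*.example.com" >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key \
    -CAcreateserial -days 7 -out cert.pem >/dev/null 2>&1
)

# Chain for the p12: intermediate first, root last (the order the notes give).
build_chain() {
  cat "$WORK/intermediate.pem" "$WORK/root.pem" > "$WORK/new-chain.pem"
}

# PKCS#12 for the CPPM RSA server certificate. The notes' command prompts for
# an export password; -passout makes it non-interactive (constructed password).
build_p12() {
  openssl pkcs12 -export -out "$WORK/keycert.p12" -inkey "$WORK/privkey.pem" \
    -in "$WORK/cert.pem" -certfile "$WORK/new-chain.pem" -passout pass:changeit
}

# IAP bundle: server cert, then chain (intermediate, root), then private key.
build_iap_bundle() {
  cat "$WORK/cert.pem" "$WORK/new-chain.pem" "$WORK/privkey.pem" > "$WORK/iap-bundle.pem"
}

# --- checks worth running before uploading either artifact ---

# The leaf must chain to the root through the intermediate; exit status is the verdict.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
    "$WORK/cert.pem" >/dev/null
}

# Number of certificates packed into the p12 (leaf + 2 chain certs = 3).
p12_cert_count() {
  openssl pkcs12 -in "$WORK/keycert.p12" -nokeys -passin pass:changeit 2>/dev/null \
    | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# PEM block labels in file order, comma separated, e.g. "CERTIFICATE,PRIVATE KEY,".
pem_layout() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ','
}

# CN of the first certificate in a PEM file (openssl x509 reads only the first block).
first_cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

main() {
  make_test_pki
  build_chain
  build_p12
  build_iap_bundle
  verify_chain && echo "chain verifies"
  echo "p12 holds $(p12_cert_count) certificates"
  echo "iap-bundle.pem layout: $(pem_layout "$WORK/iap-bundle.pem")"
  echo "first cert in bundle: $(first_cert_cn "$WORK/iap-bundle.pem")"
  echo "outputs in $WORK"
}

main
```

With real certbot output, point `build_chain` and the two build steps at `/etc/letsencrypt/live/<domain>/cert.pem` and `privkey.pem` plus the downloaded R3 and ISRG Root X1 PEMs; the `first_cert_cn` and `pem_layout` checks catch the two mistakes an IAP upload usually fails on, the chain pasted before the server certificate and the key missing from the end.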

Aruba SD-Branch – Factory Reset and Initial Provisioning Debug Commands

Guidelines for factory resetting gateways or accessing the CLI during provisioning have changed quite a bit over the last few months. On a factory-default gateway, you can log into the CLI with the following:

If presented with the activate wizard, type: intdbg

If you have a username/password:

Username : branchsupport
Password: <mac address in lowercase with colons>

Factory Reset a Gateway

The easiest way, if you have physical access, is to hold down the reset button for 15 seconds, unless it's a model with no button. The last resort is to format the boot partition from cpboot:

format 0:2

Although, if you’re this far down the rabbit hole, I would contact TAC or an SE at this point.


Troubleshooting Aruba SD-Branch DPS Policy

Commands for general telemetry

show wan session-counters 
show wan policy-list
show datapath wan probestats
show wan threshold-stats
show uplink stats
show user
show datapath session table | include <user ip>

In case you need to make sure things are still running

show boot history
show switchinfo
show process monitor statistics

AOS-S: Transceiver information

To display detailed interface transceiver diagnostic information, issue the following command:

(host) #show interface gigabitethernet 0/1/1 transceiver detail

To display detailed stacking interface transceiver diagnostic information, issue the following command:

(host) #show stacking interface stack 0/1 transceiver detail

To display basic transceiver information, issue the following command:

(host) #show interface transceiver brief

Or, for a summary:

(host) #show tech transceivers

ArubaOS and Aruba SD-Branch Gateway: Packet Capturing on the Gateway’s CLI

packet-capture controlpath udp all
packet-capture copy-to-flash controlpath-pcap

To Download

copy flash: <filename> tftp: <host> <destfilename>

To turn off

no packet-capture

To stream the capture to a remote client running Wireshark, make sure the Windows firewall is turned off.

Once the destination is set, the pcap is streamed to the destination IP. It is assumed the client IP is permitted to receive traffic from the VLAN.

#get client mac
show user
#check if pcap is running
show packet-capture
#reset packet capture buffer
packet-capture reset-pcap datapath-pcap
#set target client
packet-capture datapath mac <clientmac addr> all
#set destination for pcap stream
packet-capture destination ip-address <client ip address>

Aruba Instant: IAP Packet Capture or Pcap

Get the BSSID first; it is an argument of the pcap start command.

show ap monitor status

Start the pcap. @IPofcomputer is the IP address of the client that receives the pcap stream.

pcap start BSSID @IPofcomputer UDPPort format size

Get pcap status

show pcap status

Stop pcap

pcap stop <bssid> <id>


AOS-Switch PCAP with a SPAN port

Create a “mirror” and assign the interface to be used as the “SPAN” port, i.e. the port used for packet capture. In this case port 8 receives the mirrored traffic.

mirror 1 port 8

Mark the ports to be monitored by the SPAN port; traffic from these ports is copied to the SPAN port for capture. In this example, Ethernet port 1 duplicates its traffic to mirror 1 (the SPAN port).

interface 1
monitor all both mirror 1

Connect a laptop to interface 8 on the switch and use Wireshark or your PCAP client of choice to analyze the traffic.

Aruba SD-Branch: Notes on Staging Dynamic Segmentation

These are a few notes that helped me configure tunneled node in an SD-Branch deployment.

Access Switches on AOS Switch

The three types of VLANs:

Transit VLAN for GRE Tunnels – Keep in mind that the trunk ports for your APs and Switch to Switch uplinks should have the transit VLAN configured. (Jumbo frame, ip dhcp-client set)

Untagged (Native) VLAN for Client Access Ports – Some people leave it on VLAN 1 for various reasons. This is typically the “quarantine VLAN”. However, the VLAN ID and the initial role should be standardized. (no ip address, jumbo, ip helper address)

Client VLANs with no ip address – These VLANs are strictly layer 2 with no ip address. These are for segmenting clients into different subnets. Switch settings should be jumbo. (no ip address, jumbo, ip helper address)

Access Switch Protocol

This isn’t the official Aruba standard, but just a personal preference for standardizing access switch configuration.

SFP ports and port 1 – set as switch-to-switch uplinks with the transit VLAN untagged.

Check and make sure client VLANs are set

Set native VLAN for client access ports

Set tunneled-node-server settings, and set interfaces between first and last as tunneled-node-server

Gateway, ClearPass Policy Manager and Device Insight Configuration

It is assumed basic setup has been completed beforehand.

Policy Manager – Create roles, role mapping, enforcement profile/policy

Device Insight – update tagging to profiled devices

Policy Manager – update role mapping to device insight tagging

Gateway – Match roles from policy manager and update associated policies