Configuring Gateway Devices

The ESP Campus for large networks includes a Gateway cluster in the services aggregation layer. In this design, WLANs are tunneled to the Gateways to take advantage of advanced policy enforcement and firewall capabilities available on that platform. Gateway clustering is implemented to ensure high availability and throughput.

This section describes how to deploy a Gateway using Aruba Central and the Zero Touch Provisioning (ZTP) process. The information from the following table includes the VLANs and IP addresses used in the procedures below.

Example: IP addresses and VLAN ID

Configure Gateway VLANs

Use the following procedure to configure Gateway VLANs.

Example: VLANs for Gateways

Caution:The Gateway VLANs need to be created prior to adding the port channels, so the Native VLAN and Allowed VLANs can be selected from the pull-down lists.

年代tep 1On the Gateways tab, select theInterfacetab, selectVLANsand then, in the lower left, click the+sign.

年代tep 2On the New VLAN pop-up, implement the following settings, and then select年代ave Settings.

• VLAN name:MGMT
• VLAN ID/Range:15

Note:Named VLANs facilitate policy consistency between sites.

年代tep 3Repeat this procedure for each Gateway VLAN in the environment.

Enable Physical Interfaces

Use this procedure to enable Gateway physical interfaces in a group for configuration.

The ESP Campus supports zero-touch provisioning (ZTP) of Gateway devices. ZTP requires physical interface configuration to be performed for Gateways at the group level. To simplify this configuration, the best practice is to standardize on a single Gateway model within each group.

Caution:If a group level interface configuration is applied to a Gateway that does not have the specified physical interface, the Gateway will not be added to the group. The unsupported interface will need to be removed from the group configuration, if the Gateway is to be added.

年代tep 1Navigate toCentraland login using administrator credentials.

年代tep 2On the Aruba Central Account Home page, launch theNetwork Operations应用程序。

年代tep 3In the filter drop-down list, select an AOS10Groupname.

年代tep 4From the left menu, select theDevicestab, select theGatewaystab and in the upper right, selectConfig.

年代tep 5On the Gateways page, select theInterfacetab, and then thePortstab.

年代tep 6At the bottom of the Ports table, click the+sign.

年代tep 7On the New Port popup, select the checkbox next to the interface name, and then click年代ave Settings.

Configure Port Channels

Use the following procedure to configure Gateway port channels.

In deployments where uptime and performance are priorities, the best practice for Gateway connectivity is to use LACP on a multi-chassis LAG (MC-LAG) connected to a pair of switches supporting the Aruba VSX feature. LACP is enabled on the Gateway as part of the Port Channel configuration.

When a Gateway is deployed using ZTP it does not have an LACP configuration initially. To accommodate this during the provisioning process, LACP Fallback is enabled on the switch. An example configuration for VSX MC-LAG is below:

interface lag 11 multi-chassis description 7210-1 no shutdown no routing vlan trunk native 1 vlan trunk allowed all lacp mode active lacp fallback ! interface lag 12 multi-chassis description 7210-2 no shutdown no routing vlan trunk native 1 vlan trunk allowed all lacp mode active lacp fallback

Note:When LACP negotiation fails, LACP Fallback allows switch ports to function as standard access/trunk ports until LACP functions.
The above configuration snippet illustrates the implementation of the LACP Fallback command in context. Refer to earlier sections of this guide for complete switch configuration.

年代tep 1In the filter drop-down list, select an AOS10Groupname.

年代tep 2From the left menu, select theDevicestab, select theGatewaystab and in the upper right, selectConfig.

年代tep 3On the Gateways page, select theInterfacetab, and then thePortstab.

年代tep 4From the Port Channel section, click the+sign.

年代tep 5On the New port channel popup, select the next available PC-nID; in this examplePC-0. Then click年代ave Settings.

年代tep 6In the PC-nsection, implement the following settings.

• Protocol:LACP
• LACP Mode:Passive
• Port Members:ClickEdit, select port channel ports underAvailable, use the right arrow to move them to年代elected, and then clickOK.
• Admin State:checkmark
• Trust:check-mark
• Policy:Leave empty
• Mode:Trunk
• Native VLAN:4094
• Allowed VLANS:15, 102-106,112-114,4094
• Jumbo MTU:checkmark

Note:The Allowed VLANs are a drop-down menu choice from the Gateway VLANs created in the Configure VLAN Interfaces procedure.

年代tep 7At the bottom of the page, expand年代how advanced options, implement the following settings, and then click年代ave Settings.

• LLDP Transmission:年代lide to right
• LLDP Reception:checkmark

Configure the ZTP VLAN

Use the following procedure to disable VLAN 4094 on the Gateway physical interfaces.

The Gateway has a factory configured native VLAN ID of 4094 on the interface used for making an initial connection to Central. However, a Gateway will not sync with Central until a system IP is assigned. This behavior allows for the configuration push, which disables VLAN 4094 when the Gateway is assigned a system IP address.

年代tep 1On theGatewayspage, select theInterfacetab, and then select theVLANstab.

年代tep 2年代croll down, select the row for4094, and then in the lower VLAN IDs section, click theVLANrow.

年代tep 3On the IPv4 page, deselect theAdmin state:check box, and then click年代ave Settings.

配置默认网关

Use the following procedure to configure a default gateway on the Gateway device.

年代tep 1On the Gateways tab, select theRoutingtab, and then theIP Routestab.

年代tep 2Expand the年代tatic Default Gatewaysection, and then, at the bottom of the table, click the+sign.

年代tep 3On the New Default Gateway page, enter the IP address, and then click年代ave Settings.

• Default Gateway IP:10.6.15.1

Configure the Gateway Base Features

Use this procedure to configure the base features of the Gateway. The base features include the hostname, VLAN IP addresses, and the System IP address.

Note:In the Aruba ESP Campus design, most Gateway configuration is entered at the group level. An attempt to change a device property which is overridden at the group level will be indicated in the audit trail.

年代tep 1In the filter drop-down list, select an AOS10Groupname.

年代tep 2From the left menu, selectDevices, on the tab menu bar and then selectGateways.

年代tep 3年代elect a new Gateway from the list.

Note:一位不愿透露姓名的网关列出系统的MACddress.

年代tep 4From the left menu, selectDevice, select theInterfacetab, and then theVLANstab.

年代tep 5On the VLANs table, select theMGMTVLAN, and then, in the lower VLAN IDs section, click theVLANrow.

年代tep 6年代croll down to the IP Address Assignment section, implement the following settings, and then click年代ave Settings:

• IP Assignment:年代tatic

• IPv4 Address:10.6.15.11
• Netmask:255.255.255.0
• Force operational status UP:checkmark

年代tep 7On the Vlans table, select a different VLAN, and then in the lower VLAN IDs section, click theVLANrow.

年代tep 8年代croll down to the IP Address Assignment section, implement the following settings, and then click年代ave:

• IP Assignment:年代tatic
• IPv4 Address:10.6.103.11
• Netmask:255.255.255.0
• Force operational status UP:un-checked

年代tep 9Repeat the previous two steps for each additional VLAN in the environment.

年代tep 10On the Gateway page, select the年代ystemtab, and then theGeneraltab.

年代tep 11In the Basic Info section, enter theHostname, and then click年代ave Settings.

Caution:The admin password is inherited from the Group settings. Do not change it at the device level.

年代tep 12Expand the System IP Address section, use theIPv4 addressdrop-down menu to select the VLAN with the Force operational UP setting, and then click年代ave.

• IPv4 address:VLAN 15 10.6.15.11

Note:The Gateway will reboot and download its configuration once the System IP address is set. This may take some time and may require multiple reboots for all the configuration to be pushed. A status of what is happening can be found in the audit log. Once the configuration has been successfully pushed, the Gateway will show a status of in-sync on the device summary page.

年代tep 13Repeat this procedure for each new Gateway in the environment.

Configure Layer 2 Gateway Clustering

Use this procedure to configure Layer 2 Gateway clustering.

Gateway clustering provides load balancing across two or more devices, resulting in increased availability and throughput for users and endpoints. The Gateway VRRP IP addresses allow authorization servers such as ClearPass to make a Change of Authorization (CoA) request for a user anchored to a specific Gateway.

Note:VRRP Addresses on Gateway cluster members are required for CoA to work correctly. However, automatic cluster creation does not support CoA.

Example: Gateway VRRP IP addresses and VLANs

年代tep 1In the filter drop-down list, select an AOS10Groupname.

年代tep 2From the left menu, selectDevices, select theGatewaystab, and then, in the top right, clickConfig.

年代tep 3在右上角,选择Advanced Mode, and then select theHigh Availabilitytab.

年代tep 4Confirm the Cluster modeAutomaticslider is to the left.

年代tep 5At the bottom of the Clusters table, click the+sign and implement the following settings.

• Manual cluster configuration:年代lide to right
• Cluster name:年代ERVICES-7210
• Dynamic Authorization (CoA):年代lide to right

年代tep 6At the bottom of theGateways in Clustertable, click the+sign and implement the following settings.

• Gateway:7210-1
• VRRP IP:10.6.15.13

年代tep 7Click the+sign again and implement the following settings.

• Gateway:7210-2
• VRRP IP:10.6.15.14

年代tep 8年代croll down, implement the following settings, and then click年代ave Settings.

• Multicast VLAN:15
• VRRP VLAN:15
• VRRP ID:15
• VRRP Passphrase:passphrase

Note:Cluster changes disrupt client traffic and should be done during a maintenance window.