CXW02 - Dynamic Segmentation - Lab Guide

LAB GUIDE
Dynamic Segmentation
ARUBA AOS-CX SWITCHING WORKSHOP
© 2021 Aruba, a Hewlett Packard Enterprise company

LAB GUIDE
Aruba AOS-CX Dynamic Segmentation
TABLE OF CONTENTS
INTRODUCTION ........................................................................................................................................... 3
LAB ACTIVITY 1: SETTING UP VSF STACKING FOR CLIENT ACCESS ................................................. 8
LAB ACTIVITY 2: CONFIGURE THE AGGREGATION SWITCH (8325-A) ............................................... 13
LAB ACTIVITY 3: AUTHENTICATION ....................................................................................................... 18
LAB ACTIVITY 4: DOWNLOADABLE USER ROLES ............................................................................... 26
LAB ACTIVITY 5: USER-BASED TUNNELING ......................................................................................... 32
LAB ACTIVITY 6: TROUBLESHOOTING .................................................................................................. 39
LAB ACTIVITY 7: AOS-CX ADMIN AUTHENTICATION TACACS+ ......................................................... 42
APPENDIX: CLEARPASS CONFIGURATION ........................................................................................... 44
APPENDIX: SOLUTION TO THE TROUBLESHOOTING LAB .................................................................. 49
Version 20210423-v10.7a © 2021 Aruba, a Hewlett Packard Enterprise company 2

LAB GUIDE
LAB GUIDE
INTRODUCTION
OBJECTIVE
At the end of this workshop, you will be able to implement the fundamentals of access control and dynamic segmentation in a
campus network based on Aruba CX Switches, Aruba ClearPass Policy Manager and Mobility Controller Gateways.
OVERVIEW
Scenario
Figure 1. Aruba CX collapsed core campus network
LAB NETWORK LAYOUT

This workshop uses the following equipment that will allow you to implement the different components of a secure access
solution:
• Two 6300 switches for the access layer
• One 8325 switch for the aggregation layer
• One 7005 mobility controller (in standalone mode)
• One (shared) ClearPass server
On this network you will be able to configure:
• MAC authentication
• 802.1X authentication
• Local and downloadable user roles
• User based tunneling

LAB GUIDE
Figure 2. Lab-group Kit for this workshop
IMPORTANT
• The port numbers of the 6300-B switch will change from 1/1/x to 2/1/x at the end of the VSF stack setup.
• Both 8325 switches have 48 25GbE SFP28 ports, however, all inter-switch connections are 10 GbE SFP+ DAC cables. To
enable these cables/transceivers, the speed on the ports will have to be changed to 10Gbps. On the 6300 switches, this
step is not necessary as they recognize SFP56, SFP28, and SFP+ automatically. This will be done in the next steps.
• The MC 7005 Gateway and the ClearPass server have already been configured. You will have access to review the
configuration.

LAB GUIDE
CONNECTING TO THE LAB ENVIRONMENT

To access the lab environment, go to https://gw.vlabs.hpe.com/ and use the credentials provided by the instructor.
Note: if you are not using a US keyboard, use the “Keyboard” selector when connecting to select the appropriate layout.
Logging in will open a remote desktop session to the Win 10 client (see Figure 2).
Your labs login name includes a unique number at the end, for example 12345user8. Remember that number as it will be used
in many configurations, for example in this VLAN ID: vlan X5, X is your user number and the VLAN ID would be 85.
It is recommended to switch off the system sounds if they annoy you. To do that, click in the Windows menu button, type
Sounds to find the ‘Change system sounds’ configuration. From there select the sound scheme ‘No Sounds’:
If you experience a hung terminal session (serial console), try to enter Ctrl-C (Mac: Cmd-C) followed by a few time Enter to make
it responding again.
If you are on a Mac, the Shift/Alt/CMD key sometimes get stuck in the VM. If that happens, you don’t see the characters you type
appear, but windows pop up. If you experience this: press Shift, after that Control, then Option, and finally Command, each key
one at a time to get the status ‘reset’. After that, you can type normal again.
Also, on a Mac:
- the Control key will be the Windows key in the VM
- the Option key will be the ALT key in the VM
- the Command key will be the Ctrl key in the VM

LAB GUIDE
This VM has four Ethernet adapters:
Adapter Name Purpose
DO NOT MODIFY This is the NIC that provides you RDP connection to the Win 10 Client
IMPORTANT: do not modify it!
2930 Not used in this lab
3810-OOBM Connection to the out-of-band network. It gives you access to:
• Each switch’s management port

• NetEdit Server
6300 Connection to port 1/1/1 on the 6300-A switch. You will use this
interface to test connectivity in the PREPARE the WINDOWS CLIENT
section of the activity.
Once logged in open MTPuTTY or PuTTY open the console of the following devices: 6300-A, 6300-B, 8325-A and 8325-B.
Note: if while opening MTPuTTY you are prompted for the location of PuTTY, find it here: C:\Program Files\PuTTY
Copy/Paste to/from the lab environment
In order to use copy/paste between the labs and your local computer, use the clipboard function in the left menu bar:
will pop up a window that holds the clipboard content, and where you can paste content from your local system to the
clipboard in the lab VM. You can use this to get the switch configuration after you finished your labs, for later reference.
Exiting the lab environment

If at any point you need to close the session: Click on the X button located at the bottom on the left margin menu
These steps will guarantee that next time you connect you will be able to access the lab environment without difficulty.
INITIAL CONFIGURATION
All switches are preconfigured with the following parameters and states:
• Username: admin Password: admin
• CLI session expiration: disabled
• Management interface:
• Enabled

LAB GUIDE
• IP Address: static in subnet 10.251.X.0 (where X is the Labgroup number)

• SSH Server and HTTPS server: enabled on the management VRF
• REST Interface: enabled in read/write mode
IMPORTANT
All switches have been preconfigured with:
• username: admin
• password: admin
The MC 7005 has been preconfigured with:
• username: admin
• password: password
The ClearPass server has been preconfigured with: a read-only account:
• username: readonly
• password: readonly

LAB GUIDE
LAB ACTIVITY 1: SETTING UP VSF STACKING FOR CLIENT ACCESS

Note that this lab activity is required to get a working environment for the Dynamic Segmentation labs, but are not relevant for
the understanding of dynamic segmentation. Please quickly escalate to the instructors if you get stuck in this lab to make sure
you have enough time for the Dynamic Segmentation labs.
This activity assumes that you are familiar with the VSF technology. For more information read the VSF Best Practices White
Paper provided along with this lab guide.
To start:
• Open the consoles of the both 6300 switches

• Hit enter to get the login prompt
• Login using:
• User: admin and password: admin
Verify the link between the 6300 switches
Figure 3. 6300 to 6300 Link
On each console enter:

show interface transceiver
and find the ports with the same transceiver type and serial number:
Note: in this step you are taking advantage of using DAC cables, that show the same serial number at both ends.
6300-A 6300-B
--------------------------------------------------------------- ---------------------------------------------------------------
Port Type Product Serial # Part # Port Type Product Serial # Part #
--------------------------------------------------------------- ---------------------------------------------------------------
1/1/26 SFP56DAC0.65 R0M46A CN91KKD01P 8121-1715 1/1/25 SFP56DAC0.65 R0M46A CN91KKD01P 8121-1715
1/1/27 SFP+DAC1 J9281B CN2295L32P 8121-1151 1/1/27 SFP+DAC1 J9281D CN89KBZBHR 8121-1300
1/1/28 SFP+DAC1 J9281B CN2295L33H 8121-1151 1/1/28 SFP+DAC1 J9281D CN89KBZBDT 8121-1300
You can also verify the actual connection with the show lldp neighbor-info command:
On each console enter:

show lldp neighbor-info
6300-A
PN1-6300-A# show lldp neighbor-info

LLDP Neighbor Information
=========================
Total Neighbor Entries : 2
Total Neighbor Entries Deleted : 0
Total Neighbor Entries Dropped : 0
Total Neighbor Entries Aged-Out : 0
LOCAL-PORT CHASSIS-ID PORT-ID PORT-DESC TTL SYS-NAME
-------------------------------------------------------------
1/1/25 88:3a:30:92:d5:00 1/1/26 1/1/26 120 PN2-
6300-B
1/1/26 88:3a:30:92:c4:00 1/1/25 1/1/25 120 PN2-
6300-B
mgmt 1c:98:ec:9e:6b:45 4 1/4 120 3810-Stk-OOBM

LAB GUIDE
If the connection is not between 6300-A 1/1/26 and 6300-B 1/1/25, make a note. You will need the correct port numbers to
setup the VSF link.
The config examples will follow that the 6300-A has port 1/1/26 connected to port 1/1/25 on the 6300-B. If you see different
values, please report to your instructor and be careful when entering the commands that you use the correct port numbers in
your lab situation.
Prepare the VSF Auto-stacking

The VSF auto-stacking process will be triggered by entering the CLI command on the 6300-A (the one with the highest VSF-link
candidate port number). However, VSF auto-stacking:
• requires that both switches are in default configuration
• however, as you have seen, they have an initial configuration
• the way to overcome this issue is different on the 6300-A and the 6300-B
• you will start by preparing the 6300-B to receive the VSF join message
On the 6300-B
• In the next steps you will
• Verify that the 6300-B is not eligible for VSF auto-join (it has a non-default configuration)
• Force eligibility
• Verify the change
Note: lines that start with “!” are comments in the CLI scripts and do not need to be entered in the console.
show vsf
Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 88:3a:30:92:d5:00
Secondary :
Topology : Standalone
Status : No Split
Split Detection Method : None
Mbr Mac Address type Status

ID
--- ------------------- -------------- ---------------
1 88:3a:30:92:d5:00 JL668A Master
!
! force VSF auto-join
configure
vsf force-auto-join
! verify the change
show vsf
Force Autojoin : Enabled
Autojoin Eligibility Status: Eligible
MAC Address : 88:3a:30:92:d5:00
Secondary :
Topology : Standalone
Status : No Split

ID
--- ------------------- -------------- ---------------
1 88:3a:30:92:d5:00 JL668A Master

LAB GUIDE
Now the 6300-B is ready to join the stack when it receives the command from the 6300-A through its port 1/1/25.
On the 6300-A
The switch on which you will start the VSF process must be reset to the default configuration. Take the following steps:
! erase all non-VSF configurations
erase startup-config
! answer y at the prompt: Erase checkpoint startup-config?
! and reboot the switch
boot system primary
! at the following prompt
! Default boot image set to primary.
! Checking if the configuration needs to be saved...
! Do you want to save the current configuration (y/n)?
! answer n
!
! and then at the prompt
! This will reboot the entire switch and render it unavailable
! until the process is complete.
! Continue (y/n)?
! answer y
When the 6300-A completes the reboot process, you will notice that its prompt has changed to the default. Login using the
default credentials (username: admin, and no password). And without making any changes trigger the VSF auto-stack:
configure
vsf start-auto-stacking
This will configure links and secondary on master
Do you want to continue (y/n)? y

The 6300-B will reboot and join the stack. Monitor the process by entering on the 6300-A:
end
show vsf
repeat
The last command will repeat the previous one until you break the cycle with Ctrl-C (if you are using a MAC, use Command-C).
After some time the show vrf command output should look like:
Force Autojoin : Disabled
Autojoin Eligibility Status: Not Eligible
MAC Address : 88:3a:30:92:f4:80
Secondary : 2
Topology : Chain
Status : No Split

ID
--- ------------------- -------------- ---------------
1 88:3a:30:92:f4:80 JL668A Master
2 88:3a:30:92:95:00 JL668A Standby
Once the stack is complete, with both switches running, complete the initial configuration on the 6300-A:
auto-confirm
! The previous command automatically provides a “y” to any confirmation request prompt
configure
session-timeout 0
user admin password
! at the prompt enter the new password admin twice
! in the next commands replace the X with your user number for consistency
host PNX-6300-VSF

LAB GUIDE
! configure the management port

interface mgmt
ip static 10.251.X.4/24
default-gateway 10.251.X.254
end
PNX-6300-VSF# ping 10.251.X.254 vrf mgmt
PING 10.251.X.254 (10.251.X.254) 100(128) bytes of data.
108 bytes from 10.251.X.254: icmp_seq=1 ttl=255 time=0.459 ms
--- 10.251.X.254 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4103ms
rtt min/avg/max/mdev = 0.438/0.453/0.470/0.011 ms
write memory
IMPORTANT
Your labs login name included a unique number at the end, for example 12345user8.
This number will be used in many configurations, for example in this VLAN ID: vlan X5, X is your user number and the VLAN ID
would be 85. This notation can also be used in router IDs and IP addresses.
If you forgot that number, you can also find it in the prompt of your switches, for example: PNX-6300-A
Setting up the uplink

• On the VSF Stack 6300-A, configure the following elements: VLANs for the uplinks, uplink link aggregation group
Figure 4. VSF Stack Uplink
configure
! vlan X5 will be configured on the client ports
vlan X5
exit
! create a layer 2 LAG (#1) and map the VLANs and the uplink ports to it
interface vlan X5
ip address 10.1.X5.99/24
exit
! default route
ip route 0.0.0.0/0 10.1.X5.1
! configure the downlink ports to the client
interface 1/1/1,2/1/1
no shutdown
no routing
vlan access X5
exit
!
! create uplink LAG
interface lag 1
no shutdown
no routing
lacp mode active
vlan trunk allowed X5
exit
! use an interface range to simplify assigning ports to LAG 1

LAB GUIDE
! use an L2 MTU of 2048 Bytes to accommodate for tunneling to a gateway in later lab
interface 1/1/27,2/1/27
no shutdown
mtu 2048
lag 1
end
! save the configuration
write memory
! create a checkpoint
copy running checkpoint VSF

LAB GUIDE
LAB ACTIVITY 2: CONFIGURE THE AGGREGATION SWITCH (8325-A)

Note that this lab activity is required to get a working environment for the Dynamic Segmentation labs, but are not relevant for
the understanding of dynamic segmentation. Please quickly escalate to the instructors if you get stuck in this lab to make sure
you have enough time for the Dynamic Segmentation labs.
Connection to the 6300 VSF Access Stack

On the 8325-A
• Start by logging in and changing the system interface group 1 speed to support the 10GbE SFP+ and 1 GbE RJ45
transceivers. As mentioned earlier, the ports are 25Gbps ports and need to be configured for 10Gbps.
auto-confirm
configure
session-timeout 0
system interface-group 1 speed 10
• Sync the core with NTP, and make it NTP server for the lab controller:
ntp vrf mgmt
no ntp server pool.ntp.org
ntp server 10.250.1.3 iburst
ntp enable
ntp master vrf default stratum 10
• Create all VLANs and the LAG to connect to the 6300 VSF Stack. A loopback interface will be used to test the 6300 VSF
default route
interface loopback 0
ip address 10.254.X.1/32
!
vlan X0-X5
exit
interface vlan X5
exit
!
! LAG to the 6300 VSF access stack
!
interface lag 12
no shutdown
no routing
lacp mode active
vlan trunk allowed X5
exit
!
no shutdown
mtu 2048
lag 12
end
write memory
!
• On the 6300 VSF, validate link aggregation between the access and the aggregation switches and IP connectivity.
show lacp interfaces
State abbreviations:
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state
Actor details of all interfaces:

----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State

LAB GUIDE
----------------------------------------------------------------------------------
1/1/27 lag1 26 1 ALFNCD 88:3a:30:92:f4:80 65534 1 up
2/1/27 lag1 90 1 ALFNCD 88:3a:30:92:f4:80 65534 1 up
Partner details of all interfaces:

----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
----------------------------------------------------------------------------------
1/1/27 lag1 2 1 ALFNCD 90:20:c2:ba:18:00 65534 12
2/1/27 lag1 3 1 ALFNCD 90:20:c2:ba:18:00 65534 12
Test connectivity to core:
ping 10.1.X5.1
PING 10.1.X5.1 (10.1.X5.1) 100(128) bytes of data.
108 bytes from 10.1.X5.1: icmp_seq=1 ttl=64 time=0.171 ms
--- 10.1.X5.1 ping statistics ---

Test connectivity across core:
ping 10.254.X.1
PING 10.254.10.1 (10.254.X.1) 100(128) bytes of data.
--- 10.254.X.1 ping statistics ---

Connection to the MC7005
Figure 5. Connection between the aggregation switch and the mobility controller gateway
On the 8325
• Complete the IP addressing configuration on the VLAN interfaces

!
configure
interface vlan X0
!
interface vlan X3
!
interface vlan X4
!
interface vlan X5
exit
!
• Create the LAG to the controller.

LAB GUIDE
Notes:
• A single port will be connecting the 8325-A to the controller

• The equivalent port-group on the controller has already been created
!
interface lag 11
no shutdown
no routing
lacp mode active
vlan trunk allowed X3,X4
exit
interface 1/1/5
no shutdown
mtu 2048
lag 11
end
write memory
• Verify the connection to the controller
LACP State
show lacp interfaces
. . .
Actor details of all interfaces:
------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
------------------------------------------------------------------------------
1/1/5 lag11 6 1 ALFNCD 90:20:c2:ba:18:00 65534 11 up
. . .
Partner details of all interfaces:

------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
------------------------------------------------------------------------------
1/1/5 lag11 1 255 ASFNCD 20:4c:03:03:be:10 32768 2
. . .
IP connectivity
ping 10.1.X4.100

. . .

• Validate IP connectivity on the 6300 VSF Stack

ping 10.1.X4.100
. . .


LAB GUIDE
PREPARE THE WINDOWS CLIENT
The Ethernet Adapter “6300” is connected to the 6300 Stack port 1/1/1.
Configure the 6300 adapter and a route to the 10.0.0.0 network.

• To make sure we route traffic correctly in the labs, we have to put a static IP and route on the interface to the 6300.
• Open the Network and Sharing Center, and open the details of the “6300” adapter.
TECH-TIP: If you run: ncpa.cpl you will get into the screen that has all your interfaces, without the need to click through
several windows.
TECH-TIP: If you prefer command line over GUI, you can in Windows use the netsh command from an elevated (run as
Administrator) command prompt:
netsh interface ip set address name="6300" source=static 10.1.X5.200 255.255.255.0
• Assign
IP address: 10.1.X5.200
Mask: 255.255.255.0
Default gateway: (leave empty)
• Open a command prompt in Administrator mode
At the bottom left of your windows desktop, find the search box and enter cmd
On the popup window, right-click on Command Prompt and select Run as administrator (if prompted for confirmation,
accept)
• On the command window, create a persistent route

LAB GUIDE
C:\>route -p add 10.1.0.0 mask 255.255.0.0 10.1.X5.1

C:\>route print
• Test by pinging the mobility controller

C:\>ping 10.1.X4.100
C:\>tracert -d 10.1.X4.100

LAB GUIDE
LAB ACTIVITY 3: AUTHENTICATION

IMPORTANT
1. All configurations shown from here on, must be entered on the 6300 VSF Stack, unless indicated otherwise.
2. The connection between the access stack and the ClearPass server is implemented over the OOBM port (mgmt VRF)
• Verify that the management interface is properly configured

show run interface mgmt
no shutdown
ip static 10.251.X.4/24
default-gateway 10.251.X.254. . .
If the configuration is not correct, fix it before continuing
• Test management connectivity

ping 10.253.1.254 vrf mgmt
PING 10.253.1.254 (10.253.1.254) 100(128) bytes of data.
108 bytes from 10.253.1.254: icmp_seq=1 ttl=127 time=3.89 ms
. . .
--- 10.253.1.254 ping statistics ---

• Configure the NTP, DNS (required for Downloadable roles) and the RADIUS server
!
configure
ntp vrf mgmt
ntp server 10.250.1.3 iburst
ntp enable
ip dns server-address 10.253.1.254 vrf mgmt
end
NOTE: For the downloadable user roles lab, later on, it is required to have the ClearPass server configured by the FQDN,
not by the IP address. That is why we need to configure a DNS server. In a production deployment make sure the ClearPass
is entered in the DNS server as well.
Besides that, it is always a good practice to have all your network equipment time synchronized through NTP, for
downloadable user roles and User Based Tunnel, it is a requirement to have all clocks synchronized across switches,
controllers and ClearPass servers.
Test connectivity with the ClearPass server

ping cppm.arubatraining.com vrf mgmt
PING cppm.arubatraining.com (10.253.1.100) 100(128) bytes of data.

108 bytes from 10.253.1.100: icmp_seq=1 ttl=63 time=0.370 ms
. . .
--- cppm.arubatraining.com ping statistics ---

rtt min/avg/max/mdev = 0.370/0.414/0.475/0.045 msPING 10.253.1.254 (10.253.1.254) 100(128)
bytes of data.
NOTE: If it is hard or impossible to get DNS working from the switch, you can create a ‘hosts’ file equivalent local hostname
to IP mapping:
DO NOT ENTER: ip dns host cppm.arubatraining.com 10.253.1.100 vrf mgmt.
DO NOT ENTER: ping cppm.arubatraining.com vrf mgmt.
DO NOT ENTER: PING cppm.arubatraining.com (10.253.1.100) 100(128) bytes of data.

LAB GUIDE
DO NOT ENTER: 108 bytes from 10.253.1.100: icmp_seq=1 ttl=63 time=0.452 ms

• Check NTP. There should be an * in front and the REF-ID should be different from .INIT.. NTP may take a few minutes to be
enabled after the configuration.
show ntp associations
----------------------------------------------------------------------
ID NAME REMOTE REF-ID ST LAST POLL REACH
----------------------------------------------------------------------
* 1 10.250.1.3 10.250.1.3 LOCAL(0) 9 47 64 1
----------------------------------------------------------------------
• Configure ClearPass as the RADIUS server:
!
configure
radius-server host cppm.arubatraining.com key plaintext radius123 vrf mgmt
aaa group server radius clearpass
server cppm.arubatraining.com vrf mgmt
exit
radius dyn-authorization enable
!
Connect to the ClearPass Server Policy manager

• Google Chrome is on the Windows Desktop and the preferred browser for this lab.
• Open the browser and go to https://10.253.1.100/tips/
• Login using
• Username: readonly
• Password: readonly
Make sure you can successfully log in. We will continue with the switch configuration and come back to ClearPass later.
Configure MAC Authentication on the Access Stack (6300-A)

• Configure MAC authentication globally and at the interface level
!
configure
aaa authentication port-access mac-auth
radius server-group clearpass
enable
exit
!
aaa authentication port-access mac-auth enable
!
• Disable and enable ports 1/1/1 and 2/1/1 to trigger MAC authentication
shutdown
no shutdown
exit
• Verify that the Windows client has authenticated correctly
Note: it may take a few seconds for the following command to show the result
!
show aaa authentication port-access int all client-status
Port Access Client Status Details
Client 00:50:56:90:a1:bd, 00505690a1bd

============================
Session Details
---------------
Port : 1/1/1
Session Time : 57s

LAB GUIDE
IPv4 Address :
IPv6 Address :
Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : dot1x - Not attempted, mac-auth – Authenticated
Auth History : mac-auth - Authenticated, 41s ago
Authorization Details
----------------------
Role : RADIUS_773420618
Status : Applied
• Go to the ClearPass server web page and look for
Verify that there is an entry confirming the authentication. Look at the NAS IP Address column and see if there is an entry
(at the top or close to the top) with your 6300’s management address (10.251.X.4).
If you find the record, observe the Login Status, it should be: ACCEPT.
You can view more details by double-clicking on the entry. The Request Details popup should appear. Check the Input and
Output tabs.
• Save the configuration

!
exit
write memory
!
Configure 802.1X Authentication on the Access Stack (6300-A)

• Configure Dot1X authentication globally and at the interface level
!
configure
aaa authentication port-access dot1x authenticator
radius server-group clearpass
enable
exit
!
aaa authentication port-access dot1x authenticator enable
!
end
write memory
!
• To match proper security standards, we will now import the RADIUS server Root certificate into your Windows certificate
store. In ClearPass, go to Administration, Certificates, Trust List and filter the Subject on ‘vlabs’:

LAB GUIDE
• Click on the first one, the one NOT having (Signing) in the name. and export it:
• Save the file TrustedCertificate.crt

• From the downloaded file, or in File Explorer, double-click the downloaded file TrustedCertificate.crt
• From the Certificate Window, click Install Certificate….
• Select Local Machine; Next, place all certificates in the following Store; Select Trusted Root Certification Authorities:

LAB GUIDE
• Press OK, Next, Finish to conclude the certificate import, and after a few seconds of delay there should be an import
successful message:
• Next, we need to enable the 802.1X supplicant on the client.

BEST-PRACTICE NOTE: On production networks, you would do both the certificate import we just did, and enabling the
802.1X supplicant through Active Directory Group Policies (GPO) or through a Device Management solution. This
configuration should happen automatically for the user, and users should never need to go through these steps. We don’t
have an Active Directory in the labs, so that is why you need to do the configuration manually.
• IMPORTANT: In the next steps, it can be that Wired AutoConfig is already enabled on your lab system. In that case, just
verify that it is running and configured for automatic start.
• On the Windows client, go to the bottom left, find the search box and type services.
TECH-TIP: You can do the following steps to enable Wired AutoConfig and set to automatic through an elevated Command
Prompt under Windows as well:
net start "Wired Autoconfig"
sc config DOT3SVC start=auto
• Scroll through the list and find: Wired AutoConfig.
• Right-click on it and Start the service and make it startup Automatic as well, so if you reboot the client the 802.1X for wired
will restart automatically:

LAB GUIDE
• To enable 802.1X authentication on the Ethernet port

• Locate the network icon on the bottom right of your screen. Right-click on it and select Open Network and
Sharing Center
• On the left menu select Change Adapter Settings
• Locate the connection called 6300, right-click and open Properties
• On the Authentication tab:
• Enable 802.1X authentication
• Go to Settings and enter the EAP server name cppm.arubatraining.com in the ‘Connect to these servers’ field, and
select the Aruba vLabs Root CA 2021 as trusted Root CA:
• And under EAP MSCHAP v2 Configure... verify/uncheck Automatically use my Windows logon name . . .

LAB GUIDE
• Close the Settings page and open the Additional Settings popup
• Under Specify authentication mode select User Authentication, and Save credentials
• Enter
Username: tX-user1 - Password: password
• Click OK to confirm all popup windows
BEST-PRACTICE NOTE: It is important to configure the 802.1X settings (supplicant) in Windows correctly with the proper
certificates. EAP MSCHAPv2 has been broken and when deployed like this it is only depending on the EAP server certificate
being validated. Although out of scope for this lab, EAP-TLS where client certificates are used for authentication, instead of
passwords, is strongly recommended. In production environments you should have the root certificate installation and
supplicant settings automatically deployed, like with Group Policies in Active Directory or a Device Management system for
non-Windows devices.
• Keep the Network Connections window open to monitor the state of the 6300 NIC
If the authentication is successful you should see:
• Check from the client that you can ping your access switch:
C:\ >ping 10.1.X5.99
Pinging 10.1.X5.99 with 32 bytes of data:

Reply from 10.1.X5.99: bytes=32 time=4ms TTL=64
Reply from 10.1.X5.99: bytes=32 time<1ms TTL=64
Ping statistics for 10.1.X5.99:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 4ms, Average = 1ms
• Validate the authentication on the switch:
show aaa authentication port-access interface all client-status
Client 00:50:56:90:a1:bd, tX-user1

============================
Session Details
---------------

LAB GUIDE
Port : 1/1/1
. . .
----------------------
Status : dot1x Authenticated
Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
Auth History : dot1x - Authenticated, 50s ago
----------------------
Role : RADIUS_773420618
Status : Applied
Notice that the switch attempted 802.1X authentication first, and only if it fails it attempts MAC-auth. If you need the
equivalent of ArubaOS-Switch, that tries 802.1X and MAC-auth concurrently, you can configure the interfaces with port-
access onboarding-method concurrent to do both methods in parallel.
• and on the ClearPass server, in Access Tracker, check your authentication:
• Click on the authentication to see more details like the Service (Dot1x auth) and the Authentication method:

LAB GUIDE
LAB ACTIVITY 4: DOWNLOADABLE USER ROLES

With downloadable user roles, the switch will download role the role content from ClearPass dynamically after authentication.
In order for this to work, the switch needs to know how to trust the ClearPass server HTTPS certificate. We need to import the
Root CA that signed the ClearPass HTTPS Server certificate in the switch as a so-called trust anchor.
IMPORTANT: ClearPass will need to have a signed HTTPS certificate for this. The default certificate that comes out of the box is
a self-signed untrusted certificate and needs to be replaced by one issued by a Certificate Authority. Best-practice is to have
this HTTPS certificate issued by a well-known public Certificate Authority, especially if you are deploying Guest or Onboard. For
lab purposes, you can use the ClearPass built-in Onboard Certificate Authority, which is what we did in this lab.
The easiest, and most reliable way to get the correct Root Certificate is through the URL:
http://10.253.1.100/.well-known/aruba/clearpass/https-root.pem
… and replace the hostname with your own ClearPass server in your own networks.
Export ClearPass’ Root CA:

• Open Chrome and go to http://10.253.1.100/.well-known/aruba/clearpass/https-root.pem:
• Select the full content (you can use Ctrl-A), including the line -----BEGIN CERTIFICATE------- and -----END CERTIFICATE------
and ‘Copy’ it by right-clicking or Ctrl-C
NOTE: Some browsers like Edge show the content all on a single line without line-breaks. Make sure the certificate shows like
above, use Chrome to be sure.
Install the Certificate on the switch

On the 6300A switch
• Create the context for the certificate
! Disable auto-confirm to show prompts
no auto-confirm
configure
crypto pki ta-profile cppm
ta-certificate import terminal
Paste the certificate in PEM format below, then hit enter and ctrl-D:
• On the console of the 6300A VSF stack right-click to paste the certificate.
IF YOU HAVE ISSUES: Some people struggle at this point to get the certificate imported. Make sure you paste the certificate
immediately after the previous command. If there is an empty line, or erroneous lines in, the import will abort and you will
need to start over. Also, make sure that after the last line (END CERTIFICATE) you have pressed Enter before you press Ctrl-
D, so the Ctrl-D is the first character on a new line.
Enter: Ctrl-D to confirm.
6300-A(config-ta-cert)# Ctrl-D
The certificate you are importing has the following attributes:
Subject: C = US, ST = California, L = Sunnyvale, O = Aruba Networks, CN = Aruba vLabs Root
CA 2021, emailAddress = 03d6e417-a9b0-4638-8e62-ac3410a4646d@example.com

LAB GUIDE
Issuer: C = US, ST = California, L = Sunnyvale, O = Aruba Networks, CN = Aruba vLabs Root

CA 2021, emailAddress = 03d6e417-a9b0-4638-8e62-ac3410a4646d@example.com
Serial Number: 0x11
TA certificate import is allowed only once for a TA profile
Do you want to accept this certificate (y/n)? y
• Verify:
! Exit the configuration
end
show crypto pki ta-profile
TA Profile Name TA Certificate Revocation Check
-------------------------------- -------------------- ----------------
cppm Installed, valid disabled
show crypto pki ta-profile cppm

TA Profile Name : cppm
Revocation Check : disabled
OCSP Primary URL: Not Configured
OCSP Secondary URL: Not Configured
OCSP Enforcement-level: strict
OCSP Disable Nonce: false
OCSP VRF : mgmt
TA Certificate : Installed and valid
Certificate:
Data:
. . .
• Save the configuration

write memory
Copying configuration: [Success]
Create the “download” user

• On the ClearPass server, a user has been already created for the switch to login and request the User Role download
On the 6300A
!
configure
radius-server host cppm.arubatraining.com clearpass-username duradmin clearpass-password
plaintext download123 vrf mgmt
end
write memory
!
• Verify
show run | include radius

LAB GUIDE
radius-server host cppm.arubatraining.com key ciphertext <. . .> clearpass-username duramin

clearpass-password ciphertext <. . .> vrf mgmt
aaa group server radius clearpass
…
Test the Downloadable User Role

• Verify the state of the port your client is connected to
Note: it can be 1/1/1 or 2/1/1: use show MAC-address table to determine which one:
show interface 1/1/1

Interface 1/1/1 is up
Admin state is up
. . .
qos trust none
Speed 1000 Mb/s
Auto-negotiation is on
. . .
VLAN Mode: access
Access VLAN: 105
. . .
Note: the qos trust mode will change when the new user role is enforced
• In the windows client, change the User Credentials used on the 6300 adapter: tX-user3 and password
• Save and close all the popups by clicking OK

• The client should re-authenticate automatically
• Go to the ClearPass server and verify the authentication:
• On the top-left menu select Policy Manager
• Go to Monitoring and select Live Monitoring / Access Tracker
• Find the entry that shows your login:
• Click on the log entry to view the details of the authentication

LAB GUIDE
• Go to the Output tab and open the RADIUS Response details:
On the 6300A
show port-access clients interface 1/1/1 detail
Port Access Client Status Details:
Client 00:50:56:90:87:ab, tX-user3

============================
Session Details
---------------
Port : 1/1/1
Session Time : 11223s
IPv4 Address :
IPv6 Address :
VLAN Details
------------
VLAN Group Name :
VLANs Assigned : X5
Access : X5
Native Untagged :
Allowed Trunk :
----------------------
mac-auth - Attempted, 29s ago
----------------------
Role : Web_PoE_DSCP_DUR-3002-3
Status : Applied
Role Information:

LAB GUIDE
Name : Web_PoE_DSCP_DUR-3002-3
Type : clearpass
Status: Completed
----------------------------------------------
Reauthentication Period :
Cached Reauthentication Period :
Authentication Mode :
Session Timeout :
Client Inactivity Timeout :
Description :
Gateway Zone :
UBT Gateway Role :
UBT Gateway Clearpass Role :
Access VLAN :
Native VLAN :
Allowed Trunk VLANs :
Access VLAN Name :
Native VLAN Name :
Allowed Trunk VLAN Names :
VLAN Group Name :
MTU :
QOS Trust Mode : dscp
STP Administrative Edge Port :
PoE Priority : critical
Captive Portal Profile :
Policy : webonly_Web_PoE_DSCP_DUR-3002-3
Access Policy Details:
Policy Name : webonly_Web_PoE_DSCP_DUR-3002-3

Policy Type : Downloaded
Policy Status : Applied
SEQUENCE CLASS TYPE ACTION

----------- ---------------------------- ---- ----------------------------------
1 web-traffic_Web_PoE_DSCP_... ipv4 permit
2 dhcp_Web_PoE_DSCP_DUR-3002-3 ipv4 permit
3 dns_Web_PoE_DSCP_DUR-3002-3 ipv4 permit
Class Details:
class ip web-traffic_Web_PoE_DSCP_DUR-3002-3
10 match tcp any any eq 80
class ip dhcp_Web_PoE_DSCP_DUR-3002-3
10 match udp any any eq 67
class ip dns_Web_PoE_DSCP_DUR-3002-3
10 match udp any any eq 53
NOTE: the QoS trust mode has been changed by the application of the user role.
BACKGROUND INFO: The Role has the name of the Enforcement Profile in ClearPass (Web-PoE-DSCP-DUR) an appended to
that two numbers. 3002 is the role ID internal to ClearPass, the -3 is a versioning number. When the ClearPass admin
changes the role content, for the next authentication ClearPass will use Web-PoE-DSCP-DUR-3002-4, and the switch will
know to download the new revision of the role and apply that. Already connected clients will keep using the old role until
there is a re-authentication.
• Verify the port access role independent from the assignment to an interface:

LAB GUIDE
show port-access role
Role Information:
Name : Web_PoE_DSCP_DUR-3002-3
Type : clearpass
Status: Completed
----------------------------------------------
Session Timeout :
. . .
Access VLAN Name :
Native VLAN Name :
MTU :
QOS Trust Mode : dscp
PoE Priority : critical
Policy : webonly_Web_PoE_DSCP_DUR-3002-3
• As you may have seen, the Policy allows HTTP, HTTPS, DNS, and DHCP, but not ICMP. Let’s check that from the Windows
command line by pinging the core
C:\>ping 10.1.X5.99

Request timed out.
Request timed out.
Request timed out.
Request timed out.

• Now open a browser window to https://10.1.X5.99/ and see that you can access your switch through HTTP/HTTPS:

LAB GUIDE
LAB ACTIVITY 5: USER-BASED TUNNELING

Configure the access switch
On the 6300-A
Note: This activity implements a local user role to assign User-Based Tunneling to your Windows client.
• Create the UBT client VLAN and UBT source address

configure
vlan 1000
exit
ubt-client-vlan 1000
ip source-interface ubt 10.1.X5.99
• Configure and the UBT gateway zone – it points to the MC7005 controller
ubt zone ubt-lab vrf default
primary-controller ip 10.1.X4.100
enable
exit
!
• Configure the local user role for UBT
port-access role tunnel-mc
gateway-zone zone ubt-lab gateway-role ubt-tunneled-X3
end
write memory
NOTE: We create a local user role on the switch named tunnel-mc. This role could have been a downloadable role as well, but
we did not in this case. Remember that a ubt role also can be either local or downloadable so you are flexible in what you
configure.
• Verify the UBT zone
show ubt zone ubt-lab
Zone Name : ubt-lab

UBT Mode : local-vlan
Primary Controller : 10.1.X4.100
Backup Controller : ---/---
SAC HeartBeat Interval : 1
UAC KeepAlive Interval : 60
VLAN Identifier : 1000
VRF Name : default
Admin State : Enabled
PAPI Security Key : Disabled

LAB GUIDE
Configure the controller

• Login with
Username: admin
Password: password
• Configure NTP client to the core switch; ignore the warning:
config t
ntp server 10.1.X4.1 iburst
Warning: NTP server(s) updated! It is recommended to reboot the device(s) on /mm/mynode
node, as certain time sensitive applications like IKE/IPSec/Certmgr may get impacted.
! next just ntp to enable ntp
ntp
• Configure the gateway role:
user-role ubt-tunneled-X3
vlan X3
access-list session allowall
end
write mem
NOTE: The controller will activate the configuration only after you enter the write mem command.
On the 8325 Switch configure a DHCP Server and the WebUI on the VRF Default
!
configure
https-server vrf default
dhcp-server vrf default
pool VX3
range 10.1.X3.200 10.1.X3.209 prefix-len 24
lease 00:01:00
exit
enable
end
write memory
• Verify
show dhcp-server
VRF Name : default

DHCP Server : enabled
Operational State : operational
Authoritative Mode : false
Pool Name : V103

Lease Duration : 00:01:00
DHCP dynamic IP allocation

----------------------------
Start-IP-Address End-IP-Address Prefix-Length
----------------- --------------- -------------
10.1.X3.200 10.1.X3.209 24

LAB GUIDE
Prepare the client

On the Windows client’s 6300 adapter:
• Open properties. Change the IP address to DHCP
• Change the authentication user

Username: tX-user4
Password: password
• The client should authenticate automatically after changing the authentication user.
• When finished, the adapter’s status should have changed to “Network #”
Validate
On the ClearPass Server
• Locate the authentication entry (Access Tracker) and verify the output
• Remember that the Aruba-User-Role VSA is used for local roles while the Aruba-CPPM-Role is used for downloadable roles.
If you see a failed authentication in the next step, please double-check the gateway role name as configured on your 6300
versus the user-role name you configured on the 7005 gateway.
On the 6300A Switch
show port-access clients interface 1/1/1 detail

============================
Session Details
---------------
Port : 1/1/1
IPv4 Address :
IPv6 Address :
VLAN Details

LAB GUIDE
------------
VLAN Group Name :
VLANs Assigned : 1000
Access : 1000
Native Untagged :
Allowed Trunk :
----------------------
----------------------
Role : tunnel-mc
Status : Applied
Role Information:
Name : tunnel-mc
Type : local
----------------------------------------------
Cached Reauthentication Period :
Session Timeout :
Client Inactivity Timeout :
Description :
Gateway Zone : ubt-lab
UBT Gateway Role : ubt-tunneled-X3
UBT Gateway Clearpass Role :
Access VLAN :
Native VLAN :
Access VLAN Name :
Native VLAN Name :
VLAN Group Name :
MTU :
QOS Trust Mode :
PoE Priority :
Policy :
UBT Zone Details:
Zone Name : ubt-lab

UBT Mode : local-vlan
Primary Controller : 10.1.X4.100
Backup Controller : ---/---
SAC HeartBeat Interval : 1
UAC KeepAlive Interval : 60
VLAN Identifier : 1000
VRF Name : default
Admin State : Enabled
PAPI Security Key : Disabled
show ubt brief
---------------------------------------------------------------------------
Zone Name UBT Mode Primary Controller Address VRF Name Status

LAB GUIDE
----------------------------------------------------------------------------
ubt-lab local-vlan 10.1.X4.100 default Enabled
show ubt users all
Displaying All UBT Users for Zone: ubt-lab

Downloaded user roles are preceded by *
Port Mac-Address Tunnel Status Secondary-UserRole Failure Reason
-------------------------------------------------------------------------------------------
1/1/1 00:50:56:90:a1:bd activated ubt-tunneled-X3 ---/---
show ubt state
Local Master Server (LMS) State:
LMS Type IP Address State Role

---------------------------------------------------------------------
Primary : 10.1.X4.100 ready_for_bootstrap operational_primary
Switch Anchor Controller (SAC) State:
IP Address MAC Address State

-----------------------------------------------------------------
Active : 10.1.X4.100 20:4c:03:03:be:10 registered
User Anchor Controller(UAC): 10.1.X4.100
User Port State Bucket ID Gre Key VLAN

----------------------------------------------------------------------------------
00:50:56:90:a1:bd 1/1/1 registered 140 1 1000
show vlan
------------------------------------------------------------------------------------------
VLAN Name Status Reason Type Interfaces
------------------------------------------------------------------------------------------
1 DEFAULT_VLAN_1 down no_member_forwarding default 1/1/2-1/1/24,1/1/26,1/1/28,
2/1/2-2/1/24,2/1/26-2/1/27
15 VLAN15 up ok static 2/1/1,lag1
1000 VLAN1000 up ok static 1/1/1
Note that VLAN X3 and X4 are not active on the access switch, only on the core and the controller.
On the MC7005
• Check the tunneled users

show tunneled-node-mgr tunneled-users
Tunneled User Table Entries

---------------------------
Flags: U - User Anchor Controller(UAC),

S - Standby User Anchor Controller(S-UAC),
T - Tagged VLAN,
A - Authenticated on Tunneled Node,
C - Convert BC & MC into Unicast,
User Tunneled User Mac Tunneled Node Mac Vlan UAC IP Address Key Tunnel Index Flags
---- ----------------- ----------------- ---- -------------- --- ------------ -----
tX-user4 00:50:56:90:a1:bd 88:3a:30:92:f4:80 1000(X3) 10.1.X4.100 1 tunnel 10 UAC
• Additionally, run the following show commands and analyze their output.

LAB GUIDE
Locate the IP address to verify that if the DHCP server worked, and gateway role (secondary role) has been applied.
show station-table
! (check output in your own lab setup)
Station Entry
-------------
MAC Name Role Age(d:h:m) Auth AP name Essid Phy Remote Profile User Type
------------ ------ ---- ---------- ---- ------- ----- --- ------ ------- ---------
00:50:56:90:a1:bd tX-user4 ubt-tunneled-X3 00:00:12 Yes 10.1.X5.99 - 1/1/1 No default-tunneled-user TUNNELED USER
Station Entries: 1
show user
Users
-----
IP MAC Name Role Auth AP name User Type
---------- ------------ ------ ---- ---- ------- ---------
10.1.X3.200 00:50:56:90:87:ab tX-user4 ubt-tunneled-X3 Tunneled-User-802.1X 10.1.X5.99 TUNNELED USER
Check in the above output the client IP as seen on the controller (IP from DHCP in VLAN X3 from the core; VLAN X3 is not
available on the access switch); the assigned role, and the switch IP as ‘AP name’.
! show the client traffic in the datapath of the controller:

show datapath session table
!
On the Windows client
• On the command prompt:

ipconfig
Ethernet adapter 6300:
Connection-specific DNS Suffix . :

Link-local IPv6 Address . . . . . : fe80::9847:e52c:d652:4e93%16
IPv4 Address. . . . . . . . . . . : 10.1.X3.200
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.X3.1
ping 10.1.X3.1


Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
You are direct connected to the core.
• On Chrome, try to open the WebUI of the 8325

Enter the 8325 WebUI URL: https://10.1.X3.1
On the 8325 Core:

# show mac-address-table
MAC age-time : 300 seconds
Number of MAC addresses : 3
MAC Address VLAN Type Port

--------------------------------------------------------------
00:50:56:90:87:ab X3 dynamic lag11
20:4c:03:03:bd:88 X4 dynamic lag11
88:3a:30:92:85:c0 X5 dynamic lag12

LAB GUIDE
Note that your client is behind port lag11, which is where the controller is connected. So from the core seen, the client is at
the controller.
Let’s describe the packet flow step by step in detail for User Based Tunnel in the next diagram:
The Client (PC) has been assigned a user role at the gateway (MC) in VLAN X3. This means that the client logically lives in that
VLAN and traffic is tunneled between the switch (SW) and gateway (MC) where it surfaces again and is ‘virtually’ local to that
VLAN X3.
• Step 1: Client (PC) starts, and sends a packet to the Server (S) IP, the destination MAC is the router in VLAN X3 at the
controller side.
• Step 2: Switch has role that requires tunneling, so encapsulates the packet in a GRE header that is between the Switch (SW)
and the Controller/Gateway (MC). That combination is routed to the MC via the Core; a Dot1Q VLAN tag is applied
• Step 3: Core routes the packet, GRE still in-tact, 1Q and L2 (outer) changed following standard routing.
• Step 4: MC receives on VLAN X4, then decapsulates the GRE and keeps the original packet. Because the user role for this
user has VLAN X3, the packet is sent to the core in VLAN X3 (assuming the firewall rules for the user role allow this).
• Step 5: Core routes the packet to VLAN X1
• Step 6: Server (S) in VLAN X1 receives the packet
• Return path would be similar, but in the other direction

LAB GUIDE
LAB ACTIVITY 6: TROUBLESHOOTING

Troubleshooting commands
• On your Windows client, change back your IP address assignment on the 6300 interface from DHCP to the static
assignment:
IP address: 10.1.X5.200
Mask: 255.255.255.0
Default gateway: (leave empty)
• Change the authentication user

Username: tX-user5
Password: password
• Check ClearPass to see that the client successfully authenticated, and a DUR is returned:
From ClearPass, all looks good. ACCEPT Status and Role is returned.
• Now check the client status on the 6300 switch:
show aaa authentication port-access interface 1/1/1 client-status

============================
Session Details
---------------
Port : 1/1/1
IPv4 Address :
IPv6 Address :
----------------------
----------------------

LAB GUIDE
Role :
Status : Not Ready
The Role status is: Not Ready, which means there is something wrong.
• Run show logging -r to find out what is wrong with the role sent:
show logging -r
---------------------------------------------------
Event logs from current boot
2021-04-22T15:19:33.149406+00:00 PN10-6300-VSF port-accessd[3415]:
Event|9301|LOG_ERR|MSTR|1|Failed to apply ClearPass role - Send_DUR_Lab6_Role-3018-5 -
Invalid input: eq Error at Line 6 - match ip any any eq 53 RET_VAL
The issue here is that match ip any any eq 53 is sent, but an ip match does not allow a port number. You are advised to
check the contents of downloadable user roles in the CLI of a switch first, before entering it in ClearPass. If you make
changes, be careful not to break the role and test well after your change as you may lock out clients from the network.
NOTE: Important to understand here, is that if there is an error in the Downloadable User Role contents, everything in the
role is rejected and NO access at all is granted to the client.
• Check this by pinging the gateway:

C:\Users\admin>ping 10.1.X5.1

Reply from 10.1.X5.200: Destination host unreachable.
Request timed out.
Request timed out.
Request timed out.

• The following is just an example of logging if you have an issue with your trust-anchor on the switch or certificate on the
ClearPass:
show logging -r
---------------------------------------------------
---------------------------------------------------
2021-02-16T18:52:36.416793+00:00 PN1-6300-A port-accessd[3516]:
Event|7709|LOG_WARN|MSTR|1|Certificate cppm.arubatraining.com rejected due to
verification failure (30)
• When you have found the root cause of the issue, let’s have another troubleshooting ticket.
On the Windows client, change the authentication user
Username: tX-user6
Password: password
• The client should authenticate automatically after changing the authentication user.
• Checkout the status of the client. For some reason, the client failed to get proper access to the network. It is for you to find
out what the root cause is, and you can use your imagination on how to fix the issue.
• Guidance for this troubleshooting ticket:
• You may see the issue immediately from ClearPass Access Tracker, but please find the root cause of this issue
through logging of the switch.
• You need to dig a bit deeper into the debugging:
§ Start to debug the radius and portaccess processes. To limit the amount of logging messages, you only
have to enable debugging for the relevant processes. For example, you can see that the dot1x
authentication is successful when you check the port-access status for the interface. This means that you
don’t have to activate debugging for dot1x. Because you are performing dot1x authentication, this means
that you also don’t have to activate debugging for mac-auth. And the same applies for accounting,

LAB GUIDE
portsecurity and deviceprofile

• You can start the debugging to the buffer with the command: debug destination buffer
• You can start the debugging to the console (only with terminal access, not SSH) with the command: debug
destination console
• You can enable debugging for the relevant processes with the command: debug …. (hint: check out portaccess
and radius)
• You can stop all debugging with the command: no debug all
• You can clear the debug buffer with the command: clear debug buffer
• Please put the log line from the switch in a personal chat message to the instructors.
• If you found the root cause, you can fix it, using your own imagination.

LAB GUIDE
LAB ACTIVITY 7: AOS-CX ADMIN AUTHENTICATION TACACS+

While not fully Dynamic Segmentation, configuring TACACS+ authentication can be useful to have done once.
• On the ClearPass we prepared the TACACS Service, and a policy with the following enforcement:
• In this policy the AOS-CX Administrator returns a Shell:priv-lv = 15:
• The AOS-CX Operator returns Shell:priv-lvl=1, following this table from the AOS-CX Security Guide (10.4):
What this policy will do:
- User tX-user1 will get admin level access (full)
- User tX-user2 will get operator access (read/limited)
- Other users will not get access (Default Profile: [TACACS Deny Profile]
Let’s configure the switch for TACACS:

tacacs-server host cppm.arubatraining.com key plaintext tacacs123 vrf mgmt
aaa group server tacacs clearpass-tacacs
server cppm.arubatraining.com vrf mgmt
!
aaa authentication login ssh group clearpass-tacacs local
Note we just configured TACACS for ssh now, so on console and web you can still use local authentication. If all works fine,
you can consider changing all authentication to TACACS, which would be the command aaa authentication login
default group clearpass-tacacs tacacs local
• Make sure that you are in a role that has SSH access to your Access Switch. Easiest is to enable 802.1X on your interface
again with the username tX-user1 for 802.1X, and set back your IP to the static IP 10.1.X5.200 / 255.255.255.0.

LAB GUIDE
• Connect with PuTTY to your switch
• Use user tX-user1 to log in, and go into configuration mode to check if you have full admin access:
tX-user1@10.1.X5.99's password: password
Last login: 2021-02-24 15:51:32 from 10.1.X5.200

User "tX-user1" has logged in 7 times in the past 30 days
6300-A# conf t
6300-A(config)#
• Check the same with tX-user2, and see if you get operator access:
tX-user2@10.1.X5.99's password: password
Last login: 2021-02-24 15:51:05 from 10.1.X5.200

User "t1-user2" has logged in 2 times in the past 30 days
6300-A> conf t
Invalid input: conf
• Check with tX-user3, which should not get access:
tX-user3@10.1.X5.99's password:
Access denied
• You can check in Access Tracker. One thing that may look weird is that you see an ACCEPT for user3, as authentication is
successful, but a Deny Access is returned. Which is what we wanted to configure.
END OF LABS

LAB GUIDE
APPENDIX: CLEARPASS CONFIGURATION

This appendix is for reference only, and shows relevant configuration on the ClearPass server used in this lab.
• Services
• Dot1X auth:

LAB GUIDE
class ip web-traffic
match tcp any any eq 80
exit
class ip dns
match udp any any eq 53
exit
class ip dhcp
match udp any any eq 67
exit
port-access policy webonly
1 class ip web-traffic
2 class ip dhcp
3 class ip dns
exit
port-access role poe-dscp-role
poe-priority critical
trust-mode dscp
associate policy webonly
exit

LAB GUIDE
• Service MAC-AUTHEN

LAB GUIDE
• AOS-CX Admin Access TACACS

LAB GUIDE

LAB GUIDE
APPENDIX: SOLUTION TO THE TROUBLESHOOTING LAB

Some explanation on the troubleshooting lab 6 second assignment. The issue is that the client with
downloadable user role does not get access.
In ClearPass we see success:
But on the switch, we see a fail:

PN3-6300-A# show port-access clients
Port Access Clients
Status codes: d device-mode
----------------------------------------------------------------------------------
Port MAC-Address Onboarding Status Role
Method
----------------------------------------------------------------------------------
1/1/1 00:0c:29:ce:46:fa Fail
Check some more detail:

PN3-6300-A# show port-access clients interface 1/1/1 detail
Client 00:0c:29:ce:46:fa, t3-user6

============================
Session Details
---------------
Port : 1/1/1
IPv4 Address :
IPv6 Address :
----------------------
----------------------
Role :
Status : Invalid
Now, why do we get this Invalid/failed? Let’s have a look in the switch logging:
PN3-6300-A# show logging -r
---------------------------------------------------
---------------------------------------------------
Event|10502|LOG_INFO|MSTR|1|Port 1/1/1 is blocked by port-access
2021-04-06T13:56:23.575454+00:00 PN3-6300-A intfd[756]: Event|403|LOG_INFO|UKWN|1|Link
status for interface 1/1/1 is up
2021-04-06T13:56:23.542155+00:00 PN3-6300-A lldpd[3020]:
Event|110|LOG_INFO|MSTR|1|Configured LLDP reinit-delay to 2
Event|10503|LOG_INFO|MSTR|1|Port 1/1/1 is unblocked by port-access
2021-04-06T13:56:13.972544+00:00 PN3-6300-A intfd[756]: Event|404|LOG_INFO|UKWN|1|Link
status for interface 1/1/1 is down

LAB GUIDE
Well, that is not too useful. Let’s enable some debugging.

# no debug all
# no debug destination console
# clear debug buffer
# debug portaccess all
Bounce the port:
# configure terminal
# interface 1/1/1
# shutdown
# no shutdown
Check the debug logs:
# show debug buffer
PN3-6300-A(config-if)# show debug buffer reverse
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
show debug buffer
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
2021-04-06:14:25:26.463544|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39204 logID=39204 DB
Operation: Update dot1x statistics for port '1/1/1': statistics update for port row with
uuid df4c2259-327c-468b-9616-7648275041e2 successful
2021-04-06:14:25:21.462100|port-
2021-04-06:14:25:16.459664|port-
2021-04-06:14:25:11.458395|port-
2021-04-06:14:25:06.455190|port-
2021-04-06:14:25:01.452227|port-
2021-04-06:14:24:56.448818|port-
2021-04-06:14:24:51.444429|port-
2021-04-06:14:24:46.442877|port-
2021-04-06:14:24:41.440416|port-
2021-04-06:14:24:39.439987|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39157 Handing over the event
15 to component Accounting Req

LAB GUIDE
2021-04-06:14:24:39.439964|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|Dropped 14 log messages in last 50
seconds (most recently, 50 seconds ago) due to excessive rate
2021-04-06:14:24:36.439527|port-
2021-04-06:14:24:31.435858|port-
2021-04-06:14:24:26.434076|port-
2021-04-06:14:24:21.427918|port-
2021-04-06:14:24:16.423290|port-
2021-04-06:14:24:11.419609|port-
2021-04-06:14:24:06.418027|port-
2021-04-06:14:24:01.415008|port-
2021-04-06:14:23:56.411354|port-
2021-04-06:14:23:51.407059|port-
2021-04-06:14:23:49.591477|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Handling db
write(Update) success for client 00:0c:29:ce:46:fa in port 1/1/1
2021-04-06:14:23:49.591457|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Handling db
write(Update) success for client 00:0c:29:ce:46:fa in port 1/1/1
2021-04-06:14:23:49.591433|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DYNAUTZ|logID=39107 Successfully updated DB
with RADIUS CoA attributes
2021-04-06:14:23:49.591414|port-
Operation: Update state for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1': state update for
pae with MAC 00:0c:29:ce:46:fa on port '1/1/1' successful
2021-04-06:14:23:49.591394|port-
Operation: Update RADIUS attributes for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1':
RADIUS attributes update for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1' successful
2021-04-06:14:23:49.591367|port-
Operation: Update username for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1': username
update for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1' successful

LAB GUIDE
2021-04-06:14:23:49.582966|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating profile state
of client 00:0c:29:ce:46:fa in port 1/1/1 to not-valid
2021-04-06:14:23:49.582949|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating onboarded
method of client 00:0c:29:ce:46:fa in port 1/1/1 to dot1x
2021-04-06:14:23:49.582931|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating authentication
state of client 00:0c:29:ce:46:fa in port 1/1/1 to authenticated
2021-04-06:14:23:49.582914|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating radius server
state of client 00:0c:29:ce:46:fa in port 1/1/1 to rowb4170e9c_972f_477c_9f40_4fbf97c60bef
2021-04-06:14:23:49.582893|port-
accessd|LOG_INFO|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 PortClientProfile current
profile type is invalid 0
2021-04-06:14:23:49.582873|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Executing db
write(Update) for client 00:0c:29:ce:46:fa in port 1/1/1
2021-04-06:14:23:49.582848|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating profile state
of client 00:0c:29:ce:46:fa in port 1/1/1 to not-valid
2021-04-06:14:23:49.582827|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating onboarded
method of client 00:0c:29:ce:46:fa in port 1/1/1 to dot1x
2021-04-06:14:23:49.582806|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating authentication
state of client 00:0c:29:ce:46:fa in port 1/1/1 to authenticated
2021-04-06:14:23:49.582781|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Updating radius server
state of client 00:0c:29:ce:46:fa in port 1/1/1 to rowb4170e9c_972f_477c_9f40_4fbf97c60bef
2021-04-06:14:23:49.582755|port-
accessd|LOG_INFO|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 PortClientProfile current
profile type is invalid 0
2021-04-06:14:23:49.582735|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Executing db
write(Update) for client 00:0c:29:ce:46:fa in port 1/1/1
2021-04-06:14:23:49.582565|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_MACAUTH_PROTOCOL|logID=39107 Event handler of
MACAuthPAE 00:0c:29:ce:46:fa on port 1/1/1 for event 'Portclient Auth Stop' in state 'NULL'
returned 'OK'
2021-04-06:14:23:49.582544|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_MACAUTH_PROTOCOL|logID=39107 Handling event
'Portclient Auth Stop' for MACAuthPAE 00:0c:29:ce:46:fa on port 1/1/1 in state 'NULL'
2021-04-06:14:23:49.582524|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_ACCOUNTING|logID=39107 No op for event
'CLIENT Del' in state 'NULL' for Acctreq
2021-04-06:14:23:49.582501|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_MACAUTH_PROTOCOL|logID=39107 Event handler of
MACAuthPAE 00:0c:29:ce:46:fa on port 1/1/1 for event 'Profile Status For Client' in state
'NULL' returned 'OK'
2021-04-06:14:23:49.582476|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_MACAUTH_PROTOCOL|logID=39107 Handling event
'Profile Status For Client' for MACAuthPAE 00:0c:29:ce:46:fa on port 1/1/1 in state 'NULL'
2021-04-06:14:23:49.582450|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39107 logID=39107 Event
handler of Dot1XPort '1/1/1' for event 'Profile Status For Client On Port' in state 'READY'
returned 'OK'
2021-04-06:14:23:49.582384|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39107 logID=39107
Handling event 'Profile Status For Client On Port' for Dot1XPort '1/1/1' in state 'READY'
2021-04-06:14:23:49.582361|port-
accessd|LOG_INFO|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Secure client state
changed for client 00:0c:29:ce:46:fa in port 1/1/1 to Authenticated but failed to apply
role.

LAB GUIDE
2021-04-06:14:23:49.582339|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Handling event Client
Status Changed for port 1/1/1 in state BLOCKED
2021-04-06:14:23:49.582316|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Request db write(Update)
for client 00:0c:29:ce:46:fa in port 1/1/1
2021-04-06:14:23:49.582292|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 portclientprofile SM
State transition [NULL] -> [INVALID PROFILE] for object with key '1/1/1, 00:0c:29:ce:46:fa'
2021-04-06:14:23:49.582273|port-
accessd|LOG_NOTICE|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Client '1/1/1
00:0c:29:ce:46:fa' failed authorization with role admin-client. State: INVALID PROFILE
2021-04-06:14:23:49.581926|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Event handler of
portclientauth with mac 00:0c:29:ce:46:fa on port '1/1/1' for event 'Auth-Response From
Auth-Module' in state 'AUTH IN PROGRESS' returned 'OK'
2021-04-06:14:23:49.581886|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Request db write(Update)
for client 00:0c:29:ce:46:fa in port 1/1/1
2021-04-06:14:23:49.581859|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 portclientauth SM State
transition [AUTH IN PROGRESS] -> [FINAL AUTH SUCCESS] for object with key '1/1/1,
00:0c:29:ce:46:fa'
2021-04-06:14:23:49.581833|port-
00:0c:29:ce:46:fa' identity 't3-user6' onboarded via dot1x successfully.
2021-04-06:14:23:49.579749|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=39107 Handling event 'Auth-
Response From Auth-Module' for mac 00:0c:29:ce:46:fain port 1/1/1 in state 'AUTH IN
PROGRESS'
2021-04-06:14:23:49.579724|port-
handler of Dot1XPort '1/1/1' for event 'First Authenticated Client On Port' in state
'DISCOVERING' returned 'OK'
2021-04-06:14:23:49.579706|port-
dot1xport SM State transition [DISCOVERING] -> [READY] for object with key '1/1/1'
2021-04-06:14:23:49.579685|port-
Handling event 'First Authenticated Client On Port' for Dot1XPort '1/1/1' in state
'DISCOVERING'
2021-04-06:14:23:49.579654|port-
handler of Dot1XPort '1/1/1' for event 'RADIUS Response Received On Port' in state
2021-04-06:14:23:49.579600|port-
accessd|LOG_DEBUG|MSTR|1|PORTACCESS|PORTACCESS_DOT1X_PROTOCOL|logID=39107 dot1xpae SM State
transition [AUTHENTICATING] -> [AUTHENTICATED] for user 't3-user6' with key '1/1/1,
00:0c:29:ce:46:fa'
2021-04-06:14:23:49.573699|port-
Handling event 'RADIUS Response Received On Port' for Dot1XPort '1/1/1' in state
'DISCOVERING'
2021-04-06:14:23:49.572413|port-
Operation: Update username for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1': username
update for pae with MAC 00:0c:29:ce:46:fa on port '1/1/1' successful
2021-04-06:14:23:49.572327|port-
handler of Dot1XPort '1/1/1' for event 'Dot1X EAP Packet Received on Port' in state
2021-04-06:14:23:49.571930|port-
Handling event 'Dot1X EAP Packet Received on Port' for Dot1XPort '1/1/1' in state
'DISCOVERING'

LAB GUIDE
PN3-6300-A(config-if)#
Wow, that is a lot… if you watch carefully, you can find the following log message:
2021-04-06:14:23:49.582273|port-
00:0c:29:ce:46:fa' failed authorization with role admin-client. State: INVALID PROFILE
The admin-client role does not exist in the switch as local user-role.
The data is there, it is in this specific case just hard to find the needle in the haystack.
Now we know this, we could have filtered the debug log messages to level notice and up:
# debug portaccess all severity notice
which would have resulted in only the relevant lines:
# show debug buffer
---------------------------------------------------------------------------------------------
2021-04-12:13:11:50.512859|port-
accessd|LOG_WARN|MSTR|1|PORTACCESS|PORTACCESS_SERVICES|logID=15750 Unable to update client
state of client 00:0c:29:2d:ff:ee in port 1/1/1 : Does not exist
2021-04-12:13:11:58.732553|port-
00:0c:29:2d:ff:ee' identity 't4-user6' onboarded via dot1x successfully.
2021-04-12:13:11:58.733295|port-
00:0c:29:2d:ff:ee' failed authorization with role admin-client. State: INVALID PROFILE
The solution could be to create that local user-role:

port-access role admin-client
trust-mode dscp
Or modify ClearPass to return a local user-role that does exist.
This exercise was in to demonstrate that it may be simple, like with the error in the ACL in the previous
example which shows up in the normal logs, or hard like this one where you need to enable debug logging
that generates massive amounts of data and if you don’t know what you are looking for, it is really hard to
find the actual issue.
END OF APPENDIX

LAB GUIDE
Last page left intentionally blank. However, after typing this it is no longer blank.
www.arubanetworks.com
3333 Scott Blvd. Santa Clara, CA 95054
1.844.472.2782 | T: 1.408.227.4500 | FAX: 1.408.227.4550 | info@arubanetworks.com
55

CXW02 - Dynamic Segmentation - Lab Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CXW02 - Dynamic Segmentation - Lab Guide

Uploaded by

Copyright:

Available Formats

LAB GUIDE

© 2021 Aruba, a Hewlett Packard Enterprise company

LAB ACTIVITY 1: SETTING UP VSF STACKING FOR CLIENT ACCESS ................................................. 8

LAB ACTIVITY 2: CONFIGURE THE AGGREGATION SWITCH (8325-A) ............................................... 13

LAB ACTIVITY 3: AUTHENTICATION ....................................................................................................... 18

LAB ACTIVITY 4: DOWNLOADABLE USER ROLES ............................................................................... 26

LAB ACTIVITY 5: USER-BASED TUNNELING ......................................................................................... 32

LAB ACTIVITY 6: TROUBLESHOOTING .................................................................................................. 39

LAB ACTIVITY 7: AOS-CX ADMIN AUTHENTICATION TACACS+ ......................................................... 42

APPENDIX: CLEARPASS CONFIGURATION ........................................................................................... 44

APPENDIX: SOLUTION TO THE TROUBLESHOOTING LAB .................................................................. 49

Version 20210423-v10.7a © 2021 Aruba, a Hewlett Packard Enterprise company 2

Figure 1. Aruba CX collapsed core campus network

LAB NETWORK LAYOUT

Version 20210423-v10.7a © 2021 Aruba, a Hewlett Packard Enterprise company 3

Figure 2. Lab-group Kit for this workshop

Version 20210423-v10.7a © 2021 Aruba, a Hewlett Packard Enterprise company 4

CONNECTING TO THE LAB ENVIRONMENT

Version 20210423-v10.7a © 2021 Aruba, a Hewlett Packard Enterprise company 5

This VM has four Ethernet adapters:

Adapter Name Purpose

IMPORTANT: do not modify it!

2930 Not used in this lab

3810-OOBM Connection to the out-of-band network. It gives you access to:

• Each switch’s management port

Copy/Paste to/from the lab environment

Exiting the lab environment

Version 20210423-v10.7a © 2021 Aruba, a Hewlett Packard Enterprise company 6

• IP Address: static in subnet 10.251.X.0 (where X is the Labgroup number)

Version 20210423-v10.7a © 2021 Aruba, a Hewlett Packard Enterprise company 7

LAB ACTIVITY 1: SETTING UP VSF STACKING FOR CLIENT ACCESS

• Open the consoles of the both 6300 switches

Verify the link between the 6300 switches

Figure 3. 6300 to 6300 Link

On each console enter:

On each console enter:

PN1-6300-A# show lldp neighbor-info

Version 20210423-v10.7a © 2021 Aruba, a Hewlett Packard Enterprise company 8

Prepare the VSF Auto-stacking

Mbr Mac Address type Status

Mbr Mac Address type Status

Version 20210423-v10.7a © 2021 Aruba, a Hewlett Packard Enterprise company 9

Do you want to continue (y/n)? y

Mbr Mac Address type Status

Version 20210423-v10.7a © 2021 Aruba, a Hewlett Packard Enterprise company 10

! configure the management port

Setting up the uplink

Figure 4. VSF Stack Uplink

Version 20210423-v10.7a © 2021 Aruba, a Hewlett Packard Enterprise company 11

Version 20210423-v10.7a © 2021 Aruba, a Hewlett Packard Enterprise company 12

LAB ACTIVITY 2: CONFIGURE THE AGGREGATION SWITCH (8325-A)

Connection to the 6300 VSF Access Stack

Actor details of all interfaces:

Version 20210423-v10.7a © 2021 Aruba, a Hewlett Packard Enterprise company 13

Partner details of all interfaces:

--- 10.1.X5.1 ping statistics ---

--- 10.254.X.1 ping statistics ---

Connection to the MC7005

• Complete the IP addressing configuration on the VLAN interfaces

Version 20210423-v10.7a © 2021 Aruba, a Hewlett Packard Enterprise company 14

• A single port will be connecting the 8325-A to the controller

Partner details of all interfaces:

PING 10.1.X4.100 (10.1.X4.100) 100(128) bytes of data.