Implementing Aruba Campus Access v23.112 (IACA)


Welcome to this week's class (IACA)



Please be sure you have downloaded the learner guide and lab guide as per the instructions in the email you received from HPE last week. Check your email history, spam folder, etc. for the keyword "OnSecure" if you cannot find the email.

Tips on how to google our site for documentation

    • googling for AOS-Switch-related topics
      • site:hpe.com 16.10 -inurl:pdf -inurl:cx "dhcp-snooping"
    • googling for AOS-CX-related topics
      • site:arubanetworks.com -inurl:pdf inurl:AOS-CX inurl:10\.14 "dhcp-snooping"
    • search operator notes:
      • site:x only searches that domain
      • -inurl:x excludes links with this text in the URL
      • inurl:x only reports links with this text in the URL
        • (ideal for finding documentation for a specific version)

Helpful Links

    • about Aruba training and this course
    • where to find more information
    • where to find online documentation
    • ClearPass Policy Manager specific links
    • AOS-CX specific links
    • AP Datasheets
      • Remote APs
      • Indoor APs
    • GW Datasheets

                  Day 1 - Lecture Modules & Labs 

                  M01: Intro to Aruba Solutions

                  Lunch Break

                    M02: Building Wired Infrastructure

                      • S2.70 PBR Overview code sample

                    Lab 1 - Testing Remote Lab Connectivity

                        • 1.1: Aruba Training Remote Lab Access
                          • issue p.2, t1.2
                            • when you log in to arubatraininglab.computerdata.com, be sure that the login page is fully loaded before you press submit
                        • 1.2: Testing Connectivity
                          • issue p.12, t2.44
                            • be sure to click "SSO" before you try to log in to Central

                          • issue p.12, t2.47
                            • New Central needs to be disabled in order to complete these labs; find the slider bar at the top right of your screen and move it to the left

                    Lab 2.1 - Campus Wired Aggregation - VSX

                        • 2.1.1: Review the Initial Configuration
                        • 2.1.2: VSX Basic Configuration
                        • 2.1.3: Configure a VSX LAG
                        • 2.1.4: Configure VSX L3 SVI with Active Gateway
                          • If your edge-1 or edge-2 switches cannot establish their control plane with Central after they inherit configuration from their group, check whether the switch has DNS configured; if not, add the following command to your switch template:
                            • ip dns server-address 10.254.1.21
                          • use the following commands to debug:
                            • debug central all
                            • debug destination buffer
                            • clear debug all
                            • show debug destination
                        • 2.1.5: VSX Link-Up delay
                        • 2.1.6: VSX Split-brain detection

                    Lab 2.2 - Wired Routing

                        • 2.2.1: Basic OSPF Configuration
                        • 2.2.2: Route Redistribution and Filtering Using Route Maps
                        • 2.2.3: Multi-Area OSPF and Route Aggregation between Area
                        • 2.2.4: Enhance OSPF Neighbor State Detection with BFD

                    Lab 2.3 - Campus Wired with Central

                        • 2.3.1: Onboard a switch to Central with ZTP
                        • 2.3.2: Aruba Central Initial Access
                        • 2.3.3: Managing Edge Switches using a Template Group
                        • 2.3.4: Migrate Aggregation Switches to Aruba Central
                          • Issue p.139 (lg-23.14), t2.3.4.27
                            • when you move your Agg switches into the template group, Central should create the following variables for each switch:
                              • _sys_serial
                              • _sys_lan_mac
                              • _sys_hostname
                            • often this does not happen (a feature); in that case you must do it manually
                            • create a CSV file based on the following example, making sure to replace the serial numbers and MAC addresses with those of your own table's Agg switches:
                              _sys_serial,_sys_lan_mac,modified,_sys_hostname,mgmt_gw,mgmt_ip,mgmt_vlan,port_ap,vlan_ap,vlan_ap_trunk_list
                              TW0BKM002M,b8:d4:e7:d9:5f:00,Y,sw-agg1,,,,,,
                              TW0BKM0041,b8:d4:e7:d9:9d:00,Y,sw-agg2,,,,,,
                            • upload this file into your group's template variables list
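As an added example (not part of the course notes or the lab guide), the following Python script checks a template-variables CSV like the one above before you upload it to Central: the header must match the example exactly, every serial number and MAC address must be well formed, `modified` must be `Y`, and no serial, MAC or hostname may be duplicated. GOOD_CSV is the example file from the note; BAD_CSV is constructed with deliberate mistakes, and the 10-character serial format is an assumption drawn from the example values.

```python
import csv
import io
import re

# Column header exactly as in the example file in the lab note above.
EXPECTED_HEADER = ["_sys_serial", "_sys_lan_mac", "modified", "_sys_hostname",
                   "mgmt_gw", "mgmt_ip", "mgmt_vlan", "port_ap", "vlan_ap",
                   "vlan_ap_trunk_list"]

# Colon-separated, lower-case hex MAC as Central writes _sys_lan_mac.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
# Assumption: serials are 10 upper-case alphanumerics, as in the example values.
SERIAL_RE = re.compile(r"^[A-Z0-9]{10}$")

# GOOD_CSV is the example from the lab note.
GOOD_CSV = """\
_sys_serial,_sys_lan_mac,modified,_sys_hostname,mgmt_gw,mgmt_ip,mgmt_vlan,port_ap,vlan_ap,vlan_ap_trunk_list
TW0BKM002M,b8:d4:e7:d9:5f:00,Y,sw-agg1,,,,,,
TW0BKM0041,b8:d4:e7:d9:9d:00,Y,sw-agg2,,,,,,
"""

# BAD_CSV is constructed: dash-separated MAC on line 2, then a duplicate
# serial, modified=N and a duplicate hostname on line 3.
BAD_CSV = """\
_sys_serial,_sys_lan_mac,modified,_sys_hostname,mgmt_gw,mgmt_ip,mgmt_vlan,port_ap,vlan_ap,vlan_ap_trunk_list
TW0BKM002M,b8-d4-e7-d9-5f-00,Y,sw-agg1,,,,,,
TW0BKM002M,b8:d4:e7:d9:9d:00,N,sw-agg1,,,,,,
"""


def validate_template_variables(csv_text):
    """Return a list of problems found in a template-variables CSV; [] means OK."""
    problems = []
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if any(c.strip() for c in r)]
    if not rows:
        return ["file is empty"]
    header = [h.strip() for h in rows[0]]
    if header != EXPECTED_HEADER:
        return ["header differs from expected: %s" % ",".join(header)]
    # Values that must be unique across the file.
    seen = {"_sys_serial": set(), "_sys_lan_mac": set(), "_sys_hostname": set()}
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(EXPECTED_HEADER):
            problems.append("line %d: expected %d columns, got %d"
                            % (lineno, len(EXPECTED_HEADER), len(row)))
            continue
        rec = dict(zip(EXPECTED_HEADER, (c.strip() for c in row)))
        rec["_sys_lan_mac"] = rec["_sys_lan_mac"].lower()
        if not SERIAL_RE.match(rec["_sys_serial"]):
            problems.append("line %d: serial %r is not 10 alphanumeric characters"
                            % (lineno, rec["_sys_serial"]))
        if not MAC_RE.match(rec["_sys_lan_mac"]):
            problems.append("line %d: MAC %r is not colon-separated hex"
                            % (lineno, rec["_sys_lan_mac"]))
        if rec["modified"] != "Y":
            problems.append("line %d: 'modified' should be Y, got %r"
                            % (lineno, rec["modified"]))
        if not rec["_sys_hostname"]:
            problems.append("line %d: empty hostname" % lineno)
        for col, values in seen.items():
            if rec[col] and rec[col] in values:
                problems.append("line %d: duplicate %s %r" % (lineno, col, rec[col]))
            values.add(rec[col])
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD_CSV), ("bad", BAD_CSV)):
        found = validate_template_variables(text)
        print(name + ":", "OK" if not found else "\n  ".join([""] + found))
```

Run it against your own file by reading it into a string and passing it to `validate_template_variables`; an empty list means the file is safe to upload.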

                    Helpful commands 

                        • show lacp interfaces
                        • show lldp neighbor-info
                        • show spanning-tree
                        • show event -r -n5
                        • show running-config vsx vsx-peer
                        • show running-config vsx-sync peer-diff
                        • show vsx status
                        • show vsx status linkup-delay
                        • show vsx status keepalive
                        • policy mirror reset
                        • show ip ospf neighbors
                        • show ip ospf interface brief
                        • show ip ospf lsdb
                        • show ip ospf lsdb external
                        • show ip ospf lsdb area 0
                        • show ip ospf lsdb database-summary
                        • show ip route
                        • show ip dhcp
                        • show aruba-central

                    Day 2 - Lecture Modules & Labs 

                    M03: Wireless Infrastructure with Aruba Gateways

                    Lab 3.1 - Deploying APs

                        • 3.1.1: Deploying APs

                    Lab 3.2 - Deploying APs

                        • 3.2.1: Configure Gateway1 using the Setup Dialog
                          • Issue p.145 (lg-23.14), t3.2.1.1
                            • prior to using OTP static-activate on GW1, you need to set up 1/1/5 on agg-1 to allow VLAN 3
                            • agg-1 console:
                              • interface 1/1/5
                                • no routing
                                • vlan trunk native 1
                                • vlan trunk allow all
                        • 3.2.2: Configuring the Gateway in Aruba Central
                          • Issue p.154 (lg-23.14), t3.2.2.42
                            • prior to setting up the port-channel on your gateways, you need to set up 1/1/5 with vsx-lag 5 on your access-aggregation switches
                            • agg-1 console:
                              • interface lag 5 multi-chassis
                                • no routing
                                • vlan trunk native 1
                                • vlan trunk allow all
                                • lacp mode active
                                • lacp rate fast
                                • lacp fallback
                                • no shutdown
                              • interface 1/1/5
                                • lag 5
                                • no shutdown
                            • agg-2 console:
                              • interface lag 5 multi-chassis
                                • no shutdown
                              • interface 1/1/5
                                • lag 5
                                • no shutdown
                          • Issue p.155 (lg-23.14), t3.2.2.49
                            • as you validate your GW config, notice that you allowed VLANs 1,3,31-35,41-45 on the GW trunk. Your Agg switches do not have VLANs 31-35 or 41-45; you will need to create these and vsx-sync them for later labs to work as expected.
                            • agg-1 console:
                              • vlan 31-35,41-45
                                • vsx-sync

                        • 3.2.3: Monitor Gateway Configuration Changes from Central

                    Lab 3.3 - Automatic Gateway Clustering

                        • 3.3.1: Review the Existing Auto Cluster

                    Helpful commands 

                        • branchspport / mac-address (if not connected to central)
                        • show configuration setup-dialog 
                        • show port status 
                        • show interface port-channel 0 
                        • show lacp 0 neighbor 
                        • show log all 6 | include fpapps
                        • show lc-cluster group-profile
                        • show lc-cluster group-profile auto_gwcluster_xyz_0 
                        • show lc-cluster group-membership 

                    M04: Tunneled WLAN Architecture

                    Lab 4.1 - Deploy Tunnel WLAN

                        • 4.1.1: Review the Wired Network
                        • 4.1.2: Create PSK Tunnel WLAN with the GW Cluster
                        • 4.1.3: Review the Configuration
                        • 4.1.4: Verify the Operation of the Tunnel WLAN
                        • 4.1.5: Configure GRE over IPsec

                    Lab 4.2 - Tunneled WLAN Cluster Operation

                        • 4.2.1: Review the Cluster Status
                        • 4.2.2: Cluster Bucket Map
                        • 4.2.3: Load Distribution and Failover

                         Lunch Break

                      M05: Secure Enterprise WLAN

                                  More About RADIUS Access-Accept Attributes

                          • slide 15: service-type=framed
                            • requires auth parameters to then establish/allow access to the network
                          • slide 11: service-type=call-check
                            • used to verify the status of a call
                            • does not support session timeouts
                            • it is more about monitoring call status rather than establishing access

                      Lab 5.1 - Deploy Tunnel Corporate WLAN

                          • 5.1.1: Understanding the AAA Profile on PSK WLAN
                          • 5.1.2: Configure Corporate 802.1X Tunnel WLAN
                          • 5.1.3: Connect with a WLAN Client
                          • 5.1.4: Monitoring and Roaming Key Distribution

                      Lab 5.2 - Roles and Access Control

                          • 5.2.1: User Role Derivation
                          • 5.2.2: Use the WLAN Workflow to Apply Access Control
                          • 5.2.3: Gateway Controlled Access Control
                          • 5.2.4: Gateway Controlled Access Control using the User Alias
                          • 5.2.5: Configure Dynamic Authorization with the Gateway Cluster
                          • 5.2.6: (optional) Server Rule-based Role Derivation

                      Day 3 - Lecture Modules & Labs

                          M06: Guest and Captive Portal

                      Lab 6 - Overlay Guest WLAN with ClearPass Guest

                          • 6.1: Verify a ClearPass Guest page
                          • 6.2: Configure WLAN Profile with ClearPass Guest Splash Page
                          • 6.3: Test ClearPass Guest access
                          • 6.4: Guest Authentication with ClearPass MAC Caching
                          • 6.5: (optional) Web Redirect for a Corporate User

                      M07: Wireless Authentication for IOT

                      Lab 7 - PSK IOT WLAN

                          • 7.1: Create MPSK Local Overlay WLAN
                          • 7.2: Configure ClearPass-based Role Mapping for MPSK

                           Lunch Break

                        M08: Mixed Mode Architecture

                        Lab 8 - Configuring Mixed Forwarding WLAN

                            • 8.1: Employee WLAN with Mixed Mode
                            • 8.2: RADIUS-based VLAN Assignment
                            • 8.3: (optional) Custom RADIUS Attribute in a VLAN Rule

                        M09: Gateway Cluster Deployments

                        Lab 9 - Gateway Cluster Deployments

                            • 9.1: Move Gateway GW2 to the Group Campus-Main-DMZ
                            • 9.2: Multi-Zone
                            • 9.3: Set up Site-Based Clustering Using a Single Site
                            • 9.4: Site-Based Clustering using Multiple Sites
                            • 9.5: (optional) Site-Based Cluster with Group-Based Backup Cluster

                        Day 4 - Lecture Modules & Labs  

                        M10: Wired Port Access

                        Lab 10.1 - Wired Access Control

                            • 10.1.1: Configure sw-edge2 for Access Control and 802.1X
                            • 10.1.2: Enable MAC Authentication
                            • 10.1.3: User Roles with Device-Based Authentication

                        Lab 10.2 - Wired Access with Aruba Gateways

                            • 10.2.1: Prepare the Gateway
                            • 10.2.2: Configure the Switch-to-Gateway Cluster Connection
                            • 10.2.3: (optional) Troubleshooting and Failover for UBT

                        M11: VXLAN and GBP

                        Lab 11 - Group-Based Policies with EVPN

                            • 11.1: Prepare your lab environment
                            • 11.2: Verify the Group-Based Policy Configuration
                            • 11.3: Configure Access Control Between Roles

                        Day 5 - Lecture Modules & Labs 

                        M12: Security and Availability Features

                        Lab 12.1 - Service Survivability

                            • 12.1.1: Tunnel WLAN Central Survivability
                            • 12.1.2: Wired Cached Re-Authentication and Critical Role

                        Lab 12.2 - Admin Authentication

                            • 12.2.1: Gateway Admin Authentication
                            • 12.2.2: Switch Admin Authentication

                          M13: Traffic Optimization and QOS

                          Lab 13 - Traffic Optimization

                              • 13.1: WLAN Optimization
                              • 13.2: Wired QoS
                              • 13.3: Wireless QoS Marking
                              • 13.4: Wireless WMM Voice Class
                              • 13.5: (optional) AirMatch Configuration

                          M14: Monitoring

                          Lab 14 - Monitoring with UXI Sensors

                              • 14.1: Monitoring with the Aruba UXI Sensor
                              • 14.2: Integrate the UXI Dashboard with Aruba Central
                              • 14.3: Reset the Lab Customer Environment

                          Appendix

                          Acronyms or Key terms

                          • ESP: Encapsulating Security Payload
                          • SA: Security Association
                            • a relationship between two or more entities that describes how the entities will use security services to communicate securely
                          • SPI: Security Parameter Index
                            • identification tag added to the header while using IPsec for tunneling the IP traffic. 
                            • This tag helps the kernel discern between two traffic streams where different encryption rules and algorithms may be in use
                          • nonce:
                            • random / semi-random number generated for cryptographic communication 
                            • mechanism helps to protect against replay attacks
                            • the term stands for "number used once"

                          Lab Access Errata

                          • if experiencing any problems with remote lab access (WebGate):
                            • be sure your browser is in private (incognito) mode
                            • restart your browser and clear your cache and cookies
                            • do not try to login unless you are 100 percent sure the login page is fully loaded (the tab favicon will look similar to an orange triangle)
                            • during login to Central, did you select the SSO option?
                            • if you need to restart your windows host
                              • in cmd.exe type "shutdown /r /t 0"

                          Lab Troubleshooting Commands

                            • HPE ANW Central issues:
                              • commands to troubleshoot AP connectivity to Central
                                • reboot the AP, access the boot ROM, and validate the L2/L3 path to Central
                                  • mfginfo (to determine the AP card 0 serial number, used as the admin password)
                                    apboot> mfginfo
                                    Inventory:
                                    Card 0: System
                                    Wired MAC           : 20:4c:03:c6:09:78
                                    Wired MAC Count     : 4
                                    Date Code           : 052620
                                    Serial              : CNKCK2R9NB
                                    Wireless MAC        : 24:62:ce:c5:c2:ce
                                    Wireless MAC Count  : 2
                                    Country             : CCODE-US-bb57c5b718e86164a118d99523adf1859129912b
                                    Card 1: CPU
                                    Assembly            : 2010258C
                                    Serial              : Y10592D81
                                    Date Code           : 051620
                                    Major Rev           : 02
                                    Minor Rev/Variant   : 00
                                    Card 2: Power
                                    Assembly            : 2010259C
                                    Serial              : Y10591512
                                    Date Code           : 051620
                                    Major Rev           : 02
                                    Minor Rev/Variant   : 00
                                  • dhcp (test the DHCP client from the boot ROM)
                                    • failed DHCP example
                                      apboot> dhcp
                                      eth0 up: 1 Gb/s full duplex
                                      DHCP broadcast 1
                                      DHCP broadcast 2
                                      DHCP broadcast 3
                                      DHCP broadcast 4
                                      DHCP broadcast 5
                                      Retry count exceeded; starting again
                                    • successful DHCP example
                                      apboot> dhcp
                                      eth0 up: 1 Gb/s full duplex
                                      DHCP broadcast 1
                                      DHCP IP address: 10.1.4.51
                                      DHCP subnet mask: 255.255.255.0
                                      DHCP def gateway: 10.1.4.1
                                      DHCP DNS server: 10.254.1.21
                                      DHCP DNS domain: aruba-training.com
                                  • boot (wait for the login prompt; log in as admin with the card 0 serial number as the password)
                                    Booting OS partition 0
                                    Checking image @ 0x0
                                    Copying image from 0x84000000
                                    Image is signed; verifying checksum... passed
                                    SHA2 Signature available
                                    Signer Cert OK
                                    Policy Cert OK
                                    RSA signature verified using SHA2.
                                    Uncompressing Kernel Image ...
                                  • show ip interface brief (check that the br0 IP came from DHCP)
                                  • show ip route (validate the default gateway via br0)
                                  • show ap debug cloud-server
                              • commands to troubleshoot AP issues
                                • show ap association
                                • show ap bss-table
                                • show ap debug auth-trace-buf
                                • show ap debug cloud-server
                                • show ap debug radio-state
                                • show ap debug radio-stats <0-1> (try "show radio stats" as well)
                                  • make sure this output does not say the radio is disabled, if it is disabled despite being configured to be enabled in Central
                                    • anticipate Central GROUP corruption, delete the group and recreate it
                                • show ap monitor ap-list
                                • show ata current-cfg
                                  • verify that you see the current configuration for each cluster your WLAN profile has associated with this AP; if not...
                                    • anticipate Central GROUP corruption, delete the group and recreate it
                            Current Central is Up
                            Microbranch AP is Disabled
                            Microbranch System IP is 0.0.0.0/::
                            [Current Configuration For cluster(CORPORATE)]
                            <Tunnel list>
                            -----pub_ip=10.1.3.21, local_ip=10.1.3.21, vlan=1,3,31,33,63, mcast=0, Tun_Type=GRE, peer_device_type=Gateway
                                 key_exp=0, dstNatt=0, HBT_interval=3, HBT_Threshold=10
                            <SSID list for primary>
                            -----ssid=hq-corp-86-1, type=0

                            [Current Configuration For cluster(DMZ)]
                            <Tunnel list>
                            -----pub_ip=10.1.3.22, local_ip=10.1.3.22, vlan=1,3,33,63, mcast=0, Tun_Type=GRE, peer_device_type=Gateway
                                 key_exp=0, dstNatt=0, HBT_interval=3, HBT_Threshold=10
                            <SSID list for primary>
                            -----ssid=hq-guest-86-1, type=0
                            <SSID list for backup>
                            -----ssid=hq-corp-86-1, type=0
                              • show ata endpoint
                                • look for SM_STATE_CONNECTED; if you see a STALE state, check for L2/L3 connectivity issues between the AP and the GW
                            ATA Endpoint Status
                            -------------------
                            UUID                                  IP ADDR    STATE               TUN DEV  TUN SPI(OUT/IN)    LINK TAG  VALID TIME(s)  TUNNEL TYPE  GRE VLANs        HBT(Jiff/Missed/Sent/Rcv)  INNER IP   UP TIME(s)
                            ----                                  -------    -----               -------  ---------------    --------  -------------  -----------  ---------        -------------------------  --------   ----------
                            ddaf45d4-6c92-4858-a185-12c1bfce8df1  10.1.3.22  SM_STATE_CONNECTED  tun0     5481c900/b53ff100  inet      98617          GREoIPSec    1,3,31,33,61,63  47498/0/30919/30915        10.2.4.51  2025-08-27 17:27:52
                            Total Endpoints Count: 1
                              • show log ap-debug
                              • show overlay cluster-info
                              • show overlay tunnel
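As an added example that is not part of the course notes, here is a small Python parser for the `show ata endpoint` output shown above. It turns each endpoint row into a dict and flags any endpoint that is not in SM_STATE_CONNECTED or that reports missed heartbeats in the HBT column, which is the check the note above asks you to do by eye. The first row of the sample is the page's own output; the second row is constructed, and its `SM_STATE_STALE` value is an assumption (the note only says "a STALE state").

```python
import re

# Every endpoint row of "show ata endpoint" starts with a UUID.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Whitespace-separated columns of an endpoint row. The trailing UP TIME column
# contains a space (date and time), so it is collected separately.
FIELDS = ["uuid", "ip", "state", "tun_dev", "spi", "link_tag", "valid_time",
          "tunnel_type", "gre_vlans", "hbt", "inner_ip"]

HEALTHY_STATE = "SM_STATE_CONNECTED"

# Constructed sample: the first endpoint row is the output quoted on the page;
# the second row (SM_STATE_STALE, 12 missed heartbeats) is made up for this example.
SAMPLE_OUTPUT = """\
ATA Endpoint Status
-------------------
UUID                                  IP ADDR    STATE               TUN DEV  TUN SPI(OUT/IN)    LINK TAG  VALID TIME(s)  TUNNEL TYPE  GRE VLANs        HBT(Jiff/Missed/Sent/Rcv)  INNER IP   UP TIME(s)
----                                  -------    -----               -------  ---------------    --------  -------------  -----------  ---------        -------------------------  --------   ----------
ddaf45d4-6c92-4858-a185-12c1bfce8df1  10.1.3.22  SM_STATE_CONNECTED  tun0     5481c900/b53ff100  inet      98617          GREoIPSec    1,3,31,33,61,63  47498/0/30919/30915        10.2.4.51  2025-08-27 17:27:52
0b1c2d3e-4f50-4617-8899-aabbccddeeff  10.1.3.21  SM_STATE_STALE      tun1     00000000/00000000  inet      98617          GREoIPSec    1,3,31,33,63     47498/12/30919/30880       10.2.4.51  2025-08-27 17:27:52
Total Endpoints Count: 2
"""


def parse_ata_endpoints(output):
    """Parse "show ata endpoint" text into a list of dicts, one per endpoint row."""
    endpoints = []
    for line in output.splitlines():
        parts = line.split()
        # Skip the title, header, separator and total lines.
        if len(parts) <= len(FIELDS) or not UUID_RE.match(parts[0]):
            continue
        ep = dict(zip(FIELDS, parts[:len(FIELDS)]))
        ep["up_time"] = " ".join(parts[len(FIELDS):])
        # HBT column is Jiffies/Missed/Sent/Received.
        jiffies, missed, sent, rcv = (int(x) for x in ep["hbt"].split("/"))
        ep.update(hbt_jiffies=jiffies, hbt_missed=missed, hbt_sent=sent, hbt_rcv=rcv)
        ep["gre_vlans"] = [int(v) for v in ep["gre_vlans"].split(",")]
        endpoints.append(ep)
    return endpoints


def find_unhealthy(endpoints, max_missed=0):
    """Return (gateway_ip, reason) for each endpoint that is not healthy."""
    findings = []
    for ep in endpoints:
        if ep["state"] != HEALTHY_STATE:
            findings.append((ep["ip"], "state %s: check the L2/L3 path between the AP and the gateway"
                             % ep["state"]))
        elif ep["hbt_missed"] > max_missed:
            findings.append((ep["ip"], "%d missed heartbeats" % ep["hbt_missed"]))
    return findings


if __name__ == "__main__":
    eps = parse_ata_endpoints(SAMPLE_OUTPUT)
    for ip, reason in find_unhealthy(eps):
        print("%s: %s" % (ip, reason))
```

Paste the real command output into `parse_ata_endpoints` (for example from a file) to get the same report for your AP; an empty list from `find_unhealthy` means every tunnel endpoint is connected and not missing heartbeats.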
