Colorless Ports; Port-Based Tunneling - HP Aruba JL253A Management And Configuration Manual

For arubaos-switch 16.08
Type | Enforcement | Description
Contractor | Tunnel | Contractors may need more access than a traditional guest user.
Change in User/Device Posture | Tunnel | User or device goes from a healthy to an unhealthy state (OnGuard checks, IntroSpect notification, Ingress Event Engine notification).

Colorless Ports

In a campus network with a few thousand switch access ports and numerous intermediate distribution frames (IDFs),
network admins must spend considerable effort assigning VLAN IDs to devices. Maintaining the switch-port-to-VLAN
mapping is also difficult, and managing the thousands of lines of configuration on the switches requires
significant effort.
With colorless ports, all switches have a similar configuration for IP addressing, credentials, authentication,
VLANs, and uplinks. All access ports need only a few lines of configuration, common to every port. No admin
intervention is needed to assign a VLAN to a user, since the user is automatically assigned a reserved VLAN ID.
The benefits of colorless ports are:
Simplified user experience.
Increased visibility: it is easy to see what is on the network.
Increased security: the network applies the correct policy to a device.
Simplified switch configuration: all access ports are configured the same.
For more details on the colorless ports, see User Roles in the Access Security Guide for your switch.

Port-Based Tunneling

In a traditional campus network, wireless traffic is encapsulated in a tunnel between the access point and the
controller. Port-Based Tunneling on Aruba switches uses the same mechanism with an Aruba Mobility Controller: in
essence, a wired port becomes a "wired AP". Each switch port can be individually configured to create a single
tunnel to the Mobility Controller. At the Mobility Controller, each tunneled node port is seen as a separate
tunnel, because each tunnel has a unique GRE key; this provides more granular visibility. Because traffic is
tunneled to the Mobility Controller, authentication and network policies for tunneled wired traffic are applied
and enforced on the controller side. This simplifies configuration on the switch and centralizes policies at the
Mobility Controller. Port-Based Tunneling allows the same enforcement options to be used for wired and wireless
clients, including stateful session processing, deep packet inspection, URL filtering, and bandwidth contracts.
The main purpose of Port-Based Tunneling is to use the Mobility Controller as a unified policy enforcement point
for traffic from both wired and wireless clients.
NOTE: If the Aruba switch cannot reach the Mobility Controller, the switch can fall back to local switching,
which allows the tunneled ports to communicate with the other ports in the same VLAN.
IMPORTANT:
Port-Based Tunneling is configured on a per-port basis. Traffic to and from ports that are not configured as
tunneled is forwarded using standard (non-tunneled) switching.
An ArubaOS-Switch can be configured with a main and a backup tunnel termination controller, called the
"tunneled-node server".
Unlike User-Based Tunneling, Port-Based Tunneling does not support HA and load balancing across an Aruba
Mobility Controller cluster.
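Added example, not taken from this guide: a minimal Port-Based Tunneling configuration showing a main and a backup tunneled-node server, fallback to local switching, and tunneling enabled on a block of access ports. The controller addresses and the port range are constructed placeholders, and the command syntax is assumed from the ArubaOS-Switch tunneled-node-server configuration context; check it against the CLI reference for 16.08 before use.

```text
# Lines starting with '#' are annotations for the reader, not CLI input.
# Global context: main and backup tunnel termination controllers
switch(config)# tunneled-node-server
switch(tunneled-node-server)# controller-ip 10.10.10.5
switch(tunneled-node-server)# backup-controller-ip 10.10.10.6
# Port-based mode (the default); role-based mode is User-Based Tunneling
switch(tunneled-node-server)# mode port-based
# When neither controller is reachable, let tunneled ports switch locally
# within their VLAN instead of dropping traffic
switch(tunneled-node-server)# fallback-local-switching
switch(tunneled-node-server)# exit
# Per-port: only these access ports are tunneled; all other ports forward
# with standard switching and are not subject to controller-side policy
switch(config)# interface 1-24 tunneled-node-server
# Verify controller reachability and the per-port tunnel state
switch(config)# show tunneled-node-server
switch(config)# show tunneled-node-server state
```

Because policy for tunneled ports is enforced only at the Mobility Controller, confirm with the show commands that every port intended to be tunneled actually reports an established tunnel; a port left in local switching is forwarding with no controller-side enforcement.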
Aruba 2930F / 2930M Management and Configuration Guide
for ArubaOS-Switch 16.08