What are conservative and standard release on Aruba firmware?
The standard release has the latest feature set; it takes some months before a release becomes a conservative release. Conservative releases are for customers who prioritize stability over new features. Before a release becomes conservative it must have been deployed for a certain amount of time.
What are the modes in which an Aruba controller can operate?
DR-Mode (Disaster recovery), Access Mode, enable-mode, config-mode
Infra mode - Master mode (72xx model), Local mode (inherits from master; 72xx and 70xx models), Branch mode (70xx model) and Standalone (non-prod)
How do you define a Branch Office Controller and its operations?
A branch is a place of business operation, and to provide connectivity from the branch to HQ or the central DC we opt for the Branch Office Controller solution. Features that come with this include, but are not limited to, the following:
Scalable site to site VPN Tunnels
Layer-3 redundancy for Branch controller masters
WAN failure (authentication) survivability
WAN optimization through IP Payload compression
Interface bandwidth contracts
Integration with central and other tools
Branch controller routing features - Next hop list and Policy based routing
REF: https://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Content/ArubaFrameStyles/Branch%20Office/Branch_Deploy_features.htm
What are the major differences between 6.x and 8.x controllers?
6.x: 6.5.3.3, Model 7240
VPNC 8.x: 8.6.0.4-2.2.0.1, Model Aruba7240XM-US
VPNR 8.x: 8.6.0.4-2.2.0.1, Models Aruba7024-US and Aruba7010-US
MM 8.x: 8.5.0.12, Model ArubaMM-HW-10K
MD 8.x: 8.5.0.12, Model Aruba7240XM-US
Conservative version that can be installed in Aruba
How does a RAP work and terminate on our controller?
> Any Aruba access point can be provisioned to operate as a RAP. The purpose of deploying a RAP is to leverage the wireless and wired features of an Aruba access point from a remote location across the Internet.
> The RAP is configured to use IPsec to connect to a Mobility Controller’s public IP over UDP 4500 for NAT-T. Once the IPsec tunnel is established with the controller, the RAP receives an inner IP known to the controller from a preconfigured VPN IP pool.
> From that point on, the RAP is treated like any other campus AP reachable using its inner IP. All WLAN and wired port configurations used by campus APs are equally used by the RAP. In other words, the RAP extends the same SSIDs available in the office so that employees can work from home as if they were in the office without the need for additional VPN clients.
> IPsec tunnels will be formed between the RAP and the mobility controller. The Netdestinations (ACLs) of the profile assigned to the RAPs decide which traffic is the interesting traffic that needs to be allowed through the tunnel.
Refer:
https://www.arubanetworks.com/assets/so/SG_Remote-Access-Point.pdf
https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAssets/Aruba%20RAP%20VRD.pdf
What ports are required for ZTP, and what are they?
Aruba devices can be automatically provisioned by Aruba Central using Zero Touch Provisioning (ZTP). With ZTP, Aruba gateways, IAPs, and ArubaOS switches automatically communicate with Central and download their group configuration without any user interaction. Each managed Aruba device can be manually assigned to its respective group in Central under Global Settings > Manage Groups, or groups can be assigned per site in advance under Site Installations in the Install Manager application. Unlike Aruba switches and IAPs, the group assignment for gateways must be performed prior to ZTP, so that Central knows the role (BGW or VPNC) of the gateway. The group type must also be selected, or the group type will display as “unprovisioned”.

ZTP is the preferred method for deploying new branch devices, as it eliminates the need for any on-site user interaction and configuration: an on-site installer simply connects the Aruba devices, and the ZTP process automatically onboards and provisions each branch device. While ZTP may be used to provision VPNCs in the data center, One Touch Provisioning is often preferred there, as VPNCs typically require static IPv4 addresses along with specific VLAN and switchport configuration.

When deploying a new branch site, remember that any IAPs and ArubaOS switches at the branch can only complete their ZTP process and receive their group configuration once the gateway(s) are provisioned and online: the IAPs and switches cannot communicate with Central until they obtain IP addressing and domain name server (DNS) information from their respective gateway(s). For a gateway to successfully perform ZTP, one or more ZTP ports must be connected to a WAN service that provides the following:
1. DHCP addressing
2. DHCP options 3 (Router) and 5 (Name Server)
3. Internet access
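As an added example (not from these notes or from Aruba), a small Python checker for the second requirement: it parses the option field of a DHCP OFFER/ACK captured on the ZTP port and reports whether the Router option and a name-server option are present. It accepts either option 5 (the number listed above) or option 6 (Domain Name Server, which is what most DHCP servers send); the sample packets and the 192.0.2.x addresses are constructed.

```python
# Added example: parse DHCP options from a ZTP port lease and check ZTP readiness.
import ipaddress
from typing import Dict, List

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_ROUTER = 3               # option 3 (Router), required for ZTP
OPT_NAME_SERVER = 5          # option 5 (Name Server), the number the notes list
OPT_DOMAIN_NAME_SERVER = 6   # option 6 (Domain Name Server) per RFC 2132


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area of a DHCP message, starting at the magic cookie."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    out: Dict[int, bytes] = {}
    i = len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        out[code] = out.get(code, b"") + value  # repeated options concatenate (RFC 3396)
        i += 2 + length
    return out


def addresses(raw: bytes) -> List[str]:
    """Split a run of 4-byte IPv4 values into dotted-quad strings."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]


def ztp_port_gaps(options: Dict[int, bytes]) -> List[str]:
    """Return the ZTP requirements the lease does not satisfy (empty list means OK)."""
    gaps = []
    if not addresses(options.get(OPT_ROUTER, b"")):
        gaps.append("option 3 (Router) missing")
    if not (addresses(options.get(OPT_NAME_SERVER, b"")) or addresses(options.get(OPT_DOMAIN_NAME_SERVER, b""))):
        gaps.append("name server option (5 or 6) missing")
    return gaps


# Constructed samples: an OFFER with router 192.0.2.1 and DNS 192.0.2.53, and one with no DNS.
GOOD = MAGIC_COOKIE + bytes([53, 1, 2, 3, 4, 192, 0, 2, 1, 6, 4, 192, 0, 2, 53, 255])
NO_DNS = MAGIC_COOKIE + bytes([53, 1, 2, 3, 4, 192, 0, 2, 1, 0, 255])
```

Internet access (the third requirement) cannot be judged from the lease alone, so it is left to a separate reachability test.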
Why is whitelisting required and what is its use?
Campus or Remote APs appear as valid APs in the campus or Remote AP whitelists when you manually enter their information into the campus or Remote AP whitelists through the WebUI or CLI of a controller or after a controller sends a certificate to an AP as part of automatic certificate provisioning and the AP connects to the controller over a secure tunnel. APs that are not approved or certified on the network are included in the campus AP whitelists, but these APs appear in an unapproved state.
Use the AP whitelists to grant valid APs secure access to the network or to revoke access from suspected rogue APs. When you revoke or remove an AP from the campus or remote AP whitelists on a controller that uses control plane security, that AP is not able to communicate with the controller again, except to obtain a new certificate.
How does ZTP work in our Aruba environment, in detail?
https://www.youtube.com/watch?v=KJw4Ud2LAtU
What are the methods of collecting AP tech-support and controller tech-support logs?
show crash info
tar logs tech-support
tar crash
How do you do a packet capture on controller flash?
Have to check how?
What types of licenses are present and what are their uses?
Perpetual Licenses:
• A perpetual license is a purchased license that has no end date; once installed, it does not expire. Most purchased licenses are perpetual licenses.
Subscription Licenses:
• The Web Content and Classification (WebCC) license is a subscription license that enables WebCC features only for the duration of the subscription (1,3,5,7 or 10 years).
1. AP License:
• An AP license is required for each operational LAN-connected, mesh, or remote AP that is advertising at least one BSSID (virtual AP).
• Usage Basis: Per AP
2. ACR License:
• This license enables ArubaOS Advanced Cryptography (ACR) features. A license is required for each active client termination using Suite-B algorithms or protocols.
• Usage Basis: Per Client Session
3. PEF License:
• Required for each operational AP using one or more Policy Enforcement Firewall (PEF) features, such as intelligent application identification, policy-based traffic management and controls, or stateful user firewalls.
• Usage Basis: Per AP
4. PEFV License (alias: Box License):
• The PEFV license allows a network administrator to apply firewall policies to clients using a VPN to connect to the controller. This license is mandatory for the Aruba VIA VPN client, but optional for all other VPN clients. The PEFV license is purchased as a single license that enables the functionality up to the full user capacity of the controller.
• Usage Basis: Per Controller
5. RFProtect License:
• An RFProtect (RFP) license is required for each operational AP using one or more RFProtect features, such as spectrum analysis and Wireless Intrusion Protection (WIP).
• Usage Basis: Per AP
6. MM License:
• Starting with ArubaOS 8.0.1, the MM license is required to terminate devices (controllers or APs) on Mobility Master. If the Mobility Master does not have sufficient MM licenses and an AP fails to obtain a license, that AP can get an IP address and connect to its controller, but will not broadcast an SSID.
• Usage Basis: Associated device (Per Controller/Per AP)
7. VMC License:
• Starting with ArubaOS 8.0.1, the VMC license is a sharable license required to terminate APs on a virtual controller (MD). In ArubaOS 8.0.0, the VMC-TACT and VMC-TACT8 licenses are non-sharable licenses that must be installed on a virtual machine before you can install ArubaOS as a controller on that VM.
• Usage Basis: Per AP
8. WebCC License (alias: Subscription License):
• The Web Content Classification (WebCC) license is a subscription-based, per-AP license that supports Web content classification features on an AP for the duration of the subscription period (up to 10 years per license).
• Usage Basis: Per AP
https://lms.arubanetworks.com/orders
https://support.hpe.com/hpesc/public/docDisplay?docId=a00072842en_us
Aruba Central License
Switches:
o Foundation—This license provides all the features included in the legacy Device Management tokens.
Access Points (APs):
o Foundation—This license provides all the features included in the legacy Device Management tokens and some additional features that were available as value-added services for APs and switches in the earlier licensing model.
o Advanced—This license provides all the features included in the Foundation License, with additional features related to AI Insights and WLAN services.
SD-Branch Gateways:
o Foundation—This license provides all features required for SD-Branch functionality in branch or headend deployments.
o Foundation Base—This license provides all the features included in a Foundation License, but can support only up to 75 client devices per branch site.
o Foundation with Security—This license provides all features required for SD-WAN functionality in branch or headend deployments and some additional security features.
o Foundation Base with Security—This license provides all the features included in a Foundation with Security License, but can support only up to 75 client devices per branch.
o Advanced—This license provides all the features included in a Foundation License, with additional features related to SaaS Express and AI Insights.
o Advanced with Security—This license provides all the features of an Advanced License, with additional security features related to IPS and IDS, security dashboard, and anti-malware.
o Virtual Gateway (VGW) License—This license is available for AWS, Azure, and ESXi platforms and is licensed based on the bandwidth required. The license types available for VGW are VGW-500M, VGW2G, and VGW-4G.
How many licenses are there on our SD-WAN and MM/MD controller setups?
SD-WAN (Central)                                 Used/Total
Access Point - Foundation                        1517/1776
Switches
  Foundation-Switch-6100/25XX/<16ports           23/23
  Foundation-Switch-6200/29xx                    1/1
  Foundation-Switch-63xx/38xx                    762/999
Gateway
  Foundation 70XX/90XX                           548/701
  Foundation 72XX                                22/24
  Foundation with Security                       1/100

For MM/MD (AP, PEFNG and MM licenses were enabled)
  Access Points                                  2855/9216
  PEF (Policy Enforcement Firewall)              2855/9216
  RF Protect (Wireless Intrusion Protection)     0/2048
  MM (Mobility Master)                           2871/10000
Who holds the config of our retail Aruba setup and RAP setup?
What is a VPNC, and how does a gateway know which VPNC it has to terminate its connection on?
How do you know if the client is passing traffic?
How to check if the traffic is getting denied and which ACL it hits?
What is the ACE table and how do you check its consumption?
What is firmware compliance in central and how to set it and validate?
What is a template group in Central and why do we have it?
What are per-user tunneled node and per-port tunneled node, which do we use in our environment, and how does it work?
How does the folder hierarchy work in an MM/MD setup, and where is the config saved?
How is the controller connected with Gigamon and the UTM?
What are groups, sites and labels in Aruba central?
Groups
A group is where we put similar kinds of devices in one place, which lets us make config changes to the whole group at once instead of configuring the devices separately.
Sites
A site denotes the physical location where devices are placed: we can club the controller, switches and IAPs of a particular location into a single site and enable alerts there. If any device goes down, the whole site is marked with a warning sign indicating that it needs to be addressed quickly.
Labels
What is DR mode in gateways and MD?
How does an MD terminate its connection on the MM?
How do you confirm that the backbox has the latest flash backup of the Aruba controller?
What does Maintenance with and without collection on EM7 mean?