Per-user tunneled node

Aruba per-user tunneled node (PUTN) is similar to the MAS equivalent per-port tunneled node where all ingress traffic is tunneled through a specified switch port to a controller. Aruba PUTN gives ArubaOS-Switch the ability to tunnel traffic per client through Generic Routing Encapsulation (GRE) from an interface on a switch (tunneled-node-port) to an Aruba controller (tunneled-node-server).

Once PUTN is enabled, the Aruba controller provides centralized security policy, authentication, and access control. The decision to tunnel client traffic is based on the user role: a user role whose authorizations permit it redirects the client's traffic to the Aruba controller when the PUTN status is UP. When the authentication subsystem (DCA) includes a secondary role in the user-role authorizations, that secondary role is passed to PUTN and applied to the client's traffic on the controller.

PUTN, combined with CPPM/LMA policies, can be used to indicate per client whether that client's traffic is tunneled to a controller or forwarded locally.

For example, when a PC and a phone are deployed on the network, the administrator can use PUTN to route the PC traffic through additional security on the controller while allowing the VoIP traffic to move freely through the wired network.

NOTE:

The current release has a limitation with respect to jumbo frames. When jumbo frames are enabled on the uplink tunneled-node-server VLAN, multicast traffic destined for the switch's tunneled users is dropped, because the controller multicast tunnels are programmed with an MTU limit of 1500.

Flow

  • Authenticate the user.

  • Apply the user role to the authenticated user.

  • Redirect the user's traffic to the controller.

  • Apply the secondary user role to the user's traffic on the controller.

Limitations

  • 1,024 users with redirect policy per switch (or stack).

  • 32 users supported per port.

  • Tunneled and nontunneled users are not allowed to belong to the same VLAN.

  • Tunneled node is not supported on port-channel.

Tunneled node server prerequisites

Commands necessary to configure a tunneled node server on a tunneled node ArubaOS-Switch:

  • switch(config)# tunneled-node-server

  • switch(tunneled-node-server)# controller-ip <IP-ADDR>

  • Optional: switch(tunneled-node-server)# backup-controller-ip <IP-ADDR>

  • Optional: switch(tunneled-node-server)# keepalive interval <Integer>

  • switch(tunneled-node-server)# mode role-based

  • switch(tunneled-node-server)# enable
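The prerequisite commands above, together with the role steps in the Flow section, as one switch-side configuration. This is an added example, not configuration from this page or from the ArubaOS-Switch guide: the controller addresses, the keepalive value, the VLAN number and the role names are assumptions, and the user-role sub-commands (aaa authorization user-role name, tunneled-node-server-redirect secondary-role, vlan-id, aaa authorization user-role enable) and the show tunneled-node-server command come from the ArubaOS-Switch user-role context as I recall it, not from this page.

```text
; Added example, not from the ArubaOS-Switch guide. Addresses, VLAN, role
; names and the keepalive value are assumptions.
;
; 1. Tunneled-node-server: the controller that terminates the GRE tunnels.
tunneled-node-server
   controller-ip 10.0.10.5
   backup-controller-ip 10.0.10.6
   keepalive interval 10
   mode role-based
   enable
   exit
;
; 2. Roles. "pc-redirect" tunnels the client to the controller and names the
;    secondary role the controller applies to that traffic; "voip-local" keeps
;    the phone on the wired network. Tunneled and nontunneled users may not
;    share a VLAN, so the local role is pinned to its own VLAN (assumed 50).
aaa authorization user-role name "pc-redirect"
   tunneled-node-server-redirect secondary-role "pc-controller-role"
   exit
aaa authorization user-role name "voip-local"
   vlan-id 50
   exit
aaa authorization user-role enable
;
; 3. The authentication server (CPPM) returns one of these role names per
;    client; port authentication on the access ports is assumed to be
;    configured already.
;
; 4. Redirection only happens while the PUTN status is UP, so check the
;    tunnel state before expecting client traffic on the controller.
show tunneled-node-server
```

Two checks worth running alongside this: keep jumbo frames off the uplink tunneled-node-server VLAN (the note above explains why multicast to tunneled users is otherwise dropped), and make sure no role that forwards locally uses the same VLAN as a redirected role.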

These commands are available in detail in the ArubaOS-Switch Configuration Guide at http://support.arubanetworks.com/.

NOTE:

Per-port tunneled-node encapsulates incoming packets from end-hosts in GRE packets and forwards them to an Aruba Mobility Controller to be processed further. The Aruba Mobility Controller, upon receiving the GRE packets, strips the GRE header and further processes the packet for additional purposes such as authentication, stateful firewall, and others.

Cluster mode

If the controller is in cluster mode, see the Mobility Master configuration and managed controller information in the ArubaOS-Switch User Guide at http://support.arubanetworks.com/.

NOTE:

PUTN works with a standalone controller or with an Aruba 8.x controller cluster.