Simplifying User-Based Tunneling with Reserved VLAN

Prior to 16.08, an authenticated client was assigned to the VLAN provided by the applied user role profile (configured locally or downloadable). A User-Based Tunnel was then established between the switch and the controller, and the client's traffic was tunneled to the controller, provided that the client VLAN imposed by the user role profile had previously been created on both the switch and the controller. If it had not, User-Based Tunneling failed for that client.

This created overhead for network administrators, who had to configure every possible client VLAN on each access switch and on the controller so that client traffic could be tunneled and segregated properly. Since all client traffic was tunneled to the controller, and the controller segregated the traffic based on its own configured policy (the secondary user role), maintaining multiple VLANs for the various categories of clients added no value.

ArubaOS-Switch 16.08 allows the creation of a reserved VLAN through which all tunneled traffic is carried to the controller, which simplifies the deployment of User-Based Tunneling. A fixed (reserved) VLAN is configured under the tunneled profile; it is assigned to all tunneled clients, and the same VLAN is used when tunneling client traffic to the controller. With a reserved VLAN in use, the VLANs referenced by user roles do not need to be preconfigured on the switch before client authentication is initiated. When a reserved VLAN is configured and does not already exist on the switch, it is created automatically, and traffic from all tunneled clients on the switch passes through it. By adding a single line to the tunneled-node configuration, existing deployments can migrate to Reserved VLAN mode without changing any other configuration.

Differences between User-Based Tunnels with and without Reserved VLAN:

| User-Based Tunnels without Reserved VLAN | User-Based Tunnels with Reserved VLAN |
|---|---|
| Tunnel VLANs must be statically configured on all switches. | Tunnel VLANs need not be statically configured on all switches. |
| The user role must have the VLAN attribute configured. | The user role need not have the VLAN attribute configured. |
| Multicast traffic is replicated on the switch. | Multicast traffic is replicated on the controller. |
| VLANs must be synchronized between the switch and the controller. | VLANs need not be synchronized between the switch and the controller. |
Operating Notes:
  • The reserved VLAN is used exclusively by the User-Based Tunneling feature. Deleting this VLAN is not allowed outside of the tunneled profile configuration.

  • The VLANs imposed by the user role after successful client authentication are ignored; the reserved VLAN is used for on-boarding the tunneled clients.

  • The controller segregates tunneled client traffic based on the assigned secondary role, and unicasts multicast/broadcast traffic to individual clients through the UAC tunnel.

  • SAC multicast tunnels are no longer used in reserved VLAN mode.

  • The reserved VLAN configuration on the controller is optional.

  • The default VLAN cannot be configured as a reserved VLAN.

  • Migrating from Port-Based Tunneling to User-Based Tunneling requires disabling and then re-enabling tunneling.

  • The user role for tunneled clients is not allowed to contain untagged and tagged VLANs, as a user role for non-tunneled clients can.
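The following switch-side configuration fragment is an added illustration of the difference described above (pre-16.08 style versus Reserved VLAN mode); it is not taken from the original page or from any Aruba document. The controller address, VLAN IDs and role names are constructed, and the command syntax (`tunneled-node-server`, `mode role-based reserved-vlan`, `aaa authorization user-role`, `tunneled-node-server-redirect secondary-role`) is written from the 16.x CLI as the author of this example recalls it and should be checked against the Access Security Guide for the running release.

```text
; --- Without Reserved VLAN (pre-16.08 style) ---
; Every client VLAN a user role can impose must already exist on this switch
; AND on the controller, or tunneling fails for clients assigned to it.
vlan 100
   name "employee-tunneled"
   exit
vlan 200
   name "contractor-tunneled"
   exit
aaa authorization user-role name "employee"
   vlan-id 100
   tunneled-node-server-redirect secondary-role "employee-ctrl"
   exit
aaa authorization user-role name "contractor"
   vlan-id 200
   tunneled-node-server-redirect secondary-role "contractor-ctrl"
   exit
tunneled-node-server
   controller-ip 10.10.10.5          ; constructed controller address
   mode role-based
   exit

; --- With Reserved VLAN (16.08 and later) ---
; No vlan-id is needed in the roles: any VLAN they impose is ignored and every
; tunneled client is on-boarded in the reserved VLAN. VLAN 4000 is created
; automatically if it is absent, so no "vlan 100/200" blocks are required.
; The reserved VLAN must not be the default VLAN (see Operating Notes).
aaa authorization user-role name "employee"
   tunneled-node-server-redirect secondary-role "employee-ctrl"
   exit
aaa authorization user-role name "contractor"
   tunneled-node-server-redirect secondary-role "contractor-ctrl"
   exit
tunneled-node-server
   controller-ip 10.10.10.5          ; constructed controller address
   mode role-based reserved-vlan 4000   ; the single added line for migration
   exit
```

Segregation between the employee and contractor clients is now enforced entirely by the secondary roles on the controller, so the two blocks should be reviewed together: removing the per-role VLANs from the switch only preserves isolation if the controller-side secondary-role policy actually separates the two groups. After applying the second block, `show tunneled-node-server` and `show vlan 4000` can be used to confirm that the profile is active and that the reserved VLAN was created.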