Configuring User-Based Tunneling for AOS-CX

User-based tunneling (UBT) uses GRE (Generic Routing Encapsulation, an IP encapsulation protocol used to transport packets over a network) to tunnel ingress traffic on a switch interface to a gateway for further processing. User-based tunneling enables a switch to provide a centralized security policy, using per-user authentication and access control to ensure consistent access and permissions.

User-based tunneling is supported on the following switches:

  • AOS-CX 6300 F and M switch series
  • AOS-CX 6400 switch series

Before provisioning a user-based tunnel, the following prerequisites must be met:

  • All devices are Day 0 provisioned.
  • The underlay network is connected and reachability is established.
  • All devices in the underlay and the topology are clearly identified.

To configure a user-based tunnel, complete the following steps:

  1. In the Network Operations app, select one of the following options:
    • To select a switch group in the filter:
      1. Set the filter to a group.

        The dashboard context for the group is displayed.

      2. Under Manage, click Devices > Switches.
      3. Click the AOS-CX or Config icon to view the switch configuration dashboard.
    • To select a switch in the filter:
      1. Set the filter to Global or a group containing at least one switch.
      2. Under Manage, click Devices > Switches.

        A list of switches is displayed in the List view.

      3. Click an AOS-CX switch under Device Name.

        The dashboard context for the switch is displayed.

      4. Under Manage, click Device.

        The AOS-CX UI configuration page is displayed.

  2. Click Security > Dynamic Segmentation to view the switch configuration dashboard.
  3. Toggle the User based tunneling switch to the on position.

    The toggle switch is disabled by default. Enabling this toggle shows a warning message on how to configure the user-based tunnel.

  4. Enter the Primary controller IP address and Backup controller IP address. Make sure that the primary and backup IP addresses are different.
  5. Enter the VLAN (Virtual Local Area Network) ID under Client VLAN only when you select the Reserved option.
  6. In the Source interface drop-down, select Add new source interface.

    The Edit Source Interface window is displayed. Configure the following parameters.

    If a user-based tunnel source interface is already added in the Source Interface page, it will appear in the drop-down. For more information about source interface, see Configuring Source Interface for AOS-CX.

    New source interface

    Table 1: New Source Interface Parameters

    Name: Interface
    Description: The interface or the service name. By default, only User-based tunneling is selected in the Dynamic Segmentation page.
    Value: User-based tunneling

    Name: Port/LAG (LAG: Link Aggregation Group. A LAG combines a number of physical ports to make a single high-bandwidth data path; LAGs can connect two switches to provide a higher-bandwidth connection to a public network.)
    Description: Type of interface you want to configure. This field name applies only at the group level; at the device level, the field name is Port/LAG/VLAN/Address.
    Value:
      • At the group level: Port or LAG
      • At the device level: Port, LAG, VLAN, or Address

    Name: Port name
    Description: Port number for the source interface. Applicable when you select Port in the Port/LAG drop-down at the group level or in the Port/LAG/VLAN/Address drop-down at the device level.
    Value: Select a port from the drop-down.
    NOTE:
      • At the group level: only the ports that have routing enabled at the group level are available in this drop-down.
      • At the device level: only the ports that have routing enabled and an IP address configured at the device level are listed in this drop-down.

    Name: LAG name
    Description: LAG name for the source interface. Applicable when you select LAG in the Port/LAG drop-down at the group level or in the Port/LAG/VLAN/Address drop-down at the device level.
    Value: Select a LAG from the drop-down.
    NOTE:
      • At the group level: only the LAGs that have routing enabled at the group level are available in this drop-down.
      • At the device level: only the LAGs that have routing enabled and an IP address configured at the device level are listed in this drop-down.

    Name: VLAN ID
    Description: VLAN ID for the source interface.
    NOTE:
      • Available only at the device level.
      • Applicable when you select VLAN in the Port/LAG/VLAN/Address drop-down at the device level.
    Value: Select a VLAN from the drop-down.

    Name: Address
    Description: IP address for the source interface.
    NOTE:
      • Available only at the device level.
      • Applicable when you select Address in the Port/LAG/VLAN/Address drop-down at the device level.
    Value: IPv4 address

    Name: VRF (Virtual Routing and Forwarding)
    Description: The VRF to be used for communicating with the DNS (Domain Name System) and NTP (Network Time Protocol) servers.
    Value: Default

  7. Click Save.
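The following is an added example, not code from the Aruba documentation or from AOS-CX itself. It ties together two points above: the opening paragraph's statement that UBT carries client traffic to the gateway inside GRE, and step 4's requirement that the primary and backup controller addresses differ. It validates a UBT configuration the way the UI does (distinct, usable IPv4 controller and source-interface addresses), then parses the outer IPv4 and GRE headers of a tunnel packet and checks that the tunnel endpoints are the configured switch source interface and one of the configured controllers. All addresses, the configuration dictionary, and the sample packet are constructed placeholders; the GRE field layout follows RFC 2784/2890, and the 0x6558 protocol type is the standard value for transparent Ethernet bridging, which is an assumption about the payload type rather than something the page states.

```python
"""Added example (not from the Aruba page): UBT configuration checks and a
GRE header parser for verifying tunnel endpoints. All values constructed."""
import ipaddress
import struct

# Constructed UBT configuration with placeholder addresses (not a real site).
UBT_CONFIG = {
    "source_interface": "10.10.1.5",    # switch source-interface IPv4 address
    "primary_controller": "10.20.0.1",  # primary gateway/controller address
    "backup_controller": "10.20.0.2",   # backup gateway/controller address
}

GRE_PROTOCOL = 47          # IP protocol number for GRE
PTYPE_TRANSPARENT_ETH = 0x6558  # GRE protocol type: transparent Ethernet bridging


def validate_ubt_config(cfg):
    """Return a list of problems with the configuration; an empty list means OK."""
    problems = []
    addrs = {name: ipaddress.ip_address(cfg[name])
             for name in ("primary_controller", "backup_controller", "source_interface")}
    # Step 4 of the procedure: primary and backup addresses must differ.
    if addrs["primary_controller"] == addrs["backup_controller"]:
        problems.append("primary and backup controller addresses must differ")
    for name, addr in addrs.items():
        if addr.version != 4:
            problems.append(f"{name} must be an IPv4 address")
        elif addr.is_multicast or addr.is_loopback or addr.is_unspecified:
            problems.append(f"{name} {addr} is not a usable unicast address")
    return problems


def parse_gre_packet(raw):
    """Parse an outer IPv4 header followed by a GRE header (RFC 2784/2890 fields)."""
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    if proto != GRE_PROTOCOL:
        raise ValueError(f"IP protocol {proto} is not GRE")
    ihl = (ver_ihl & 0x0F) * 4           # header length in bytes (options included)
    gre = raw[ihl:]
    if len(gre) < 4:
        raise ValueError("too short for a GRE header")
    flags_ver, ptype = struct.unpack("!HH", gre[:4])
    info = {
        "outer_src": str(ipaddress.IPv4Address(src)),
        "outer_dst": str(ipaddress.IPv4Address(dst)),
        "checksum_present": bool(flags_ver & 0x8000),
        "key_present": bool(flags_ver & 0x2000),
        "sequence_present": bool(flags_ver & 0x1000),
        "gre_version": flags_ver & 0x0007,
        "protocol_type": ptype,
    }
    offset = 4
    if info["checksum_present"]:
        offset += 4                        # checksum (2 bytes) + reserved1 (2 bytes)
    if info["key_present"]:
        info["key"] = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if info["sequence_present"]:
        info["sequence"] = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    info["payload"] = gre[offset:]         # the encapsulated client frame
    return info


def tunnel_endpoints_expected(info, cfg):
    """True only when the outer addresses are the configured source interface and a
    configured controller, in either direction; anything else is an unexpected tunnel."""
    controllers = {cfg["primary_controller"], cfg["backup_controller"]}
    src_if = cfg["source_interface"]
    s, d = info["outer_src"], info["outer_dst"]
    return (s == src_if and d in controllers) or (d == src_if and s in controllers)


def build_sample_packet(src, dst, key=None, payload=b"\x00" * 14):
    """Construct an outer IPv4 + GRE packet for the parser (IP checksum left zero)."""
    flags = 0x2000 if key is not None else 0
    gre = struct.pack("!HH", flags, PTYPE_TRANSPARENT_ETH)
    if key is not None:
        gre += struct.pack("!I", key)
    gre += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, GRE_PROTOCOL, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + gre


if __name__ == "__main__":
    print("config problems:", validate_ubt_config(UBT_CONFIG))
    pkt = build_sample_packet("10.10.1.5", "10.20.0.1", key=0x1234)
    parsed = parse_gre_packet(pkt)
    print("endpoints expected:", tunnel_endpoints_expected(parsed, UBT_CONFIG))
```

Run against a capture taken on the switch uplink, the endpoint check gives a quick way to confirm that tunneled client traffic is going only to the primary or backup controller entered in step 4; GRE carries no authentication of its own, so the controller addresses and the VRF chosen in the source-interface table are the boundary that keeps the tunnel on the intended path.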