Initial Setup of Aruba Virtual Controller
Steps for initial setup of Aruba Virtual Controller
Network Diagram for our Lab Network
Notes:
- 2 Static Routes are created in FortiGate to route 192.168.100.0/24 & 192.168.200.0/24 to Aruba VMC (192.168.1.240)
Provisioning of Aruba VMC
- Download Aruba Virtual Mobility Controller – ArubaOS_VMC_8.6.0.3_74788.ova
- Convert the OVA to OVF and import it to ESXi 6.7 Host with PowerCLI
3 x vCPU, 4GB RAM, 4GB & 6GB HDDs and 2 x vNIC are required for Aruba VMC
Initial Setup of Aruba Virtual Controller
Power on the Aruba VMC and Select Full Setup
Select Switch Role = Standalone and enter the other information, such as System Name, IP Address, Country Code and Time Zone, when prompted. Click Yes to accept the changes and complete the initial setup.
Log in to https://192.168.1.240:4343 with the credentials defined during initial setup
Evaluation Licenses
Request an evaluation license from your local Aruba distributor; you should receive an email with a Certificate ID as below
Dear yong ([email protected])
Please find the details :
________________________________________
Aruba Part Number: EVL-MC-VA-1K-RW
Description : [EVL-MC-VA-1K-RW] Aruba MC-VA-1K (RW) Cntlr 1K AP E-LTU (JY901AAE)
CERTIFICATE ID : IC3z8ZrR-el7cxTxe-xxxxxxxxxxxxxxxxxxxxxxxxxx
________________________________________
If you have any questions or need assistance in the installation of the license please contact: Aruba Support
To activate your licenses, please visit Licensing Portal
Aruba License Management System
Log in to Aruba License Management System and activate the license with the Certificate ID & Passphrase
(ArubaVMC) [mynode] # show license passphrase
MC6E41707-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Select Virtual Mobility Controller, and enter the Passphrase and Certificate ID
Add the license to Aruba VMC using CLI
- The MC-VA-XX license is a sharable license required to terminate APs on a virtual controller
- An AP license is required for each operational LAN-connected, mesh, or remote AP that is advertising at least one BSSID (virtual-AP).
- A PEF license is required for each operational AP using one or more Policy Enforcement Firewall (PEF) features, such as intelligent application identification, policy-based traffic management and controls, or stateful user firewalls.
(ArubaVMC) [mynode] #license add /GDy+uuW-Efxxxxxxxxxxxxxxxxx
The limit for MC-VA-RW has been constrained to the platform limit [10]
(ArubaVMC) [mynode] #license add hJVEcsqc-xxxxxxxxxxxxxxxxxxxxx
The limit for Access Points has been constrained to the platform limit [10]
(ArubaVMC) [mynode] #license add 55ywdiIV-xxxxxxxxxxxxxxxxxxxxxxx
Please make sure to enable the feature bit to have the license take effect.
Convert Aruba 315 to Campus AP
Convert the Aruba IAP to Campus AP with IP Address of controller
a8:bd:27:c1:7b:f8# convert-aos-ap cap 192.168.1.240
a8:bd:27:c1:7b:f8# commit apply
a8:bd:27:c1:7b:f8# reload
Do you really want to reset the system(y/n): y
Verify that the Access Point is listed in Aruba VMC database now
(ArubaVMC) [mynode] #show ap database
AP Database
-----------
Name Group AP Type IP Address Status Flags Switch IP Standby IP
---- ----- ------- ---------- ------ ----- --------- ----------
a8:bd:27:c1:7b:f8 default 315 192.168.1.130 Denied 192.168.1.240 0.0.0.0
Create an AP Group called LAB
(ArubaVMC) [mynode] (config) # ap-group LAB
Whitelist the MAC address of the AP and approve it by associating it with the AP Group
whitelist-db cpsec modify mac-address a8:bd:27:c1:7b:f8 state approved-ready-for-cert mode enable ap-name 315 ap-group LAB
VLAN, IP Interface and DHCP Pool
Create a new VLAN 200 and IP Interface
(ArubaVMC) [mynode] (config) #vlan-name VLAN200
(ArubaVMC) [mynode] (config) #vlan VLAN200 200
(ArubaVMC) ^[mynode] (config) #interface vlan 200
(ArubaVMC) ^[mynode] (config-submode)#ip address 192.168.200.1 255.255.255.0
Create a DHCP Pool for VLAN 200 with smaller subnet
(ArubaVMC) [mynode] (config) #ip dhcp pool vlan_200
(ArubaVMC) ^[mynode] (config-submode)# network 192.168.200.0 255.255.255.240
(ArubaVMC) ^[mynode] (config-submode)# dns-server 1.1.1.1
(ArubaVMC) ^[mynode] (config-submode)# default-router 192.168.200.1
You will get the error message below if you try to create a DHCP pool that takes the total past the 256-address limit, as a /24 does here
(ArubaVMC) ^[mynode] (config-submode)#network 192.168.200.0 255.255.255.0
Failed to add pool vlan_200 which has 254 addresses. Maximum addresses configurable is 256 in the config path.
Currently configured are 29 addresses. You may want to exclude unused address ranges.
DHCP Relay
For DHCP relay, do not create the DHCP Pool in Aruba VMC; configure the DHCP helper on the VLAN interface instead, as below
Configure ArubaVMC port as trunk ports
(ArubaVMC) [mynode] (config) #interface gigabitethernet 0/0/0
(ArubaVMC) ^[mynode] (config-submode)#switchport mode trunk
Configure IP Helper Address in VLAN 200 Interface
(ArubaVMC) ^[mynode] (config) #interface vlan 200
(ArubaVMC) ^[mynode] (config-submode)# ip helper-address 192.168.1.230
AAA Authentication Profile
Create a new AAA Authentication profile
(ArubaVMC) ^[mynode] (config) # aaa authentication dot1x "UAT_dot1x_auth"
(ArubaVMC) ^[mynode] (config) # aaa profile "UAT_aaa_prof"
(ArubaVMC) ^[mynode] (AAA Profile "UAT_aaa_prof") # initial-role "authenticated"
(ArubaVMC) ^[mynode] (AAA Profile "UAT_aaa_prof") # authentication-dot1x "UAT_dot1x_auth"
SSID Profile with WPA3 Authentication
Create a new SSID Profile with WPA3
WPA3 is only supported with tunnel mode
(ArubaVMC) [mynode] #configure terminal
(ArubaVMC) [mynode] (config) #wlan ssid-profile UAT_ssid_prof
(ArubaVMC) ^[mynode] (SSID Profile "UAT") # essid UAT
(ArubaVMC) ^[mynode] (SSID Profile "UAT") #wpa-passphrase a1b2c3d45e
(ArubaVMC) ^[mynode] (SSID Profile "UAT") #opmode wpa3-sae-aes
Virtual AP
Create a new Virtual AP and add it to the AP Group
(ArubaVMC) [mynode] (config) #wlan virtual-ap UAT
(ArubaVMC) ^[mynode] (Virtual AP profile "UAT") # aaa-profile "UAT_aaa_prof"
(ArubaVMC) ^[mynode] (Virtual AP profile "UAT") # vlan 200
(ArubaVMC) ^[mynode] (Virtual AP profile "UAT") # forward-mode tunnel
(ArubaVMC) ^[mynode] (Virtual AP profile "UAT") # ssid-profile "UAT_ssid_prof"
(ArubaVMC) [mynode] (config)# ap-group LAB
(ArubaVMC) [mynode] (AP group "LAB") # virtual-ap "UAT"
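The tunnel-mode requirement noted for the SSID profile can be checked mechanically before a change is committed. The Python below is an added example, not part of the original walkthrough or of Aruba's tooling: it parses a CLI transcript in the style used on this page and reports virtual APs whose SSID profile uses a WPA3 opmode while forward-mode is not tunnel. The UAT_bridge profile is a constructed counter-example, and treating an unset forward-mode as tunnel is an assumption.

```python
# Constructed sample: commands from this page plus one hypothetical
# virtual AP ("UAT_bridge") that breaks the tunnel-mode rule.
TRANSCRIPT = '''
(ArubaVMC) [mynode] (config) #wlan ssid-profile UAT_ssid_prof
(ArubaVMC) ^[mynode] (SSID Profile "UAT") #opmode wpa3-sae-aes
(ArubaVMC) [mynode] (config) #wlan virtual-ap UAT
(ArubaVMC) ^[mynode] (Virtual AP profile "UAT") # forward-mode tunnel
(ArubaVMC) ^[mynode] (Virtual AP profile "UAT") # ssid-profile "UAT_ssid_prof"
(ArubaVMC) [mynode] (config) #wlan virtual-ap UAT_bridge
(ArubaVMC) ^[mynode] (Virtual AP profile "UAT_bridge") # forward-mode bridge
(ArubaVMC) ^[mynode] (Virtual AP profile "UAT_bridge") # ssid-profile "UAT_ssid_prof"
(ArubaVMC) [mynode] (config)# ap-group LAB
(ArubaVMC) [mynode] (AP group "LAB") # virtual-ap "UAT"
'''

# Commands that leave a profile sub-mode (only the ones used on this page).
TOP_LEVEL = ("wlan ", "ap-group ", "interface ", "aaa ", "ip dhcp ", "configure")

def parse(transcript):
    """Return (ssid_profiles, virtual_aps) as dicts of {name: {setting: value}}."""
    ssids, vaps, ctx = {}, {}, None
    for line in transcript.splitlines():
        if "#" not in line:
            continue  # command output or blank line, not a prompt
        cmd = line.split("#", 1)[1].strip()  # drop everything up to the prompt's '#'
        words = [w.strip('"') for w in cmd.split()]
        if cmd.startswith(("wlan ssid-profile ", "wlan virtual-ap ")) and len(words) > 2:
            store = ssids if words[1] == "ssid-profile" else vaps
            ctx = store.setdefault(words[2], {})  # enter that profile's sub-mode
        elif cmd.startswith(TOP_LEVEL):
            ctx = None  # some other configuration context
        elif ctx is not None and len(words) > 1:
            ctx[words[0]] = words[1]  # setting inside the current profile
    return ssids, vaps

def wpa3_not_tunnelled(transcript):
    """List (virtual_ap, opmode, forward_mode) where WPA3 is used outside tunnel mode."""
    ssids, vaps = parse(transcript)
    findings = []
    for name, vap in sorted(vaps.items()):
        opmode = ssids.get(vap.get("ssid-profile"), {}).get("opmode", "")
        # Assumption: a virtual AP with no explicit forward-mode runs in tunnel mode.
        mode = vap.get("forward-mode", "tunnel")
        if opmode.startswith("wpa3") and mode != "tunnel":
            findings.append((name, opmode, mode))
    return findings

if __name__ == "__main__":
    print(wpa3_not_tunnelled(TRANSCRIPT))
```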
Testing with Windows 10 Laptop
Windows 10 is connected to SSID = UAT successfully and obtained 192.168.200.2/24 IP Address
Obtain IP Address from DHCP Server (192.168.1.230) with DHCP Helper Address configured
Obtain IP Address from ArubaVMC