Secure Wired AOS-CX

Secure Wired AOS-CX Detailed Explanation

1. Access Layer Security

Access layer security is about protecting the first point of entry into the network — usually where users and devices physically plug into switches. If this layer is weak, attackers can gain a foothold easily.

Port-Based Controls

These controls ensure that only authorized users or devices can connect to the network, and that their traffic is properly encrypted and isolated.

802.1X Authentication

802.1X is a network access control protocol that checks a device’s identity before granting access.
It works with ClearPass (RADIUS server) and supports different modes:
- Single-host mode: Only one device per port is allowed.
- Multi-auth mode: Multiple authenticated clients (e.g., VoIP phone + PC) can connect through the same port.
- Multi-domain mode: One authentication for the data device (e.g., PC) and another for the voice device (e.g., IP phone).

MAC Authentication Bypass (MAB)

If a device (like a printer or camera) does not support 802.1X, the switch uses its MAC address for identification.
ClearPass can look up that MAC and assign the appropriate role.

Captive Portal

If neither 802.1X nor MAB works, a web login page is shown to the user.
Common for guest access or temporary devices.

MACsec (802.1AE)

MACsec encrypts Ethernet frames directly between the switch and the endpoint device.
It uses strong encryption like AES-GCM 256-bit, which protects data even if someone physically taps into the cable.
Requires both the endpoint and the switch to support MACsec.

2. User-Based Tunneling (UBT)

User-Based Tunneling is a powerful Aruba feature that brings wireless-style policy control to wired devices.

What is UBT?

Normally, a wired device connects through a local switch, and traffic flows directly into the network.
With UBT, the access switch encapsulates traffic in a tunnel (GRE or IPsec) and sends it to an Aruba 9000 Series Gateway.

Why use UBT?

The gateway applies centralized policies, just like with wireless clients:
- Downloadable roles
- ACLs
- Bandwidth limits
- App-based controls (e.g., block YouTube or Zoom)
This provides consistent security policies for both wired and wireless users.

Example use case:

A contractor plugs into an office port.
The switch uses ClearPass to identify them.
Their traffic is tunneled to the gateway, which limits access to only specific systems and logs all activity.

3. Infrastructure Hardening

Beyond the edge ports, the switches themselves must be protected against failures and attacks.

VSX (Virtual Switching Extension)

VSX is a redundancy and high-availability feature for Aruba AOS-CX core and aggregation switches.
It links two physical switches into a logical pair:
- Both run independently (dual control plane).
- Configuration is synchronized, but each can make its own decisions if the other fails.

Benefits of VSX:

No single point of failure.
Hitless upgrades via In-Service Software Upgrade (ISSU).
Maintains traffic flow even during switch reboot or failure.

uRPF (Unicast Reverse Path Forwarding)

uRPF checks whether the source IP of a packet is reachable via the same interface it arrived on.
This prevents spoofed IP packets, which are often used in DoS or scanning attacks.

CP Limiters (Control Plane Limiters)

Protects the switch’s CPU from being overwhelmed by certain types of traffic:
- ICMP floods
- LLDP storms
- Malicious routing protocol packets

Use case: Someone plugs in a malicious device that floods the network with bogus LLDP packets. CP limiter drops excess packets, keeping the switch responsive.

4. Advanced Policy Objects

Advanced policy objects help the switch make intelligent decisions about how to handle traffic based on identity, application, or risk.

Classifier-Based QoS (Quality of Service)

AOS-CX can classify traffic by:
- Device type (e.g., printer vs. laptop)
- Application type (e.g., Zoom, Teams, BitTorrent)
Once classified, traffic is:
- Prioritized (e.g., voice gets high priority)
- Rate-limited (e.g., guest devices can’t use all bandwidth)

How classification happens:

Using AppRF (Application Recognition Firewall)
Using Deep Packet Inspection (DPI) at the gateway

Policy-Based Routing (PBR)

Instead of following traditional routing rules (based on destination), PBR allows traffic to be routed based on:
- Application type
- User role
- Risk level
You can steer high-risk or unknown traffic to:
- An inline intrusion prevention system (IPS)
- A sandbox for malware analysis
- A logging device for full session inspection

Example: IoT devices are forced through an IPS for extra inspection, while corporate laptops go direct to the internet.

Secure Wired AOS-CX (Additional Content)

1. User-Based Tunneling (UBT) – Configuration Snapshot

User-Based Tunneling (UBT) enables per-user traffic tunneling from the access switch to a central Aruba gateway, where advanced security policies are enforced.

Key Benefits:

Centralized policy control
Consistent enforcement across wired and wireless users
Enhanced role-based segmentation

Example Configuration (AOS-CX):

(config)# user-based-tunnel
(config-user-tunnel)# gateway-ip 10.0.0.1
(config-user-tunnel)# mode gre
(config)# interface 1/1/10
(interface)# user-based-tunnel

This sets up UBT for port 1/1/10, tunneling user traffic to the specified gateway IP using GRE. Role-based policy enforcement occurs at the gateway.

2. Policy-Based Routing (PBR) – CLI Example

PBR allows you to route traffic based on identity, application, or risk score, not just the destination IP.

Use Case:

Redirect traffic from untrusted IoT devices to a monitoring system.

Sample Configuration:

(config)# class ipv4 IOT-CLASS
(config-class)# match ip source 192.168.10.0/24
(config)# policy ipv4 IOT-PBR
(config-policy)# class IOT-CLASS action next-hop 10.0.0.100
(config)# interface vlan 20
(interface-vlan)# service-policy IOT-PBR in

Here, traffic from subnet 192.168.10.0/24 is rerouted via a next-hop security appliance.

3. DHCP Snooping and DAI in Wired Networks

Although often associated with Wi-Fi security, DHCP Snooping and Dynamic ARP Inspection (DAI) are equally critical for wired access layer protection.

DHCP Snooping

Prevents rogue DHCP servers from issuing malicious IP configurations
Marks trusted ports (e.g., uplinks) and blocks untrusted DHCP offers

(config)# dhcp-snooping
(config)# vlan 10
(config)# dhcp-snooping vlan 10
(config)# interface 1/1/1
(config-if)# dhcp-snooping trust

Dynamic ARP Inspection (DAI)

Blocks ARP spoofing by validating ARP replies against DHCP bindings

(config)# arp inspection vlan 10
(config)# interface 1/1/2
(config-if)# arp inspection trust

These two features, when combined, prevent Man-in-the-Middle (MITM) attacks and IP spoofing in enterprise wired networks.

4. Downloadable Roles over 802.1X (dRole)

A Downloadable Role (dRole) is a dynamic policy profile sent by ClearPass to an AOS-CX switch after successful 802.1X authentication.

What it includes:

VLAN assignment
ACL policies
QoS settings
Bandwidth limits
Tunneling or quarantine behaviors

Aruba Workflow:

Device authenticates via 802.1X
ClearPass evaluates identity, posture, and context
ClearPass responds with a dRole
The AOS-CX switch enforces this role locally (or tunnels via UBT)

CLI Reference (for verification):

show port-access client detail

This shows the assigned role, VLAN, and authentication method for the connected client.

Why it matters:

This model brings Aruba's wireless-grade identity-based security to the wired access layer, allowing unified policy control across the network fabric.

Summary

Feature	Purpose/Benefit	Aruba Implementation Example
UBT CLI Example	Shows how to tunnel user traffic to a gateway	`user-based-tunnel`, `gateway-ip`
PBR CLI Example	Shows traffic steering based on source IP or device role	`policy`, `class`, `next-hop`
DHCP Snooping + DAI	Blocks rogue DHCP/ARP spoofing on wired ports	`dhcp-snooping`, `arp inspection`
dRole over 802.1X	Dynamic access control based on identity and posture	ClearPass + `show port-access`

Shopping cart

Subtotal:

HPE7-A02 Secure Wired AOS-CX

Detailed list of HPE7-A02 knowledge points