HPE7-A01 Appendix B
Inter-Switch Link Protocol (ISLP)
(ISLP)runs over the ISL link. When you first configure the VSX pair, ISL synchronizes the switches. Then it periodically synchronizes LACP states, MSTP states, MAC tables, ARP tables, and configuration information (the latter must typically be opted-in by you, the administrator).
Backup designated router (BDR)
A second router set to take over if the designated router fails. See also Designated Router (DR).
Site (Central)
A site refers to a physical location where a set of devices are installed: a campus, branch, building, or venue. In Aruba Central, you use sites as a primary navigation element.
Overlay network
An overlay network is a virtual network that runs on top of a routes physical underlay network.
Active Gateway
Active gateway is a VSX first-hop redundancy protocol that eliminates a single point of failure for default services on an access network. The active gateway feature improves the reliability and performance of the host network by enabling a virtual router to act as the default gateway for that network. Whichever VSX peer receives the traffic will then forward it onwards.
Air monitor (AM)
Also called wireless sensors, AMs are dedicated to scanning for rogue APs or other IDS events. They passively scan layer 2 802.11 frames. As passive devices, they listen for frames, but do not transmit RF and do not service clients. AMs move from channel to channel, listening for threats. They listen on all channels, not just channels that are permitted in the region, including rare ones.
Inter-Switch Link Protocol (ISLP)
A VSX Inter-Switch Link (ISL) is a layer 2 interface between two VSX peer switches. You must configure each VSX switch with an ISL that directly connects to its peer VSX switch. The ISL can consist of a single physical link but Aruba strongly recommends link aggregation with two or more physical links. The ISL interface is a member of all VLANs by default. You can change the ISL membership through the CLI, but you must ensure that any VLAN that is carried on a VSX LAG is also carried on the ISL.
Basic Service Set (BSS)
A basic service set or BSS includes an AP radio and all associated clients in a coverage area. An AP with two or more radios has more than BSS. When you define an SSID, it is assigned a different 48-bit MAC address on each of the AP radios that advertise it. The radio MAC address, known as the BSSID, identifies the BSS.
Role-based auto VLANs
Auto-VLAN enables automatic VLAN creation for the port access clients the VLAN is not configured statically on the switch. In the case of UBT, by default, administrators are required to create VLANs explicitly to onboard the clients for every user. With this feature enabled, clients can be onboarded with the VLAN derived from local user role, downloadable user role, and RADIUS VSA.
bidirectional Forwarding Detection (BFD)
BFD tests the connectivity between two IP addresses in a BFD session. BFD reports this to a protocol, like OSPF, when connectivity is lost. Routers use that information to take appropriate actions, depending on functions tied to BFD. BFD allows protocols to converge must faster than the protocols themselves (in milliseconds).
BUM Traffic
BUM refers to broadcast, multicast and unknown unicast (BUM) traffic.
Captive Portal
Captive portal is commonly used in guest networks to register their access, as well as onboarding employee devices, like a new laptop, or smartphone. Captive portal is web-based and thus only requires a web browser on the user device. Given that web is based on the http protocol, only minimal layer 3 access is needed to perform the captive portal: DHCP, DNS, and restricted HTTP to perform the captive portal process.
RADIUS server group
Companies deploy multiple RADIUS servers to provide redundancy. The servers that you add are automatically added to the global RADIUS server group, which is called radius, and is referred to as the global AAA group. The switch uses this group, by default, for all AAA functions for which have enabled RADIUS. Servers are used in the order they are defined. You might want to use only a subset of servers for a particular task, instead of all the globally defined ones. You can do this by creating specific RADIUS groups.
EAP-Tunneled Layer Security (TLS)
Considered one of the most secure EAP methods, EAP-TLS uses a TLS 1.2 handshake to authenticate the server and supplicant with digital certificates. The Windows native client supports EAP-TLS, as do many other supplicants. Clearpass also supports EAP-TLS. Note that both the supplicant and the authentication server need a certificate from a common certificate authority (CA).
Device Insights
Device Insights is a cloud profiling engine built to recognize endpoint clients (loT, etc.) that connect to wireless and wired networks. Aruba has extended the device recognition engine built for Clearpass Device Insight (CPDI) for use by customers running Aruba infrastructure managed by Aruba Central cloud. Instead of relying on physical collectors used by CPDI, Aruba now utilizes the telemetry data collected directly from Aruba APs, gateways, and switches.
Device-based mode
Device-based mode is used typically with an autonomous AP. The switch authenticates only the AP; and the AP is responsible for applying authentication to the wireless devices. In device-based mode, only one device needs to authenticate to the switch to open up the port.
EVPN-VXLAN
Distributed overlays are an evolution of the traditional campus network design, built using EVPN-VXLAN on highly available underlays. These overlays are tied to a full policy-based micro-segmentation, based on global roles, across the entire network infrastructure. Role-based policies abstract policy from the underlaying network and enable flexible and simplified policy definition and enforcement. This is provisioned by fully automating the overlay that extends layer 2 connectivity over an existing physical network and layer 3 underlay.
Cluster leader
During the cluster creation, the cluster must elect one of the gateways as leader. In the election process, the highest priority value has precedence. IF all the gateways are using the same priority, the next criteria is the platform: the node having the highest capable platform is elected as leader. The last criteria is the MAC address, where the gateway with the highest system MAC address wins the election. The leader has some important responsibilities. The first one is to assign a device designated gateway or DDG to each AOS 10 AP. The DDG is needed to achieve multicast functionality in the WLAN. The second responsibility of a leader is to generate and publish a bucket map for the cluster.
AP Tunnel Agent (ATA)
From the AP CLI, you can check the status of the tunnels between the AP and gateway using the show ata endpoint command.
Group-based policies (GBPs)
GBP allows you to map user roles to GBP IDs. With GBP you can permit or deny traffic between devices connected to the same switch or different switches. The VLAN or subnet of the device doesn't matter, because in a GBP policy you can use a user role to specify source and destination of the packet.
Authenticator
In 802. 1X, the authenticator controls network access. It enforces decisions made by the authentication server, either permitting or denying access. In Aruba networks, the authenticator could be an Aruba AP, an Aruba gateway, or an Aruba switch (older AOS switches as well as the AOS-CX switches).
Extensible Authentication Protocol over LAN (EAPOL or EAP)
In 802.1X, the supplicant and authenticator communicate with EAPOL messages. EAPOL operates at the data link layer and uses EtherType 0x888e.
Group (central)
In Aruba Central, groups are a primary management and configuration element: a container for device management, monitoring, and maintenance. Groups enable you to combine devices with identical configuration requirements and manage these devices efficiently by using either a Ul-based configuration workflow or CLi-based configuration template or editor.
Multi-pre-shared keys (MPSK)
In MPSK mode, multiple keys are used in the same PSK WLAN; therefore, security is enhanced. When the device connects to MPSK WLAN, the key used during authentication process can be used to assign different roles and/or VLANs. You can also integrate MPSK with Clearpass for the authentication function.
Link state database (LSDB)
In OSPF, the LSDB contains a list of every path in the known topology (area), which is also referred to as a topological database or table.
Tarpit containment
In addition to sending de-authentication messages, the AM spoofs probe responses and association responses on a different channel or BSSID from the rogue AP. The idea is to get the clients away from the rogue and connect to the AM instead. Once a client is associated with the AM, it stops trying to reconnect to the rogue AP. This process is called a tarpit.
Auto-group mode
In auto-group mode all gateways that are members of the same Central group will join the gateway cluster.
Auto-site mode
In auto-site mode, the gateways that are assigned to the same group and the same site will automatically form a gateway cluster.
Spectrum monitor (SM)
Like AMs, spectrum monitors (SMs) do not service clients. However, they examine layer 1 RF data, rather than layer 2 like AMs. By sending captured RF data to Aruba Central for spectrum analysis, SMs help companies detect RF noise and interference issues. Such interference could be introduced maliciously, but is usually done so accidentally. Examples of devices that cause RF interference include non-802.11 devices like microwave ovens, baby monitors, video cameras, cordless phones and Bluetooth devices.
EAP-Tunneled EAP (EAP-TEAP)
Like PEAP and EAP-TTLS, EAP-TEAP uses TLS as an outer method to secure tunnel. It then uses an inner method to authenticate the client. Depending on the inner method implemented, the client can authenticate with a username/password or a certificate. EAP-TEAP also supports chaining of multiple authentications, which can be useful when a company wants to ensure that users connect on authorized devices. The client can authenticate with device or machine credentials first, proving the device is authorized. The client obtains a token during this authentication. The client can authenticate with user credentials, including the token from the machine authentication, proving that both the user and device are authorized.
Remote Authentication Dial-In User Service (RADIUS)
RADIUS is an IETF protocol that defines how an authenticator and an authentication server interact with each other. It uses UDP as a transport. RADIUS is commonly used to authenticate and control access to a network.
Route-map
Route-maps are a feature you can use to define policies for your routing protocols. This can include filtering routes when redistribution or assigning properties to routes, like changing the administrative distance or metric, to name a few.
MACsec
Media access control security (MACsec) provides layer 2 security for wired LANs, protecting network communications against a range of attacks including: denial of service, intrusion, man-in-the-middle (MITM) attacks, and eavesdropping (see Figure 10-64). These attacks exploit layer 2 vulnerabilities and often cannot be detected. MACsec appends a header and trailer to all Ethernet frames, and encrypts data payload within the frame. Receiving device checks header and tail for integrity. If the check fails, traffic is dropped. If the check is successful, the frame is decrypted.
Mixed mode
Mixed mode SSIDs enable both bridge and tunnel forwarding modes within a single SSID. Reducing SSIDs on a campus increases WLAN performance by reducing the number of management and beacon frames transmitted. Mixed mode SSIDs, however, only support 802. 1X authentication. If the VLAN exists on the gateway, then the device is tunneled; if it doesn't exist on the gateway, then it is bridged by the AP.
PAPI
PAPI is the communication protocol that Aruba uses to allow APs and switches to communicate to the gateways. PAPI is the protocol that runs the control plane. PAPI runs on UDP 8211. PAPI is IPsec-protected between APs and gateways. You can optionally implement an MD5 HMAC functic protect PAPI between the AOS-CX switches and the gateways.
Policy-based routing (PBR)
PBR lets you manipulate the path of a packet based on various packet attributes. Packets must be destined to a valid subnet on your network. As each router receives an inbound packet, it compares appropriate header and tag information to a classifier that you configure. The router then takes action on this matching traffic based on a policy. Matching traffic with the same destination can be routed over different paths, to improve traffic handling, performance, and/or security for various traffic types.
Class of Service (CoS)
See 802.1p
Network Access Control (NAC)
See AAA
Multi-chassis LAG (MC-LAG)
See VSX LAG
Change of Authorization (CoA)
See dynamic authorization
One-touch provisioning (OTP)
Static Aruba Activate is a one-touch provisioning (OTP) option, used to provision gateways that require static addressing or PPPoE authentication. With OTP, you must use a serial console port or web-browser to supply minimum information to the gateway in order to permit initial communication with Activate and Central.
802.11n
The 802.11 n amendment added High Throughout (HT) speeds, theoretically up to 600Mbps with 300Mbps being typical. It accomplished these speeds by increasing the channel width, using advanced 64-Quadrature Amplitude Modulation (QAM), and techniques like Multiple Input/Multiple output (MIMO).
EAP-Tunneled TLS (TTLS)
TTLS and PEAP function in similar ways. Both methods involve a two-phase authentication process. In the first phase, the outer method creates a secure tunnel using TLS. The authentication server then initiates a second authentication method, called the inner method, inside the secure TLS tunnel. PEAP and EAP-TTLS can use several different options for the inner method.
Network analytics engine (NAE)
The NAE engine is integrated with the AOS-CX system configuration and time series databases. This enables you to examine historical trends and predict future problems due to scale, security, and performance bottlenecks. With that information, you can create software modules that automatically detect issues, take appropriate actions, and reduce the time spent on manual tasks. NAE uses python-based agents to automate network monitor and troubleshoot functions.
Authentication server
The authentication server directs the authenticator and ultimately takes responsibility for access control decisions. Clearpass is an example of an authentication server.
Client IP address tracking
The client track ip command enables client IP address tracking on the AOS-CX switch. With this feature enabled you will see wired client IP addresses in Aruba Central. The default is disabled on global and VLAN levels. You can enable client IP address tracking globally and at the VLAN level.
Overlay Tunnel Orchestrator (OTO)
The communication between an AP and gateway uses an IPsec tunnel to protect the control plane traffic (PAPI). The creation of this tunnel is orchestrated. This means that the AP and the gateway establish a communication channel with the OTO service in Central. The OTO service internally negotiates IPsec Phase 1, which implies that this phase does not run directly between the Aruba AP and gateway anymore. Once Phase 1 is completed, the OTO service shares the key material, tunnel specifications and instructs the AP and gateway to run IPsec Phase 2 between each other.
Supplicant
The supplicant is the 802.1x component that runs on the endpoint, which is attempting to connect to the network.
Key management service
The key management service facilitates fast roaming for networks that us 802.11r and OKC (see Figure 5-12). This service dynamically provides list of neighbor APs (target APs) for each AP-client association; in other words, it dynamically manages the mobility domain. The neighbor AP list provided by the AirMatch service via Aruba Central; a maximum of 128 APs are allowed in the list. The criteria for a neighboring AP is that the loss should be less than 150dBm.
ESP campus policy layer
The policy layer uses overlay technologies and traffic filtering to isolate user and application traffic. You can tunnel data traffic back to a gateway cluster for centralized enforcement or let the local switch fabric handle it - policy enforcement at every node in the network. ESP decouples the policies from IP addressing, for powerful, scalable policy management.
Stub area
To eliminate external routes and advertisements from an OSPF area, define the area as a stub area. ABRs for stub areas do not forward Type 4 or Type 5 LSAs into those areas, and internal routers in those areas do not generate or accept them. You must define the stub setting on every OSPF router in the area: ABs and internal routers.
Rogue APs
Unauthorized APs that are connected to the LAN are called rogue APs. If a rogue AP or interfering AP have the same SSID as your authorized APs, IDS/IPS also calls them honeypot APs.
Role
An Aruba user role is a collection or group of settings that can de assigned to a switch port: a VLAN identifier, PoE priority, QoS trust mode (DSCP and 802. 1p prioritizations), security policy, bandwidth restrictions (rate limiting), custom captive (web) portal page, and etcetera. These settings are typically dynamically assigned to the user's connection based on their authentication, device profiling information, type of connection, location, and/or many other things.
Multi-domain authentication
Multi-domain authentication allows a combination of voice data clients to be authenticated on a port. When the port is in multi-domain mode, only one voice device is allowed on the port while the data device limit is configurable.
802.1p
One of the fields inside the 802.1Q header is used to do QoS tagging, as defined in the 802.1p standard. This is a 3-bit field, and so supports 8 priority values: 0-7. These fields are called the class of service (CoS) bits. if you use the 802.p user priority field that is a part of the 802.1Q standard, you are said to be using CoS masking.
Group persona (Central)
The group persona defines the type of devices and features that are available and managed by the group. Creating personas for devices helps you to customize configuration workflows, automate parts of configurations, and see the default configuration and relevant settings for the device. It also helps you to customize the monitoring screens and troubleshoot workflows appropriate for the device.
Autonomous system border router
The router that redistributes external routes is referred to as an ASBR because it communicates routing information between the OSPF AS and other routing processes. A redistributed route becomes an external OSPF route, sometimes referred to as an AS external route.
dynamic segmentation
User-based tunneling (UBT) is a centralized overlay that allows you to tunnel specified user traffic to a gateway cluster to enforce policy using services such as firewalling, deep packet inspection (DPI), application visibility, and bandwidth control. UBT selectively tunnels traffic based on a user or device role.
802.11ax
802.11 ax is the latest standard and operates on both 5 GHz and 2.4 GHz frequencies, with a maximum data rate of 4.8 Gbps. The big news here is a technique called Multi-User MIMO, enabling multiple transmitters at the same time. This early version of 802 ax has also been referred to as Wi-Fi 6.
802.11ac
802.11ac only operates in the 5Ghz frequency with theoretical rates up to 6.93 Gbps. It accomplishes this by using Very High Throughput (VHT ) methods, with higher channel width and more complex modulation techniques . 802.11ac has sometimes been referred WiFi 5.
802.1x
802.1X, an IEEE standard for network access control (NAC), enables the network infrastructure to authenticate and authorize endpoints for network access. 802.1X requires users to authenticate as soon as layer 2 connection is established. In a wired network, 802.1x takes effect as soon as the Ethernet connection comes up. In a wireless network, it takes effect after the initial 802.11 association. Users connection is established. Authenticating the network side involves validating the networks certificate. The user side can be authenticated with usernames and passwords or digital certificates.
RADIUS Access-Accept message
A RADIUS Access-Accept message is sent by the RADIUS serv is allowed to access the network. This means that the authenti was successful and that the RADIUS policy permits network a‹ message can optionally contain authorization attributes that restricts the supplicant's access, like applying an Aruba user VLAN, for example, that should be applied to the supplicant's access.
Designated router (DR) and backup designated router (BDR)
A client/server design is implemented in OSPF on each broadcast segment. For each multiaccess broadcast segment, such as Ethernet, there is a designated router (DR) and a backup designated router (BDR) as well as other OSPF routers, called DROTHERs (designated router other). In a broadcast environment, all routing updates are sent to the DR, who, in turn, disseminates this information to the other routers in the segment.
Authentication, Authorization, Accounting (AAA)
A common network access control (NAC) solution is based around AAA services running on an authentication server. It provides authentication (validating a device or person's identify), authorization (assigning policies for the user/device access), and accounting (a record of what occurred) services.
Extended service set (ESS)
A group of APs and radios advertising the same BSSID.
Three-tier campus LAN
A three-tier campus LAN contains access, aggregation, and core layers.
AP1X
AP1X allows an Aruba AP to authenticate (acting as a supplicant) via 802.1X to an authenticator (switch port). PEAP and EAP-TLS are supported.
Hybrid mode APs
APs are primarily responsible for serving WLAN clients. However, they can operate in hybrid mode and devote some of their time to detecting and mitigating threats as well. Hybrid mode APs go off channel every 10 seconds to scan one channel for about 100 milliseconds (ms). If they are serving clients, the APs back off the scans. Hybrid mode APs can typically sweep the regulatory channels and detect all wireless devices in the area within five to six minutes. Hybrid mode APs are capable of containing wireless devices that IDS/IPS has determined pose a risk, but only on their own channel and in a best effort manner. The hybrid mode APs also support spectrum analysis to help maintain RF health. Hybrid mode operation is the default.
RADIUS Access-Reject message
After receiving this message, the network device (authenticator) will not allow the client to access the network.
Artificial Intelligence Operations (AlOps)
AlOps, part of Aruba Central, helps you to identify network, security and application performance issues before they affect users. It eliminates many manual troubleshooting tasks, and provides optimization tips as your deployment grows and changes.
Alias
Aliases are a method of simplifying the filtering process with firewall policies. Network aliases can be used for the source or destination address(es) of an access control rule; they represent one or more networks or host addresses. Service aliases represent a service or application based on IP protocol or TCP or UDP port list.
BSSID
All BSSIDs are based on the AP's 2.4, 5, and/or 6 GHz radio "base MAC addresses). So the first SSID you define on AP1 might end with aa: aa:aa. The next SSID you define on that AP might end with aa:aa:ab, the next ends with aa:aa:ac, and so on.
Air Pass
Aruba Air Pass™M enables Wi-Fi enabled devices with SIM credentials from major cellular network operators to automatically connect to enterprise networks. This improves the in-building cellular experience because Wi-Fi is automatically offloaded onto the enterprise network. Using Air Pass, users can send and receive Wi-Fi calls and text messages, and the Wi-Fi network can deliver high-speed data offload.
ESP campus services layer
Aruba Central provides a cloud management and services delivery platform for the end-to-end Aruba ESP solution.
Edge Services Platform (ESP)
Aruba ESP is a cloud-native architecture that automates, unifies, and protects your systems. With Aruba ESP you get onboarding, provisioning, orchestration, security, analytics, location tracking, and management.
NetConductor
Aruba NetConductor is a cloud-based solution that can automate and simplify many processes and tasks related to the EVPN-VXLAN fabric, cluding GBP.
devHub
Aruba devHub is a place where you can learn how to integrate with Aruba products. Here you can find tutorials, documentation, and curated learning content to start a project. You can take your knowledge to the next level and build automated workflows and applications using Aruba products documentation and API guides.
AirGroup
Aruba's AirGroup is a unique enterprise-class capability that leverages zero-configuration networking and allows devices to communicate over complex access network topologies. AirGroup supports Bonjour and DNA services on Apple and Android (and Windows) devices, respectively. Apple devices constantly send mDNS packets to locate Bonjour services. Similarly, Android and Windows devices constantly send SSDP packets to locate DLNA services. AirGroup allows administrators to set policy-based discovery and enables client devices to be location-aware. Zero-configuration networking enables service discovery, address assignment, and name resolution for desktop computers, mobile devices, and network services.
AirMatch
Aruba's AirMatch provides automated dynamic RF optimization to improve the wireless user experience by providing a stable network that dynamically adapts to the changing RF conditions. AirMatch, which runs now in the Aruba Central cloud, is a centralized RF planning and optimization service. It models the network as a whole and devises a channel and power plan for the RF environment. This service receives telemetry data from APs, including radio measurements, channel range, EIRP range, operational conditions, and local RF events (like radar detection or high noise). AirMatch processes the RF information and generates an RF solution that specifies new channel, bandwidth, EIRP, and mode of operation for every radio. AirMatch also minimizes channel coupling, where adjacent radios are assigned to the same channel.
Client-based mode
Client-based mode is recommended for scenarios in which you want the switch port itself to authenticate and control multiple clients connected to a single port, where different roles can be applied to the different devices.
ClientMatch
ClientMatch is an Aruba patented technology that provides client load balancing across radio bands and AP radios. ClientMatch helps to influence sticky clients to connect to the best radio. When clients associate to the WLAN, their wireless NIC's firmware determines which radio, and on which AP, the client will connect. ClientMatch is a feature that matches a client to the most appropriate AP and frequency in the area. When APs see a probe request from a user, they all report that to Aruba Central. Aruba Central then looks at a lot of criteria to determine which AP and radio would be best and this is shared with the original AP that received the probe. The AP will then redirect the user to the more appropriate radio, assuming that the most appropriate radio is not itself. This is best done if the client supports IEEE 802. 1 1v, which allows for this interaction between the client and the AP, which any client product sold today should support. ClientMatch thus load balances clients and if a client tries to connect to a less preferred frequency, like 2.4 GHz, the client can be redirected to a 5 GHz or 6 GHz radio.
DiffServ
Differentiated Services DiffServ), defined in FC 2474, supersedes a legacy IP QoS protocol called Type of Service (ToS). In DiffServ, the first bits of the eight-bit To field define 64 DiffServ code points (DSCPs). Instead of only defining priority relative to each other, the 64 DSCP values are a intended to define distinct forwarding behaviors, or per-hop behaviors (PHBs).
Ethernet VPN (EVPN)
EVPN is a BGP-driven control plane for overlays that provides virtual connectivity between different layer 2/3 domains over an IP or MPLS network.
Area Border Router (ABR)
Each OSPF ABR router must have at least one interface in area 0, and at least one interface in some other area. Each ABR maintains one LSDB per connected area. The Type 1/2 routes are summarized into Type 3 LSAs, and injected into the other areas. They do not automatically summarize th routing tables themselves -you have to configure the summarization yourself.
Split-brain
If the ISL between the two VSX switches is down, both VSX switches are still active, but the switches cannot exchange information, which causes the switches to become out of sync. This situation is called a split brain, and it occurs if the keepalive function is not enabled.
Link Layer Discovery Protocol (LLDP
LLDP is a vendor-neutral, open standard link layer protocol (layer 2 protocol). It is used by network devices to advertise their identity and capabilities over a wired Ethernet connection. This protocol enables you to discover and document network device interconnections.
MAC caching
MAC caching combines a MAC authentication request and a captive portal request. The user device is authenticated using captive portal initially; subsequent authentications can be performed with MAC-auth. This is useful for devices that go to sleep and then wake up.
LLDP media endpoint discovery (LLDP-MED)
MED is an enhancement of LLDP known as LLDP-MED. LLDP-MED provides auto-discovery of LAN policies such as the voice VLAN ID, and the layer 2 priority and differentiated services for quality of service (QoS), as well as many other types of information.
Differentiated Services Code Point (DSCP)
Many service providers needed more classifications than what was originally provided by IP Precedence, so a new standard was created (Differential Services) for the To field, utilizing 6 bits. If using this standard you are said to be using Differentiated Services Code Point (DSCP) markings.
Link state advertisements (LSAs)
OSPF routers use link state advertisements (LSAs) to communicate with each other. One type of LSA is a hello, which is used to form neighbor relationships and as a keep-alive function. Each LSA includes information that describes the portion of the network that a router announces. LSAs are collected to make up the LSDB, which represents the topology of the network.
Quality of service (QoS)
QoS enables networks to provide better or special service to a set of users and/or applications, perhaps to the detriment of other users and /or applications. With QoS, you are trying to make the best possible use of available bandwidth.
ESP campus connectivity layer
The connectivity layer is implemented on Aruba CX Ethernet switches. You get low latency and high bandwidth on a fault-tolerant platform designed to carry campus traffic from the access layer to the core. Wireless connectivity is over industry-leading APs. You can tunnel traffic to centralized controllers or for bridge locally at the AP.
Controlled port
The controlled port is typically only enabled upon successful authentication. After authentication, the controlled port can accept all types of traffic, but you can control this with locally-defined access lists or centrally defined policy (like using dynamic segmentation). Both sides of the connection control the port based on their assessment of the authentication state. In other words, no unauthorized traffic flows across the link.
Bucket map
The gateway leader generates and publishes a bucket map for the cluster. This is a simple table which is first shared to the gateways and then to the APs or switches (dynamic segmentation). When an endpoint is connected to the WLAN, the AP uses the bucket map to select a gateway from cluster to tunnel endpoint's traffic. The selected gateway is known as the user designated gateway (UDG).
Manual cluster
The manual cluster configuration is a gateway cluster deployment mode. This mode allows you to enable Microbranch A termination and RADIUS change of authorization (CoA) redundancy.
Automatic cluster mode
Unlike AOS 8, where you had to perform multiple configuration steps on your Mobility Conductor to establish a cluster, using AOS 10 and Aruba Central, the automatic cluster option is enabled by default, and the auto group mode is selected. If you wish to use the auto site mode, the system will display a warning message indicating that the existed cluster will be dismantled.
Bridge mode
WLAN bridge mode provides an easy solution when tunneled traffic is not needed and advanced gateway features are not required. In this mode, wireless traffic is bridged directly from the AP into the wired infrastructure. The access switch ports for the APs are trunked to provide SSID-to-VLAN connectivity. The AP handles the packet encryption, user authentication, and policy enforcement functions.
Server-derived roles
When a server returns an Aruba VSA with the RADIUS reply, the Aruba AP or switch places the user in the specified role and/or VLAN that was sent. When the server returns a RADIUS attribute, you must configure the Aruba AP to look for this attribute. If you use an Aruba Clearpass server, the Aruba AP-to-Clearpass communication is automatic. The AP sends a RADIUS request with the Aruba VSAs.
Device designated gateway (DDG)
When connecting to a gateway cluster, the DDG is needed to achieve multicast functionality in the WLAN. The cluster leader assigns the DDG and S-DDG (standby) for the AP in a round-robin fashion based on the current AP load on all gateways in the cluster.
MAC authentication (MAC-auth)
With MAC authentication, the network access device (NAD) validates an endpoint MAC address against a list of valid MAC addresses. Endpoint MAC addresses are burned in ROM at the factory, but are copied to RAM during bootup; and this is the MAC address an endpoint adds to Ethernet or 802.11 Wi-Fi frames. This means it is relatively easy for bad actors to change or "spoof" their MAC address to gain unauthorized access.