Aruba Central Modeler

Multi-Site Design

AOS10 ArchitectureTemplate Group
Solutions Document
Downloads:CSV Template (with samples)CSV Blank TemplateCLI Config Template (.tmpl)
Sites3
Total APs192
Switch Stacks30
Stack Members63
Site Collectors6

Design Decisions

  • Single Group -- One template group ("Greenfield-Global") manages all APs and CX switches across 3 sites for uniform configuration and firmware compliance.
  • AOS10 Architecture -- All devices operate in AOS10 mode with cloud-managed APs and CX switches. No local controllers required.
  • Template Mode -- CX switches use CLI templates for consistent VLAN, spanning-tree, and PoE configuration. AP SSID/RF profiles are centrally managed through the group.
  • VSF Stacking -- Each floor has a primary CX 6300-M VSF stack (3-4 members) for high-density PoE access plus a standalone CX 6200 for overflow/edge coverage.
  • Per-Device Variables -- VLAN IPs, helpers, hostnames, and service addresses are defined as %VARIABLE% placeholders in CLI templates and resolved per switch via Central's variable store or bulk CSV upload -- one template stays compliant across all devices.
  • Stack-Aware Templates -- %SWITCH_ROLE% and %MEMBER_COUNT% drive template selection. When MEMBER_COUNT > 1, indexed member variables (%MEMBERn_PRIORITY%, %MEMBERn_SERIAL%, VSF links) and multi-member port-group ranges are activated via %if% conditional blocks. Standalone switches skip stack sections entirely.
  • AP Role Segmentation -- Four AP roles with purpose-built radio profiles: internal (general office), conference (high-density with 20 MHz channels and airtime limits), external (outdoor with sector antennas, no DFS), and air monitors (WIDS/WIPS full-time scanning). Each role maps to a dedicated AP group in Central with appropriate SSIDs, VLANs, and RF tuning.
  • Zero-Touch Provisioning -- All switches are pre-provisioned by serial number in Central before hardware ships. On first boot, devices auto-redirect via Aruba Activate, firmware-upgrade if needed, and receive their resolved CLI template config with no on-site IT.
  • Site Collectors -- Each site has a primary + secondary collector (VM-based) for local data aggregation, ensuring telemetry resilience if WAN connectivity is interrupted.

Architecture Design Diagram

Hover over any element to highlight. The hierarchy flows from Aruba Central Cloud through a single template group to 3 sites, each with dual site collectors, a 2-member aggregation VSF HA pair, 4 access-layer switch roles (data, AP, MDT, garage), and per-floor infrastructure with APs and CX stacks.

Group Configuration

AOS10
Group NameGreenfield-Global
Group Modetemplate
Wireless PersonalityAPs
Wired PersonalityCX switches

Device Types Managed

APsCX Switches

Assigned Sites

HQ-EastBranch-CentralBranch-West

Switch Templates

CX6300-Access-Stack-TemplateCX6200-Access-Standalone-Template

WLAN Profiles

Corp-WPA3-EnterpriseGuest-Captive-Portal

User Roles

EmployeeGuestIoTVoIP

Central Hierarchy

Aruba Central (Cloud)
Group: Greenfield-GlobalSingle GroupAOS10 / template
CLI Template: CX-Greenfield-Unified.tmpl5 roles via %SWITCH_ROLE% | Stack via %MEMBER_COUNT%
%SWITCH_ROLE% == aggagg2-member HA | OSPF+VRRP+STP Root
%SWITCH_ROLE% == datadata3-4 member VSF | Access ports
%SWITCH_ROLE% == AP_switchAP_switch3 member VSF | PoE AP trunks
%SWITCH_ROLE% == MDTMDTStandalone | BMS/BAS trunks
%SWITCH_ROLE% == garage_switchgarage_switchStandalone | Hardened PoE
AP Groups4 role-based RF profiles
Internal/Office (AP-635)40/80MHz | Balanced power
Conference (AP-635)20MHz | Low power | BSS Color
Outdoor (AP-587)High power | No DFS
Air Monitor (AP-615)WIDS/WIPS | Full scan
Site: HQ-EastUS/Eastern
SC-HQ-East-01primary / VM
SC-HQ-East-02secondary / VM
HQ-East - Main Building
Floor 116 APs, 2 switch groups
Floor 212 APs, 2 switch groups
Floor 312 APs, 2 switch groups
Floor 412 APs, 2 switch groups
Floor 512 APs, 2 switch groups
Site: Branch-CentralUS/Central
SC-Branch-Central-01primary / VM
SC-Branch-Central-02secondary / VM
Branch-Central - Main Building
Floor 116 APs, 2 switch groups
Floor 212 APs, 2 switch groups
Floor 312 APs, 2 switch groups
Floor 412 APs, 2 switch groups
Floor 512 APs, 2 switch groups
Site: Branch-WestUS/Pacific
SC-Branch-West-01primary / VM
SC-Branch-West-02secondary / VM
Branch-West - Main Building
Floor 116 APs, 2 switch groups
Floor 212 APs, 2 switch groups
Floor 312 APs, 2 switch groups
Floor 412 APs, 2 switch groups
Floor 512 APs, 2 switch groups

VLAN Design

VLAN IDNameDescriptionSubnet Template
10ManagementNetwork device management10.x.10.0/24
20Employee-DataWired employee endpoints10.x.20.0/24
30Employee-VoiceVoIP traffic10.x.30.0/24
40Wireless-CorpCorporate SSID clients10.x.40.0/24
50Wireless-GuestGuest SSID clients10.x.50.0/24
60IoTIoT devices and sensors10.x.60.0/24
99Native-VLANNative/default VLANN/A

Subnet template uses 10.x.Y.0/24 where x = site identifier (1=HQ-East, 2=Branch-Central, 3=Branch-West)

Per-Device Template Variables

Template variables use the %VARIABLE% syntax inside CLI templates. Each switch gets unique values assigned via Central's per-device variable store or bulk CSV upload, keeping a single template compliant across all sites and floors.

VariableDescriptionScopeVLANHQ-F1-STKBR1-F1-STKBR2-F1-SA
%HOSTNAME%Switch hostnameper-device--HQ-East-F1-Access-StackBranch-Central-F1-Access-StackBranch-West-F1-Standalone
%SITE_NAME%Site identifier for SNMP locationper-site--HQ-EastBranch-CentralBranch-West
%FLOOR%Floor number for labelingper-device--111
%STACK_ID%VSF member ID (stack only)per-device--11N/A
%MGMT_VLAN_IP%VLAN 99 management SVI IPper-device9910.1.99.110.2.99.110.3.99.2
%MGMT_VLAN_MASK%VLAN 99 subnet maskper-device99255.255.255.0255.255.255.0255.255.255.0
%DATA_VLAN_IP%VLAN 20 employee data SVIper-device2010.1.20.110.2.20.110.3.20.2
%DATA_VLAN_MASK%VLAN 20 subnet maskper-device20255.255.255.0255.255.255.0255.255.255.0
%DATA_VLAN_HELPER%VLAN 20 DHCP helper addressper-site2010.1.1.1010.2.1.1010.3.1.10
%VOICE_VLAN_IP%VLAN 30 voice SVIper-device3010.1.30.110.2.30.110.3.30.2
%VOICE_VLAN_MASK%VLAN 30 subnet maskper-device30255.255.255.0255.255.255.0255.255.255.0
%VOICE_VLAN_HELPER%VLAN 30 DHCP helper addressper-site3010.1.1.1010.2.1.1010.3.1.10
%WCORP_VLAN_IP%VLAN 40 wireless corp SVIper-device4010.1.40.110.2.40.110.3.40.2
%WCORP_VLAN_MASK%VLAN 40 subnet maskper-device40255.255.255.0255.255.255.0255.255.255.0
%WCORP_VLAN_HELPER%VLAN 40 DHCP helper addressper-site4010.1.1.1010.2.1.1010.3.1.10
%GUEST_VLAN_IP%VLAN 50 guest SVIper-device5010.1.50.110.2.50.110.3.50.2
%GUEST_VLAN_MASK%VLAN 50 subnet maskper-device50255.255.255.0255.255.255.0255.255.255.0
%IOT_VLAN_IP%VLAN 60 IoT SVIper-device6010.1.60.110.2.60.110.3.60.2
%IOT_VLAN_MASK%VLAN 60 subnet maskper-device60255.255.255.0255.255.255.0255.255.255.0
%NTP_SERVER%NTP server addressper-site--10.1.1.510.2.1.510.3.1.5
%SYSLOG_SERVER%Syslog destinationper-site--10.1.1.1510.2.1.1510.3.1.15

Stack-Aware Template Logic

Templates use 5 roles: agg, data, MDT, AP_switch, garage_switch. %MEMBER_COUNT% determines stack vs. standalone (agg is always 2-member HA pair). Universal config (DNS, NTP, SNMP, TACACS, syslog) applies to all roles. Role-specific port profiles define interface behavior per role.

Template Resolution Pipeline

%SWITCH_ROLE%Axis 1: Role
%MEMBER_COUNT%Axis 2: Stack
%if% ConditionalsFilter blocks
%VARIABLE% ResolveCSV values
Running ConfigPushed to device
Role selects port-config blocksCount includes/skips VSF blocksOne template, many outputs
RoleMembersTemplate FileDescriptionActive Sections
agg= 2 (always)CX-Agg-Stack.tmplVSF 2-member HA pair with L3 SVIs, trunk ports to all downstream access roles, VRRP, OSPF, STP root priority. MEMBER_COUNT is always 2 for agg.
universal_configvsf_member_configvsf_link_configtrunk_port_groupsrouting_ospfvrrp_configstp_root
data> 1 (stack)CX-Data-Stack.tmplVSF stack with access ports, per-member port groups, loop protect, uplink LAG
universal_configvsf_member_configvsf_link_configaccess_port_configuplink_lagloop_protect
data= 1 (standalone)CX-Data-Standalone.tmplSingle data switch with access ports, loop protect
universal_configaccess_port_configuplink_lagloop_protect
MDT> 1 (stack)CX-MDT-Stack.tmplVSF stack with trunk ports for building systems
universal_configvsf_member_configvsf_link_configtrunk_port_groupsuplink_lag
MDT= 1 (standalone)CX-MDT-Standalone.tmplSingle MDT switch with trunk ports for BMS/BAS
universal_configtrunk_port_groupsuplink_lag
AP_switch> 1 (stack)CX-APSwitch-Stack.tmplVSF stack with PoE budget, AP port profiles (trunk allowed VLANs), LLDP-MED for AP discovery
universal_configvsf_member_configvsf_link_configap_port_profilepoe_configuplink_lag
AP_switch= 1 (standalone)CX-APSwitch-Standalone.tmplSingle AP switch with PoE, AP trunk profiles, LLDP-MED
universal_configap_port_profilepoe_configuplink_lag
garage_switch> 1 (stack)CX-Garage-Stack.tmplVSF stack with hardened access ports, limited VLANs, extended PoE for outdoor cameras
universal_configvsf_member_configvsf_link_configaccess_port_configpoe_configuplink_lagloop_protect
garage_switch= 1 (standalone)CX-Garage-Standalone.tmplSingle garage switch with hardened ports, extended PoE, limited VLANs
universal_configaccess_port_configpoe_configuplink_lagloop_protect

AP Roles & Radio Profiles

Four AP roles with purpose-built radio profiles: Internal / General Office, Conference Room / High-Density, External / Outdoor, Air Monitor (WIDS/WIPS). Each role gets a dedicated AP group in Central with appropriate SSIDs, VLAN assignments, and RF tuning for its deployment scenario.

Central Configuration Path

In Aruba Central: Manage > Devices > Access Points > Configuration. Each AP role maps to a dedicated AP group with its own RF profile, SSID assignment, and VLAN trunk list. APs are assigned to groups either manually by serial or via labels/naming convention. The group determines which SSIDs the AP broadcasts and the radio tuning parameters it uses.

Zero-Touch Provisioning (ZTP) Workflow

Pre-provision by serial, auto-deploy config on first connection

Sequence Overview

Pre-Provision
First Boot
DHCP/DNS
Activate Redirect
Serial Match
FW Upgrade
Config Push
VSF Join
Operational
IT Admin
CX Switch
Aruba Activate
Aruba Central
1

Pre-Provision Inventory

admin

Upload serial numbers via CSV or API before hardware arrives

Each serial is assigned to group (Greenfield-Global), site (HQ-East / Branch-Central / Branch-West), and all per-device variables (%HOSTNAME%, %SWITCH_ROLE%, %MEMBER_COUNT%, VLAN IPs, port-groups). Stack commander serial is used -- secondary members are listed in %MEMBERn_SERIAL% variables.

2

Switch Powers On

switch

CX switch boots with factory default, obtains IP via DHCP

Switch runs ZTP agent on first boot. DHCP server provides IP address, default gateway, and DNS. No console access or manual config required.

3

Aruba Activate Redirect

activate

Switch contacts activate.arubanetworks.com with serial + MAC

Aruba Activate cloud service receives the device identity (serial number, MAC address, model), looks up the Central tenant mapped to that serial via your Activate account, and returns the Central instance URL for redirection.

4

Central Serial Match

central

Central identifies the serial in pre-provisioned inventory

Central matches the incoming serial against the pre-provisioned device list. It resolves: (1) Target group = Greenfield-Global, (2) Target site = assigned site, (3) Target firmware version, (4) All per-device template variables from the variable store.

5

Firmware Upgrade

central

Central pushes target firmware if device version doesn't match

If the factory firmware differs from the group's compliance firmware version, Central auto-upgrades the switch first. The switch reboots on the target version before config push. This ensures template compatibility.

6

Template Resolution & Push

central

CLI template resolved with device variables, pushed to switch

Central selects the correct template based on %SWITCH_ROLE% and %MEMBER_COUNT%, resolves all %VARIABLE% placeholders with device-specific values (VLAN IPs, hostnames, port-groups, VSF config), and pushes the full running configuration to the switch.

7

Switch Operational

switch

Switch applies config, joins site, reports compliant to Central

Switch applies the pushed configuration, brings up all interfaces, VLANs, and services. It registers in Central under its assigned site and shows as 'Config Compliant' in the monitoring dashboard. For VSF stacks, secondary members auto-join via the commander's VSF config.

Site Details

-- 3 sites, 5 floors each

HQ-East

Planned
100 Corporate Drive, New York, NYUS/Eastern / US
64APs
10Switch Groups
21Stack Members

Site Collectors

SC-HQ-East-01
primaryVM
SC-HQ-East-02
secondaryVM

HQ-East - Main Building

Branch-Central

Planned
500 Innovation Blvd, Chicago, ILUS/Central / US
64APs
10Switch Groups
21Stack Members

Site Collectors

SC-Branch-Central-01
primaryVM
SC-Branch-Central-02
secondaryVM

Branch-Central - Main Building

Branch-West

Planned
200 Pacific Ave, San Francisco, CAUS/Pacific / US
64APs
10Switch Groups
21Stack Members

Site Collectors

SC-Branch-West-01
primaryVM
SC-Branch-West-02
secondaryVM

Branch-West - Main Building