Aruba Instant & Cloud Wi-Fi

New Contributor
Posts: 4
Registered: ‎11-16-2016

IAPs and traffic on separate subnets or VLAN

If this is a repeat I apologize but I couldn't find anything.  

 

I have a multi-building school campus with IAP-215s throughout for wireless, and HP/ARUBA 2920s and an 8200ZL core for wired.  Right now, the WIRED LAN has 10 subnets/VLANs. Due to connection requirements the wireless TRAFFIC / CLIENTS and the wired traffic for each building must be on the same subnet.  However, I believe that I need the IAPs themselves to all be on the same subnet so that they can see each other and be managed as one network.

 

I will admit to being somewhat of a newbie at a lot of this so my conclusions may be suspect, but I would think that the key is to have the IAP itself be on one subnet, and have the client traffic dump onto the default subnet for the edge switch of that building.  Some notes in the help section of the web interface (pic included) seem to imply that is possible but I am at a loss of how to make it happen.  Right now I have ten WLANs and trying to manage them as individual entities is a mess.

MVP
Posts: 930
Registered: ‎04-13-2009

Re: IAPs and traffic on separate subnets or VLAN

Hi,

 

You need to configure a trunk port on your switch with the native VLAN being the VLAN which your APs will reside in. Then tag the VLANs which are for your wireless clients.

 

Here's a useful post: http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/trunk-port-IAP/td-p/146796

 

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
New Contributor
Posts: 4
Registered: ‎11-16-2016

Re: IAPs and traffic on separate subnets or VLAN

Correct me if I am wrong, but does that mean statically configuring ONLY the ports with IAPs plugged into them on all the 2920s (about 20 switches) to accept untagged traffic and place it on a new wireless VLAN, say 100. Then configuring the same ports to place TAGGED traffic on the appropriate VLAN (the default for the building)?  Remember, I need to be able to plug in a device at the wall and have the DHCP server hand out an IP in the correct subnet for that building AND I need wireless clients/traffic to be in that SAME subnet.

 

I think I am following, it just means having to manually configure ports for 150 IAPs on the switches and eliminates a lot of flexibility.  IAPs could only be plugged in to a preconfigured port.  I guess I was hoping for a way to tag the IAP and leave traffic on the default.  Then I could apply a config for tagged traffic on any port to go to the new wireless VLAN, and untagged on any port to be in the VLAN for that building.

MVP
Posts: 930
Registered: ‎04-13-2009

Re: IAPs and traffic on separate subnets or VLAN

OK, if you want clients and APs in the same subnet you don't need to trunk the switchports they're patched into. 


Going by what you've written, if you have 10 different subnets on different VLANs you would end up with 10 IAP clusters to manage (if you put APs and clients on the same subnet).

Cheers
James

New Contributor
Posts: 4
Registered: ‎11-16-2016

Re: IAPs and traffic on separate subnets or VLAN

which is the question.....

I DON'T want the APs and clients on the same subnet, I want the IAPs on one subnet / VLAN "campus wide" and all other traffic on the default subnet for that building.

Example...  if: 

High school subnet is 10.2.x.x

Middle school is 10.3.x.x

Elementary is 10.4.x.x

Due to software and connection requirements, I need a teacher in the elementary school to have her computer plugged into the wall get a 10.4.x.x IP address AND I need every iPad and other wireless device she uses in her room to ALSO get a 10.4.x.x IP address from the IAP on her ceiling.  But like you said, if I have the IAP with a 10.4.x.x address, it won't see any other IAPs from the high school or middle school.  So I think I need a way to put just the IAPs themselves on a different VLAN like 10.5.x.x while the traffic goes to 10.4.x.x (or 10.3 or 10.2 depending on building).

 

Does that help with what I am trying to do?  There might be other options but like I said, this level of networking is not my strong point so I have to kind of apply what I know and try to go from there.  

 

I truly appreciate the time and help you're giving.

MVP
Posts: 930
Registered: ‎04-13-2009

Re: IAPs and traffic on separate subnets or VLAN

If you don't want to put users and APs in the same VLAN then you need to trunk the switchport the APs are patched into.

 

I'd recommend reaching out to your local Aruba partner to get help on your design. :)

Cheers
James

MVP
Posts: 706
Registered: ‎12-01-2010

Re: IAPs and traffic on separate subnets or VLAN

Let me try with an example from my own deployment:

 

VLAN1 switch and AP management VLAN 10.1.0.0

VLAN2 Client-type A VLAN 10.2.0.0

VLAN3 Client-type B VLAN 10.3.0.0

VLAN4 Client-type C VLAN 10.4.0.0

 

All switches and APs are configured to have management IP addresses in VLAN 1 (the default VLAN)

Wired clients are connected to Access Ports in the appropriate VLAN

SSID "type-A" will put wireless users in VLAN 2

SSID "type-B" will put wireless users in VLAN 3

SSID "type-C" will put wireless users in VLAN 4

 

A switch-port configured for an AP will be a trunk port with default VLAN set to 1 (or not set, since 1 is the default) - the AP will get an IP address from DHCP on VLAN 1, clients will be dropped off on the switch with tagged packets for the above assigned VLAN.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
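
The trunk-port layout described in the post above can be checked across many switches with a short script. This is an added example, not part of the original thread: the config excerpt is constructed in HP/Aruba 2920 style, ports 23-24 are assumed to be the AP ports, and only numeric port names are handled.

```python
# Constructed running-config excerpt (VLAN plan from the post above).
# Ports 23-24 are the assumed AP ports; port 24 lacks its VLAN 4 tag.
SAMPLE_CONFIG = """\
vlan 1
   name "MGMT"
   untagged 23-24
   exit
vlan 2
   untagged 1-10
   tagged 23-24
   exit
vlan 3
   untagged 11-20
   tagged 23-24
   exit
vlan 4
   untagged 21-22
   tagged 23
   exit
"""

def expand_ports(spec):
    """Expand a numeric port list such as '1-10,23' into a set of ints."""
    ranges = (part.partition("-") for part in spec.split(","))
    return {p for lo, _, hi in ranges for p in range(int(lo), int(hi or lo) + 1)}

def parse_vlans(config):
    """Return {vlan_id: {'untagged': set_of_ports, 'tagged': set_of_ports}}."""
    vlans, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "vlan" and words[1].isdigit():
            current = vlans.setdefault(int(words[1]), {"untagged": set(), "tagged": set()})
        elif words == ["exit"]:
            current = None
        elif current is not None and len(words) == 2 and words[0] in current:
            current[words[0]] |= expand_ports(words[1])
    return vlans

def audit_ap_ports(config, ap_ports, mgmt_vlan, client_vlans):
    """Return (port, vlan, problem) for AP ports that break the trunk design."""
    vlans, empty = parse_vlans(config), {"untagged": set(), "tagged": set()}
    problems = []
    for port in sorted(ap_ports):
        if port not in vlans.get(mgmt_vlan, empty)["untagged"]:
            problems.append((port, mgmt_vlan, "not untagged"))
        problems += [(port, vid, "not tagged") for vid in client_vlans
                     if port not in vlans.get(vid, empty)["tagged"]]
    return problems
```

Calling `audit_ap_ports(SAMPLE_CONFIG, {23, 24}, 1, [2, 3, 4])` reports the one AP port whose clients on SSID "type-C" would have nowhere to land.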
New Contributor
Posts: 4
Registered: ‎11-16-2016

Re: IAPs and traffic on separate subnets or VLAN

Matthew,

I think that's close, but I am actually looking more for the opposite. Subnets are set geographically with separate buildings getting different subnets. So the goal is:

VLAN 10 - Building 1 wired traffic and wireless CLIENT traffic 10.10.0.0

VLAN 20 - Building 2 wired traffic and wireless CLIENT traffic 10.20.0.0

VLAN 30 - Building 3 wired traffic and wireless CLIENT traffic 10.30.0.0

VLAN 50 - AP management for all three buildings so that the IAPs can see each other and be managed as a single network - 10.50.0.0.

 

I can dive into the reasons for this if needed but will hold off for space.

 

This is where I get things close but kind of get out of my depth.

At the edges, the current config for switch 1 has two VLANS:

VLAN 1 - Default VLAN - NO PORTS - Primary VLAN

VLAN 10 - all ports untagged - Default gateway 10.10.1.1 

This is repeated for switch 2:

VLAN 1 - Default VLAN - NO PORTS - Primary VLAN

VLAN 20 - all ports untagged - Default gateway 10.20.1.1

And switch 3 w/ VLAN 30 and 10.30.1.1.  My actual network has a couple of tougher spots, but for the purpose of this, I think they are not worth diving into.  Obviously, they all come back to the core which lists all the VLANs. Why the network engineer set it up that way at the edges, I am not sure though I suppose he had his reasons.

 

In my mind, if I can ADD a VLAN 50 at the three edges and/or (not sure which) the core, and have the AP management on VLAN 50, then the IAPs all see themselves and create one wireless network instead of three, but all SSIDs stay set to default and therefore continue to dump client traffic onto the subnet that is local / default / assigned for that switch.  I just lose out on how to make that happen.

MVP
Posts: 706
Registered: ‎12-01-2010

Re: IAPs and traffic on separate subnets or VLAN

You'd either want to set the default VLAN for the port each AP is on to 50, or declare the management VLAN in the iAP VC as 50 (although I've never tried it, that's how I'd expect it to work).

You will need VLAN 50 on each switch with iAP and any switches in between (like the core) whichever way you go - that way all iAP will be able to "see" all the others.

--Matthew
