New Contributor

AP Segmentation

My company is currently evaluating Aruba wireless. One scenario that we haven't been able to test yet is our solution for segmenting APs into isolated, non-routable VLANs. A scenario of what we wish to accomplish follows:

VLAN 2 192.168.2.10 (isolated, non-routable)
VLAN 3 192.168.3.10 (isolated, non-routable)
VLAN 4 10.0.4.10, static routes for internal subnets
VLAN 5 no IP assigned
VLAN 6 no IP assigned
VLAN 7 external address with default gateway

APs on VLAN 2 communicate with the controller at 192.168.2.10.
APs on VLAN 3 communicate with the controller at 192.168.3.10.
VLAN 4 is used for management, RADIUS communications, and communications for APs on other internal segments.
VLANs 5 and 6 are used for client connectivity (assigned by RADIUS).
VLAN 7 is used for RAP communications.

Can this be easily accomplished with Aruba gear and what are the potential pitfalls that anyone might see?
Aruba Employee

Re: AP Segmentation

Josh,

No pitfalls that I can see. The APs would need to be able to talk to the switch IP of the controller, which you can set (if you are using 3.4 code). If you set the switch IP to be VLAN2, then APs on VLAN3 would need to be able to reach VLAN2. Also, APs routing through VLAN4 would need to be able to reach VLAN2 (if that is the switch IP).

Everything else is straightforward.

Also, if you are using captive portal, which I doubt you are since you are mentioning RADIUS, you will need an IP address assigned to the controller on VLANs 5 & 6. If you are not using captive portal for user auth, then you don't have to have an L3 interface.
New Contributor

Re: AP Segmentation

I didn't explicitly state it, but the plan would be to have all of the VLANs above configured on our controllers. This is so that the controllers would have an interface to talk to APs on any of these isolated segments. We would be using as many as 4 different VLANs (isolated, non-routable, strictly for APs), and APs will be redundantly configured across 2 controllers each.

Part of the issue is that we don't want VLANs 2 and 3 to cross our router. One reason: we don't want the extra load on the router. Also, why would this traffic need to traverse a router when the controllers already have interfaces on their respective VLANs?
Aruba Employee

Re: AP Segmentation

They won't need to traverse a router, the controller will take care of the inter-vlan routing.

The only two minor things I see are that clients in VLAN 2 and VLAN 3 are going to have to get addresses from the integrated DHCP server on the controllers since, even with forwarding, an external DHCP server won't know how to get back to those VLAN interfaces.

Also, I see that you're interested in doing RAP on the same controllers as campus APs. You won't be able to do this unless you're running beta software.
Occasional Contributor II

Re: AP Segmentation

Hi,

I want to know why the captive portal requires that all VLANs be assigned IP addresses.
Aruba Employee

Re: AP Segmentation

Any VLAN where users are being placed and you expect to use Captive Portal must have an IP address. Reason is, and it's simple if you think about it, you're (the controller) effectively telling the client, instead of sending that port 80 http call to www.google.com, send it to me (the controller) at this IP address on port 8080.

Thus, the client must be able to get to the controller on an IP interface for the dst-nat Captive Portal redirect to happen.
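As an added example (not code from this thread or from Aruba), the rules stated in the replies above can be written down as a design check: every AP VLAN must be able to reach the controller's switch IP, any user VLAN that will use Captive Portal needs a controller IP, and clients in a non-routable VLAN must use the controller's integrated DHCP. The `Vlan` fields, the `role`/`dhcp` labels and the `review_design` function are modelling assumptions of mine; the addresses come from the original question.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Vlan:
    vid: int
    controller_ip: Optional[str] = None  # controller L3 interface in this VLAN, if any
    routable: bool = False               # True if the campus router carries this VLAN
    role: str = "ap"                     # assumed labels: "ap", "client" or "mgmt"
    captive_portal: bool = False         # user VLAN that will use Captive Portal
    dhcp: str = "integrated"             # assumed labels: "integrated" (controller) or "external"

def ap_can_reach_switch_ip(ap_vlan: Vlan, switch_vlan: Vlan) -> bool:
    """An AP reaches the switch IP either because the controller has an L3
    interface in the AP's VLAN (the controller routes between its own VLANs)
    or because both VLANs are carried by the campus router."""
    if ap_vlan.vid == switch_vlan.vid or ap_vlan.controller_ip is not None:
        return True
    return ap_vlan.routable and switch_vlan.routable

def review_design(vlans: List[Vlan], switch_ip_vid: int) -> List[str]:
    """Return a list of findings; an empty list means the design is consistent."""
    switch_vlan = {v.vid: v for v in vlans}[switch_ip_vid]
    findings = []
    if switch_vlan.controller_ip is None:
        findings.append(f"VLAN {switch_ip_vid}: switch IP must be a controller L3 interface")
    for v in vlans:
        if v.role == "ap" and not ap_can_reach_switch_ip(v, switch_vlan):
            findings.append(f"VLAN {v.vid}: APs cannot reach the switch IP in VLAN {switch_ip_vid}")
        if v.captive_portal and v.controller_ip is None:
            findings.append(f"VLAN {v.vid}: Captive Portal needs a controller IP for the dst-nat redirect")
        if v.role == "client" and not v.routable and v.dhcp == "external":
            findings.append(f"VLAN {v.vid}: external DHCP cannot reply into a non-routable VLAN; use the controller's DHCP")
    return findings

# Constructed model of the scenario in the question (switch IP on VLAN 2).
DESIGN = [
    Vlan(2, "192.168.2.10", routable=False, role="ap"),
    Vlan(3, "192.168.3.10", routable=False, role="ap"),
    Vlan(4, "10.0.4.10", routable=True, role="mgmt"),
    Vlan(5, None, routable=True, role="client"),
    Vlan(6, None, routable=True, role="client"),
]
# Constructed: an AP subnet behind the router that only reaches the controller via VLAN 4.
REMOTE_AP_VLAN = Vlan(100, None, routable=True, role="ap")
```

With the switch IP on VLAN 2, the remote AP subnet is flagged because it cannot reach a non-routable VLAN; moving the switch IP to VLAN 4 clears that finding, which is the trade-off the first reply describes.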
Occasional Contributor II

Re: AP Segmentation

Hi bjwhite,

thanks for your reply,

I understood from the post that all VLANs must be assigned an IP for the captive portal to work, whether or not the users that will connect through the captive portal are assigned to that VLAN.

You're definitely right: if I want a user to connect using a captive portal, then the user's VLAN must be assigned an IP, but I can still have another VLAN that isn't assigned an IP on the controller, as long as that VLAN's users don't connect with a captive portal.

thanks for your reply