Occasional Contributor II
Posts: 11
Registered: ‎03-11-2010

VLAN tagging on bridge mode remote AP

Hello,

I've set up the Aruba wireless network where the controller is installed at the data centre and all the APs in branch offices connect as remote APs through the MPLS network.
Currently only the Employee SSID is in use on all remote APs, with the same VAP profile, which is in bridge mode with no VLAN tagging.
The Employee SSID works perfectly when the APs are installed in different VLANs.

But we need to add a bridge mode Guest SSID which will use the same VLAN 100 in all places.

How can I implement two SSIDs, one tagged to VLAN 100 and the other with no tagging, in bridge mode for this scenario?
So that the Employee SSID will remain the same for all branch offices.


Please see the diagram attached for reference.

thanks & regards
Ye Lynn
Guru Elite
Posts: 21,001
Registered: ‎03-29-2007

AP System-Profile VLAN

Yelynntun,

The Native VLAN id in the AP system profile of that AP-group determines if bridged traffic is tagged or not. For example, if you want to put guests in VLAN 100, you would create a bridged Virtual AP (VAP) with VLAN 100 for guests and you would just make sure that the Native VLAN id in the AP System Profile is NOT 100. As long as the Native VLAN ID in the AP system profile is different from the bridged users' VLAN, the traffic will be tagged. Below is a table that someone created for me to understand this:

(In these examples the Trunk Native VLAN = 1)

=====================================================================================================================================
AP Uplink Port & VLAN | AP system-profile VLAN | Bridge VAP VLAN | Bridge wireless user gets IP in VLAN
=====================================================================================================================================
Access port & 1       | 10                     | 10              | 1
Trunk port & 1        | 10                     | 10              | 1 (AP does not tag since AP system & B-VAP VLANs are same)
Trunk port & 1        | 200                    | 10              | 10 (Now tags with VLAN 10)
Trunk port & 1        | 200                    | 2               | 2 (As in above case, AP tags with VLAN 2 and bridge users get VLAN 2)
=====================================================================================================================================



I hope this helps.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
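
The rule in the table above, as an added example (not part of the original thread and not Aruba's code): a small Python model that returns the wired VLAN a bridged client lands in and flags SSIDs that end up sharing a VLAN, which is the segmentation failure to check for before adding a Guest SSID. Function and parameter names are hypothetical, and the outcome for a tagged frame on an access port is an assumption the table does not cover.

```python
# Added example: models the tagging rule from the table above (not Aruba code).
from typing import Optional

def bridged_user_vlan(uplink: str, uplink_native_vlan: int,
                      ap_native_vlan: int, vap_vlan: int) -> Optional[int]:
    """VLAN a bridge-mode wireless user lands in on the wired side.

    uplink: "access" or "trunk" (switch port the AP is plugged into).
    uplink_native_vlan: access VLAN, or native VLAN of the trunk.
    ap_native_vlan: Native VLAN id in the AP system profile.
    vap_vlan: VLAN configured on the bridged Virtual AP.
    """
    if uplink not in ("access", "trunk"):
        raise ValueError("uplink must be 'access' or 'trunk'")
    if vap_vlan == ap_native_vlan:
        # AP sends the frame untagged; the switch port decides the VLAN.
        return uplink_native_vlan
    if uplink == "trunk":
        # AP tags with the VAP VLAN and the trunk carries it.
        return vap_vlan
    # Assumption (not in the table): an access port does not carry tagged
    # frames, so the client gets no usable VLAN.
    return None

def audit_ap_group(uplink, uplink_native_vlan, ap_native_vlan, vaps):
    """Return (ssid, vlan, finding) for each bridged VAP in an AP group.

    vaps: dict of SSID name -> configured VAP VLAN.
    """
    results = {s: bridged_user_vlan(uplink, uplink_native_vlan, ap_native_vlan, v)
               for s, v in vaps.items()}
    report = []
    for ssid, vlan in results.items():
        shared = sorted(o for o, ov in results.items()
                        if o != ssid and ov == vlan and vlan is not None)
        if vlan is None:
            finding = "tagged on access port: no connectivity"
        elif shared:
            finding = "shares wired VLAN with " + ", ".join(shared)
        else:
            finding = "isolated"
        report.append((ssid, vlan, finding))
    return report

# Constructed scenario from the thread: Employee untagged, Guest tagged in 100.
SITE = audit_ap_group("trunk", 1, 10, {"Employee": 10, "Guest": 100})
```
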

Occasional Contributor II
Posts: 11
Registered: ‎03-11-2010

Re: VLAN tagging on bridge mode remote AP

Thank you cjoseph,
Appreciate your kind reply, it really helps me to understand Aruba wireless more.

Is it possible to leave the native VLAN blank in the AP-group?
I just wanna use only one VAP-profile (Employee-ssid) in different VLANs with a trunk port to the AP.
Employee-ssid will also be used in bridge mode since all the APs are connected to a remote controller.

Any better idea and advice for this scenario?

regards
Ye Lynn
Contributor II
Posts: 52
Registered: ‎11-11-2009

Re: VLAN tagging on bridge mode remote AP

So if I understand it, in remote bridge mode you can have multiple SSIDs with different VLAN tagging, and the tag will be applied only if the VLAN ID doesn't match the native VLAN ID, and the network traffic will be tagged with the VLAN ID of the bridge SSID. Is that correct?

Regards
Guru Elite
Posts: 21,001
Registered: ‎03-29-2007

Blank


Thank you cjoseph,
Appreciate your kind reply, it really helps me to understand Aruba wireless more.

Is it possible to leave the native VLAN blank in the AP-group?
I just wanna use only one VAP-profile (Employee-ssid) in different VLANs with a trunk port to the AP.
Employee-ssid will also be used in bridge mode since all the APs are connected to a remote controller.

Any better idea and advice for this scenario?

regards
Ye Lynn




You cannot leave it blank. You could just make it a number like 4093.


Colin Joseph
Aruba Customer Engineering


Guru Elite
Posts: 21,001
Registered: ‎03-29-2007

Correct


So if I understand it, in remote bridge mode you can have multiple SSIDs with different VLAN tagging, and the tag will be applied only if the VLAN ID doesn't match the native VLAN ID, and the network traffic will be tagged with the VLAN ID of the bridge SSID. Is that correct?

Regards




That is correct.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: ‎04-27-2010

Re: VLAN tagging on bridge mode remote AP

That's been very useful for me too.
Thanks a lot!

Ale
Occasional Contributor II
Posts: 11
Registered: ‎03-11-2010

Re: VLAN tagging on bridge mode remote AP

Hello All,

I've set up the Employee and Guest SSIDs in different VLANs successfully.

But I'm facing an issue with RADIUS authentication.

Currently the Employee SSID authenticates to the IAS server with MSCHAPv2 and PEAP.
We have only one IAS RADIUS server and would also like to use it for the guest SSID with 802.1X.
Is there any way to configure guest-aaa-servergroup to use PAP to authenticate with IAS? We can't deploy captive portal since the guest VLAN doesn't have a route to the controller.

appreciate your kind help
Ye Lynn
Frequent Contributor I
Posts: 108
Registered: ‎09-26-2008

Re: VLAN tagging on bridge mode remote AP

Just some ideas to share.

In IAS, we are able to set policies based on user profiles.
We can set employee and guest policies accordingly.

In this way, employees and guests are able to connect accordingly, returning user-specific profiles (employee VLAN or guest VLAN, access controls...) for the individual employees and guests.

MSCHAPv2 and PAP may not be the key issue in this case.

Michael
Occasional Contributor I
Posts: 9
Registered: ‎11-02-2011

Multiple SSID on single RAP

Hi all,
I want to install a RAP in a branch office, and it's talking to the controller through the MPLS WAN. I want to deploy two different WLANs (SSIDs).

The problem is that users are only getting IPs for the SSID which has its "Vlan" the same as the "Native Vlan" in the AP system profile VLAN, and the range they are using is the range that the RAP is getting from the local DHCP according to its access port VLAN. That is, let's say: native VLAN is 111, VAP VLAN is 111, access port of RAP is VLAN 10, then users are getting IPs from the pool of VLAN 10.

The option that I've done now is creating two different profiles, and installing two RAPs on site, each one of them supporting a different SSID with different IP ranges.
Any ideas how I can broadcast multiple SSIDs on the same RAP?