Question: How do I set up a remote mesh portal?
Product and Software: This article applies to all Aruba controllers that run ArubaOS 5.0 and later. This article does not apply to the remote mesh portal in ArubaOS 3.3.2.19-FIPS.
Supported APs
As a remote mesh portal (RMP):
AP-60/61, AP-65, AP-70, AP-85, AP-105, AP-12x, RAP-5WN
Not supported: RAP-2WG
As a remote mesh point or mesh point (MP):
AP-60/61, AP-65, AP-70, AP-85, AP-105, AP-12x
Not supported: RAP-2WG, RAP-5WN
This article provides the procedure to set up a remote mesh portal or remote mesh point (RMP/MP) in ArubaOS 5.0. For full description of this feature, refer to the ArubaOS 5.0 Release Notes.
Prerequisites
· Licenses:
o PEF (NG) license is highly recommended.
o AP License (for MMC based controllers 6xx,3xxx, M3). In the new licensing model under ArubaOS 5.0, only one type of AP license is available and the campus APs and remote APs (RAPs) use it. Details are out of the scope of this article.
· The controller must already be configured to be a RAP controller. Out-of-box, the following needs to be configured for a RAP controller:
o IP address pool
o VPN pre-share key (if a non cert based RAP/RMP is used)
· Control Plane Security (CPSec) is introduced in ArubaOS 5.0 and is enabled by default. Make sure that all APs (other than RAP-5WN) are configured in the Campus AP Whitelist before you proceed.
· VAP and wired ap profile must be set up.
Supported Deployment Scenario
A remote mesh portal (RMP) also acts as a normal RAP. Basic RAP functionalities are not covered in this article. However, these functionalities DO NOT extend to an MP. A remote mesh point (MP) is a mesh point connected to a RMP, and it is provisioned the same way as a mesh point. The terms remote mesh point and mesh point are therefore synonymous and will be used interchangeably. An MP acts more like a campus AP rather than a remote AP. Therefore, functionalities supported on an MP (in this release) are very limited. On the MP, the only forwarding mode that is supported is 'tunnel' for wireless and wired clients. That means that all traffic terminating on an MP must be tunneled back to the controller. Therefore, a pair of RMPs/MPs cannot be used as a LAN bridge.
Set-up Guide
This section provides information to configure an RMP, which assumes that the controller is already set up to terminate RAP. For details on how to set up controllers and APs in remote networks, refer to Remote Network Solution for Fixed Telecommuters - Aruba Validated Reference Design, version 3.3.
Config Highlights
· A special VLAN (MPV) needs to be set up on the controller with DHCP enabled. MPs get IP addresses from this subnet. This subnet should not be used for user data.
· A dummy VAP in split-tunnel forwarding mode must be set up on the remote mesh portal. This VAP is used to carry control traffic between a MP to the controller. This VAP does not present on the MP. The VLAN ID of this VAP is the mesh portal VLAN (MPV).
· Ensure that the VAP is active on at least one of the radios on the RMP or else the tunnel carrying MP control traffic would not be up.
· No split-tunnel or bridge VAP is supported on the MP (tunnel only).
· No split-tunnel or bridge wired-port is supported on the MP (tunnel only).
· Mesh link can be either 'b/g' or 'a'.
· The same radio acting as mesh-link can also serve normal wireless clients.
Config Summary
The following example sets up a RMP and a MP using:
· RMP = AP-125 (ap-name = ap125-rmp)
· MP = AP-65 (ap65)
· AP Group = 'rmp'
Controller Set Up
IP addresses allocated to the MPV must be routable to the master controller for AP classification (reachable to WMS DB).
vlan 998
interface vlan 998
ip address 172.16.99.1 255.255.255.0
exit
ip dhcp pool vlan998-rmp
default-router 172.16.99.1
network 172.16.99.0 255.255.255.0
service dhcp
Set Up the Mesh
ap mesh-radio-profile "mesh"
mpv 998
ap mesh-cluster-profile "mesh"
cluster "mesh"
wpa-passphrase "arubarocksarubarocks"
opmode wpa2-psk-aes
Set Up the Dummy VAP. Note that the Dummy SSID must use opensystem (Bug 38602). No real wireless client will ever associate to this VAP. For security purpose, use max-clients = 0, hide-ssid, deny-bcase.
user-role denyall
aaa profile "denyall"
initial-role "denyall"
wlan ssid-profile "rmp"
essid "..."
opmode opensystem
max-clients 0
hide-ssid
deny-bcast
wlan virtual-ap "rmp"
aaa-profile "denyall"
ssid-profile "rmp"
allowed-band g # Note that this band must be active. Be careful with single-radio AP.
vlan 998
forward-mode split-tunnel
On the MP, only tunnel mode wired port is supported.
ap wired-ap-profile "tunnel-trusted"
wired-ap-enable
forward-mode tunnel
switchport mode access
switchport access vlan 18
trusted
ap wired-port-profile tunnel-trusted
wired-ap-profile tunnel-trusted
The Dummy VAP is only needed on the RMP, not the MP. Use an AP-specific configuration.
ap-name "ap125-rmp"
virtual-ap "rmp"
ap-group "mesh"
virtual-ap "Tunnel" # The definition of this SSID is up to the reader.
enet0-port-profile "tunnel-trusted"
ap-system-profile "rmp"
mesh-radio-profile "mesh"
mesh-cluster-profile "mesh" priority 1
To deploy a remote mesh portal or remote mesh point (RMP/MP) in ArubaOS 5.0, follow these steps:
1) Set up CPSec.
The RMP (AP-125) and the MP (AP-65) must be connected to the controller as thin APs so that they can be reprovisioned as RMP and MP. CPSec is enabled by default, so these two APs have certified certificates before they can be provisioned. The state of these certificates can be configured on the Campus AP whitelist. See the ArubaOS 5.0 Release Notes for details.
This step is not necessary if a RAP-5WN is used as a RMP. However, the MP (AP-65) still must have a valid certificate.
2) Provision the RMP.
After the AP-125 appears in the Provisioning AP list in WebUI, select the AP and reprovision it as an RMP. Pay attention to the following parameters:
· AP Group
· RAP parameters (PSK or Certificate)
· Master Controller IP Address/DNS name
· Mesh Role: Select Remote Mesh Portal
3) Provision the mesh point.
4) Change the following parameters for the mesh point:
· AP Group
· Mesh Role: Select Mesh Point.
Sample Output
These outputs are from some useful commands that are related to RMPs.
(A3200) #show ap active
Active AP Table
---------------
Name Group IP Address 11g Clients 11g Ch/EIRP/MaxEIRP 11a Clients 11a Ch/EIRP/MaxEIRP AP Type Flags Uptime Outer IP
---- ----- ---------- ----------- ------------------- ----------- ------------------- ------- ----- ------ --------
ap125-rmp mesh 192.168.202.12 0 AP:HT:11/9/20 0 MPP+AP:HT:161-/9/19 125 RAM 1d:1h:26m:3s 210.176.111.245
ap65 mesh 172.16.99.254 0 AP:11/9/20 0 MP+AP:161/23/23 65 EM 4h:15m:29s N/A
Flags: R = Remote AP; P = PPPOE; E = Wired AP enabled; A = Enet1 in active/standby mode;
L = Client Balancing Enabled; D = Disconn. Extra Calls On; B = Battery Boost On;
X = Maintenance Mode; d = Drop Mcast/Bcast On; N = 802.11b protection disabled;
a = Reduce ARP packets in the air; M = Mesh; C = Cellular; K = 802.11K Enabled;
Channel followed by "*" indicates channel selected due to unsupported configured channel.
Num APs:2
(A3200) #show ap bss-table
fm (forward mode): T-Tunnel, S-Split, D-Decrypt Tunnel, B-Bridge (s-standard, p-persistent, b-backup, a-always)
Aruba AP BSS Table
------------------
bss ess s/p ip phy type ch/EIRP/max-EIRP cur-cl ap name in-t(s) tot-t mtu acl-state acl fm
--- --- --- -- --- ---- ---------------- ------ ------- ------- ----- --- --------- --- --
00:1a:1e:11:48:40 ... 1/2 192.168.202.12 g-HT ap 11/9/20 0 ap125-rmp 0 1d:1h:0m:2s 1200 - 44 S
00:1a:1e:9f:cb:80 Tunnel ?/? 172.16.99.254 g ap 6/12/20 0 ap65 0 4h:14m:4s 1200 - 53 T
00:1a:1e:9f:cb:8a Tunnel ?/? 172.16.99.254 a ap 161/23/23 0 ap65 0 4h:14m:4s 1200 - 53 T
00:1a:1e:c1:fc:b8 N/A 2/0 172.16.99.254 e0 N/A N/A N/A ap65 0 4h:14m:4s 1200 N/A 1 T
Channel followed by "*" indicates channel selected due to unsupported configured channel.
Num APs:4
Num Associations:0
(A3200) #show ap mesh active
Mesh Cluster Name: mesh
-----------------------
Name Group IP Address BSSID Band/Ch/EIRP/MaxEIRP MTU Enet Ports Mesh Role Parent #Children AP Type Uptime
---- ----- ---------- ----- -------------------- --- ---------- --------- ------ --------- ------- ------
ap125-rmp mesh 192.168.202.10 00:1a:1e:11:48:50 802.11a/153-/9/19 1200 -/Off Portal - 1 125 8m:5s
ap65 mesh 172.16.99.254 00:1a:1e:9f:cb:88 802.11a/153/23/23 Tunnel Point ap125-rmp 0 65 8m:16s
Total APs :2
(A3200) #show ap mesh topology
Mesh Cluster Name: mesh
-----------------------
Name Mesh Role Parent Path Cost Node Cost Link Cost Hop Count RSSI Rate Tx/Rx Last Update Uplink Age #Children
---- --------- ------ --------- --------- --------- --------- ---- ---------- ----------- ---------- ---------
ap125-rmp Portal (N) - 0 1 0 0 0 - 19s 8m:20s 1
ap65 Point ap125-rmp 1 0 0 1 76 54/54 5m:40s 7m:6s 0
Total APs :2
(R): Recovery AP. (N): 11N Enabled. For Portals 'Uplink Age' equals uptime.