Controllerless Networks

Greetings!

I'm sure this question has been asked before, but I haven't been able to find anything that applied to our particular circumstances, so here goes.  My apologies if this is a duplication.

 

I work for a school district.  We have 40 IAP clusters, one at each school site (39 schools) and one at our District Office.  Each site has its own router and subnet.  Each IAP cluster is configured and is currently in Monitor/Firmware Upgrade-only mode in Airwave.

 

I have, so far, not been able to figure out how to manage the configurations properly with Airwave.  I know how to change the IAP clusters to Read-Write mode, but haven't been able to figure out the rest.  Right now, whenever I want to make a change, such as to a firewall rule, I have to do it 40 times.  And then, I get 40 mismatches in Airwave, so I have to go to each VC, Audit, then import the template into Airwave again, then the mismatches go away.  I know there's a better way to do this.

 

It seems that each site's template has the same name, but I'm guessing that within Airwave, each one is really unique.  Would someone be willing to give me a step-by-step procedure on how I should do what I want to do, so that when I want to make a configuration change, I just change a template and let that push out to all 40 sites?

 

Also, most of our sites have the same SSID configuration and whatnot; however, there are 2 sites that each have an additional SSID.  Will I be able to retain this extra configuration while still using a template?

 

Thanks!

Bnewall,

 

Only knowing what you just said, in general you can use one template for 38 sites and another template for the two sites with the additional SSID.  If the configuration is the same, you should be able to create a variable in the template for anything that is different, and edit that variable in each VC cluster.  All clusters will receive the same configuration and they will get a slightly different configuration based on the variables defined in the template.  The document here:  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=14106 shows you how to deploy templete-based configuration to IAPs.  Ideally, all of your 38 IAP clusters will be in the same group using the same template, but with different Variable that change based on the site.  The config will be the same, but things like the hostname will be defined for each VC and be different.  They will be read-write, so that the config can be pushed automatically when you make a change to the template.  Again, this is all speaking in general.  You should test this in the lab in conjunction with the document at the link above to ensure your workflow is solid.

 

 

Thanks, Colin!

 

I was looking over that document yesterday, actually.  One thing I saw is that in defining the Organization strings in each IAP cluster, the document recommends using your toplevel organization name followed by a colon and then the department/location/etc.  I tested that on our District Office cluster using the Organization string "PUSD:DO".  That created a group called PUSD, and then created a folder called PUSD with a subfolder called DO.  It appears that this means that all of my 2000+ IAPs will end up in the same single group, but will be organized into folders by site.  Is that correct?  Currently, each cluster's Organization string is just the site abbreviation, so each cluster's IAPs are in their own group.

 

One thing I miss about the controller-based APs is the ability to have AP groups.  With the IAPs, it looks like I'll have to still maintain multiple templates due to sites that have an additional SSID.  Or do you think there's another way to approach that?

 

Thanks!

The organization string is something that you can use to create a folder structure when you are adding devices.  When your devices are already added in airwave, they are not that useful.  When you are adding APs, it can automatically create folders and groups, so that you don't have but if you are already deployed, it is less useful.

 

Groups are strictly used for configuration.  It allows you to configure devices in multiple different folders the same way and use variables for things that might be different among them.

 

Folders are used for heirarchy and reporting.  It is not a configuration construct.

 

If you have 10 schools, they can all be in the same group, and the things that differ like the hostname and maybe a few other things can have a variable in the template.  In each AP management page, there is somewhere you can define that variable so that when the same config is pushed across your district, the "variables" are inserted in the config for that specific device or group of devices.

 

You can maintain separate groups for sites with different configurations or you can configure overrides.  TAC can tell you how to do that best.

 

Hi Colin, If I want to manage new iAP cluster, did I need to add all the iAP serial number in the cluster to the Airwave whitelist? Crone

If you haven't already, please see the document here https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=14106

 

Colin,

 

I'm getting error to view the page. Are you refering to DeployingInstantInAirWave.pdf document? I did read this document, but it doesnt state whether I need to register only the VC or all the iAP inside the cluster.

Crone, yes that is the document (I fixed the link).  In the document it says -

"Discovery: AirWave does not discover Instant devices via scanning (SNMP or HTTP) the network. Each Instant deployment will automatically check-in to the AirWave configured within the IAP’s user interface. The first Virtual Controller for an organization will automatically appear as a new device in AirWave. Subsequent IAPs are discovered via the Virtual Controller, just like standard controller/thin AP deployments."

 

The simplest way to add IAPs is manually.  It says that each instant deployment will check in, but you need to manually point it at Airwave, first.  Please see the section "Setting up Aruba Instant Manually" in that document.  There are many ways to have an IAP discover Airwave (activate, DHCP option), but it is important to add it manually first to understand what is going on.

Colin,

 

Yes understand the 1st iAP at least need to set Airwave IP. Let say the 1st iAP already up in the airwave (template downloaded, whitelisted serial number), and then comes the 2nd iAP. I know this 2nd iAP will join the cluster and sync the configuration from the 1st iAP. But then, did I still need to register this 2nd iAP serial number to Airwave whitelist?

 

Crone

If you are not using Preshared Key or Certificate Authentication for your IAPs, you do not need to add them to the whitelist:

"The Instant whitelist database is a list of the Instant APs that are allowed to access the AMP server after completing pre- shared key or certificate authentication."

Thanks Colin!