Technology Blog

Change the Management VLAN for Aruba Instant

Aruba Employee

Aruba Instant is a very simple and easy to use WLAN solution. In some projects, I have the situation, that users are placed in VLAN 1. Which is easy with Aruba Instant. But unfortunately, VLAN 1 is the default management VLAN and the AP itself should not be placed in VLAN 1. This was impossible in the past but is very easy now. You can change the management VLAN for Aruba Instant and you can use VLAN 1 for your users.

Change the Management VLAN: Untagged on the Uplink

In the past, you configured the management IP for the Instant AP. This IP was always in VLAN 1 untagged. This is fine when you do not need VLAN 1 for clients. If you do, you need to have the management IP in a different VLAN. This is possible in Instant for some time now. I did this test with the latest and greatest version available. But the feature is included in Instant since version 4.3.0.

The first step is to change the uplink VLAN. The IAP consider VLAN 1 as the native (untagged) VLAN for the uplink. To change this, log into the IAP and go to "System":Change the Management VLAN – Configure Uplink VLANI changed the "Uplink switch native VLAN" to 10. VLAN 10 is my management VLAN in this scenario. And with the default settings, you are done so far, as the IAP assume the management VLAN untagged with default settings. From Wireshark, you can see that the "Virtual Controller IP" is untagged on the uplink:Change the Management VLAN - Ping to the IAPI'm doing a ping from the switch to the controller. No VLAN tags at all.

Change the Management VLAN: Tagged on the Uplink

Now, let's assume, you need the management VLAN tagged on the uplink. This is possible as well. In the scenario above, I have used VLAN 10 for the management and put this untagged on the uplink.

This time, I use VLAN 100 for the management. VLAN 10 is still untagged on the uplink. To change the management VLAN to VLAN 100 and get the VLAN tagged on the port log into the IAP and select one of the IAP's in the cluster. Click the "Edit" link and select the "Uplink" for the IAP:Change the Management VLAN - Use Tagged Management VLANYou can define the management VLAN with the "Uplink management VLAN" setting. If this setting is different to the "Uplink switch native VLAN", the management VLAN is tagged on the uplink. In my case, it is VLAN 100. After adopting the switch configuration you can see the use of VLAN 100:Change the Management VLAN - Ping To the IAP TaggedAs you can see from the screen above, the ping from the switch to the IAP is now tagged in VLAN 100. Let's recap where we are so far. The IAP use VLAN 10 native on uplink and VLAN 100 tagged on the uplink for management. VLAN 1 is not used at all. Which is always my recommendation. But for a complete picture, I use VLAN 1 as an egress network for an SSID.  I do the same for VLAN 10. Just to make sure, it is still untagged. VLAN 1:Change the Management VLAN - VLAN 1If a client connects to this SSID, the traffic is tagged with VLAN 1 on the Uplink:Change the Management VLAN - DHCP on VLAN 1As you can see, the DHCP request is tagged with VLAN 1. And the same for VLAN 10:Change the Management VLAN - VLAN 10And the Wireshark trace:Change the Management VLAN - DHCP VLAN 10No VLAN tag for the DHCP request. This is the expected behavior as VLAN 10 is the native (untagged) VLAN on the uplink.

From the post above you see that it is very simple to change the management VLAN for the IAP and change the untagged VLAN to a different VLAN than VLAN 1.

Do you use VLAN 1 in your environment? Please let me know why or why not. Other questions or feedback is highly appreciated as a comment below.

Comments
Occasional Contributor I

If I'd like to add more VLANs on VLAN1 SSID or other SSID, which menu should I use or how to add (to be a trunk of IAP) ?

Aruba Employee

Hi Alex,

 

The uplink port of an IAP is always a trunk. So any VLAN you configure in the SSID, which is different to the uplink switch native VLAN will be tagged.

Let's use the example from above. The uplink switch native VLAN is 10. If you configure your SSID with VLAN 1, this VLAN will be tagged on the port. If you configure your SSID for radius with dynamic VLAN assignment, any VLAN different to VLAN 10 will be tagged. There is no need to do a special configuration. 

Does this answer your question? 

 

Many thanks,

Florian

 
Occasional Contributor I

 

Yes. Thanks for your info

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Read all about it! If it’s happening now, it’s in the community.

Check out the latest blogs from your community team, the community experts and other industry sources.
Labels