Wireless Access

Can anyone give me an answer or point me to the documentation for the following questions?

• Should the AP's be in their own vlan or in the same vlan as clients?
  
• How big should the AP vlans be (how many AP's per vlan?
  

Josh - the APs should be on a dedicated VLAN, if possible. They will work on a shared VLAN, but it is not recommended. If you are doing bridge mode, the will have to be on a shared uplink with the clients (trunk port to a switch).

The number of APs per VLAN really depends. If you can keep them relatively small, that is good. I haven't seen anything more than a /24 for AP management VLANs (not that it wont work, but it's just not a good idea IMHO). If you are using bridge mode, you can get away with more, since the traffic is dropped locally on the subnet. If you are using tunnel mode, all the traffic is forwarded back to the controller. As long as you don't have saturated infrastructure, you would still be OK.

The client VLANs should also be kept as small as possible using VLAN pooling.

I dont really want to dig up older topics, but I wanted to reply for those who may come across this while designing their networks.

 

Taken from: 

VRD_Campus_Networks.pdf

 

 

"VLANs are used on the access side of the controller where the APs terminate their GRE tunnels. These VLANs
carry traffic back and forth between APs and the controllers. Aruba strongly recommends that edge access
VLANs should not be dedicated to APs. The only exception where the APs may have to be deployed on
dedicated VLANs is in environments where 802.1X is a requirement on the wired edge. The APs should use the
existing edge VLANs as long as they have the ability to reach the mobility controller. Deploying the APs and AMs
in the existing VLANs allows for the full use of the Aruba rogue detection capabilities."



Good quote.  I think the contributor above you was saying that APs and wireless clients should not be in the same VLAN, as opposed to APs being in a dedicated vlan.

 

Hi all,

 

I am a little confused.

 

We are implementing 100 ap´s and a 7210 controller.

 

What is the best way to do it?

 

1. Ap´s and controller are going to be placed in the client existent Vlan for MGMT. ( ex: create a scope in dhcp 10.200.1.xx)

 

2. Wlan clients are going to be in the client network ( dhcp , dns are in this network 55.0.0.xx)

 

Ap´s need to contact dhcp over the Core switch trunk..

 

id this possible and good practise?

 

Regards

#7210

The access points can be on any VLAN, as long as they can discover and contact the controller on its master ip address.

 

It is best practice to have the wireless users in their own VLAN.

 

That is all.

Deal :)

 

Ap´s and controller going to be on Vlan MGMT that already exists on the client.

 

Users have their own Vlan configured at the core switch. We are going to use that one in network 55.0.0.xx for wireless testing

 

That was only the point , if users in a different network could get to the AP and gain Wlan access (that are going to be in 10.200.1.xx network).

 

This will be a best practise , in my point of view, since AP´s are not bumpped into all the broadcast traffic of the users network.

 

Regards

also

 

do I need to create all Core Vlans in the Mobility Controller?

 

the MGMT yes, but the other also ? the ones that are already in the client side? ( users,servers etc?)

---

@brunoaraujocosta wrote:

also

 

do I need to create all Core Vlans in the Mobility Controller?

 

the MGMT yes, but the other also ? the ones that are already in the client side? ( users,servers etc?)

---

No.  Make the user VLAN a trunk to a layer3 switch that does the routing for that VLAN.  Wireless clients will be bridged to that VLAN and the layer3 switch will take care of all of the routing to the server Vlans, etc.

 

If the AP's are at the same site as the controller that is a different design then if the AP's are at a remote site to the controller.  In the case where the AP's and the controller are at the same site, I would recommend the following:

 

1) connect the AP's to switches and vlans the same as wired workstations.

2) connect the controller to your network and either use an existing subnet or create a new one for the controller (depends on if you have a firewall you route through, I prefer a separate vlan between the controller and the firewall as the firewall is my default gateway).

3) define new subnets on the controller for the wireless clients.  The AP's will get an IP out of the user vlans and communicate back to the controller. The wifi client traffic tunnels back to the controller and then obtains an IP out of the wireless vlans you created.  You can assign client vlans using dhcp on the controller or better yet from a corporate dhcp server.

 

Hope that helps,

 

Ian

---

@istong wrote:

If the AP's are at the same site as the controller that is a different design then if the AP's are at a remote site to the controller.  In the case where the AP's and the controller are at the same site, I would recommend the following:

 

1) connect the AP's to switches and vlans the same as wired workstations.

2) connect the controller to your network and either use an existing subnet or create a new one for the controller (depends on if you have a firewall you route through, I prefer a separate vlan between the controller and the firewall as the firewall is my default gateway).

3) define new subnets on the controller for the wireless clients.  The AP's will get an IP out of the user vlans and communicate back to the controller. The wifi client traffic tunnels back to the controller and then obtains an IP out of the wireless vlans you created.  You can assign client vlans using dhcp on the controller or better yet from a corporate dhcp server.

 

Hope that helps,

 

Ian

---

Hi Ian,

 

We are gointg to use corporate DHCP server since we are likely to have 100 Ap´s and no less than 2000 devices..

 

Correct me if this is not the best way :

 

1. Vlan 37 already exists for management and we want to add all AP´s and Controller to that Vlan.

     For that we are going to add all AP´s MAC´s to  Subnet in DHCP for 10.200.1.xx

 

 

2. Wired users are today in a network 55.0.0.xx based, where there are several vlan´s and where are located also Active directory and all its services ( DHCP, DNS ).

 

3 .  Since we are expecting a huge ammount of devices in the final i assume i need to create several Vlan´s for Wireless users and also a scope in DHCP.  A user when connecting to Wlan will get a dhcp address in a subnet on 55.0.0.xx

 

 

4. Assuming all this I will need to create a Trunk between the Aruba and the Core 6500 Cisco. That trunk will have vlan allowed for MGMT and all the others?

 

5. LAst point: on dhcp we will create a scope for users in 55 network... I also think its better to create serveral Vlans for users on WLAN.

For this my doubt is create them on aruba or in client side ?

 

 

Sorry to be so extensive but this is a big project and my knowledge for Aruba is not that big..

 

Thanks so much

 

Regards

BRuno

 

 

 

Hi All,

 

Finally we have changed a few things and first phase is already completed.

 

We decided to create a " base guest vlan" with AP going to internal DHCP of the client and wireless clients going to Aruba DHCP.

 

All is segmented by Vlans and Controller is for now direct to internet om gi 0/0/1 for testing.

 

LAter next week is going to be connected to External Firewall.

 

But we are having some issues with internet browsing. For large periods browsing gets stuck and nothing happens ( like the Aruba is not finding is way ) but for others browsing is funtastic.

 

Internet link is huge and its ok.

 

Wireless clients connect ok but this issue with internet is killing me...

sent you a scheme and also the config for you to try to help..

guys any help?

 

regards

Your question is too complicated and has too much to address.  You have a problem with internet browsing and you also have design questions.  If it is working, you did something right, and you are probably okay.  If you are having problems, you should open a TAC case and focus on that or ask questions about your problem.

already opened :smileywink:

 

 

Thank you.

 

Please keep us up to date on what is discovered.

Of Course.

 

We should be one for all ;)

 

Today I will test connect vlan 999 directly to my PC , and see if the problem is on Wireless config..

 

Regards

 

 

Hi,

 

I tested today my PC connected directly to gi 0/0/0 on vlan 999.

 

I received an dhcp address from the controller dhcp server, ican ping the external router IP ,  I can do continiuous pings to several sites like www.sapo.pt or others but i only get huge cuts on internet access.

 

Tomorrow i will connect my PC directlt to external internet IP.

Regards

Hi

 

It seems taht the problem is that Aruba 0/0/1 has a mismatch config with a switch Procurve HP.

 

The procurve swittch helds the internet public IP and we configured the Aruba 0/0/1 trunk with a POrt on Procurve.

 

I am 100% sure that I had tested put the ports on access, but....

 

Now aruba Port is in access vlan 2 and all seems fine..

 

Don´t understand why.... I supposed that Aruba and Procurve are very no friendly switches...Because Aruba , like Cisco and Avaya calls Trunk Port and HP called it Trusted Port..

 

Well.. it seems its working..

 

No connect 65 AP´s test coverage and then the BIG thing ... Implement ClearPAss

 

Regards