Wireless Access

Hello IT friends, I hope this is the correct board to place my question. This is my first time posting here and overall I am relativley new to the aruba network so please forgive me if i dont make much sense.

We currently have the Aruba 3200 controller setup with multiple AP105's, everything is working fine.

I have recently been given the task of setting up multiple virtual AP's and assigning them to different VLAN's.

Is anyone able to give me a guide on how to configure this in the aruba controller. I have listed some details below, I can provide more if needed.

My default router is 10.10.254.254 and is routing the following vlans

VLAN2 Routing IP 10.10.254.254 255.255.0.0
VLAN20 Routing IP 10.20.1.254 255.255.255.0
VLAN30 Routing IP 10.30.1.254 255.255.255.0
VLAN40 Routing IP 10.40.1.254 255.255.255.0
VLAN50 Routing IP 10.50.1.254 255.255.0.0
VLAN 60 Routing IP 10.60.1.254 255.255.0.0

I would like to broadcast the following SSIDS

BYOD - VLAN 60
Teacher -  VLAN 20
Students - VLAN 50

Thank you for any help you can give.

Is multiple VLANs *SSIDs a requirement? The "new" way to do this is use a single SSID and map VLAN based on the user that is connecting. For example. if students are in a certain AD group, we can give them a STUDENT role and VLAN 50.

 

You should try to keep your SSIDs down to a bare minimum, designing around authentication method/encryption type.

 

SSID 1: 802.1X/WPA2-AES (students, faculty, BYOD)

SSID 2: Open/PSK (guest, dumb devices)

that sounds very interesting. will that still route the students to the 10.50.0.0 range and asign a 10.50 ip address from the DHCP?

I have ACL's setup on the default router to prevent students from accessing things from other VLAN's.

how would i achieve what you have suggested?

The first sentence should read "Are multiple SSIDs required..."

 

Yes, you can do this if either of the two things below are true:

 

1) You are doing 802.1X

2) You are using a PSK with MAC authentication

 

 

 

Sorry, no multiple SSID's are not required if we can do it another way. I was under the impression that multiple SSID's were the only option.

We are using 802.11 security in mixed mode with a PSK passphrase.

 

* Please forgive my stupidity.

OK. Without utilizing user or device authentication, you will have to use VLANs and SSIDs to segregate your users.

 

Long-term you should consider a policy engine like ClearPass.

 

 

To add your VLANs:

 

- Add the VLAN tags under Configuration > VLANs

- Add the VLANs to the uplink of the controller (usually via a trunk port) (on both the controller and upstream switch links)

- Use the Campus WLAN wizard at the top left of the configuration page to create your SSIDs and map the appropriate VLANs. It will take you through step-by-step.

We are starting a BYOD program here shortly so ClearPass looks like something we will need to look into.

 

if i can bother you with a couple more questions.

 

1) When i add the VLANs in the controller do i need to assign them an IP Address?

2) for the switchports that are connected to the AP's, do they also need to be in trunk mode?

That's great! It will definitely help you with your BYOD initiatives. Adds a lot of flexibility to your network.

 

1) You do not need to add IP addresses to the controller interfaces unless you are using a captive portal on that VLAN. (and as long as the gateway for that subnet is upstream).

 

2) If your AP's are in tunnel mode (default), then you do not need to trunk the VLANs down to the APs. That is the beauty of tunnel mode. You can literally plug your AP's in anywhere and not have to worry about VLAN configurations!

I created the VLAN and run through the WLAN configuration however no new WLAN appears.

can the WLAN be created on the default AP group or do I need to create a new one?

 

Make sure you click the Apply button on the final configuration screen.

You can use the default AP group, but at some point you should move APs into their own group. AP’s come up out of the box into the default AP group, so it can be a security issue.

I have tried doing what you suggested but for some reason i cant get it to work.

i have configured port 1 as a trunk on both ends with all vlans allowed, when i plug in port 1 i am unable to connecte to the controller or ping it.

i have attached my running config if that helps.

Could you post the upstream switch port config and the controller port config?

are these the files you mean?

From what i can see, both the controller and the connecting switch are configured correctly.

 

 

(Aruba3200) #show interface gigabitethernet 1/1 switchport

Name:  GE1/1
Switchport:  Enabled
Administrative mode:  trunk
Operational mode:  trunk
Administrative Trunking Encapsulation:  dot1q
Operational Trunking Encapsulation:  dot1q
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (Default)
Trunking Vlans Enabled: ALL
Trunking Vlans Active: 1-2,60

Is anyone able to offer me some more advice? I have attached the configs for the aruba controller, the switch that it is connected to and the gateway/router.

I have configured port 1/1 on the aruba controller as a trunk port with the allowed VLAN's, it connects to port 1/g19 on the dell switch (this port is also a trunk port with the allowed VLAN's).

 

When I unplug port 1/0 on the controller and connect up port 1/1 I loose all connection to my controller and the AP's do not connect either.

 

Any additional advice you can give me would be very much appreciated.