10-23-2014 04:07 PM
Hello IT friends, I hope this is the correct board to place my question. This is my first time posting here and overall I am relatively new to the Aruba network, so please forgive me if I don't make much sense.
We currently have the Aruba 3200 controller set up with multiple AP105s; everything is working fine.
I have recently been given the task of setting up multiple virtual APs and assigning them to different VLANs.
Is anyone able to give me a guide on how to configure this in the Aruba controller? I have listed some details below; I can provide more if needed.
My default router is 10.10.254.254 and is routing the following vlans
VLAN2 Routing IP 10.10.254.254 255.255.0.0
VLAN20 Routing IP 10.20.1.254 255.255.255.0
VLAN30 Routing IP 10.30.1.254 255.255.255.0
VLAN40 Routing IP 10.40.1.254 255.255.255.0
VLAN50 Routing IP 10.50.1.254 255.255.0.0
VLAN 60 Routing IP 10.60.1.254 255.255.0.0
I would like to broadcast the following SSIDS
BYOD - VLAN 60
Teacher - VLAN 20
Students - VLAN 50
Thank you for any help you can give.
10-23-2014 04:18 PM - edited 10-23-2014 05:52 PM
Is multiple VLANs *SSIDs a requirement? The "new" way to do this is to use a single SSID and map the VLAN based on the user that is connecting. For example, if students are in a certain AD group, we can give them a STUDENT role and VLAN 50.
You should try to keep your SSIDs down to a bare minimum, designing around authentication method/encryption type.
SSID 1: 802.1X/WPA2-AES (students, faculty, BYOD)
SSID 2: Open/PSK (guest, dumb devices)
10-23-2014 05:02 PM
That sounds very interesting. Will that still route the students to the 10.50.0.0 range and assign a 10.50 IP address from the DHCP?
I have ACLs set up on the default router to prevent students from accessing things from other VLANs.
How would I achieve what you have suggested?
10-23-2014 05:05 PM
10-23-2014 05:10 PM - edited 10-23-2014 05:12 PM
Sorry, no, multiple SSIDs are not required if we can do it another way. I was under the impression that multiple SSIDs were the only option.
We are using 802.11 security in mixed mode with a PSK passphrase.
* Please forgive my stupidity.
10-23-2014 05:27 PM
OK. Without utilizing user or device authentication, you will have to use VLANs and SSIDs to segregate your users.
Long-term you should consider a policy engine like ClearPass.
To add your VLANs:
- Add the VLAN tags under Configuration > VLANs
- Add the VLANs to the uplink of the controller (usually via a trunk port) (on both the controller and upstream switch links)
- Use the Campus WLAN wizard at the top left of the configuration page to create your SSIDs and map the appropriate VLANs. It will take you through step-by-step.
10-23-2014 05:32 PM
We are starting a BYOD program here shortly so ClearPass looks like something we will need to look into.
If I can bother you with a couple more questions:
1) When I add the VLANs in the controller, do I need to assign them an IP address?
2) For the switchports that are connected to the APs, do they also need to be in trunk mode?
10-23-2014 05:35 PM
That's great! It will definitely help you with your BYOD initiatives. Adds a lot of flexibility to your network.
1) You do not need to add IP addresses to the controller interfaces unless you are using a captive portal on that VLAN (and as long as the gateway for that subnet is upstream).
2) If your APs are in tunnel mode (default), then you do not need to trunk the VLANs down to the APs. That is the beauty of tunnel mode. You can literally plug your APs in anywhere and not have to worry about VLAN configurations!
10-23-2014 06:55 PM
You can use the default AP group, but at some point you should move APs into their own group. APs come up out of the box into the default AP group, so it can be a security issue.
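
The three configuration steps listed earlier in the thread, with the SSIDs attached to a dedicated AP group as the last reply suggests, sketched as controller CLI. This is an added example, not a configuration posted by anyone in the thread. It assumes ArubaOS 6.x syntax; the uplink port, the profile, group and AP names, and the WPA2-PSK opmode are assumptions, and the passphrases are placeholders.

```text
! Added example. Port, names and opmode are assumptions; passphrases are placeholders.
! Step 1: define the VLAN tags. No IP interfaces are created because the
! gateways for these subnets stay on the upstream router.
vlan 20
vlan 50
vlan 60
!
! Step 2: carry the VLANs on the controller uplink (port 1/0 is assumed).
! VLAN 2 stays on the trunk on the assumption that it carries the controller's
! own IP. Mirror the allowed list and native VLAN on the upstream switch port.
interface gigabitethernet 1/0
   switchport mode trunk
   switchport trunk allowed vlan 2,20,50,60
!
! Step 3: one SSID profile and one virtual AP per SSID/VLAN pair.
! Forward mode is left at its default (tunnel), so AP switchports need no trunk.
wlan ssid-profile "teacher-ssid"
   essid "Teacher"
   opmode wpa2-psk-aes
   wpa-passphrase <TEACHER-PASSPHRASE>
wlan virtual-ap "teacher-vap"
   ssid-profile "teacher-ssid"
   vlan 20
wlan ssid-profile "students-ssid"
   essid "Students"
   opmode wpa2-psk-aes
   wpa-passphrase <STUDENTS-PASSPHRASE>
wlan virtual-ap "students-vap"
   ssid-profile "students-ssid"
   vlan 50
wlan ssid-profile "byod-ssid"
   essid "BYOD"
   opmode wpa2-psk-aes
   wpa-passphrase <BYOD-PASSPHRASE>
wlan virtual-ap "byod-vap"
   ssid-profile "byod-ssid"
   vlan 60
!
! Attach the virtual APs to a dedicated group instead of "default", so an AP
! that comes up out of the box does not broadcast the internal SSIDs.
ap-group "campus-aps"
   virtual-ap "teacher-vap"
   virtual-ap "students-vap"
   virtual-ap "byod-vap"
!
! Then, from enable mode, move each known AP into the group:
! ap-regroup ap-name <AP-NAME> campus-aps
```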