Occasional Contributor I
Posts: 9
Registered: ‎10-23-2014

Aruba Controller & VLAN's

Hello IT friends, I hope this is the correct board to place my question. This is my first time posting here and overall I am relatively new to the Aruba network, so please forgive me if I don't make much sense.


We currently have the Aruba 3200 controller set up with multiple AP105s, and everything is working fine.

I have recently been given the task of setting up multiple virtual APs and assigning them to different VLANs.

Is anyone able to give me a guide on how to configure this in the Aruba controller? I have listed some details below, and I can provide more if needed.

My default router is 10.10.254.254 and is routing the following VLANs:

VLAN2 Routing IP 10.10.254.254 255.255.0.0
VLAN20 Routing IP 10.20.1.254 255.255.255.0
VLAN30 Routing IP 10.30.1.254 255.255.255.0
VLAN40 Routing IP 10.40.1.254 255.255.255.0
VLAN50 Routing IP 10.50.1.254 255.255.0.0
VLAN60 Routing IP 10.60.1.254 255.255.0.0

I would like to broadcast the following SSIDs:

BYOD - VLAN 60
Teacher - VLAN 20
Students - VLAN 50

Thank you for any help you can give.

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: Aruba Controller & VLAN's

Is multiple VLANs *SSIDs a requirement? The "new" way to do this is to use a single SSID and map the VLAN based on the user that is connecting. For example, if students are in a certain AD group, we can give them a STUDENT role and VLAN 50.

 

You should try to keep your SSIDs down to a bare minimum, designing around authentication method/encryption type.

 

SSID 1: 802.1X/WPA2-AES (students, faculty, BYOD)

SSID 2: Open/PSK (guest, dumb devices)


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 9
Registered: ‎10-23-2014

Re: Aruba Controller & VLAN's

That sounds very interesting. Will that still route the students to the 10.50.0.0 range and assign a 10.50 IP address from the DHCP?

I have ACLs set up on the default router to prevent students from accessing things from other VLANs.

How would I achieve what you have suggested?

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: Aruba Controller & VLAN's

The first sentence should read "Are multiple SSIDs required..."

 

Yes, you can do this if either of the two things below is true:

 

1) You are doing 802.1X

2) You are using a PSK with MAC authentication

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 9
Registered: ‎10-23-2014

Re: Aruba Controller & VLAN's

Sorry, no, multiple SSIDs are not required if we can do it another way. I was under the impression that multiple SSIDs were the only option.

We are using 802.11 security in mixed mode with a PSK passphrase.

 

* Please forgive my stupidity.

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: Aruba Controller & VLAN's

OK. Without utilizing user or device authentication, you will have to use VLANs and SSIDs to segregate your users.

 

Long-term you should consider a policy engine like ClearPass.

To add your VLANs:

 

- Add the VLAN tags under Configuration > VLANs

- Add the VLANs to the uplink of the controller (usually via a trunk port) (on both the controller and upstream switch links)

- Use the Campus WLAN wizard at the top left of the configuration page to create your SSIDs and map the appropriate VLANs. It will take you through step-by-step.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
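
The three steps in the reply above, written as controller CLI. This is an added example, not part of the original post or Aruba's own configuration. It uses ArubaOS 6.x-style syntax and assumes the uplink is port 1/0, VLAN 2 is the controller's existing VLAN, the SSIDs use WPA2-PSK, and the predefined `default-dot1x-psk` AAA profile is present; profile names and passphrases are placeholders.

```text
! Added example: SSID-to-VLAN mapping from the thread (ArubaOS 6.x-style CLI).
! Assumed: uplink port 1/0, VLAN 2 as the existing controller VLAN,
! profile names, WPA2-PSK opmode, aaa profile "default-dot1x-psk".

! Step 1: define the VLAN IDs. No IP addresses are needed on the
! controller because the gateways (10.x.1.254) live on the upstream router.
vlan 20
vlan 50
vlan 60
!
! Step 2: carry the VLANs on the controller uplink trunk.
! The upstream switch port must allow the same VLAN list.
interface gigabitethernet 1/0
   trusted
   switchport mode trunk
   switchport trunk allowed vlan 2,20,50,60
!
! Step 3: one SSID profile and one virtual AP per SSID.
wlan ssid-profile "teacher-ssid"
   essid "Teacher"
   opmode wpa2-psk-aes
   wpa-passphrase <teacher-passphrase>
!
wlan ssid-profile "students-ssid"
   essid "Students"
   opmode wpa2-psk-aes
   wpa-passphrase <students-passphrase>
!
wlan ssid-profile "byod-ssid"
   essid "BYOD"
   opmode wpa2-psk-aes
   wpa-passphrase <byod-passphrase>
!
wlan virtual-ap "teacher-vap"
   ssid-profile "teacher-ssid"
   aaa-profile "default-dot1x-psk"
   vlan 20
!
wlan virtual-ap "students-vap"
   ssid-profile "students-ssid"
   aaa-profile "default-dot1x-psk"
   vlan 50
!
wlan virtual-ap "byod-vap"
   ssid-profile "byod-ssid"
   aaa-profile "default-dot1x-psk"
   vlan 60
!
! Attach the virtual APs to the AP group the AP105s are in.
ap-group "default"
   virtual-ap "teacher-vap"
   virtual-ap "students-vap"
   virtual-ap "byod-vap"
```

Changing the uplink to a trunk can interrupt management access if the native or controller VLAN does not match the upstream switch, so confirm both ends before applying. Separation between the three SSIDs still depends on the router ACLs, since the controller here only places clients into VLANs.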
Occasional Contributor I
Posts: 9
Registered: ‎10-23-2014

Re: Aruba Controller & VLAN's

We are starting a BYOD program here shortly so ClearPass looks like something we will need to look into.

 

If I can bother you with a couple more questions:

1) When I add the VLANs in the controller, do I need to assign them an IP address?

2) For the switchports that are connected to the APs, do they also need to be in trunk mode?

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: Aruba Controller & VLAN's

That's great! It will definitely help you with your BYOD initiatives. Adds a lot of flexibility to your network.

 

1) You do not need to add IP addresses to the controller interfaces unless you are using a captive portal on that VLAN (and as long as the gateway for that subnet is upstream).

 

2) If your APs are in tunnel mode (default), then you do not need to trunk the VLANs down to the APs. That is the beauty of tunnel mode. You can literally plug your APs in anywhere and not have to worry about VLAN configurations!


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 9
Registered: ‎10-23-2014

Re: Aruba Controller & VLAN's

I created the VLAN and ran through the WLAN configuration; however, no new WLAN appears.

Can the WLAN be created on the default AP group or do I need to create a new one?

 

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: Aruba Controller

Make sure you click the Apply button on the final configuration screen.

You can use the default AP group, but at some point you should move APs into their own group. APs come up out of the box into the default AP group, so it can be a security issue.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480