Wireless Access

Hi,

I am testing the design of new remote site topologies for my organisation;

We are using a Remote AP to tunnel back to us over the internet, which carries vlan 290 on the wired port profile (vlan 290 terminates on our core). Connected to the RAP's wired port is a managed switch with an IP in the vlan 290 address range.

This connectivity is fine.

If I connect a Campus AP to vlan 290 (via the switch or directly to the RAP), then it gets an IP from DHCP, finds the controller successfully with ADP and I can ping the controller address all without issue - yet it fails to bring the CAP online.

If I connect a Campus AP to a different vlan on the switch (local vlan as it is a L3 switch, with a default route pointing to the vlan 290 gateway address on our core), then the CAP works exactly as expected.

Can anyone explain this difference in behaviour?

It appears to be a consistant behaviour with the controller not liking a CAP that is using tunnelled addressing.

Having a CAP behind a RAP is not a supported configuration. That seems to be related that the CAP tunnel is within the RAP tunnel, so you have tunnel-in-tunnel. I believe to have heard that it might work if the RAP and CAP terminate on different controllers, but that needs to be tested before deployed.

Thanks, Herman.

I had been looking around for any documentation on this, and couldn't find anything to say if it was supported or not. Are you able to provide a link to some documentation, as it would be handy to have if questioned.

I'm not sure where to find a statement that AP behind RAP is not supported. Probably the Aruba TAC can help you with such a statement.

For me, it came up during training where I'm not sure if that was because of a question, or being part of the training content.

Also, here a similar question and answer, which adds another reason that it doesn't work which is that the Campus AP should have 1500 byte MTU to the controller to come up. In a RAP (IPSec) tunnel, you lose some bytes for the encapsulation.