Wireless Access

Hey all-

Trying to build the following network as shown in the attachment, and have a question on how to setup controller discovery.

After looking in the 6.1 UG, I know that this is deployment option 2, where the AP's are seperated by a L3 device from the controllers. My first thought was to simply put an ip helper address with the VRRP IP of the controllers so that the controllers could send a local IP address to the AP's and the GRE tunnel could be built, but then it occured to me that the AP will still need a local network address so that it knows where it's next hop is.

I can't find explicit info on this, so I'm wondering how it needs to be setup to:

1. Allow the AP's on a seperate L3 subnet than the controllers

2. Use DHCP to find both their DG and the controller's IP (something else recommended)?

3. Ensure that the GRE tunnel can be formed between the AP's IP address and the VRRP address. (Pretty sure the answer is yes).

I know this is a covered scenario, just want to make sure I've got my ducks in a row here. Thanks all!

hi

i hope i understood your questions

1. Allow the AP's on a seperate L3 subnet than the controllers

Aruba AP`s can connect to aruba controller over lan/wan/cloud service and more with nat or with out nat.

(GRE or IPSEC) - you just need to allow the the controller to establish the tunnel (open ports in the router/fw/gw port fw)

2. Use DHCP to find both their DG and the controller's IP (something else recommended)?

use dns record that will redirect the ap's to the controller | or user dhcp option 43.

3. Ensure that the GRE tunnel can be formed between the AP's IP address and the VRRP address.

use dns record that will redirect the ap's to the controller | or user dhcp option 43.

let me know if u need further info - or it's answering your question.

rgrds.

me

Thanks for the response!

Okay- so if the Aruba controllers are going to handle the DHCP requests of the AP's, the scope should be set to the remote VLAN's L3 addresses, with the DG being the remote router's .1 address, but there should be DHCP option 43 also set that has the controller's VRRP address?

So in other words, if the AP is on the 10.0.0.x network (with .1 being the DG of the router) and the controller is on the 192.168.0.x network (with .4 being the VRRP address), and the controllers were the ip-helper target, you'd hand out a 10.0.0.x address with an DHCP 43 option set as 192.168.0.4 (controller's VRRP)?

you should  hand them the extrnal LEG (VLAN in front of the cloud) of the controller as their (Access points)  controller address. the internal or extranl vrrp address will stay the same even in failover.

  :smileyhappy: *if the above posts helped you - please mark solved and Kudos me , thanks :) *

Okay- is there a good guide as to how to setup DHCP w/ options on the controller? Looking at the UG for 6.1 now, but it's a bit unclear.

please read attached PDF.

(i hope they will answer your question)

(i dunno if there is a command to enable dhcp option on the controller it-self...there is a linux command,but i never tested the synatx over the cli)

linux dhcpd:

option serverip code 43 = ip-address;
class “vendor-class” {
match option vendor-class-identifier;
}

cisco switch cli:

option 60 ascii "ArubaAP"
option 43 ip x.x.x.x

rgrds.

Me

Attachment(s)

DHCP_Microsoft_Option43-v1.1.pdf   127 KB 1 version

dhcp-option.pdf   193 KB 1 version

Just to clarify- once this DHCP process is done, with options 43 and 60 setup as mentioned, the AP will have the following information:

1. An IP address on the proper remote subnet (i.e. whatever the scope on the DHCP server is set to)

2. A DG address for that remote subnet

3. The address (specified by option 43 and filtered by option 60) of the external VRRP address of the controller.

Nothing additional on the remote router needs to be setup other than a IP-helper address pointing to the DHCP server.

Thanks for the PDF's. Read through them twice already. Just want to make sure what I'm reading what I think I'm reading. 

YEP.

IF THERE IS:

• an ip address for the Accesspoint. (including GW that can connect to the controller & dns record of course :)
• Controller address in the AP boot environment or during the adp process.
• A tunnel of GRE or IPSEC can be establish between the AP and the Controller. (you case ...GRE)
• (default AP-group with a working vap in the controller)

So the remote Accesspoint will be able to go "UP" on the remote controller. (via your MPLS cloud)

regards.

Me.

*dont forget , if i assisted your - please Kudos (The star+ button) me ! Thanks :) :smileyhappy:

If you create the dhcp pool on the controller, the option is automatically added, though it will be the ip of the local controller the scope is created on.

You can add other options, but not sure on the syntax to change the ip returned to be something different from the local it is created on.

You may have already considered this but if not....  I have many remote offices that connect over MPLS to a central site where the controllers live, We plug the AP into the same network as the local workstations so the AP gets an IP via DHCP just like local workstations. Our DHCP server is at one of our colo centers and hands out IP's for the various remote offices.

Once the AP gets a DHCP address it knows it's default gateway (local router or firewall at the remote office). It then uses DNS to find the controllers (aruba-master). Then it associates with the controller and sets up the GRE tunnel, etc.

We then have different subnets and vlans configured on the controllers for the different offices. The IP's and default gateway information are then handed out by our DHCP server as mentioned above.  Again no DHCP or other options configured on the controllers other than the IP helper address that points to the DHCP server on the network.

The one exception to the above is for guest access. We like to keep that completely separate so it gets it's own IP/subnet and gets it's DHCP directly from the controllers. Then it traverses the corp network on it's own subnet/vlan directly to the firewalls and out to the internet.

Hope that helps give you another perspecitve of how it can be done,

Ian

BTW: u might also configure the AP as RAP (ipsec tunnel).

(if u have pefng/pefv installed on your controller)

Example: (of a really old deployment I did for an ISP)

Working mode that can be user: Tunnel/split tunnel/bridge mode (IPSEC recommended over WAN)

Hi, I have problem with provissioning new APs as campsus via Mobile MPLS. The Aps find the controller and start to download the new version for upgrade but due to the latency they are unable to download it. How can I resolve this issue.

This is not a supported setup.