Wireless Access

Setup:

4 - 3600 controllers (1 master and 3 local)

Testing with an AP105

 

I would like to setup a seperate vlan for APs and Users.  Currently the AP105 is plugged into a L3 access switch on its own VLAN.  I guess my only question is how do I do this?  Should I create a new AP port configuration or just leave it as default?  

 

Example:

AP Subnet - 10.80.0.x

User - 10.80.1.x

#3600

Hi

 

You can tunnel the client trraffic back to the controller and let it out there on the client VLAN. You can look at  our VRDs (Validated Reference Design guides). If you look at the Mobility VRD in chapter 4 the use of AP VLAN and User VLAN  is explained 

http://www.arubanetworks.com/vrd/ControllerVRD/wwhelp/wwhimpl/js/html/wwhelp.htm

 

Also look at the other VRD a lot of good information to find there. http://www.arubanetworks.com/technology/reference-design-guides/

 

 

 

 

 

Br,

Thomas

Thank you that is what I needed.  One last question, hypothetically if I would assign a building a /24 and there would be more devices than the VLAN could handle, would I have to increase the VLAN size?

 

You shouldn't have to make any changes on the controller.

 

You may need to reboot the APs so they can request a new IP address.

 

What's the current configuration under the AP port profile?

 

 

Wired AP Profile is "Default" - no wired ap enable, access mode and trunk mode are both VLAN 1. 

---

@richreitenauer wrote:

Wired AP Profile is "Default" - no wired ap enable, access mode and trunk mode are both VLAN 1. 

---

You should leave it as default.

 

Are you using the controller as your DHCP server ? if yes then you should use more than 512 leases on the internal dhcp server on the controller.

 

If the answer is no then you should be able to do this on the fly on your external DHCP server. But you may need to consider turning on Drop broadcast/Multicast on the VAP and bcmc optimization on the actual VLAN so avoid a large amount of droadcast on the wired and on wireless.

 

Note: You should turn on these features only if any of your Applications your wireless clients doesn't require multicast.

Thanks.  Here is where the problem lies, I would like to migrate away from VLAN 1 which is on a physically seperated network.  I do have another VLAN setup 10, which is the one I would like to migrate to.  Would I need to setup a new Wired AP Profile to do this? 

 

You should be able to do this, are you assigning static IP addresses on your APs ? if not you should be able to do this but remember that you may need to reboot your APs and clear the ARP entries for VLAN 1 on your switch .

Thanks again for your answer, no the APs are getting DHCP addresses.  I read chapter 4 on the VRD-Aruba Mobility Controllers v9, and it says not to put the APs on a dedicated VLAN in case of trying to find Rogue APs.  However, at some point we would like to implement Clearpass for wired and wireless authentication.  Which negates that statement for which APs should be placed on their own vlans.

 

Also, should I create a VLAN pool (5,6,7) of /24 for 1 building?  The reason I ask is due to the possibilities that over 253 people might connect to APs in one particular area.

---

@richreitenauer wrote:

Thanks again for your answer, no the APs are getting DHCP addresses.  I read chapter 4 on the VRD-Aruba Mobility Controllers v9, and it says not to put the APs on a dedicated VLAN in case of trying to find Rogue APs.  However, at some point we would like to implement Clearpass for wired and wireless authentication.  Which negates that statement for which APs should be placed on their own vlans.

 

Also, should I create a VLAN pool (5,6,7) of /24 for 1 building?  The reason I ask is due to the possibilities that over 253 people might connect to APs in one particular area.

---

You should create a VLAN pool , are you planning to use hash or even ?

(Hash or Even) not sure, just started to research them.  I guess the controller doesn't know when the DHCP scope is almost full?  Which would would be recommended?

The controller does NOT know. The nest strategy is to allow for 20% more than you will need and keep your dhcp leases as low as possible.

should be my last question,  can I initially start with 1 vlan and add others as I need to?

Absolutely. When you add another vlan to the virtual ap pool all of your users have to reassociate, though.

Ok, thanks again.  Should outdoor APs use the same VLAN pool or separate VLAN pools?  The reason I ask is due to the high possibility a user will be walking across the turf and pickup another buildings AP.

If there is overlapping coverage, use the same pool so that the user has a seamless experience. If you use a different vlan for users, you will almost guarantee a disconnect during roaming.

Just to be clear, the vlan that an access point gets is completely separate from the vlan that a user is assigned when he is associated to that wlan. The IP address of the ap is assigned when it boots up. The vlan of the user is assigned by the virtual ap. In practice, your access points can be on different subnets, but the user traffic is tunneled back to the controller so they are assigned to a consistent subnet regardless of the access point they are associated to.

Got it, thank you.  I'm thinking having a pool of multiple /24 since we do have a lot of overlapping coverage in a campus.