MVP
Posts: 1,011
Registered: ‎04-13-2009

Riddle me this.....

The aim is to allow remote users (from a remote site) to connect to RAPs which they take home so they can connect to internal resources at their remote site. These RAPs terminate in the network core (on the active master controller) and the particular site does not have a local controller.

 

· The VLAN for a particular site is VLAN 888.
· We have configured an AP group for this school which puts wireless clients into VLAN 888.
· VLAN 888 is different on core switch 1 to VLAN 888 on core switch 2.  
· Controller 1 is patched into core switch 1.
· Controller 2 is patched into core switch 2.
· The correct VLAN 888 that wireless clients for this particular school need to be put into is on core switch 2.

 

The controllers are configured in a Master-Master redundancy method.
 

· Controller 1 is the current active master.
· Controller 2 is the current standby master.

 

How would you recommend proceeding?

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Guru Elite
Posts: 21,555
Registered: ‎03-29-2007

Re: Riddle me this.....


jrwhitehead wrote:

The aim is to allow remote users (from a remote site) to connect to RAPs which they take home so they can connect to internal resources at their remote site. These RAPs terminate in the network core (on the active master controller) and the particular site does not have a local controller.

 

· The VLAN for a particular site is VLAN 888.
· We have configured an AP group for this school which puts wireless clients into VLAN 888.
· VLAN 888 is different on core switch 1 to VLAN 888 on core switch 2.  
· Controller 1 is patched into core switch 1.
· Controller 2 is patched into core switch 2.
· The correct VLAN 888 that wireless clients for this particular school need to be put into is on core switch 2.

 

The controllers are configured in a Master-Master redundancy method.
 

· Controller 1 is the current active master.
· Controller 2 is the current standby master.

 

How would you recommend proceeding?


To give you the full range of options, I suggest you take a look at the Virtual Branch Networking Validated Reference Guide here:  http://www.arubanetworks.com/pdf/technology/VBN_VRD.pdf

 

It will answer your questions as well as give you approaches you might want to take.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 562
Registered: ‎11-28-2011

Re: Riddle me this.....

Think I'd need to see a diagram to comment properly. I think I get what you're saying but I'm not sure! cjoseph is right of course, but I like to tinker, and I'd be inclined (if this ISN'T a production system of course) to try knocking a GRE or IPSEC between the two controllers, and then mismatching VLANs end to end. That tends to be a little tricky in itself between a master and standby, as they have an established ipsec for syncing stuff etc (so it tends to confuse them). It probably wouldn't be so much of an issue if the other controller was a local. Can't you turn it into one, or does your design need the standby?

 

My idea would be something like... At the end where your standby is, connect a single port into the switch 2 on the "real" vlan 888 (access mode in Cisco terms). Tell the standby controller that this cabled port is VLAN 777 (again "access" (untagged)). Then pull VLAN 777 through a GRE from the standby to the master (i.e. create a bridge). Then change your AP group on the master so the VAP ties to 777. Might work??? Of course this is a bit messy, but hey, you asked for ideas!

 

Cheers.

 

 

 

Kudos appreciated, but I'm not hunting! (ACMX 104)
Guru Elite
Posts: 21,555
Registered: ‎03-29-2007

Re: Riddle me this.....


the.racking.monkey,

 

Thanks for getting me to re-read that.

 

So if you want users to end up in one VLAN if they are on the Master and another VLAN when they are on the backup master, it is best that you use "Named" Vlans.

 

Named VLANs will allow you to define a NAMED vlan on the master controller, and assign that to the Virtual AP.  At the local controller level, you can define the Actual VLANs that a named Vlan or Named Vlan pool will be assigned to.

 

- Vlan numbers are local, but Vlan names are global.

 

You can create a VLAN name, which will only take a single VLAN or create a VLAN pool, which will allow you to add multiple vlans:

 

Single VLAN name creation:

(host) (config) #vlan-name nvlan
(host) (config) #vlan nvlan 2
 

Vlan Pool creation with Name:

(host) (config) #vlan-name nvlanpool pool
(host) (config) #vlan nvlanpool 2,4,5-10

(host) (config) #show vlan mapping

VLAN Name   Pool Status  VLAN IDs
---------   -----------  --------
nvlan       Disabled     2
nvlanpool   Enabled      2,4-10

Assign a VLAN pool to a Virtual AP:


(host) (config) #wlan virtual-ap test
(host) (Virtual AP profile "test") #vlan nvlanpool

Here is how it looks on the GUI: [screenshot: pool.jpg]

 

For example, the Virtual AP for schools will have a named VLAN of "students".  On the master controller that Named VLAN of "student" will be 888.  On the backup master that named Vlan of "student" will be 777.  So the vlan Number that a student ends up in will be determined by what controller the AP is on.  If you add a local, for example, the vlan name student can be yet another VLAN number.

 

Caveat#1:  Named VLANs cannot be applied to bridged or split-tunneled Virtual APs.

Caveat#2:  You also must create the VLANs on the controller before they are assigned to a VLAN name or VLAN pool.

 

To see any errors, use show profile-errors:

 

(host) (config) #show profile-errors

Invalid Profiles
----------------
Profile                         Error
-------                         -----
ap wired-ap-profile "test"      Named VLAN "nvlan" does not exist.
aaa profile "test"              User derivation rule "test" is invalid
aaa server-group "test"         Named VLAN "nvlan" is removed
aaa derivation-rules user test  Named VLAN is invalid

 

 

 

Does that make sense?

 

 



Colin Joseph
Aruba Customer Engineering

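To make the two-level indirection in the post concrete, here is an added Python model of named-VLAN resolution (example code written for this thread, not Aruba's implementation). It assumes only what the post states: the Virtual AP references a global VLAN name, each controller maps that name to its own local VLAN IDs, the IDs must be created before they are mapped (caveat #2), and bridged or split-tunneled VAPs cannot use named VLANs (caveat #1). The controller names, the "schools" VAP and the 888/777 numbers are constructed from Colin's example; the parse/format helpers follow the `2,4,5-10` input and `2,4-10` output shown in the `show vlan mapping` listing.

```python
import re
from dataclasses import dataclass, field


def parse_vlan_ids(spec: str) -> list:
    """Parse an ArubaOS-style VLAN list such as '2,4,5-10' into sorted unique IDs."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad VLAN list element: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def format_vlan_ids(ids) -> str:
    """Collapse sorted IDs to the compact form 'show vlan mapping' prints: [2,4,5..10] -> '2,4-10'."""
    ids = sorted(set(ids))
    out, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(out)


@dataclass
class Controller:
    """One controller's local view: VLAN IDs are local, VLAN names are global."""
    name: str
    vlans: set = field(default_factory=set)          # IDs created with 'vlan <id>'
    vlan_names: dict = field(default_factory=dict)   # name -> (is_pool, [ids])

    def create_vlan(self, vid: int):
        self.vlans.add(vid)

    def vlan_name(self, vname: str, pool: bool = False):
        """'vlan-name <vname> [pool]': declares the name with no IDs yet."""
        self.vlan_names[vname] = (pool, [])

    def vlan_map(self, vname: str, spec: str):
        """'vlan <vname> <ids>': maps local IDs to the global name, enforcing caveat #2."""
        if vname not in self.vlan_names:
            raise LookupError(f'{self.name}: Named VLAN "{vname}" does not exist')
        is_pool, _ = self.vlan_names[vname]
        ids = parse_vlan_ids(spec)
        missing = [v for v in ids if v not in self.vlans]
        if missing:  # caveat #2: create the VLANs before assigning them to a name/pool
            raise ValueError(f"{self.name}: create VLAN(s) {missing} before mapping them to '{vname}'")
        if len(ids) > 1 and not is_pool:
            raise ValueError(f"{self.name}: '{vname}' is not a pool and can hold only one VLAN")
        self.vlan_names[vname] = (is_pool, ids)

    def show_vlan_mapping(self) -> str:
        """Render the same table layout the post's 'show vlan mapping' output uses."""
        lines = ["VLAN Name   Pool Status  VLAN IDs", "---------   -----------  --------"]
        for vname, (is_pool, ids) in self.vlan_names.items():
            status = "Enabled" if is_pool else "Disabled"
            lines.append(f"{vname:<11} {status:<12} {format_vlan_ids(ids)}")
        return "\n".join(lines)


@dataclass
class VirtualAP:
    name: str
    vlan: str                      # a global VLAN name, not a number
    forward_mode: str = "tunnel"   # tunnel | bridge | split-tunnel


def resolve_client_vlans(vap: VirtualAP, ctrl: Controller) -> list:
    """VLAN IDs a client on `vap` lands in when its AP terminates on `ctrl`."""
    if vap.forward_mode != "tunnel":  # caveat #1
        raise ValueError(f"VAP {vap.name}: named VLANs cannot be applied to {vap.forward_mode} VAPs")
    entry = ctrl.vlan_names.get(vap.vlan)
    if entry is None or not entry[1]:
        # this is the condition 'show profile-errors' would report on this controller
        raise LookupError(f'{ctrl.name}: Named VLAN "{vap.vlan}" does not exist')
    return entry[1]


def build_scenario():
    """Constructed scenario from the post: 'student' is 888 on the master, 777 on the backup master."""
    master = Controller("master")
    backup = Controller("backup-master")
    for ctrl, vid in ((master, 888), (backup, 777)):
        ctrl.create_vlan(vid)
        ctrl.vlan_name("student")
        ctrl.vlan_map("student", str(vid))
    vap = VirtualAP("schools", vlan="student")  # same VAP config on both, no numbers in it
    return master, backup, vap


if __name__ == "__main__":
    master, backup, vap = build_scenario()
    for ctrl in (master, backup):
        print(ctrl.name, "->", resolve_client_vlans(vap, ctrl))
        print(ctrl.show_vlan_mapping())
```

The point the model makes is that the VAP never changes: the same "schools" profile yields 888 when the AP is on the master and 777 when it fails over to the backup master, and adding a local controller is just a third `Controller` with its own mapping. Running `vlan_map` before `create_vlan`, or referencing the name from a bridged VAP, fails at configuration time rather than silently dropping clients into the wrong segment.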

MVP
Posts: 562
Registered: ‎11-28-2011

Re: Riddle me this.....

Oh yeah, good point! That's an improvement to my thought. I keep forgetting about named VLANs. I probably should use them more myself.

MVP
Posts: 1,011
Registered: ‎04-13-2009

Re: Riddle me this.....

Thanks for the ideas, guys; your info is much appreciated.

 

I'm thinking another option would be to create a new VLAN (say 999) on the master controllers and assign it to the VAP. Have the controllers do DHCP and give out the correct DNS suffix and DNS servers. Then SRC NAT VLAN 999. As long as the controller can route through to the destination VLAN this should be fine as far as I can see.

 

 

Cheers
James

Guru Elite
Posts: 21,555
Registered: ‎03-29-2007

Re: Riddle me this.....


jrwhitehead wrote:

Thanks for the ideas, guys; your info is much appreciated.

 

I'm thinking another option would be to create a new VLAN (say 999) on the master controllers and assign it to the VAP. Have the controllers do DHCP and give out the correct DNS suffix and DNS servers. Then SRC NAT VLAN 999. As long as the controller can route through to the destination VLAN this should be fine as far as I can see.

 

 


If a controller is a master-backup to a master, it means that controller is layer-2 connected to the first one.  Can't VLAN 999 be layer-2 connected to both controllers?  That might solve your problem...

 



Colin Joseph
Aruba Customer Engineering
