Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
SSID in tunneled Mode with different L2 and L3 configuration behind the MC

  • 1.  SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    Posted Jun 20, 2018 04:14 PM

    Hi Airheads Community,

     

    I've a design question which I'm struggling with... Please assume that I'm using a distributed enterprise MPLS environment with a Mobility Controller in a DC and ~30 branch offices where CAPs are used, which are configured in tunnel mode!
    Mobility Controller / w CAP (tunneled mode) + AirWave only for Monitoring should be used!

     

    The question for me now is: is it possible to broadcast an SSID on all those sites, but use, for example, several different VLANs and IP subnets, one for each location behind the controller?
    One reason is that I would like to distinguish the clients based on their IP addresses... or is the only way to use several different SSIDs and VLANs on the MC to get this done...

    Maybe some of you - hopefully not all :) - would say to use a Branch Controller in the offices and a Mobility Master in the DC as an alternative solution or recommendation... If so, is there an overview comparison with advantages and disadvantages between MC w/ CAP, MM w/ BC and maybe IAP you can point me to?

     

    Thank you and kind regards



  • 2.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    EMPLOYEE
    Posted Jun 20, 2018 04:32 PM

    Is the majority of the user traffic going back to the DC?  If yes, tunnel all traffic back to the DC controller using a Campus AP.  If you are using AirWave, it will tell you what access point the user is connected to, so you will know the physical location.  No need to have separate VLAN spaces for users.

     

    That is my opinion based on the limited information in your post.



  • 3.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    Posted Jun 20, 2018 04:45 PM
    OK, I know that, but would it technically be possible to use different VLANs behind one SSID? ... You said limited information - what else would be necessary to know?

    greets


  • 4.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    EMPLOYEE
    Posted Jun 20, 2018 04:51 PM

    Yes it would.

    If you had a RADIUS server and/or user derivation rules that would apply a different VLAN for each site, that would work, but it does not scale.



  • 5.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    EMPLOYEE
    Posted Jun 20, 2018 06:33 PM
    Hi

    Like Colin said, you can use user derived rules. Or maybe create an AP group per location and use a different VLAN in the different AP groups. The SSID can be one; based on the VAP within the AP group you assign a different VLAN.

    Hope it helps


  • 6.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    Posted Jun 21, 2018 02:54 AM

    As you say, a RADIUS server or ClearPass for server derivation rules is unfortunately not available... so I have to, if possible, deal with another solution! It is actually planned for guest access, so I'm not sure if that fits as well?!

     

    There are already AP groups configured for each site, but I am not able to configure it the way you are suggesting, because where in the AP group can I specify a VLAN? That has to be done in the WLAN (SSID) tab, or am I wrong?!

     

    greets



  • 7.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    EMPLOYEE
    Posted Jun 21, 2018 03:01 AM

    The VLAN is specified in the Virtual AP profile.  You would just duplicate that Virtual AP and change the VLAN for every ap-group.

     

     



  • 8.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    EMPLOYEE
    Posted Jun 21, 2018 03:15 AM

    Like I already mentioned.

     

    That should work fine

     

     



  • 9.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    Posted Jun 21, 2018 03:25 AM

    Hm, I can't find a configuration parameter where I can specify a Virtual AP Group?! Where should this be done in 8.2.1.0?



  • 10.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    EMPLOYEE
    Posted Jun 21, 2018 04:00 AM

    It is a challenge to tell you what to do without knowing what you have already done. Did you already create ap-groups?  Do you know at what folder level you created them?

     



  • 11.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    Posted Jun 21, 2018 04:12 AM

    There is a folder called Mobility Controller with two AP groups (default and NoAuthApGroup). Underneath that folder there's the controller itself, named MCLABT01, in which an AP group is configured under AP Groups for every location, in my case 4 (Group-MC-BO1 -- BO4)!

     

    E.g. the AP group "Group-MC-Bo1" has under the tab WLAN a WLAN name (which is, to my understanding, also the SSID) called "Guest" associated... In this WLAN "Guest" all relevant parameters like VLAN, forwarding mode, security, etc. are defined!



  • 12.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    EMPLOYEE
    Posted Jun 21, 2018 04:13 AM

    Hi

     

    You should activate advanced profiles under your account on the MM. Then you can see the profiles underneath.

     

    That will help you

     

     



  • 13.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    EMPLOYEE
    Posted Jun 21, 2018 04:12 PM

    Hi

     

    You can use user derived rules to assign a VLAN based on location (ap-name). Info from an older post: https://community.arubanetworks.com/t5/Wireless-Access/User-Derived-Vlan-from-Location-Rule/td-p/62572  look at the reply of 

     

     



  • 14.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    Posted Jun 25, 2018 06:58 AM

    Hi Collin, hi Frank!

     

    You said the following:

     

    "Or maybe create an AP group per location and use a different VLAN in the different AP groups. The SSID can be one; based on the VAP within the AP group you assign a different VLAN."

     

    "The VLAN is specified in the Virtual AP profile.  You would just duplicate that Virtual AP and change the VLAN for every ap-group."

     

    I configured the following in my lab:

    !
    vlan 300 description "AAA"
    vlan 310 description "BBB"
    !
    vlan-name AAA
    vlan AAA 300
    vlan-name BBB
    vlan BBB 310
    !
    spanning-tree vlan 300
    spanning-tree vlan 310
    !

    interface vlan 300
     ip address w.w.w.w x.x.x.x
    !
    interface vlan 310
     ip address y.y.y.y z.z.z.z

    !
    aaa authentication dot1x "BBB"
    !
    aaa authentication dot1x "AAA"
    !
    !
    aaa profile "BBB"
        authentication-dot1x "BBB"
    !
    aaa profile "AAA"
        authentication-dot1x "AAA"
    !
    !
    wlan ssid-profile "Test"
        essid "TEST"
        opmode wpa2-psk-aes
        a-basic-rates 12 24
        a-tx-rates 12 18 24 36 48 54
        g-basic-rates
        g-tx-rates 9 11 12 18 24 36 48 54
        wpa-passphrase xyz1234abc
    !
    !
    wlan virtual-ap "BBB"
        aaa-profile "BBB"
        vlan 310
        ssid-profile "Test"
        band-steering
        deny-inter-user-traffic
    !
    wlan virtual-ap "AAA"
        aaa-profile "AAA"
        vlan 300
        ssid-profile "Test"
        band-steering
        deny-inter-user-traffic
    !

     

    Should this work?

    Because when I go into the VAP profile (for example "BBB"), choose the SSID "Test" and save, nothing happened!

    BR & thx

    Richard

     



  • 15.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    EMPLOYEE
    Posted Jun 26, 2018 06:11 PM

    Hi Richard,

     

    You should create two AP groups, then apply VAP AAA to ap-group1 (they get VLAN 300) and apply VAP BBB to ap-group2 (they should get VLAN 310). In my case below, as an example, VLAN 200 and VLAN 1.

     

    Hope this helps.

     

    Capture.JPG
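
The per-site layout described in this reply (one SSID profile, with a different Virtual AP and VLAN applied per ap-group) can be checked offline against a saved configuration. The following Python check is an added example, not part of the thread or of Aruba tooling; the `ap-group` / `virtual-ap` stanza form in the sample is assumed, the sample config is constructed, and `parse` and `audit` are hypothetical names.

```python
import re
# Constructed sample: VAP names and VLANs follow the thread; ap-group stanzas are assumed.
SAMPLE = '''
wlan virtual-ap "AAA"
    vlan 300
    ssid-profile "Test"
!
wlan virtual-ap "BBB"
    vlan 310
    ssid-profile "Test"
!
ap-group "Group-MC-BO1"
    virtual-ap "AAA"
!
ap-group "Group-MC-BO2"
    virtual-ap "BBB"
!
ap-group "Group-MC-BO3"
    virtual-ap "AAA"
    virtual-ap "BBB"
'''

def parse(config):
    stanzas, cur = {"wlan virtual-ap": {}, "ap-group": {}}, {}
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r'(wlan virtual-ap|ap-group) "([^"]+)"$', line):
            cur = stanzas[m[1]].setdefault(m[2], {})
        elif line == "!":
            cur = {}  # stanza closed; later top-level lines are ignored
        elif m := re.match(r'(vlan|ssid-profile|virtual-ap) "?([^" ]+)"?$', line):
            cur.setdefault(m[1], []).append(m[2])
    return stanzas["wlan virtual-ap"], stanzas["ap-group"]

def audit(config):
    vaps, groups = parse(config)
    findings, owner = [], {}  # owner: (ssid-profile, vlan) -> first ap-group using it
    for group, body in groups.items():
        vlans = {}  # ssid-profile -> VLANs this ap-group places it in
        for name in body.get("virtual-ap", []):
            vap = vaps.get(name, {})
            if "vlan" in vap and "ssid-profile" in vap:
                vlans.setdefault(vap["ssid-profile"][-1], set()).add(vap["vlan"][-1])
            else:
                findings.append(f"{group}: VAP {name} is undefined or incomplete")
        for ssid, ids in vlans.items():
            if len(ids) > 1:  # one site, several subnets for the same SSID
                findings.append(f"{group}: {ssid} maps to VLANs {sorted(ids)}")
            for vid in sorted(ids):
                if owner.setdefault((ssid, vid), group) != group:
                    findings.append(f"{group}: VLAN {vid} already used by {owner[ssid, vid]}")
    return findings
```

Run over the sample, `audit(SAMPLE)` reports only `Group-MC-BO3`, which carries both Virtual APs and so no longer gives its clients a subnet that identifies the site.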

     

     



  • 16.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    Posted Jun 27, 2018 07:38 AM

    Hi Frank!

     

    Now it works! I had a config problem!

     

    thx & BR

    Richard



  • 17.  RE: SSID in tunneled Mode with different L2 and L3 configuration behind the MC

    EMPLOYEE
    Posted Jun 27, 2018 10:19 AM
    Hi Richard,

    Great to hear. Happy to help