Wireless Access

I'm in the process of re-designing our wireless deployment and I've run into a problem that I can't seem to solve.  I could really use some advice on how to fix this.

 

We run an MPLS network.  Our NAC solution determines what VLAN a user belongs in and reports that back to the switches.  VLANs are not the same on each switch, but we have an internal scheme as to what "role" each VLAN falls into.

 

We want to do the same thing for wireless.  We have full PEF licensing on our controller (M3) and my initial take on this was to create user roles that matched the roles we have defined for the wired network.  In development, this works fine.  I have the various VLANs defined on the controller and trunked into our distribution switch.  I also have user roles created.  Our NAC solution identifies the user and reports back the user role and vlan to use.  So far, so good.  The problem, however, is that we have several thousand devices that will be in each role.  It doesn't seem wise to use a single VLAN for all of those devices.

 

I poked around a bit and found named vlans which can be specified as pools.  I attempted to use a named vlan pool with server derivation rules to set the named vlan as the vlan to use for a given user role.  However, the system rejects this.

 

I can't be the only person to ever attempt this, but thus far I have not found a solution.  Aruba TAC hasn't been much of a help beyond telling me that the config wouldn't work.  Can someone please assist?

 

Thanks,

 

Jason

Starting with 6.3, which is now posted on the Aruba support site, named VLAN pools are supported. Prior to 6.3, you couldn't do what you want to do.

So is 6.3 the only way to do this?  Running a brand new release, marked as early deployment, in a production network seems foolish...  I still cannot believe that large networks have not run into this problem and somehow solved it...

XenoPhage,

 

It would probably be simpler to understand why you would Need to put wireless users in different VLANs and we can solve your problem from there.  There are many wired vs. wireless paradigms that do not translate and this might be one of them.  What problem are you trying to solve?

 

I'm not sure how to explain it any better than I've already tried.  We have a number of MPLS networks.  Each network is designed for a specific user role.  In order to get into that network, you need to be assigned to a vlan.  This works fine on the wired side as each switch stack can be assigned a set of vlans, one for each user role.  On wireless, however, all users go through the same controller.  The only way I can see to handle the large number of users is to assign them to vlan pools.  Otherwise we would have several thousand devices in the same vlan.

 

So, I want to assign a wireless user to a role which maps them to a vlan pool.

 

Does that help any?

I understand.

 

There is nothing wrong with having larger VLANs (/22s) and mapping those to roles to accomodate larger numbers of users.  You can suppress broadcasts at the Virtual AP level (broadcast-filter-all and broadcast-filter arp) on the controller to deal with broadcast issues for those larger subnets.  You can also on each VLAN on a controller enable "broadcast multicast optimization" which will do the same thing.  Larger VLANs are okay as long as you control your broadcasts with those knobs.

 

EDIT:  Thanks Olin.