Wireless Access

New Contributor
Posts: 3
Registered: ‎04-30-2010

User Roles and VLAN Pools

I'm in the process of re-designing our wireless deployment and I've run into a problem that I can't seem to solve.  I could really use some advice on how to fix this.

 

We run an MPLS network.  Our NAC solution determines what VLAN a user belongs in and reports that back to the switches.  VLANs are not the same on each switch, but we have an internal scheme as to what "role" each VLAN falls into.

 

We want to do the same thing for wireless.  We have full PEF licensing on our controller (M3) and my initial take on this was to create user roles that matched the roles we have defined for the wired network.  In development, this works fine.  I have the various VLANs defined on the controller and trunked into our distribution switch.  I also have user roles created.  Our NAC solution identifies the user and reports back the user role and vlan to use.  So far, so good.  The problem, however, is that we have several thousand devices that will be in each role.  It doesn't seem wise to use a single VLAN for all of those devices.

 

I poked around a bit and found named vlans which can be specified as pools.  I attempted to use a named vlan pool with server derivation rules to set the named vlan as the vlan to use for a given user role.  However, the system rejects this.

 

I can't be the only person to ever attempt this, but thus far I have not found a solution.  Aruba TAC hasn't been much of a help beyond telling me that the config wouldn't work.  Can someone please assist?

 

Thanks,

Jason

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: User Roles and VLAN Pools

Starting with 6.3, which is now posted on the Aruba support site, named VLAN pools are supported. Prior to 6.3, you couldn't do what you want to do.

Guru Elite
Posts: 21,028
Registered: ‎03-29-2007

Re: User Roles and VLAN Pools

EDIT:  Thanks Olin.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 3
Registered: ‎04-30-2010

Re: User Roles and VLAN Pools

So is 6.3 the only way to do this?  Running a brand new release, marked as early deployment, in a production network seems foolish...  I still cannot believe that large networks have not run into this problem and somehow solved it...

Guru Elite
Posts: 21,028
Registered: ‎03-29-2007

Re: User Roles and VLAN Pools

XenoPhage,

It would probably be simpler to understand why you would need to put wireless users in different VLANs and we can solve your problem from there.  There are many wired vs. wireless paradigms that do not translate and this might be one of them.  What problem are you trying to solve?

Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 3
Registered: ‎04-30-2010

Re: User Roles and VLAN Pools

I'm not sure how to explain it any better than I've already tried.  We have a number of MPLS networks.  Each network is designed for a specific user role.  In order to get into that network, you need to be assigned to a vlan.  This works fine on the wired side as each switch stack can be assigned a set of vlans, one for each user role.  On wireless, however, all users go through the same controller.  The only way I can see to handle the large number of users is to assign them to vlan pools.  Otherwise we would have several thousand devices in the same vlan.

 

So, I want to assign a wireless user to a role which maps them to a vlan pool.

Does that help any?

Guru Elite
Posts: 21,028
Registered: ‎03-29-2007

Re: User Roles and VLAN Pools

I understand.

There is nothing wrong with having larger VLANs (/22s) and mapping those to roles to accommodate larger numbers of users.  You can suppress broadcasts at the Virtual AP level (broadcast-filter-all and broadcast-filter arp) on the controller to deal with broadcast issues for those larger subnets.  You can also on each VLAN on a controller enable "broadcast multicast optimization" which will do the same thing.  Larger VLANs are okay as long as you control your broadcasts with those knobs.

Colin Joseph
Aruba Customer Engineering
