Frequent Contributor I

VLAN Assignment reset

Hi

 

We have 2 Named Vlan Pools each with 3 vlans assigned to them. We have preserve client vlan enabled on the VAPs.

Upon implementation we noticed that clients weren't being balanced across the vlans that well. Clients would join the vlans randomly and in no precise order or balanced (this was when we had approximately 60 clients) - when we reached our peak of around 900+ clients, 2 of the DHCP scopes (2 vlans) in the one named pool were full - in the other pool the one DHCP scope filled up.

The scopes that weren't full in both the pools were utilised only 50%.

 

Looking at a client's vlan history - it shows that the client has had 3 different vlans (if I am reading it correctly) -- does this mean the preserve isn't working or how do I change the frequency of the VLAN resets seen below.

 

(master) #show aaa debug vlan user mac d0:22:be:84:2e:d4

VLAN types present for this User
================================

Default VLAN : 269
Dot1x Aruba VSA : 269

VLAN Derivation History
=======================

VLAN Derivation History Index : 4
1. VLAN 0 for Reset Role Based VLANs
2. VLAN 266 for Dot1x Aruba VSA
3. VLAN 0 for Reset Role Based VLANs
4. VLAN 266 for Current VLAN updated
5. VLAN 0 for Reset Dot1x VLANs
6. VLAN 265 for Dot1x Aruba VSA
7. VLAN 0 for Reset Role Based VLANs
8. VLAN 265 for Current VLAN updated
9. VLAN 265 for VLAN exported
10. VLAN 0 for Reset VLANs for Station up
11. VLAN 265 for Default VLAN
12. VLAN 265 for Current VLAN updated
13. VLAN 0 for Reset Role Based VLANs
14. VLAN 265 for Dot1x Aruba VSA
15. VLAN 0 for Reset Role Based VLANs
16. VLAN 265 for Current VLAN updated
17. VLAN 0 for Reset Dot1x VLANs
18. VLAN 269 for Dot1x Aruba VSA
19. VLAN 0 for Reset Role Based VLANs
20. VLAN 269 for Current VLAN updated
21. VLAN 269 for VLAN exported
22. VLAN 0 for Reset VLANs for Station up
23. VLAN 269 for Default VLAN
24. VLAN 269 for Current VLAN updated
25. VLAN 0 for Reset Role Based VLANs
26. VLAN 269 for Dot1x Aruba VSA
27. VLAN 0 for Reset Role Based VLANs
28. VLAN 269 for Current VLAN updated
29. VLAN 0 for Reset Dot1x VLANs
30. VLAN 269 for Dot1x Aruba VSA
31. VLAN 0 for Reset Role Based VLANs
32. VLAN 269 for Current VLAN updated

DHCP Discover/Request processing for options done

Current VLAN : 269 (Dot1x Aruba VSA)
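
An added example, not part of the original post and not Aruba tooling: a small Python parser that collapses a "VLAN Derivation History" like the one above into the ordered list of VLANs the client actually landed in, the number of station-up resets, and how often each VLAN came from the Dot1x Aruba VSA source. Treating "Current VLAN updated" as the effective assignment is this example's reading of the output; the sample is the first 20 history entries from the post.

```python
import re
from collections import Counter

# First 20 history entries copied from the "show aaa debug vlan user" output above.
SAMPLE = """\
1. VLAN 0 for Reset Role Based VLANs
2. VLAN 266 for Dot1x Aruba VSA
3. VLAN 0 for Reset Role Based VLANs
4. VLAN 266 for Current VLAN updated
5. VLAN 0 for Reset Dot1x VLANs
6. VLAN 265 for Dot1x Aruba VSA
7. VLAN 0 for Reset Role Based VLANs
8. VLAN 265 for Current VLAN updated
9. VLAN 265 for VLAN exported
10. VLAN 0 for Reset VLANs for Station up
11. VLAN 265 for Default VLAN
12. VLAN 265 for Current VLAN updated
13. VLAN 0 for Reset Role Based VLANs
14. VLAN 265 for Dot1x Aruba VSA
15. VLAN 0 for Reset Role Based VLANs
16. VLAN 265 for Current VLAN updated
17. VLAN 0 for Reset Dot1x VLANs
18. VLAN 269 for Dot1x Aruba VSA
19. VLAN 0 for Reset Role Based VLANs
20. VLAN 269 for Current VLAN updated
"""

ENTRY = re.compile(r"^\s*(\d+)\.\s+VLAN\s+(\d+)\s+for\s+(.+?)\s*$")

def parse_history(text):
    """Return (index, vlan, reason) tuples; lines that are not entries are skipped."""
    hits = (ENTRY.match(line) for line in text.splitlines())
    return [(int(m[1]), int(m[2]), m[3]) for m in hits if m]

def summarize(entries):
    """Ordered distinct effective VLANs, station-up count, VLANs returned via VSA."""
    effective, vsa = [], Counter()
    for _, vlan, reason in entries:
        if reason == "Current VLAN updated" and effective[-1:] != [vlan]:
            effective.append(vlan)   # assumption: this line marks the VLAN in effect
        elif reason == "Dot1x Aruba VSA":
            vsa[vlan] += 1           # VLAN derived from the RADIUS-returned VSA
    station_ups = sum(r == "Reset VLANs for Station up" for _, _, r in entries)
    return effective, station_ups, dict(vsa)

if __name__ == "__main__":
    print(summarize(parse_history(SAMPLE)))
```
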

 

Guru Elite

Re: VLAN Assignment reset

Hendrik,

 

Why are you using two VLAN pools instead of one?  Are the two VLAN pools for separate SSIDs or the same one?  Is your VLAN pool set to even?  Is this spread out over more than one controller?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I

Re: VLAN Assignment reset

Hi Colin

 

We are using ClearPass for device Categorization - one category being SmartDevice (Which is the one vlan pool) and the other is Computers (with a vlan Pool for them) -- if all works well the ultimate goal will be to redirect all the smart devices over a new proxy being installed - hence we are trying to split the devices into different vlans for routing and so forth.

 

So yes it is for one SSID. Both the Pools are set to Even Assignment. We are running a Master/Standby setup for failover - so in a sense just one controller (we are aware that if failover occurs that the other won't know of the previous assignments and are prepared to deal with that).

 

 

Guru Elite

Re: VLAN Assignment reset

Hendrik,

 

You should type "show vlan status" to get a sense of how many clients are in each VLAN.  I am not sure if "preserve VLAN" has a material effect on what happens.

 

Ultimately, if clients attach, but only clients that are in a specific vlan leave, things will be unbalanced, so there is room for things to NOT work perfectly.  You probably would need TAC to go over your configuration in detail and ensure that you are not doing anything specifically that is keeping you from reaching your goal.

 

Sending back the name of an even VLAN pool in a radius VSA should be all that is necessary in general to do what you are doing.  Unfortunately, if ClearPass has never even seen the DHCP fingerprint of a device it will not know what kind of device it is upon authentication and put it in the wrong pool, so there are weaknesses with your approach if you are using 802.1x.  Your approach assumes that we have already profiled the devices that are connecting so that we know where to place them.

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I

Re: VLAN Assignment reset

Hi Colin

All the best to you in the new year.

Thanks for the reply and sorry for the slow response.

 

Maybe a bit more background would be good - I understand fully that a client will have to be seen by ClearPass before it gets the fingerprint for the device. So we did give it time to identify the devices (we also understand that new devices coming in, which haven't been seen, will first have to go through the fingerprinting).

 

Why I was asking about the vlan reset is that we suspected that some clients were identified, but utilising more than 1 address on the DHCP server in different vlans.

 

BUT in the time that has passed we have done some other testing - I am suspecting that the even vlan pool balancing isn't working correctly.

We took one night with only a few clients connected, stopped all the SSIDs from broadcasting, cleared out all DHCP entries - and changed from Hash balancing to Even and switched the SSIDs on again (we did this several times going from even balancing to hash and back again).

 

As clients were connecting we were monitoring the DHCP scopes to see how users came in and got IPs assigned (this also confirmed that users weren't going into more than one vlan - only 1 IP entry for each client) we could see the first vlan only getting one client for every 3 to 4 being assigned to the remaining two vlans. Using Hash and Even balancing appeared to have the same effect.

 

Perhaps the testing methodology is flawed but I am suspecting the VLAN pool balancing to be the culprit.

Out of interest we are running the "Early Release" of 6.4.2.2 (haven't had a chance to upgrade to GA 6.4.2.3 yet)

Guru Elite

Re: VLAN Assignment reset

Hendrik,

I hope you have a support case open. There are quite a few ways that this could go wrong, or you could be experiencing a bug. A TAC case is the best way to sort through what you are trying to accomplish.


Colin Joseph
Aruba Customer Engineering


Frequent Contributor I

Re: VLAN Assignment reset

Hi Colin

 

When we implement the rules again I will have a TAC case open - but I think it best if we just do the upgrade to the GA 6.4.2.3 before going further -- there are a few funnies on 6.4.2.2 (like client counts on GUI) so I won't frown at anything.
