Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VLAN assignment based on AP

  • 1.  VLAN assignment based on AP

    Posted Apr 05, 2016 06:48 AM

    Hi,

     

    I've been trying to find an explanation of how to assign a VLAN to a wireless client based on the AP it is connected to. For example, users at location X should receive VLAN x and users at location Y should receive VLAN y.

     

    I'm using MS NPS, but as the VLAN assignment is based on the specific AP (or AP group), I'm not sure if NPS is capable of doing this.

     

    My current WLAN solution uses a so-called 'location policy' in which AP groups are defined on a per-office basis. Once the user is authenticated, the WLAN controller assigns the correct VLAN based on the AP groups that are defined.

    I would like to know if I can accomplish the same with the Aruba solution.

     

    The setup will be based on 2x 7220s with remote 325s.

     

    Thanks for the reply!



  • 2.  RE: VLAN assignment based on AP

    Posted Apr 05, 2016 06:54 AM


  • 3.  RE: VLAN assignment based on AP

    EMPLOYEE
    Posted Apr 05, 2016 06:58 AM

    It all depends on how many offices you have.

     

    If it is a few offices, you can duplicate the Virtual AP, change the VLAN in that Virtual AP and then assign it to a different ap-group. Everything in the new ap-group will be the same besides the name of the Virtual AP (WLAN) and the VLAN that users are assigned.

     

    If you want more flexibility (many more offices), you would get a radius server like ClearPass that will check the ap-group attribute and return a VLAN attribute based on the ap-group.

     

    NPS cannot detect an incoming ap-group radius attribute and decide what VLAN to send back.
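    The RADIUS route described in this reply, as an added example that is not code from this thread or from HPE Aruba: the controller reports the ap-group in the Access-Request as an Aruba vendor-specific attribute, and the server's policy maps it to a VLAN and returns that VLAN in the Access-Accept. The vendor ID (14823) and vendor-type numbers (Aruba-AP-Group = 10, Aruba-User-Vlan = 2) follow the public FreeRADIUS dictionary.aruba as I recall it; treat them as an assumption and confirm against the dictionary your RADIUS server ships. The site table, ap-group names and VLAN numbers are constructed for illustration.

```python
"""RADIUS attribute handling for AP-group based VLAN assignment.

Added example, not code from this thread or from HPE Aruba. Vendor ID 14823
and the vendor-type numbers below follow the public FreeRADIUS
dictionary.aruba as I recall it (assumption: verify against your server's
dictionary). The site table is constructed for illustration.
"""
import struct
from typing import Dict, List, Optional, Tuple

ARUBA_VENDOR_ID = 14823
ARUBA_USER_VLAN = 2   # integer VSA in the Access-Accept
ARUBA_AP_GROUP = 10   # string VSA in the Access-Request

# Standard attribute numbers (RFC 2865 / RFC 2868).
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Constructed mapping: controller ap-group name -> VLAN at that office.
AP_GROUP_VLAN: Dict[str, int] = {"SiteA": 110, "SiteB": 120, "SiteC": 130}


def encode_attr(attr_type: int, value: bytes, tag: Optional[int] = None) -> bytes:
    """Encode one AVP (type, length, value); tag is the RFC 2868 tunnel tag."""
    body = (bytes([tag]) if tag is not None else b"") + value
    if 2 + len(body) > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific AVP carrying a single vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk an attribute list, rejecting bad lengths instead of looping on them."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def aruba_vsas(attrs: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Collect Aruba vendor sub-attributes as {vendor_type: raw value}."""
    found: Dict[int, bytes] = {}
    for attr_type, value in attrs:
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        pos = 4  # one VSA may carry several sub-attributes back to back
        while pos < len(value):
            if len(value) - pos < 2:
                raise ValueError("truncated vendor sub-attribute")
            sub_type, sub_len = value[pos], value[pos + 1]
            if sub_len < 2 or pos + sub_len > len(value):
                raise ValueError("bad vendor sub-attribute length")
            found[sub_type] = value[pos + 2:pos + sub_len]
            pos += sub_len
    return found


def vlan_for_request(request_attrs: bytes) -> Optional[int]:
    """Policy step: map the reported ap-group to a VLAN; None means reject."""
    group = aruba_vsas(parse_attrs(request_attrs)).get(ARUBA_AP_GROUP)
    if group is None:
        return None
    return AP_GROUP_VLAN.get(group.decode("ascii", "replace"))


def build_vlan_response(vlan: int) -> bytes:
    """Access-Accept attributes: RFC 2868 tunnel triplet plus Aruba-User-Vlan."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    return (
        encode_attr(ATTR_TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:], tag=1)
        + encode_attr(ATTR_TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:], tag=1)
        + encode_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode("ascii"), tag=1)
        + encode_vsa(ARUBA_VENDOR_ID, ARUBA_USER_VLAN, struct.pack("!I", vlan))
    )


if __name__ == "__main__":
    request = encode_vsa(ARUBA_VENDOR_ID, ARUBA_AP_GROUP, b"SiteB")
    vlan = vlan_for_request(request)
    print("ap-group SiteB ->", vlan)
    print(parse_attrs(build_vlan_response(vlan)))
```

    Two design points worth keeping when this is done for real: the parser refuses attribute lengths below 2 or beyond the buffer rather than looping on them, and the policy returns None for an ap-group that is not in the table so the server rejects instead of falling back to some default VLAN. The ap-group string is supplied by the NAS, so it is only as trustworthy as the controller that sent it; it should be accepted only from a NAS authenticated with its RADIUS shared secret. The response carries both the RFC 2868 tunnel triplet and the Aruba VSA so the encoding of each is visible; as I recall, ArubaOS documents both forms for server-derived VLANs, so check which one your version uses.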



  • 4.  RE: VLAN assignment based on AP

    Posted Apr 05, 2016 07:21 AM

    Hi Colin,

     

    Thanks for your response.

     

    There are around 50 offices and all need to have the same SSID broadcast. The config is the same except there needs to be a difference in VLAN ID due to the network design.

     

    How can this be achieved with Aruba WLAN?

     



  • 5.  RE: VLAN assignment based on AP

    EMPLOYEE
    Posted Apr 05, 2016 07:25 AM

    Will all the offices be on separate controllers?  If yes, you could use Named VLANs, where you assign the "Employee" name to a WLAN and it is defined as different VLANs depending on the controller the access point is connected to.



  • 6.  RE: VLAN assignment based on AP

    Posted Apr 05, 2016 09:14 AM

    The APs in all offices will be connected using HA fast failover on two 7220s. So no local controllers in the offices.

    It would need something like an AP group which can assign a unique VLAN id back to the authenticated client. Can Aruba do this or a similar way to accomplish this (like Juniper)?



  • 7.  RE: VLAN assignment based on AP

    EMPLOYEE
    Posted Apr 05, 2016 09:16 AM

    It is absolutely possible.  The specifics of it would depend on your office/Vlan mapping.



  • 8.  RE: VLAN assignment based on AP

    Posted Apr 05, 2016 09:31 AM

    Great, even without ClearPass?

    The majority of offices have 3 VLANs (1 per SSID). Two are layer 2 and are distributed over all offices, so I do have the possibility to use a static VLAN on these, although I prefer to use dynamic assignment.

    One VLAN is layer 3 and needs to be dynamically assigned to wireless clients. Some offices do have multiple layer 3 VLANs (different floors are divided into multiple VLANs). L3 roaming is not required.

     

    I've built this setup using other WLAN vendor solutions by using, for example, location policies. With Aruba I'm not able to find a similar way to do so. I tried configuring multiple AP groups but then I hit the limitation of only being able to select 1 SSID per AP group.



  • 9.  RE: VLAN assignment based on AP

    EMPLOYEE
    Posted Apr 05, 2016 10:02 AM

    Are all of the VLANs tunneled back to the controller, or is the default gateway for the VLANs located at the Offices?



  • 10.  RE: VLAN assignment based on AP

    Posted Apr 06, 2016 02:12 AM

    Hi Colin, all VLANs will be tunneled back to the controller. There will be no APs in bridging mode.



  • 11.  RE: VLAN assignment based on AP

    EMPLOYEE
    Posted Apr 06, 2016 05:38 AM

    Jer,

     

    So you will be creating 50*3 VLANs on the controller?

     



  • 12.  RE: VLAN assignment based on AP

    Posted Apr 06, 2016 06:12 AM

    That is correct. 50 VLANs on the controllers, with the gateway on the core routers directly connected to these controllers.



  • 13.  RE: VLAN assignment based on AP

    EMPLOYEE
    Posted Apr 06, 2016 06:45 AM

    How are your sites connected to your main site?  Are they working today?  Do they currently have wireless?  How many users at the biggest site?  How many users at the smallest site?

     



  • 14.  RE: VLAN assignment based on AP

    Posted Apr 06, 2016 07:11 AM

    All offices are connected to a datacenter with routing in between (L3).

    These have been operational for more than 10 years.

    All offices have wireless available, some offices are wireless only.

    Smallest site has 10 users (20 clients), biggest site has around 1500 users (3000 clients).

     

    Let me know if you need more info.



  • 15.  RE: VLAN assignment based on AP

    EMPLOYEE
    Posted Apr 06, 2016 07:23 AM

    I want to say that you should work with someone closely to deploy your network.  

     

    To answer your initial question: in the simplest form, you can have 1 VLAN per site and create an ap-group and a virtual AP for each site, and have 50 VLANs and 50 Virtual APs that simply assign the correct VLAN for each site (you would just duplicate the first Virtual AP and just change the VLAN). You could use NPS, because the VLAN would be defined by the Virtual AP and not by any radius attribute. This approach can make your configuration very large, however, and there is the fact that you would have to create and maintain 50 VLANs on top of the VLANs that are already assigned for each site.

     

    The other concern is tunneling. Depending on the latency to your sites, if you have significant local traffic at the site, your users would have to send traffic to the controller and it would have to be routed back to the wired network at each site. If there is limited bandwidth between the controller and the site, that could make accessing local files very, very painful for users. For sites with significant local resources, I would consider placing a controller at that site, or bridging the user traffic locally so that there is no latency between users and their local applications.

     

    In my limited view, for smaller sites, where all traffic is going back to the datacenter, it would be okay to have traffic tunneled to the controller. For other sites, where significant traffic still stays local, it would be better to have the traffic bridged to the local wired network, where your existing infrastructure can route it. All APs at sites where traffic is bridged locally can be in the same AP group and do not require any site-specific configuration; you could make them bridge to VLAN 1 and all of the traffic would simply be sent to the physical local network untagged and obtain IP addresses from the local LAN, so that you do not have to define VLANs and route them in your datacenter; it would leverage your existing wired network at those sites.

     

    Again at the scale you would like to deploy, you should get a reseller or consultant so that they can advise you on the most efficient way to deploy your upcoming network.  There are definitely ways to do everything you mention, but there are easier ways that do not involve duplicating the same thing 50 times.



  • 16.  RE: VLAN assignment based on AP

    Posted Apr 06, 2016 09:10 AM

    Hi Colin, thanks a lot for your extensive response, appreciated.

     

    I have discussed the setup with my local Aruba contact and shared my concern regarding the impact of tunneling locally intended traffic back to the Aruba controller first, instead of local switching. This should not be noticeable according to my local Aruba contact. I was also recommended to have all traffic flow through the controllers. This would ease deploying (security) policies and give more insight into the traffic flows (Skype).

     

    99% of the traffic is going to the datacenter as I don't host any data in the branch offices. I do have sufficient bandwidth available and low latency between the datacenter and the farthest office (10ms). The only data that remains in an office would be VoIP. Currently we have offices using WLAN tunnel mode and all is fine in regards to VoIP quality. Therefore I think this also wouldn't be an issue with the new Aruba gear that I have. During the next tests this will be tested more thoroughly.

     

    Looking at your recommendation, I might configure one L3 VLAN per office. This will reduce the number of VLANs to around 20.

    You mention creating an AP group and a virtual AP for each site. Do you mean multiple virtual APs under 1 AP group, or multiple AP groups each having their own virtual AP?

    Like I mentioned earlier, I'm not able to select the same SSID on a second AP group if it is already assigned to the first AP group.



  • 17.  RE: VLAN assignment based on AP

    EMPLOYEE
    Posted Apr 06, 2016 09:27 AM

    Jer,

     

    If all traffic is going back to the controller, there is theoretically no need to have anything more than a single larger VLAN with all of your access points in the same ap-group. An IP address is simply a way for your network devices to know where to deliver the traffic to a client. When looking at the controller to see where a user is, if you have a naming convention for your access points, it would be easy to tell where a user is based on what access point that user is associated to. There is honestly no need to segment sites by IP address if you have "drop broadcast and multicast" enabled on your Virtual AP.

     

    To answer your question: the Virtual AP is what represents an actual WLAN. You would duplicate the Virtual AP and change the VLAN in the duplicated virtual AP. You would then assign the new Virtual AP to a different ap-group.
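    The per-site duplication described in this reply and in reply 15 (one VLAN, one Virtual AP and one ap-group per site, with the SSID profile and AAA profile shared) is tedious and error-prone by hand at 50 sites, so here is an added example that generates the stanzas from a site table and checks the table first. This is not code from this thread or from HPE Aruba. The CLI syntax (vlan, wlan virtual-ap, ssid-profile, aaa-profile, broadcast-filter all, ap-group) is ArubaOS 6.x as I recall it and should be checked against your controller's version before anything is pasted in; the profile names, site names and VLAN numbers are constructed.

```python
"""Generate per-site Virtual AP and ap-group stanzas from a site-to-VLAN table.

Added example, not code from this thread or from HPE Aruba. The CLI lines
follow ArubaOS 6.x syntax as I recall it (assumption: verify on your
controller). Profile names and the SITES table are made up for illustration.
"""
from typing import Dict, List

SSID_PROFILE = "Corp-SSID"   # shared by every site; only the VAP name and VLAN differ
AAA_PROFILE = "Corp-AAA"     # shared; the RADIUS server need not return a VLAN

# Constructed site table: ap-group name -> VLAN ID defined on the controller.
SITES: Dict[str, int] = {"Amsterdam": 110, "Berlin": 120, "Copenhagen": 130}


def validate_sites(sites: Dict[str, int]) -> List[str]:
    """Return a list of problems with the table; an empty list means it is usable."""
    problems: List[str] = []
    owner: Dict[int, str] = {}
    for site, vlan in sites.items():
        if not 1 <= vlan <= 4094:
            problems.append(f"{site}: VLAN {vlan} out of range")
        if vlan in owner:
            # Two sites on one VLAN would silently merge their L3 segments.
            problems.append(f"{site}: VLAN {vlan} already used by {owner[vlan]}")
        owner.setdefault(vlan, site)
        if not site.replace("-", "").replace("_", "").isalnum():
            problems.append(f"{site}: ap-group name has unsafe characters")
    return problems


def vap_name(site: str) -> str:
    """Virtual AP names must be unique per site even though the SSID is shared."""
    return f"Corp-VAP-{site}"


def render_site(site: str, vlan: int) -> str:
    """One site's VLAN, Virtual AP and ap-group as CLI lines."""
    return "\n".join([
        f"vlan {vlan}",
        f'wlan virtual-ap "{vap_name(site)}"',
        f'  ssid-profile "{SSID_PROFILE}"',
        f'  aaa-profile "{AAA_PROFILE}"',
        f"  vlan {vlan}",
        "  broadcast-filter all",   # drop broadcast/multicast, as reply 17 suggests
        "!",
        f'ap-group "{site}"',
        f'  virtual-ap "{vap_name(site)}"',
        "!",
    ])


def render_config(sites: Dict[str, int]) -> str:
    """Validate the table, then emit all sites in a stable (sorted) order."""
    problems = validate_sites(sites)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(render_site(s, v) for s, v in sorted(sites.items())) + "\n"


if __name__ == "__main__":
    print(render_config(SITES))
```

    The generator refuses a table with a VLAN outside 1-4094 or with two sites on the same VLAN, because the whole point of the exercise is that each site lands in its own segment. Everything not listed in the generated ap-group (radio profiles and so on) inherits the defaults, and the APs themselves still have to be moved into their site's group, which on ArubaOS 6.x is done with ap-regroup by AP name, serial number or wired MAC, as I recall. Keeping the site table in version control and regenerating the config is far easier to audit than 50 hand-edited copies of one Virtual AP.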



  • 18.  RE: VLAN assignment based on AP

    Posted Apr 07, 2016 05:36 AM

    Hi Colin,

     

    Thanks for your response. Again, I appreciate your time and effort looking into this.

     

    I've checked using one single VLAN for those clients based on the VRD on this topic. If this works at least as well as the setup with VLAN segmentation, and with the benefits, I would prefer to use this single VLAN. I do have a naming convention for the APs, also for LBS activities, so this is not an issue.

     

    I will get in contact with my local Aruba contact again and have this question discussed.