Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

question about 'airgroup vlan

  • 1.  question about 'airgroup vlan

    Posted Mar 10, 2016 12:22 PM
    • ArubaOS: 6.4.3.7
    • Controller setup: master and standby with 3 locals (all 7210's), and all AP's are terminated on the locals
    • Campus setup: We have 27 schools, each with their own ap-group, all broadcasting a single SSID, all tunneled back to the controllers on a single VLAN.  All of our controllers are centrally located in our main datacenter.
    • AirGroup setup: AirGroup Status is enabled on all controllers (with most services except allowall, DLNA Media, and DLNA Print), no CPPM, no AirGroup domains defined.

    Before I ask my question about the function of the airgroup vlan <VLAN ID> disallow knob, let me preface by explaining what my goal is.  I want to isolate AirGroup traffic within a single school without the use of ClearPass.  That is, I want AirGroup servers in School A to only be visible to AirGroup users in School A, AirGroup servers in School B to only be visible to AirGroup users in School B, etc.  Right now we have one big wireless VLAN for all schools, so all AirGroup servers are visible to all AirGroup users on a given controller.  This summer I'll be creating new / separate wireless VLANs for each school.  Since I'm making new wireless VLANs for each school, I think I can limit AirGroup traffic within a single school by using the airgroup vlan <VLAN ID> disallow knob on each of the new VLANs.  But here is my question about this knob... At this link in the user guide it says:

    • Restricting AirGroup Servers for a VLAN
    • An AirGroup service is accessible to user devices in all VLANs configured on your controller by default. Use the following command to enable or disable AirGroup access to devices in a specific VLAN: 
    • airgroup vlan <VLAN ID> {allow | disallow}

    Am I correct in assuming that if I run airgroup vlan <VLAN ID> disallow then it will allow AirGroup services to continue running isolated within that VLAN only, but will not allow the AirGroup traffic to be shared with other VLANs on the controller?



  • 2.  RE: question about 'airgroup vlan
    Best Answer

    EMPLOYEE
    Posted Mar 10, 2016 01:11 PM

    That means that users on the VLAN specified would not be able to access the service you specified.  http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/AirGroup/Integrated_Deployment_Model.htm#Restricting-AirGroup-Servers-on-a-VLAN-based-on-an-AirGroup-Service
    Your guess is correct.
    Unfortunately, that will not scale to multiple locations.  ArubaOS 6.4.3.x and the autoassociate parameter might have the answer for you, however.  Basically if you do this:
    [image: autoassociate.PNG]

    ...and only users who share the same AP, or neighbors of the AP, that the Apple TV is associated to will be able to see the wireless TV.  http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/airgroupservice.htm?Highlight=autoassociate
    That is assuming that you have Apple TVs that are wireless.  If you have wired devices, you can manually say which wireless APs or ap-groups those devices will be associated with.  For the wireless device below, I configured it to only be associated with the AP Office-225.  So users associated with that AP or neighbors of that AP will be able to see it.  It can be tedious managing so many devices without ClearPass, because the controller was not really designed to handle tons and tons of devices this way:
    [image: associate.PNG]
    You should try this and see if it works for you.



  • 3.  RE: question about 'airgroup vlan

    Posted Mar 16, 2016 09:58 AM

    Many thanks, cjoseph!  How did I miss the autoassociate apgroup knob in the release notes?!  Your feedback is much appreciated.



  • 4.  RE: question about 'airgroup vlan

    Posted Apr 16, 2016 04:01 PM

    Colin, this is a great feature that I'm sure will be very useful to many people.  I'm wondering about scaling.  In a large Higher Ed or K-12, this could be a few thousand ATVs and upwards of 50,000 users.  Do the controllers have the capability of maintaining those lists at that scale?  Does this feature have recommended sizing guidelines?

    Thanks,



  • 5.  RE: question about 'airgroup vlan

    EMPLOYEE
    Posted Apr 16, 2016 04:24 PM

    On the same controller?  The question is, what are you trying to do and what are you doing today?


  • 6.  RE: question about 'airgroup vlan

    Posted Apr 17, 2016 08:14 PM

    As an example, I have a K-12 with (4) 7240's and about 35K clients currently, but still growing.   Same situation, ~50 VLANs, one per school.  The plan is to manage this with ClearPass, enforce registration, and require the registrar to select the ap-name or ap-group for the ATV.  

    Auto-association looks to be a much more elegant way to handle this.  That is if it can scale to very large implementations.



  • 7.  RE: question about 'airgroup vlan

    EMPLOYEE
    Posted Apr 17, 2016 09:26 PM

    I think you need someone to look at your deployment in detail and come up with a plan.  I cannot say from the limited information that you give me whether it will work or not.  I know that the AirGroup platform limit on the 7240 is the user limit (32768), so the combined controller users and AirGroup servers cannot pass the 32K number.  How you decide to split coverage of that K-12 among your controllers will determine if you can even use that strategy.  
    Configuring "AutoAssociate" at the service level (Airplay for instance), would override any configuration that would be received from CPPM.  So if you want all of your Airplay devices on that controller to support autoassociate, you would configure autoassociate under the airplay service, and it does not matter if the device is in CPPM or not, users will automatically see all of the airplay devices that are associated to the ap or the neighbor of an AP that the user is associated to.  Configuring "autoassociate" at the specific device level will configure autoassociate for only that device and it will ignore anything that you have configured in CPPM, so you can selectively have autoassociate devices configured and limit access to others via CPPM if you would like.
    Again, I don't know what your setup is, so you should look carefully at your deployment, make sure you are running some flavor of 6.4.4.x to support autoassociate, and do not go beyond the platform limit.
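
The visibility rules described in replies #2 and #7, as an added Python model that is not part of this thread and not ArubaOS code. It encodes the `airgroup vlan <VLAN ID> disallow` effect (users in that VLAN lose the service; the service is not scoped to the VLAN), the autoassociate rule (a user sees a server only from the server's AP or an RF neighbor of it, whether autoassociate is set at the service level or on the device), and the "users + AirGroup servers must not exceed the platform limit" sizing check. The school and AP names, the neighbor table, and the scenario data are constructed for illustration.

```python
"""Constructed model of the AirGroup visibility rules discussed in this thread.

Not ArubaOS code. The neighbor table, AP names and server names are hypothetical.
"""
from dataclasses import dataclass, field

# Reply #7: on a 7240 the AirGroup platform limit is the user limit (32768);
# controller users and AirGroup servers combined must stay within it.
PLATFORM_USER_LIMIT_7240 = 32768


@dataclass(frozen=True)
class AirGroupServer:
    name: str
    service: str                 # AirGroup service name, e.g. "airplay"
    vlan: int
    ap_name: str                 # AP the server is associated to (wireless) or pinned to (wired)
    autoassociate: bool = False  # device-level autoassociate (reply #7)


@dataclass(frozen=True)
class Client:
    name: str
    vlan: int
    ap_name: str


@dataclass
class Controller:
    # RF neighbor table: ap-name -> set of neighboring ap-names (hypothetical data).
    neighbors: dict
    # service -> VLANs where `airgroup vlan <id> disallow` was applied for that service.
    # Reply #2: users in those VLANs cannot access that service.
    disallowed: dict = field(default_factory=dict)
    # Services with autoassociate configured at the service level. Reply #7: this
    # applies to every device of that service regardless of what CPPM would say.
    service_autoassociate: set = field(default_factory=set)

    def _are_neighbors(self, ap_a: str, ap_b: str) -> bool:
        return ap_b in self.neighbors.get(ap_a, set()) or ap_a in self.neighbors.get(ap_b, set())

    def autoassociate_applies(self, server: AirGroupServer) -> bool:
        return server.service in self.service_autoassociate or server.autoassociate

    def can_see(self, client: Client, server: AirGroupServer) -> bool:
        """True if `client` would be shown `server` in its AirGroup service listing."""
        # Rule 1: the VLAN knob removes the service from users in that VLAN.
        # It does not confine the service to that VLAN (reply #2).
        if client.vlan in self.disallowed.get(server.service, set()):
            return False
        # Rule 2: without autoassociate (and without CPPM) every remaining user on
        # the controller sees the server, whatever VLAN either side is in.
        if not self.autoassociate_applies(server):
            return True
        # Rule 3: autoassociate limits visibility to the server's AP and its RF neighbors.
        return client.ap_name == server.ap_name or self._are_neighbors(client.ap_name, server.ap_name)

    def visible_servers(self, client: Client, servers) -> list:
        return sorted(s.name for s in servers if self.can_see(client, s))


def within_platform_limit(num_users: int, num_servers: int,
                          limit: int = PLATFORM_USER_LIMIT_7240) -> bool:
    """Reply #7: combined controller users and AirGroup servers must not exceed the limit."""
    return num_users + num_servers <= limit


# Constructed scenario: two schools on one SSID, one wireless VLAN per school.
NEIGHBORS = {
    "SchoolA-AP1": {"SchoolA-AP2"},   # the two School A APs hear each other
    "SchoolA-AP2": {"SchoolA-AP1"},
    "SchoolB-AP1": set(),             # School B is a separate building
}
CTRL = Controller(neighbors=NEIGHBORS, service_autoassociate={"airplay"})

SERVERS = [
    AirGroupServer("ATV-LibraryA", "airplay", vlan=110, ap_name="SchoolA-AP1"),
    AirGroupServer("ATV-LibraryB", "airplay", vlan=120, ap_name="SchoolB-AP1"),
    # A service with no autoassociate anywhere stays visible controller-wide.
    AirGroupServer("Printer-A", "airprint", vlan=110, ap_name="SchoolA-AP1"),
]

if __name__ == "__main__":
    for c in (Client("teacherA", 110, "SchoolA-AP2"), Client("teacherB", 120, "SchoolB-AP1")):
        print(c.name, "sees", CTRL.visible_servers(c, SERVERS))
```

The model makes the thread's two points concrete: with autoassociate on the airplay service, a School A user on the neighboring AP still sees the School A Apple TV while a School B user does not, and the VLAN disallow knob only hides a service from users in that VLAN rather than fencing it inside the VLAN.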