Configuring Mobility Access Switch (MAS) and Aruba Instant (IAP) Integration

By ckokstar posted Sep 17, 2014 04:47 PM





Starting with AOS and IAP 3.1, the Mobility Access Switch (MAS) and Instant AP (IAP) product lines include features that let them work better when paired with each other. Some features assist with deployment (e.g. Auto PoE Priority, GVRP), while others support the day-to-day health of the network (e.g. Rogue AP Enforcement).


IAP Visibility

The fact that IAPs send LLDP messages is very helpful in itself: it lets administrators identify which ports have IAPs attached and which don't. IAPs also natively send a proprietary LLDP TLV that indicates the IAP model and the software version it is running.


Auto PoE Priority

When an IAP is plugged into a PoE-enabled port on the MAS, the MAS automatically increases the PoE priority from low (default) to high. This only occurs if the poe-profile associated with the port is the poe-factory-initial profile and the default poe-priority has not been manually changed.


VLAN Sharing

When you create an SSID on the IAP, you can also associate a VLAN tag with that SSID. The IAP can then share that VLAN tag with the Mobility Access Switch so that you do not need to pre-provision the VLAN ID on the MAS. This makes it easier to build out new SSIDs as needed without having to touch the wired infrastructure.


Rogue AP Enforcement

When an IAP detects a rogue AP, it sends the MAC address of the rogue AP to the MAS using Aruba's proprietary LLDP TLV (a MAC information TLV with the action set to Blacklist). If the MAS finds the MAC address on a switchport configured for access mode, it turns off PoE on that port and administratively shuts the port down. If the MAS finds the MAC address on a switchport configured for trunk mode, it installs an entry in its MAC address table set to DROP packets originating from or destined to the rogue AP. This lasts for a period of 5 minutes, after which the port or table entry is cleared unless the IAP notifies the MAS again that the rogue has reappeared.

  • To enable the rogue AP enforcement feature, connect the IAPs to the LLDP-enabled MAS ports.
  • The rogue AP containment functionality is supported only on trusted ports.
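
The decision logic described above can be modelled in a few lines of Python to reason about what a single blacklist notification does to the wired side. This is an added example, not Aruba code or code from the original post. Assumptions: the class and port names are hypothetical, "trusted" is modelled as a property of the port that receives the TLV, and a repeated notification is modelled as restarting the 5-minute timer.

```python
from dataclasses import dataclass, field

HOLD_SECONDS = 5 * 60  # containment period given in the post

@dataclass
class Port:
    mode: str                                # "access" or "trunk"
    macs: set = field(default_factory=set)   # MACs learned on the port
    poe_on: bool = True
    admin_up: bool = True

class MasModel:
    """Toy model of the switch side of rogue AP enforcement."""

    def __init__(self, ports, trusted):
        self.ports = ports      # port name -> Port
        self.trusted = trusted  # ports whose blacklist TLVs are honoured (assumption)
        self.drop = {}          # (port, mac) -> expiry time, for trunk ports
        self.shut = {}          # port -> expiry time, for access ports

    def blacklist(self, rx_port, mac, now):
        """Apply a Blacklist MAC TLV received on rx_port at time now (seconds)."""
        if rx_port not in self.trusted:
            return []           # containment is only supported on trusted ports
        acted = []
        for name, port in self.ports.items():
            if mac not in port.macs:
                continue
            if port.mode == "access":   # PoE off and port administratively down
                port.poe_on = port.admin_up = False
                self.shut[name] = now + HOLD_SECONDS
                acted.append((name, "shutdown"))
            else:                       # trunk: drop only this MAC
                self.drop[(name, mac)] = now + HOLD_SECONDS
                acted.append((name, "drop"))
        return acted

    def expire(self, now):
        """Clear any containment whose timer has run out."""
        for name in [n for n, t in self.shut.items() if t <= now]:
            self.ports[name].poe_on = self.ports[name].admin_up = True
            del self.shut[name]
        for key in [k for k, t in self.drop.items() if t <= now]:
            del self.drop[key]

def sample():
    """Constructed topology: IAP on 0/0/1, rogue MAC seen on 0/0/2 and 0/0/3."""
    rogue = "00:11:22:33:44:55"  # constructed MAC
    ports = {"0/0/1": Port("access"), "0/0/2": Port("access", {rogue}),
             "0/0/3": Port("trunk", {rogue})}
    return MasModel(ports, trusted={"0/0/1"}), rogue
```

The model makes the operational difference visible: on an access port every device behind the port loses link and power for the hold period, while on a trunk only frames for the blacklisted MAC are dropped.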

Platform Tested

Aruba Mobility Access Switch S3500-24P-US running version (PoE capable model)

Instant Access Point (IAP) 105 running version