Network Management

Hello everyone,

Recently we have installed 7 AP-505 and 3 AP-518 to cover our warehouse. While carrying out frame capture (for another need) I realized that the terminals were spending their time broadcasting with the IAP protocol (see screenshot).

Is this normal and if so is it possible to separate the communication between terminals in a dedicated VLAN so as not to pollute the rest of the network?

Thanks in advance.



------------------------------
Philippe Mal
------------------------------

Bonjour Philippe,

Yes, you can have a vlan for AP Management and a another for client

------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCL: Powershell Module to use Aruba Central

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

ACEP / ACMX #107 / ACDX #1281
------------------------------

Original Message:
Sent: Nov 08, 2021 04:42 AM
From: Philippe Mal
Subject: IAP in VLAN

Hello everyone,

Recently we have installed 7 AP-505 and 3 AP-518 to cover our warehouse. While carrying out frame capture (for another need) I realized that the terminals were spending their time broadcasting with the IAP protocol (see screenshot).

Is this normal and if so is it possible to separate the communication between terminals in a dedicated VLAN so as not to pollute the rest of the network?

Thanks in advance.

------------------------------
Philippe Mal
------------------------------

Bonjour,

Ok I'll see how to set this up.
------
Ok je vais voir comment mettre ça en place.

Merci ;)

------------------------------
Philippe Mal
------------------------------

Original Message:
Sent: Nov 10, 2021 02:48 AM
From: Alexis La Goutte
Subject: IAP in VLAN

Bonjour Philippe,

Yes, you can have a vlan for AP Management and a another for client

------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCL: Powershell Module to use Aruba Central

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

ACEP / ACMX #107 / ACDX #1281

Original Message:
Sent: Nov 08, 2021 04:42 AM
From: Philippe Mal
Subject: IAP in VLAN

Hello everyone,

Recently we have installed 7 AP-505 and 3 AP-518 to cover our warehouse. While carrying out frame capture (for another need) I realized that the terminals were spending their time broadcasting with the IAP protocol (see screenshot).

Is this normal and if so is it possible to separate the communication between terminals in a dedicated VLAN so as not to pollute the rest of the network?

Thanks in advance.

------------------------------
Philippe Mal
------------------------------

Normally, you'd have the IAP management VLAN on the untagged/native VLAN and the client VLANs would be on a tagged VLAN.

------------------------------
Craig Syme
------------------------------

Original Message:
Sent: Nov 10, 2021 03:00 AM
From: Philippe Mal
Subject: IAP in VLAN

Bonjour,

Ok I'll see how to set this up.
------
Ok je vais voir comment mettre ça en place.

Merci ;)

------------------------------
Philippe Mal

Original Message:
Sent: Nov 10, 2021 02:48 AM
From: Alexis La Goutte
Subject: IAP in VLAN

Bonjour Philippe,

Yes, you can have a vlan for AP Management and a another for client

------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCL: Powershell Module to use Aruba Central

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

ACEP / ACMX #107 / ACDX #1281

Original Message:
Sent: Nov 08, 2021 04:42 AM
From: Philippe Mal
Subject: IAP in VLAN

Hello everyone,

Recently we have installed 7 AP-505 and 3 AP-518 to cover our warehouse. While carrying out frame capture (for another need) I realized that the terminals were spending their time broadcasting with the IAP protocol (see screenshot).

Is this normal and if so is it possible to separate the communication between terminals in a dedicated VLAN so as not to pollute the rest of the network?

Thanks in advance.

------------------------------
Philippe Mal
------------------------------

Correct, the trick is to assign your clients with a VLAN, which then will go out tagged from the AP.

Strong recommendation to keep your AP management traffic on the untagged. There is an option Management VLAN in the WebUI... stay away from that and leave the value empty.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Nov 10, 2021 10:34 AM
From: Craig Syme
Subject: IAP in VLAN

Normally, you'd have the IAP management VLAN on the untagged/native VLAN and the client VLANs would be on a tagged VLAN.

------------------------------
Craig Syme

Original Message:
Sent: Nov 10, 2021 03:00 AM
From: Philippe Mal
Subject: IAP in VLAN

Bonjour,

Ok I'll see how to set this up.
------
Ok je vais voir comment mettre ça en place.

Merci ;)

------------------------------
Philippe Mal

Original Message:
Sent: Nov 10, 2021 02:48 AM
From: Alexis La Goutte
Subject: IAP in VLAN

Bonjour Philippe,

Yes, you can have a vlan for AP Management and a another for client

------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCL: Powershell Module to use Aruba Central

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

ACEP / ACMX #107 / ACDX #1281

Original Message:
Sent: Nov 08, 2021 04:42 AM
From: Philippe Mal
Subject: IAP in VLAN

Hello everyone,

Recently we have installed 7 AP-505 and 3 AP-518 to cover our warehouse. While carrying out frame capture (for another need) I realized that the terminals were spending their time broadcasting with the IAP protocol (see screenshot).

Is this normal and if so is it possible to separate the communication between terminals in a dedicated VLAN so as not to pollute the rest of the network?

Thanks in advance.

------------------------------
Philippe Mal
------------------------------

Hi Herman,
sometimes I need to use "management vlan, cause of default vlan 1.  Why I should stay away?
For example, If I have vlan 4 for management IAP, untagged, and vlan 1 for SSID1, tagged, if I don't set management vlan = 4, it does't work.
There is another way?

Thanks

------------------------------
Carabina5
------------------------------

Original Message:
Sent: Nov 10, 2021 12:09 PM
From: Herman Robers
Subject: IAP in VLAN

Correct, the trick is to assign your clients with a VLAN, which then will go out tagged from the AP.

Strong recommendation to keep your AP management traffic on the untagged. There is an option Management VLAN in the WebUI... stay away from that and leave the value empty.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Nov 10, 2021 10:34 AM
From: Craig Syme
Subject: IAP in VLAN

Normally, you'd have the IAP management VLAN on the untagged/native VLAN and the client VLANs would be on a tagged VLAN.

------------------------------
Craig Syme

Original Message:
Sent: Nov 10, 2021 03:00 AM
From: Philippe Mal
Subject: IAP in VLAN

Bonjour,

Ok I'll see how to set this up.
------
Ok je vais voir comment mettre ça en place.

Merci ;)

------------------------------
Philippe Mal

Original Message:
Sent: Nov 10, 2021 02:48 AM
From: Alexis La Goutte
Subject: IAP in VLAN

Bonjour Philippe,

Yes, you can have a vlan for AP Management and a another for client

------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCL: Powershell Module to use Aruba Central

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

ACEP / ACMX #107 / ACDX #1281

Original Message:
Sent: Nov 08, 2021 04:42 AM
From: Philippe Mal
Subject: IAP in VLAN

Hello everyone,

Recently we have installed 7 AP-505 and 3 AP-518 to cover our warehouse. While carrying out frame capture (for another need) I realized that the terminals were spending their time broadcasting with the IAP protocol (see screenshot).

Is this normal and if so is it possible to separate the communication between terminals in a dedicated VLAN so as not to pollute the rest of the network?

Thanks in advance.

------------------------------
Philippe Mal
------------------------------

If VLAN 4 is your management VLAN, assign that 'untagged' or 'native' to the port that has the IAP attached.

I've never seen VLAN1 tagged before, and personally never use VLAN 1 because it is not handled consistently across different products. For IAP I think VLAN 1 is the same as 'untagged', so I don't think it is tagged by your switch either... seems to me that your clients are untagged and the IAP management VLAN is now tagged, and I try to stay away from tagged management VLANs because it's just not how IAP has been designed, and it is not how the vast majority of customer runs, and you need manual configuration on the AP to make that work so you can't easily add APs, move them, or replace them.

Move you clients to another VLAN, and have vlan 4 untagged/native to your AP, and the client VLAN tagged/allowed.

If you use VLAN1, there is also a big chance that you have other (wired) devices in there, which also is deprecated. Don't mix your wired and wireless client VLANs; which at scale would introduce performance issues. It's just not following best practices.

If you have a 2 or 3 AP network, it probably will not lead to big issues, but I would just try to stay away from non-standard deployments.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Nov 18, 2021 06:39 AM
From: Emanuele Muneretto
Subject: IAP in VLAN

Hi Herman,
sometimes I need to use "management vlan, cause of default vlan 1.  Why I should stay away?
For example, If I have vlan 4 for management IAP, untagged, and vlan 1 for SSID1, tagged, if I don't set management vlan = 4, it does't work.
There is another way?

Thanks

------------------------------
Carabina5

Original Message:
Sent: Nov 10, 2021 12:09 PM
From: Herman Robers
Subject: IAP in VLAN

Correct, the trick is to assign your clients with a VLAN, which then will go out tagged from the AP.

Strong recommendation to keep your AP management traffic on the untagged. There is an option Management VLAN in the WebUI... stay away from that and leave the value empty.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Nov 10, 2021 10:34 AM
From: Craig Syme
Subject: IAP in VLAN

Normally, you'd have the IAP management VLAN on the untagged/native VLAN and the client VLANs would be on a tagged VLAN.

------------------------------
Craig Syme

Original Message:
Sent: Nov 10, 2021 03:00 AM
From: Philippe Mal
Subject: IAP in VLAN

Bonjour,

Ok I'll see how to set this up.
------
Ok je vais voir comment mettre ça en place.

Merci ;)

------------------------------
Philippe Mal

Original Message:
Sent: Nov 10, 2021 02:48 AM
From: Alexis La Goutte
Subject: IAP in VLAN

Bonjour Philippe,

Yes, you can have a vlan for AP Management and a another for client

------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCL: Powershell Module to use Aruba Central

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

ACEP / ACMX #107 / ACDX #1281

Original Message:
Sent: Nov 08, 2021 04:42 AM
From: Philippe Mal
Subject: IAP in VLAN

Hello everyone,

Recently we have installed 7 AP-505 and 3 AP-518 to cover our warehouse. While carrying out frame capture (for another need) I realized that the terminals were spending their time broadcasting with the IAP protocol (see screenshot).

Is this normal and if so is it possible to separate the communication between terminals in a dedicated VLAN so as not to pollute the rest of the network?

Thanks in advance.

------------------------------
Philippe Mal
------------------------------

Hi,
I agree with youz.
In an ideal world, vlan 1 shouldn't be used. But, in the real world, sometimes one has to adapt to the existing situation.
I don't want to use vlan 1, but I have to. 
In switch configuration ou can use vlan 1 tagged or untagged, just like all others, the only thing you can't do is delete it. In IAP configuration, vlan 1 can create problems if it isn't the management vlan.
If customer want an ssid on vlan 1 and I have managed iaps on a different vlan, the only way is to tag vllan 1 and use "management vlan" for this situation. I've tried some other configuration, but it doesn't work for me.

------------------------------
Carabina5
------------------------------

Original Message:
Sent: Nov 18, 2021 08:47 AM
From: Herman Robers
Subject: IAP in VLAN

If VLAN 4 is your management VLAN, assign that 'untagged' or 'native' to the port that has the IAP attached.

I've never seen VLAN1 tagged before, and personally never use VLAN 1 because it is not handled consistently across different products. For IAP I think VLAN 1 is the same as 'untagged', so I don't think it is tagged by your switch either... seems to me that your clients are untagged and the IAP management VLAN is now tagged, and I try to stay away from tagged management VLANs because it's just not how IAP has been designed, and it is not how the vast majority of customer runs, and you need manual configuration on the AP to make that work so you can't easily add APs, move them, or replace them.

Move you clients to another VLAN, and have vlan 4 untagged/native to your AP, and the client VLAN tagged/allowed.

If you use VLAN1, there is also a big chance that you have other (wired) devices in there, which also is deprecated. Don't mix your wired and wireless client VLANs; which at scale would introduce performance issues. It's just not following best practices.

If you have a 2 or 3 AP network, it probably will not lead to big issues, but I would just try to stay away from non-standard deployments.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Nov 18, 2021 06:39 AM
From: Emanuele Muneretto
Subject: IAP in VLAN

Hi Herman,
sometimes I need to use "management vlan, cause of default vlan 1.  Why I should stay away?
For example, If I have vlan 4 for management IAP, untagged, and vlan 1 for SSID1, tagged, if I don't set management vlan = 4, it does't work.
There is another way?

Thanks

------------------------------
Carabina5

Original Message:
Sent: Nov 10, 2021 12:09 PM
From: Herman Robers
Subject: IAP in VLAN

Correct, the trick is to assign your clients with a VLAN, which then will go out tagged from the AP.

Strong recommendation to keep your AP management traffic on the untagged. There is an option Management VLAN in the WebUI... stay away from that and leave the value empty.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Nov 10, 2021 10:34 AM
From: Craig Syme
Subject: IAP in VLAN

Normally, you'd have the IAP management VLAN on the untagged/native VLAN and the client VLANs would be on a tagged VLAN.

------------------------------
Craig Syme

Original Message:
Sent: Nov 10, 2021 03:00 AM
From: Philippe Mal
Subject: IAP in VLAN

Bonjour,

Ok I'll see how to set this up.
------
Ok je vais voir comment mettre ça en place.

Merci ;)

------------------------------
Philippe Mal

Original Message:
Sent: Nov 10, 2021 02:48 AM
From: Alexis La Goutte
Subject: IAP in VLAN

Bonjour Philippe,

Yes, you can have a vlan for AP Management and a another for client

------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCL: Powershell Module to use Aruba Central

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

ACEP / ACMX #107 / ACDX #1281

Original Message:
Sent: Nov 08, 2021 04:42 AM
From: Philippe Mal
Subject: IAP in VLAN

Hello everyone,

Recently we have installed 7 AP-505 and 3 AP-518 to cover our warehouse. While carrying out frame capture (for another need) I realized that the terminals were spending their time broadcasting with the IAP protocol (see screenshot).

Is this normal and if so is it possible to separate the communication between terminals in a dedicated VLAN so as not to pollute the rest of the network?

Thanks in advance.

------------------------------
Philippe Mal
------------------------------

You can use "uplink-vlan" feature for this (with you set value to 4)
and on this case when you set vlan 1 on SSID it is tagged with vlan 1 (need to set vlan 1 tagged on the port)

------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCL: Powershell Module to use Aruba Central

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

ACEP / ACMX #107 / ACDX #1281
------------------------------

Original Message:
Sent: Nov 18, 2021 06:39 AM
From: Emanuele Muneretto
Subject: IAP in VLAN

Hi Herman,
sometimes I need to use "management vlan, cause of default vlan 1.  Why I should stay away?
For example, If I have vlan 4 for management IAP, untagged, and vlan 1 for SSID1, tagged, if I don't set management vlan = 4, it does't work.
There is another way?

Thanks

------------------------------
Carabina5

Original Message:
Sent: Nov 10, 2021 12:09 PM
From: Herman Robers
Subject: IAP in VLAN

Correct, the trick is to assign your clients with a VLAN, which then will go out tagged from the AP.

Strong recommendation to keep your AP management traffic on the untagged. There is an option Management VLAN in the WebUI... stay away from that and leave the value empty.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Nov 10, 2021 10:34 AM
From: Craig Syme
Subject: IAP in VLAN

Normally, you'd have the IAP management VLAN on the untagged/native VLAN and the client VLANs would be on a tagged VLAN.

------------------------------
Craig Syme

Original Message:
Sent: Nov 10, 2021 03:00 AM
From: Philippe Mal
Subject: IAP in VLAN

Bonjour,

Ok I'll see how to set this up.
------
Ok je vais voir comment mettre ça en place.

Merci ;)

------------------------------
Philippe Mal

Original Message:
Sent: Nov 10, 2021 02:48 AM
From: Alexis La Goutte
Subject: IAP in VLAN

Bonjour Philippe,

Yes, you can have a vlan for AP Management and a another for client

------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCL: Powershell Module to use Aruba Central

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

ACEP / ACMX #107 / ACDX #1281

Original Message:
Sent: Nov 08, 2021 04:42 AM
From: Philippe Mal
Subject: IAP in VLAN

Hello everyone,

Recently we have installed 7 AP-505 and 3 AP-518 to cover our warehouse. While carrying out frame capture (for another need) I realized that the terminals were spending their time broadcasting with the IAP protocol (see screenshot).

Is this normal and if so is it possible to separate the communication between terminals in a dedicated VLAN so as not to pollute the rest of the network?

Thanks in advance.

------------------------------
Philippe Mal
------------------------------