Multiple Access Point VLANs

  • 1.  Multiple Access Point VLANs

    Posted Apr 19, 2021 05:48 PM
    Hi everyone,

    TL;DR - Is it possible to have 2/multiple vlans with APs connected to the same controller and use ADP on both VLANs?

    We have a controller cluster which so far always used vlan X as the vlan on which APs connect. Now, to allow 2 locations to continue to function in a split-brain situation, we added vlan Y as a second AP vlan (both locations have their own Internet connection and router; the separate vlans allow local DHCP at the location).
    However, when I connect an AP to vlan Y it doesn't actually succeed in finding the controller using ADP, even though the controller has an interface on both vlan X and Y (and is pingable on both too).

    Both vlan X and vlan Y are setup on an LACP aggregate ("port channel" on ArubaOS) from the controller to the switch and the "port channel" is trusted.

    ------------------------------
    Keeper of the Keys
    ------------------------------


  • 2.  RE: Multiple Access Point VLANs

    Posted Apr 22, 2021 06:11 AM
    bumping...

    ------------------------------
    Keeper of the Keys
    ------------------------------



  • 3.  RE: Multiple Access Point VLANs

    Posted Apr 22, 2021 04:22 PM
    Hi ER58,

    I do not understand your topology with the information you provided. My recommendation would be to use DNS to discover the controller(s). Just make sure, that the AP's in each VLAN can reach the controller on its controller-ip and that this IP is resolved through DNS (aruba-master.your-domain.tld). 

    BR
    Florian

    ------------------------------
    -------------------------------------------------------------------------------
    Florian Baaske
    -------------------------------------------------------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    -------------------------------------------------------------------------------
    Also visit the AirHeads Youtube Channel:
    https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
    -------------------------------------------------------------------------------
    Feel free to visit my personal Blog
    https://www.flomain.de
    ------------------------------



  • 4.  RE: Multiple Access Point VLANs

    Posted Apr 22, 2021 05:42 PM
    Hey Florian!

    Thanks for trying to understand, the setup is probably a bit weird/crazy so I'll try to explain it a bit better.

    We have 2 buildings (old, new), they are linked by a p2p fibre connection and can function as a single network.
    Each building has its own Internet connection and firewall and can thus function as a standalone network.
    We have a cluster of 2 7030 controllers that manages APs in both buildings.
    To make sure that in the event of a disruption to the p2p link between the buildings the users don't feel anything we will be moving one of the 2 controllers to the new building, also all WLANs have a "new building" version that runs on a vlan in the new building using the local firewall instead of the old building.

    I wanted there to also be 2 access point networks so that in the event of a split the access points are also guaranteed to continue functioning and lack any dependence on the other building.

    To the best of my understanding though the controller can have IP addresses on multiple vlans it can only have one "controller-ip" and my guess is that this is the only IP that will respond to ADP requests.

    I am considering using the DNS based method and sending a different reply depending on the source of the request, so that a DNS request originating on the new building access point vlan would get the new building vlan IP address of the controller. However, as I did not have experience with this use of DNS yet, I figured I would first try a plain setup and use ADP. Also, as I recall, while I was playing around with this I created a DNS record using the new building IP address, but I think even like that it did not work; I would have to recheck that next week.

    As I'm writing this I actually also think that maybe I could add resilience to the Access Point vlan by just moving the DHCP server to be on the controller cluster for this vlan since the APs don't need a default-gateway and only the controller does.

    ------------------------------
    Keeper of the Keys
    ------------------------------



  • 5.  RE: Multiple Access Point VLANs

    Posted Apr 23, 2021 12:22 AM
    Hi ER58,

    I think this will not work. 

    In a cluster, the AP will connect to the Cluster (either the Cluster VIP or an individual Cluster) to get a list of all Controllers in the Cluster. Then, the AP will get an AP Anchor Controller (the one having the primary connection with the AP) and a Standby AP Anchor Controller (the one having the backup connection with the AP). You do not have control over which controller is used for which AP; this is done automatically in the cluster.

    You should configure a VIP (VRRP) for the cluster and point your DNS record to this VIP. This also makes sure, that the VIP is always available even if the ptp link fails. 
    The AP's will use this VIP only for the first connection and afterward will use the controller-ip learned from the cluster to connect to individual members of the cluster. 

    Hope this makes it more clear :) 

    BR
    Florian

    ------------------------------
    Florian Baaske
    ------------------------------



  • 6.  RE: Multiple Access Point VLANs

    Posted Apr 23, 2021 11:05 AM
    Hey Florian,

    Thanks again for the reply!

    We are indeed using a VIP with VRRP, and the more I think about it the more it seems to me that I indeed don't need separate vlans for each building, since the access points only need to reach a controller and don't need a route to the Internet (default gateway). At the moment the DHCP server for this vlan lives on the old building's firewall, but I will move it to the controller cluster, thus removing that dependence on location.

    There is one thing that has always puzzled me with the controller-ip setting, and that is why the controller UI/management (ssh/web) is available on this IP. Isn't the whole point of having a controller + access point vlan that nothing is unnecessarily exposed on this network that bad actors can potentially freely plug in to?

    Thanks!

    ------------------------------
    Keeper of the Keys
    ------------------------------



  • 7.  RE: Multiple Access Point VLANs

    Posted Apr 24, 2021 07:22 AM
    Hi ER57,

    Yes, I fully agree, only one VLAN would make sense. But keep in mind, a controller cluster cannot be used as a DHCP server, to my knowledge. I would use the real DHCP server and use the firewall as DHCP forwarders. 

    The controller-ip is used to source traffic for all kinds of connections, like radius, ssh and so on.
    If you need to block access to this IP, this can easily be done by using ACLs in your roles for wireless clients.

    BR
    Florian

    ------------------------------
    Florian Baaske
    ------------------------------



  • 8.  RE: Multiple Access Point VLANs

    Posted Apr 25, 2021 04:52 AM
    Hey Florian thanks again!

    Why is it that we can't use the cluster as DHCP server, does it not maintain a shared state for the DHCP server across the members of the cluster?

    As for ACLs the point is not wireless clients but a bad actor who unplugs an AP and plugs themselves in.

    ------------------------------
    Keeper of the Keys
    ------------------------------



  • 9.  RE: Multiple Access Point VLANs

    Posted Apr 25, 2021 10:45 AM
    @ER87,

    It is best practice to have an external DHCP for consistency, no matter what controller is up or down. The DHCP servers in controller clusters are not unified...they are individual, so not appropriate for providing consistent DHCP for clients or APs for that matter...The external DHCP server would be able to provide better high availability, consistency and proper DHCP features you would not be able to get in a controller.

    With regards to the controller-ip, the controller will answer ADP discovery requests on any VLAN on which it has an IP address, but will ultimately redirect the AP to its controller-ip, so an AP must have connectivity to the controller-ip, regardless of which layer 3 interface of the controller it discovers it on, for the AP to function.

    If your controllers are in a cluster, APs will only do discovery the first time they boot up, but once they contact a cluster, they will always try to reach all of the IP addresses of the controllers after that. Initial discovery (ADP, DNS, DHCP options 43 and 60) really only occurs the first time an AP boots up. Discovery will occur if the AP cannot reach any of the IP addresses in a cluster.

    It is not required that controllers be in a cluster.  Sometimes it makes more sense, if you have controllers that will be in separate geographic locations that you just use LMS and Backup LMS for redundancy, instead of clustering...

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
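    The discovery sequence cjoseph describes above (the controller answers ADP on any VLAN it has an address on, the AP is then redirected to the controller-ip, and in a cluster it afterwards tries every member's controller-ip) worked through on a constructed two-building topology like the one in this thread. This is an added Python example, not code from the thread, from Aruba or from any poster; the segment names, the "l2"/"l3" edge kinds, the placement of the two cluster members and the failed-link scenarios are all assumptions made for the illustration.

```python
from collections import deque

# Constructed two-building topology (an assumption, not from the thread).
# Nodes are "<building>:<vlan>" segments. Edge kinds: "l2" = the same VLAN
# stretched across a link (ADP broadcasts cross it), "l3" = routed between
# VLANs by that building's firewall. "via" names the link/device the edge needs.
EDGES = [
    ("old:X", "new:X", "l2", "p2p"),
    ("old:Y", "new:Y", "l2", "p2p"),
    ("old:X", "old:Y", "l3", "old-fw"),
    ("new:X", "new:Y", "l3", "new-fw"),
]

# Cluster members (assumed placement): the segments each one has an interface on,
# and which of those carries its controller-ip, the address APs are redirected to.
CONTROLLERS = {
    "ctrl-1": {"interfaces": {"old:X", "old:Y"}, "controller_ip": "old:X"},
    "ctrl-2": {"interfaces": {"new:X", "new:Y"}, "controller_ip": "new:Y"},
}


def reachable(src, dst, failed=frozenset(), kinds=("l2", "l3")):
    """True if a path of non-failed edges of the given kinds joins src to dst (BFS)."""
    if src == dst:
        return True
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        for a, b, kind, via in EDGES:
            if kind not in kinds or via in failed:
                continue
            for here, there in ((a, b), (b, a)):
                if here == node and there not in seen:
                    if there == dst:
                        return True
                    seen.add(there)
                    queue.append(there)
    return False


def adp_responders(ap_segment, failed=frozenset()):
    """Controllers that answer ADP: any member with an interface L2-adjacent to the AP."""
    return sorted(
        name for name, ctrl in CONTROLLERS.items()
        if any(reachable(ap_segment, seg, failed, kinds=("l2",)) for seg in ctrl["interfaces"])
    )


def ap_boot_report(ap_segment, failed=frozenset(), dns_vip_segment=None):
    """Walk the sequence from the thread: discover (ADP or a DNS record pointing at a
    VIP), get redirected to a controller-ip, then try every cluster member's
    controller-ip. Returns a report dict; the AP only comes up if it can reach the
    controller-ip it is redirected to, not merely the interface that answered ADP."""
    members_up = [
        name for name, ctrl in CONTROLLERS.items()
        if reachable(ap_segment, ctrl["controller_ip"], failed)
    ]
    via_adp = adp_responders(ap_segment, failed)
    via_dns = dns_vip_segment is not None and reachable(ap_segment, dns_vip_segment, failed)
    # ADP: the AP is sent to the responding controller's controller-ip.
    # DNS/VIP: the VIP hands out the member list, so any reachable member will do.
    first_hop_ok = any(
        reachable(ap_segment, CONTROLLERS[n]["controller_ip"], failed) for n in via_adp
    ) or (via_dns and bool(members_up))
    return {
        "adp_answered_by": via_adp,
        "dns_vip_reachable": via_dns,
        "members_reachable": members_up,
        "ap_comes_up": first_hop_ok,
        "redundant": len(members_up) >= 2,
    }


if __name__ == "__main__":
    scenarios = [
        ("new-building AP, everything up", "new:Y", frozenset()),
        ("new-building AP, p2p link down", "new:Y", frozenset({"p2p"})),
        ("AP on new:X, p2p and new firewall down", "new:X", frozenset({"p2p", "new-fw"})),
    ]
    for label, segment, failed in scenarios:
        print(label, ap_boot_report(segment, failed))
```

    The third scenario reproduces the failure mode cjoseph warns about: ctrl-2 answers ADP on new:X, but its controller-ip sits on new:Y, which that AP can no longer route to, so the AP never comes up even though discovery "worked". The second scenario is the split-brain case the thread is about: the AP still comes up on the local member, but with only one member reachable there is no standby anchor until the link returns.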



  • 10.  RE: Multiple Access Point VLANs

    Posted Apr 27, 2021 04:35 AM
    You can apply port-security on the switch port that connects access points by limiting it to 1 MAC address; this will avoid bad actors.
    Make sure you are not bridging any SSID traffic; traffic forwarding should be tunnel.

    ------------------------------
    Harendra
    ACDX#1129,ACEP,CWSP,CWNA,CCNA
    ------------------------------



  • 11.  RE: Multiple Access Point VLANs

    Posted Apr 28, 2021 08:19 AM
    Thanks everyone for the replies!

    As for MAC address security, that only takes care of the simplest bad actors; any true bad actor can look at the AP's MAC address by taking it off the wall and then set their computer's MAC address to match.

    802.1x which the APs anyhow use would be a better solution but I am not sure that it is possible to issue them a cert for connecting to their uplink.

    cjoseph - what puzzles me in this whole story is why AOS doesn't have a "management-vlan" setting like AOS-Switch and/or AOS-CX which makes the management interfaces (web/cli) only exposed on the single IP address used for management while the APs can connect to the controller on the controller-ip.

    ------------------------------
    Keeper of the Keys
    ------------------------------
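    Posts 10 and 11 above together make the defender's point: a one-MAC port-security limit catches a careless intruder, but someone who copies the MAC off the back of the AP will pass it, so the switch-side signal worth alerting on is the link flap on an AP-facing port itself, regardless of which MAC returns afterwards. The following correlator is an added Python example, not code from the thread or from any vendor: it runs over constructed syslog lines in a generic message format assumed for the illustration (not any switch's real format), with a constructed port-to-AP-MAC inventory, and raises an alert for every flap, for every learned MAC that does not match the inventory (noting when it is another AP port's MAC, i.e. a likely clone), and for every port-security violation.

```python
import re
from datetime import datetime

# Constructed switch syslog lines (assumed generic format, not a real vendor format).
# Ports 1/0/12, 1/0/14, 1/0/15 and 1/0/16 face access points.
SAMPLE_LOGS = """\
2021-04-25T03:12:01 sw-old-01 LINK: port 1/0/12 down
2021-04-25T03:12:41 sw-old-01 LINK: port 1/0/12 up
2021-04-25T03:12:43 sw-old-01 MAC: learned 00:11:22:aa:bb:cc on port 1/0/12
2021-04-25T03:30:10 sw-old-01 LINK: port 1/0/14 down
2021-04-25T03:30:55 sw-old-01 LINK: port 1/0/14 up
2021-04-25T03:30:57 sw-old-01 MAC: learned 00:11:22:aa:bb:dd on port 1/0/14
2021-04-25T03:31:00 sw-old-01 PORTSEC: violation on port 1/0/15 mac 00:11:22:aa:bb:ee
2021-04-25T03:31:30 sw-old-01 LINK: port 1/0/16 down
2021-04-25T03:32:01 sw-old-01 LINK: port 1/0/16 up
2021-04-25T03:32:03 sw-old-01 MAC: learned 00:11:22:aa:bb:dd on port 1/0/16
"""

# Constructed inventory: which AP MAC is expected on each AP-facing port.
AP_INVENTORY = {
    "1/0/12": "00:11:22:aa:bb:cc",
    "1/0/14": "00:11:22:aa:bb:dd",
    "1/0/15": "00:11:22:aa:bb:e1",
    "1/0/16": "00:11:22:aa:bb:ff",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>LINK|MAC|PORTSEC): (?P<rest>.*)$")
LINK_RE = re.compile(r"port (?P<port>\S+) (?P<state>up|down)")
MAC_RE = re.compile(r"learned (?P<mac>[0-9a-f:]{17}) on port (?P<port>\S+)")
PORTSEC_RE = re.compile(r"violation on port (?P<port>\S+) mac (?P<mac>[0-9a-f:]{17})")


def correlate(lines, inventory):
    """Return a list of alert dicts (severity, port, reason) in log order.

    A flap on an AP port is always reported, because (as post 11 notes) a cloned
    MAC would make the learned address look normal; the alert asks the operator to
    confirm the AP really re-registered on the controller."""
    alerts = []
    last_down = {}                                   # port -> timestamp of last "down"
    mac_home = {mac: port for port, mac in inventory.items()}  # reverse lookup for clones
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, rest, ts = m["kind"], m["rest"], datetime.fromisoformat(m["ts"])
        if kind == "LINK":
            lm = LINK_RE.search(rest)
            port, state = lm["port"], lm["state"]
            if port not in inventory:
                continue                             # not an AP-facing port
            if state == "down":
                last_down[port] = ts
            elif port in last_down:
                gap = (ts - last_down.pop(port)).total_seconds()
                alerts.append({"severity": "medium", "port": port,
                               "reason": f"AP uplink flapped ({gap:.0f}s down); "
                                         f"confirm the AP re-registered on the controller"})
        elif kind == "MAC":
            mm = MAC_RE.search(rest)
            mac, port = mm["mac"], mm["port"]
            if port not in inventory or inventory[port] == mac:
                continue                             # expected AP MAC, nothing to add
            owner = mac_home.get(mac)
            reason = f"unexpected MAC {mac} on AP port"
            if owner:
                reason += f" (inventoried AP MAC of port {owner}: possible clone or move)"
            alerts.append({"severity": "high", "port": port, "reason": reason})
        elif kind == "PORTSEC":
            pm = PORTSEC_RE.search(rest)
            alerts.append({"severity": "high", "port": pm["port"],
                           "reason": f"port-security violation by {pm['mac']}"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS, AP_INVENTORY):
        print(f"[{alert['severity']:6}] {alert['port']}: {alert['reason']}")
```

    On the sample data the three flaps on ports 12, 14 and 16 each produce a medium alert even though ports 12 and 14 see their inventoried MAC return, the violation on port 15 is high, and the MAC learned on port 16 is flagged high because it is the MAC inventoried for port 14. Closing the loop, as post 9 implies, means checking on the controller that the AP behind each flapped port actually rejoined; a port that came back with the right MAC but no AP registration is the case port-security alone cannot see.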



  • 12.  RE: Multiple Access Point VLANs

    Posted Apr 28, 2021 08:50 AM
    ER4,

    AOS has the firewall-cp command which allows you to determine what traffic is allowed to the controller on all interfaces:  
    https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=af0bda39-a0ad-4049-9814-ea45ad57d31e

    AOS-Switch and AOS-CX approach it differently.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------