Yes, split tunnel is supported for RAPs. And you can convert CAP into RAP mode, and enable split tunnel. You can run a RAP connection over your LAN/WAN as well. Split-tunnel allows per-flow tunnel/local breakout on the AP. What you describe is more mixed-mode (as introduced in AOS10) though...
The split tunneling is then controlled by the role. Note that because the client will get an IP from the controller, that bridged traffic will require NAT on the AP, and NAT breaks roaming. So that is why split-tunnel is only possible on RAPs, and also only on a single AP per site if you need to support roaming. If you just have roles that bridge everything, or tunnel everything, you should be able to do it with multiple APs on a site as well, although bridging is deprecated and unsupported above 32 APs in a single L2 domain.
You may reach out to your Aruba partner or Aruba SE, as with AOS10 you will get more flexibility with the mixed-mode SSIDs to do exactly what you mention: based on the RADIUS VSA, tunnel or bridge the traffic locally from the AP. And bridging in larger networks is fully supported.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jul 29, 2021 08:31 AM
From: Aaron Street
Subject: Can you split traffic to tunnel to controller and be switched locally on a single SSID
Hi all,
I am wondering if someone can provide me some information on the features Aruba offers. We are running AirWave version 8.6.0 with AP 305 access points, and an Aruba 7030 controller.
I know I can set traffic to be switched at the controller, or switched locally, but I want to know if Aruba has the same ability as Cisco to do both on a single SSID while we are going through a migration phase. This is not an Aruba vs Cisco post; we run a large deployment of both solutions and are looking at how we can leverage the features of both to provide a more unified end-user experience when staff move between locations.
So with Cisco we can return a VLAN ID / name from RADIUS, and if the VLAN is configured on the AP it is switched locally; if it is not configured on the AP it is tunneled back to the controller to be switched.
One use case is for guest onboarding: we have one VLAN that is centrally switched that is used for onboarding (it can speak to the authentication servers and other services required), and then once authenticated the guests are switched out locally on a VLAN at the individual sites using the VLAN ID in the RADIUS permit packet. These site-specific VLANs all use the same IP ranges and are not routable into the corporate network. We like this setup as it means we don't need to have an onboarding VLAN at each site or have routing between the guest VLAN and corporate.
Does anyone know if this is something that can be achieved in Aruba, depending on the RADIUS accept packet VLAN attribute (or other attribute), to tunnel traffic to the controller or switch it locally at the AP?
Thank you
Aaron
------------------------------
Aaron Street
------------------------------