Wireless Access

last person joined: 5 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Multiple VLANs in one Port

  • 1.  Multiple VLANs in one Port

    Posted Oct 24, 2018 09:25 AM

    Hi Guys!

     

    I have a project about assigning a VLAN in an SSID. I already know this process but a little, but confused in the back end part. In our office, we have 6 departments and we need to deploy 1 SSID per department so it'll be 6 SSIDs. I need to assign the same VLAN that they have in their LAN Ports through WIFI, so in case of an emergency that their LAN ports are not working, they'll be connected to the WIFI. Since our Aruba instant allows me to assign a VLAN in an SSID so it is possible to fetch those VLANs from our Switch. Are there any specific steps that I need to do to assign 6 VLANs in one port (which our AP is connected to)? Our AP is connected to a LAN Port. 

     

    THANK YOU.



  • 2.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 10:02 AM

    Your switch port would need to be configured as a trunk and allow the required VLANs. Your native VLAN would be used for the IAP Management VLAN and the client VLAN's would be a tagged VLAN.


    Are you intending on broadcasting 6 SSID's from a single IAP? This is not recommended due to the increased overhead and will reduce performance. You can configure various options to assigned a VLAN based on a client or authentication server attribute. So this means all users would share the same (1x SSID) SSID whilst in a different VLAN.

     

    You can use GVRP or MVRP to push VLANs down to the switch from the IAP.



  • 3.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 10:21 AM

    Hi!

     

    It's great that you tell me what will be the risk of taking this step. Can you please elaborate to me the alternative process that you suggested?

     

    "You can configure various options to assign a VLAN based on a client or authentication server attribute. So this means all users would share the same (1x SSID) SSID whilst in a different VLAN.

     

    You can use GVRP or MVRP to push VLANs down to the switch from the IAP."

     

    Also, can you walk me through or give me some steps to do this so I can study it well as preparation for my project?

     

    Thank you!



  • 4.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 10:30 AM

    The first part we'd need to understand is how do your users authentication to the SSID? Is there a context aware authentication server such as ClearPass or RADIUS? The part you will need to understand is detailed under the Derivation Rules located in the User Guide. This will allow you return a User Role or VLAN based on a RADIUS attribute.

     

    If you are using PSK, there is the method below but this can be a large management task depending on the amount of MACs in use. You can specify the VLAN within the assigned User Role.

     

    https://community.arubanetworks.com/t5/Controller-less-WLANs/Role-derivation-based-on-MAC-address-for-Open-or-PSK-based-SSID/ta-p/234830



  • 5.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 12:10 PM

    Usually, they are authenticated as employees and currently, we are using the MAC Filtering.



  • 6.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 12:14 PM

    So, is the SSID authentication Open, WPA2-PSK, or Enterprise with MAC auth layered as well?



  • 7.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 12:18 PM

    We use the WPA-2 Personal with mac authentication and pass phrase



  • 8.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 12:27 PM
    Okay, in that case then you will need to use the example previously
    supplied.

    Cheers,
    Craig


  • 9.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 12:36 PM

    To be clear, the Role Derivation?



  • 10.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 12:42 PM


  • 11.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 12:48 PM

    Will this process allow the employees to connect to the SSID with the same vlan(policy) that they have in their lan ports?



  • 12.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 01:24 PM
    This will allow you to assign different VLANs to users with a single SSID.

    Sent from my iPhone


  • 13.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 02:11 PM

    So after doing the configuration with my switch, I'll do this one? How would I know that the user must be connected to their corresponding vlans?



  • 14.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 02:14 PM
    You’ll specify the User VLAN in the User Role.

    Sent from my iPhone


  • 15.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 03:52 PM

    So I'll specify their Mac addresses so the IAP will know to which VLAN they'll be assigned? Is that correct? Same SSID but different VLANs



  • 16.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 04:00 PM
    You’ll specify a User Role based on the MAC and within that User Role you specify the VLAN for the Client.

    Sent from my iPhone


  • 17.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 04:11 PM
      |   view attached

    Here. How will I assign this role that I created to one of our VLANs?



  • 18.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 04:16 PM
    If you create the User Role, there is an option to select a VLAN which is also assigned.

    Sent from my iPhone


  • 19.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 04:24 PM

    Where can I find that User Role? I'm a bit lost LOL. Are there any steps to specifically assign a VLAN to a User Role? 

     

    Thanks!



  • 20.  RE: Multiple VLANs in one Port

    Posted Oct 24, 2018 04:29 PM
    It’s not a problem :) Here you go, this shows you how to specify a VLAN within the User Role

    In the Instant UI

    To configure a user role for VLAN derivation:
    1. Click the Security at the top right corner of Instant main window.
    2. Click the Roles tab. The Roles tab contents are displayed.
    3. Under Roles, click New.
    4. Enter a name for the new role and click OK.
    5. Under the Access rules, click New.
    6. Select the Rule type as VLAN assignment.
    7. Enter the ID of the VLAN in the VLAN ID text box.
    8. Click OK.

    https://www.arubanetworks.com/techdocs/Instant_41_Mobile/Advanced/Content/UG_files/Roles_and_policies/ConfUserRoleforVLAN.htm

    Sent from my iPhone