Wireless Access

  • 1.  Named VLAN Pool for assorted Global IP subnets?

    Posted Feb 02, 2022 03:39 AM
    Working on upgrading to Aruba 8 from 6, currently have one of our two A6 controllers replaced with an A8 cluster of two. One key simplification is before, with A6, Clearpass had to know the proper VLANs for each AP group.

    In our first A8 instance, Clearpass returns a VLAN name, so each controller can have its own VLAN tags for that name.

    We use NAT IPs for Staff, NAT IPs for Student Academic spaces, but have been using Global IPs for Student dorms.

    With NAT, it is no big deal to have a large single VLAN, with the proper names, eg: Staff-wifi-NAT, Student-wifi-NAT.

    And, for the first half of campus on Aruba 8, the global IPs are a single /21, so it is VLAN name Student-wifi-Global.

    But on the other half of campus, the address range is more broken up: In Aruba 6, we had one of these subnets per dorm, and even had one VLAN with two subnets in it, which Aruba controllers don't like at all! I am hoping VLAN pools can help me map all these assorted subnets into one named pool, but not actually sure what is possible. Recommendations are to have all the VLANs the same size, but I fear that might mean I need to split everything up into a bunch of /24s.

    I'm hoping there is some way the controller can split users across different sized subnets -- the Aruba VLAN definitions include the masks, so it should know how big the pools are.

    To be concrete, for global addresses, we have a /19, x.y.64.0 to x.y.95.255. For various historic reasons, they are split up as follows:

    vlan A: Staff wired, x.y.64.0/21
    vlan B: Student dorms, A8, x.y.72.0/21
    vlan C: DMZ servers, x.y.80.0/24
    vlan D: More servers, x.y.81.0/24
    vlan E: A6 Dorm 1, x.y.82.0/23
    vlan F: A6 Dorm 2, x.y.84.0/22
    vlan G: A6 Dorm 1, x.y.88.0/22
    vlan H: Servers, x.y.92.0/24
    vlan J: Student wired, x.y.93.0/24
    range K: external NAT, assorted net, x.y.94.0/24
    vlan L: A6 dorm available, x.y.95.0/24

    Currently, VLAN B is a named VLAN in our first half of Aruba 8, but it would be handy if this Student-wifi-Global VLAN became a named VLAN pool instead, so that we can add some ranges from VLAN A as we shift staff out of it.

    But for all of the "A6 Dorm" VLANs, it would be convenient if they could all be a single named pool, though they range from /24 to /21. It may be that the only way to handle them will be to split them into a bunch of /24 student VLANs, but this seems like a lot of clutter.

    So:
    Is it required that the VLANs in a pool are all the same size?

    Is there some other way than a VLAN pool to group multiple IP subnets together?

    (Again, hoping to have Clearpass just return names like Staff-wifi-NAT, Student-wifi-NAT, Student-wifi-Global, etc. I'd like to keep the mappings of names to VLANs within the MDs.)



    ------------------------------
    Steve Bohrer
    ------------------------------


  • 2.  RE: Named VLAN Pool for assorted Global IP subnets?

    Posted Feb 02, 2022 05:45 AM

    With VLAN pools, it is important to have the same size subnets, otherwise you will have some subnets running out of ip addresses, because the controller is not aware of the size of VLAN pools.


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Named VLAN Pool for assorted Global IP subnets?

    Posted Feb 02, 2022 04:56 PM
    Thanks CJoseph,

    So that confirms that uniformly-sized subnets are required for VLAN pools.

    Just to be sure I am asking the right question, is there any better way to assign users to a range of different subnets, of different sizes? (These are the Global IP ranges we have available, so we can't consolidate them more.)

    To make it work with VLAN pools, I think I would need to split my existing /24, /23, /22, and /21 global IP VLANs into a bunch of separate /24 VLANs, then combine a number of them into a named VLAN pool.

    Then Clearpass could return the pool name, and it wouldn't need to care about which subnets are where.

    Any other issues? Would Airgroup do the right thing with connecting users to their devices across these subnets? E.g. students would very likely be in a different subnet than their wifi printer. 


    OR, is there a better way to do this?

    Thanks,
    Steve

    ------------------------------
    Steve Bohrer
    ------------------------------



  • 4.  RE: Named VLAN Pool for assorted Global IP subnets?

    Posted Feb 02, 2022 08:58 PM
    "To make it work with VLAN pools, I think I would need to split my existing /24, /23, /22, and /21 global IP VLANs into a bunch of separate /24 VLANs, then combine a number of them into a named VLAN pool.

    Then Clearpass could return the pool name, and it wouldn't need to care about which subnets are where."
    --- Without knowing your exact situation, that is the best way.

    As long as an airgroup device can route to another airgroup device and is not blocked by any ACL, they should find it. You should be aware that one of my colleagues found a situation where a Google Chromecast device, whenever it got a public ip address, did not respond to any inbound traffic, so be careful with that. That is something that did not always exist, and can just crop up with a software update out of the blue.

    ****I am answering your questions in general.  I would ask someone who knows your whole design and challenges so that they can understand your challenges and give you a full set of options.


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
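A worked model of the two points the thread settles on, the size-blind pool assignment CJoseph describes and the "/24 split" Steve proposes, added here as an example and not code from either poster or from Aruba. It takes the four "A6 Dorm" VLANs from the first post (E, F, G, L), uses 10.0.64.0/19 as a placeholder for the post's x.y.64.0/19 block so the third octets match, and assumes the controller spreads clients across pool members evenly without looking at subnet size; `usable_hosts` counts every address except network and broadcast (a gateway reservation is omitted). It shows how many clients a mixed-size pool can hold before its smallest member runs dry, and how that changes once the members are carved into equal /24s.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed from the thread's "A6 Dorm" VLANs. 10.0.64.0/19 is a placeholder
# for the post's x.y.64.0/19, chosen so the third octets match the post.
A6_DORM_VLANS: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.0.82.0/23"),  # vlan E: A6 Dorm 1
    ipaddress.ip_network("10.0.84.0/22"),  # vlan F: A6 Dorm 2
    ipaddress.ip_network("10.0.88.0/22"),  # vlan G: A6 Dorm 1
    ipaddress.ip_network("10.0.95.0/24"),  # vlan L: A6 dorm available
]


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Client addresses in a subnet: all but network and broadcast.
    (Assumption: no gateway or other reservations are subtracted.)"""
    return net.num_addresses - 2


def pool_capacity(members: Iterable[ipaddress.IPv4Network]) -> int:
    """Total client addresses across all pool members."""
    return sum(usable_hosts(n) for n in members)


def first_exhaustion(members: List[ipaddress.IPv4Network]) -> int:
    """Client count at which the smallest member fills up, assuming the
    controller hands out members evenly regardless of their size (the
    behaviour the thread warns about). Beyond this point new clients
    landing on that member get no address even though the pool has room."""
    return min(usable_hosts(n) for n in members) * len(members)


def pool_load(members: List[ipaddress.IPv4Network],
              n_clients: int) -> Dict[str, Tuple[int, int, int]]:
    """Per member: (clients assigned, usable addresses, clients left without
    an address) under an even split of n_clients across the members."""
    share, extra = divmod(n_clients, len(members))
    load = {}
    for i, net in enumerate(members):
        assigned = share + (1 if i < extra else 0)
        cap = usable_hosts(net)
        load[str(net)] = (assigned, cap, max(0, assigned - cap))
    return load


def split_to_equal(members: Iterable[ipaddress.IPv4Network],
                   new_prefix: int = 24) -> List[ipaddress.IPv4Network]:
    """Carve every member into equal-size /new_prefix subnets, the split the
    thread proposes before grouping them into a named pool. A member that is
    already smaller than /new_prefix cannot be used as-is."""
    pieces: List[ipaddress.IPv4Network] = []
    for net in members:
        if net.prefixlen > new_prefix:
            raise ValueError(f"{net} is smaller than /{new_prefix}")
        pieces.extend(net.subnets(new_prefix=new_prefix))
    return pieces


if __name__ == "__main__":
    mixed = A6_DORM_VLANS
    even = split_to_equal(mixed)
    print("mixed pool: capacity", pool_capacity(mixed),
          "but first member exhausted at", first_exhaustion(mixed))
    for net, (got, cap, lost) in pool_load(mixed, 1200).items():
        print(f"  {net:16} assigned={got:4} usable={cap:4} unserved={lost}")
    print(f"/24 split: {len(even)} members, capacity {pool_capacity(even)},",
          "first member exhausted at", first_exhaustion(even))
```

With 1200 clients the mixed pool's /24 member is handed 300 clients against 254 usable addresses while the two /22s sit mostly empty, which is the failure CJoseph describes; after the split, the eleven /24 members hold 2794 clients before any one of them fills, against 1016 for the mixed pool, at the cost of the two addresses each extra /24 loses to network and broadcast.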