Controllerless Networks

I’ve read about hierarchical deployment in the Aruba Instant Validated Reference Design - V2.0, this is something I’ve personally not seen in the wild.

This got me thinking on how this could apply to using the IAP as a CPE.

I could not find any recent examples; here is the older one https://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-configure-and-troubleshoot-a-hierarchical-deployment/ta-p/179760

I’ve configured the Hierarchical deployment in my lab using Aruba Instant OS 8.3.0.6.

AP-203R eth 0 connected to the internet and eth1 connected to port 1 on the 2530.

The 2530 connects to other IAPs (315 on port 8) and wired clients.

I’ve kept the switch configuration basic

Log into Instant WebUI

Click on "Wired" from the Main menu in the top-right corner.

Click on "New" to create Wired Ethernet Profile:

Configure Wired Settings for downlink to the LAN switch.

Under VLAN Management, configure Port mode (Trunk). Add allowed VLANs for Eth1, in my case I used; 101 (IAP), 102 (Switch), 201 (Employee) and 202 (Guest). Note the native VLAN is not specified, we will come back to this later.

I did not set any L2 Security on this downlink port, I did not want to complicate adding other Access Points to the cluster in my test lab.

I did not set any policy, everything is allowed on the downlink port.

After finishing the wired profile, I assigned it to eth1 on the 203R

I used Local DHCP Scopes on the IAP for the VLANs setup in the Wired Ethernet Profile.

Note the VLAN IDs in the scope should match the VLAN IDs in the Wired Ethernet Profile.

IAP Private VLAN for other Instant Access Points to form the IAP Cluster

Infra for managing local site infrastructure like the switch.

Employee, I used this scope for both wired and wireless client end devices.

Last the Guest scope

At this point I went back to edit my Wired Downlink Profile, remember we had no untagged/native VLAN set on the IAP and the switch is expecting IAP Private VLAN 101 as untagged/native. This bit is not obvious, but “Client VLAN assignment” sets the untagged/native VLAN.

My LAN switch was now getting an IP address from DHCP on the 203R IAP

The 315 joined the cluster

I configured a basic employee WLAN Network

I used the same VLAN 201 for the wireless and wired devices

I set a basic PSK

I used the same open allow all access as wired

Lastly, I connected Clients.

Tinkerbell plugged into the 2530 and a wireless client on each Access Point.

I even managed to get decent speeds, my UFB is limited to 100Mbps down and 20Mbps up.

Note the uplink on the 203R is ethernet with DHCP provided, standard UFB / NBN stuff in ANZ.

Some ISPs in NZ require you to add an 802.1q VLAN tag on the uplink.

You may even want to use 4G as backup

https://community.arubanetworks.com/t5/Education-Australia-New-Zealand/IAP-4G-Modem-Configuration/gpm-p/296720

Hi, I'm following your tutorial with IAP-325 but electing Root IAP as master IAP doesn't work and slave IAP's although they get IP address from local DHCP server on Root IAP doesn't form a cluster with Root IAP.

Could you clarify a bit how do you setup static IP address for uplink on Root IAP (eth0). How do you setup IP address for (eth1) on Root IAP?

How can I force Root IAP to become master?

I was trying iap-master in CLI and prefered-master in GUI but neither of them work and when I run command sho aps there is info in last column which is "Hierarchy Mode" that this Root IAP is "slave"

Should this work in 8.7.0.0 firmware?

After numerous retries I managed to set it up. In case anyone would be interested how does it look like from CLI of Root IAP perspective:

apboot>
setenv ipaddr PUBLIC_IP
setenv netmask 255.255.255.240
setenv gatewayip PUBLIC_IP_GW
setenv dnsip 1.1.1.1

XX:XX:XX:XX:XX:XX# show run

version 8.7.0.0-8.7.0
virtual-controller-country PL
virtual-controller-key ************
name SetMeUp-XX:XX:XX
terminal-access
clock timezone none 00 00
rf-band all

allow-new-aps

allowed-ap XX:XX:XX:XX:XX:XX
allowed-ap YY:YY:YY:YY:YY:YY

arm
wide-bands 5ghz
80mhz-support
min-tx-power 9
max-tx-power 127
band-steering-mode prefer-5ghz
air-time-fairness-mode default-access
channel-quality-aware-arm-disable
client-aware
scanning

rf dot11g-radio-profile
max-distance 0
max-tx-power 9
min-tx-power 6
disable-arm-wids-functions off
free-channel-index 40

rf dot11a-radio-profile
max-distance 0
max-tx-power 18
min-tx-power 12
disable-arm-wids-functions off

syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless

extended-ssid

hash-mgmt-password
hash-mgmt-user admin password hash ************

wlan access-rule default_wired_port_profile
index 1
rule any any match any any any permit

wlan access-rule wired-SetMeUp
index 2
rule masterip 0.0.0.0 match tcp 80 80 permit
rule masterip 0.0.0.0 match tcp 4343 4343 permit
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit

wlan access-rule downlink
index 3
rule any any match any any any permit

auth-survivability cache-time-out 24

wlan external-captive-portal
server localhost
port 80
url "/"
auth-text "Authenticated"
auto-whitelist-disable
https

blacklist-time 3600
auth-failure-blacklist-time 3600

ids
wireless-containment none

ip dhcp MGMT
server-type Local
server-vlan 100
subnet 192.168.100.0
subnet-mask 255.255.255.240
exclude-address 192.168.100.0 192.168.100.10
lease-time 1200
default-router 192.168.100.1
dns-server 1.1.1.1

wired-port-profile downlink
switchport-mode trunk
allowed-vlan 100,10,20,30
native-vlan 100
no shutdown
access-rule-name downlink
speed auto
duplex auto
poe
type employee
auth-server InternalServer
captive-portal disable
no dot1x

wired-port-profile wired-SetMeUp
switchport-mode access
allowed-vlan all
native-vlan guest
no shutdown
access-rule-name wired-SetMeUp
speed auto
duplex auto
no poe
type guest
captive-portal disable
no dot1x

wired-port-profile default_wired_port_profile
switchport-mode trunk
allowed-vlan all
native-vlan 1
shutdown
access-rule-name default_wired_port_profile
speed auto
duplex full
no poe
type employee
captive-portal disable
no dot1x


enet0-port-profile default_wired_port_profile
enet1-port-profile downlink

uplink
preemption
enforce none
failover-internet-pkt-lost-cnt 10
failover-internet-pkt-send-freq 30
failover-vpn-timeout 180

airgroup
disable

airgroupservice airplay
disable
description AirPlay

airgroupservice airprint
disable
description AirPrint

cluster-security
allow-low-assurance-devices


XX:XX:XX:XX:XX:XX# sho ip inter br
Interface IP Address / IP Netmask Admin Protocol
br0 PUBLIC_IP / 255.255.255.240 up up
br0.100 192.168.100.1 / 255.255.255.240 up up
br0.3333 172.31.98.1 / 255.255.254.0 up up

XX:XX:XX:XX:XX:XX# sho aps
2 Access Points
---------------
Name IP Address Mode Spectrum Clients Type IPv6 Address Mesh Role Zone Serial # radio0 Channel radio0 Power (dBm) radio0 Utilization (%) radio0 Noise Floor (dBm) radio1 Channel radio1 Power (dBm) radio1 Utilization (%) radio1 Noise Floor (dBm) radio2 Channel radio2 Power (dBm) radio2 Utilization (%) radio2 Noise Floor (dBm) Need Antenna Config From Port Config Id Config Csum Ext SSID Active Age Link Local IP Address Uplink Port Hierarchy Mode
---- ---------- ---- -------- ------- ---- ------------ --------- ---- -------- -------------- ------------------ ---------------------- ------------------------ -------------- ------------------ ---------------------- ------------------------ -------------- ------------------ ---------------------- ------------------------ ------------------- --------- --------- ----------- --------------- --- --------------------- ----------- --------------
XX:XX:XX:XX:XX:XX PUBLIC_IP* access disable 0 325(indoor) -- N/A - SERIAL_AA - - - - - - - - - - - - No none 3 20812 enable 21m:29s -- eth0 Hierarchy
YY:YY:YY:YY:YY:YY 192.168.100.11 access disable 0 325(indoor) -- N/A - SERIAL_BB - - - - - - - - - - - - No none 3 20812 enable 19m:3s -- eth0 Hierarchy

XX:XX:XX:XX:XX:XX# sho dhcps

Distributed DHCP Scopes
-----------------------
Name  Type  VLAN  Netmask  Default Router  DNS Server  Domain Name  Lease Time  IP Address Range  Client Count  DHCP Option  Reserve First  Reserve Last  Branch ID  Branch Netmask  Branch Router  DHCP Host  DHCP DDNS  DDNS Key
----  ----  ----  -------  --------------  ----------  -----------  ----------  ----------------  ------------  -----------  -------------  ------------  ---------  --------------  -------------  ---------  ---------  --------

Centralized DHCP Scopes
------------------------
Name  Type  VLAN  DHCP Relay  DHCP Relay Servers  DHCP Option 82  VLAN IP  VLAN Mask  Split Tunnel  Tunnel Profile
----  ----  ----  ----------  ------------------  --------------  -------  ---------  ------------  --------------

Local DHCP Scopes
------------------
Name            Type   VLAN  Network        Netmask          Exclude Address               Default Router  DNS Server       Domain Name  Lease Time  DHCP Option  DHCP Host  DNS Cache  Available Address Range          VLAN IP  VLAN Mask
----            ----   ----  -------        -------          ---------------               --------------  ----------       -----------  ----------  -----------  ---------  ---------  -----------------------          -------  ---------
MGMT            Local  100   192.168.100.0  255.255.255.240  192.168.100.0-192.168.100.10  192.168.100.1   1.1.1.1                       1200                                Disabled   192.168.100.11 - 192.168.100.15  0.0.0.0  0.0.0.0

XX:XX:XX:XX:XX:XX# sho dhcp subnets

DHCP Subnet Table
-----------------
VLAN  Type  Subnet         Mask             Gateway        Mode                       Rolemap  Index  TunIdx
----  ----  ------         ----             -------        ----                       -------  -----  ------
100   nat   192.168.100.0  255.255.255.240  192.168.100.1  local,split-tunnel,direct           0

XX:XX:XX:XX:XX:XX# sho dhcp-allocation

---------------------/etc/dnsmasq.conf--------------------
listen-address=127.0.0.1
addn-hosts=/etc/ld_eth_hosts
addn-hosts=/etc/ld_ppp_hosts
dhcp-src=172.31.98.1
dhcp-leasefile=/tmp/dnsmasq.leases
dhcp-authoritative
#magic-vlan
{
	vlan-id=3333
	dhcp-range=172.31.98.3,172.31.99.254,255.255.254.0,12h
	dhcp-option=1,255.255.254.0
	dhcp-option=3,172.31.98.1
	dhcp-option=6,1.1.1.1,8.8.8.8
}
#profile: MGMT
{
	vlan-id=100
	dhcp-range=192.168.100.11,192.168.100.14,255.255.255.240,1200s
	dhcp-option=1,255.255.255.240
	dhcp-option=3,192.168.100.1
	dhcp-option=6,1.1.1.1
}
---------------------/tmp/dnsmasq.leases------------------
1594459970 YY:YY:YY:YY:YY:YY 192.168.100.11 100 * 01:YY:YY:YY:YY:YY:YY
---------------------dhcp relay conf--------------------

After numerous attempts I finally managed to set it up.

Here is the configuration for the Root IAP that works for me.

Maybe it will be helpful also for others.

apboot>
setenv ipaddr PUBLIC_IP
setenv netmask 255.255.255.240
setenv gatewayip PUBLIC_IP_GW
setenv dnsip 1.1.1.1

XX:XX:XX:XX:XX:XX# show run

version 8.7.0.0-8.7.0
virtual-controller-country PL
virtual-controller-key ************
name SetMeUp-XX:XX:XX
terminal-access
clock timezone none 00 00
rf-band all

allow-new-aps

allowed-ap XX:XX:XX:XX:XX:XX
allowed-ap YY:YY:YY:YY:YY:YY

arm
 wide-bands 5ghz
 80mhz-support
 min-tx-power 9
 max-tx-power 127
 band-steering-mode prefer-5ghz
 air-time-fairness-mode default-access
 channel-quality-aware-arm-disable
 client-aware
 scanning

rf dot11g-radio-profile
 max-distance 0
 max-tx-power 9
 min-tx-power 6
 disable-arm-wids-functions off
 free-channel-index 40

rf dot11a-radio-profile
 max-distance 0
 max-tx-power 18
 min-tx-power 12
 disable-arm-wids-functions off

syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless

extended-ssid

hash-mgmt-password
hash-mgmt-user admin password hash ************

wlan access-rule default_wired_port_profile
 index 1
 rule any any match any any any permit

wlan access-rule wired-SetMeUp
 index 2
 rule masterip 0.0.0.0 match tcp 80 80 permit
 rule masterip 0.0.0.0 match tcp 4343 4343 permit
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit

wlan access-rule downlink
 index 3
 rule any any match any any any permit

auth-survivability cache-time-out 24

wlan external-captive-portal
 server localhost
 port 80
 url "/"
 auth-text "Authenticated"
 auto-whitelist-disable
 https

blacklist-time 3600
auth-failure-blacklist-time 3600

ids
 wireless-containment none

ip dhcp MGMT
 server-type Local
 server-vlan 100
 subnet 192.168.100.0
 subnet-mask 255.255.255.240
 exclude-address 192.168.100.0 192.168.100.10
 lease-time 1200
 default-router 192.168.100.1
 dns-server 1.1.1.1

wired-port-profile downlink
 switchport-mode trunk
 allowed-vlan 100,10,20,30
 native-vlan 100
 no shutdown
 access-rule-name downlink
 speed auto
 duplex auto
 poe
 type employee
 auth-server InternalServer
 captive-portal disable
 no dot1x

wired-port-profile wired-SetMeUp
 switchport-mode access
 allowed-vlan all
 native-vlan guest
 no shutdown
 access-rule-name wired-SetMeUp
 speed auto
 duplex auto
 no poe
 type guest
 captive-portal disable
 no dot1x

wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
 shutdown
 access-rule-name default_wired_port_profile
 speed auto
 duplex full
 no poe
 type employee
 captive-portal disable
 no dot1x


enet0-port-profile default_wired_port_profile
enet1-port-profile downlink

uplink
 preemption
 enforce none
 failover-internet-pkt-lost-cnt 10
 failover-internet-pkt-send-freq 30
 failover-vpn-timeout 180

airgroup
 disable

airgroupservice airplay
 disable
 description AirPlay

airgroupservice airprint
 disable
 description AirPrint

cluster-security
 allow-low-assurance-devices


XX:XX:XX:XX:XX:XX# sho ip inter br
Interface                         IP Address / IP Netmask       Admin  Protocol
br0                           PUBLIC_IP / 255.255.255.240  up     up
br0.100                        192.168.100.1 / 255.255.255.240  up     up
br0.3333                         172.31.98.1 / 255.255.254.0    up     up

XX:XX:XX:XX:XX:XX# sho aps
2 Access Points
---------------
Name               IP Address       Mode    Spectrum  Clients  Type         IPv6 Address  Mesh Role  Zone  Serial #    radio0 Channel  radio0 Power (dBm)  radio0 Utilization (%)  radio0 Noise Floor (dBm)  radio1 Channel  radio1 Power (dBm)  radio1 Utilization (%)  radio1 Noise Floor (dBm)  radio2 Channel  radio2 Power (dBm)  radio2 Utilization (%)  radio2 Noise Floor (dBm)  Need Antenna Config  From Port  Config Id  Config Csum  Ext SSID Active  Age      Link Local IP Address  Uplink Port  Hierarchy Mode
----               ----------       ----    --------  -------  ----         ------------  ---------  ----  --------    --------------  ------------------  ----------------------  ------------------------  --------------  ------------------  ----------------------  ------------------------  --------------  ------------------  ----------------------  ------------------------  -------------------  ---------  ---------  -----------  ---------------  ---      ---------------------  -----------  --------------
XX:XX:XX:XX:XX:XX  PUBLIC_IP*  access  disable   0        325(indoor)  --            N/A        -     SERIAL_AA  -               -                   -                       -                         -               -                   -                       -                         -               -                   -                       -                         No                   none       3          20812        enable           21m:29s  --                     eth0         Hierarchy
YY:YY:YY:YY:YY:YY  192.168.100.11   access  disable   0        325(indoor)  --            N/A        -     SERIAL_BB  -               -                   -                       -                         -               -                   -                       -                         -               -                   -                       -                         No                   none       3          20812        enable           19m:3s   --                     eth0         Hierarchy


XX:XX:XX:XX:XX:XX# sho dhcps

Distributed DHCP Scopes
-----------------------
Name  Type  VLAN  Netmask  Default Router  DNS Server  Domain Name  Lease Time  IP Address Range  Client Count  DHCP Option  Reserve First  Reserve Last  Branch ID  Branch Netmask  Branch Router  DHCP Host  DHCP DDNS  DDNS Key
----  ----  ----  -------  --------------  ----------  -----------  ----------  ----------------  ------------  -----------  -------------  ------------  ---------  --------------  -------------  ---------  ---------  --------

Centralized DHCP Scopes
------------------------
Name  Type  VLAN  DHCP Relay  DHCP Relay Servers  DHCP Option 82  VLAN IP  VLAN Mask  Split Tunnel  Tunnel Profile
----  ----  ----  ----------  ------------------  --------------  -------  ---------  ------------  --------------

Local DHCP Scopes
------------------
Name            Type   VLAN  Network        Netmask          Exclude Address               Default Router  DNS Server       Domain Name  Lease Time  DHCP Option  DHCP Host  DNS Cache  Available Address Range          VLAN IP  VLAN Mask
----            ----   ----  -------        -------          ---------------               --------------  ----------       -----------  ----------  -----------  ---------  ---------  -----------------------          -------  ---------
MGMT            Local  100   192.168.100.0  255.255.255.240  192.168.100.0-192.168.100.10  192.168.100.1   1.1.1.1                       1200                                Disabled   192.168.100.11 - 192.168.100.15  0.0.0.0  0.0.0.0

XX:XX:XX:XX:XX:XX# sho dhcp subnets

DHCP Subnet Table
-----------------
VLAN  Type  Subnet         Mask             Gateway        Mode                       Rolemap  Index  TunIdx
----  ----  ------         ----             -------        ----                       -------  -----  ------
100   nat   192.168.100.0  255.255.255.240  192.168.100.1  local,split-tunnel,direct           0

XX:XX:XX:XX:XX:XX# sho dhcp-allocation

---------------------/etc/dnsmasq.conf--------------------
listen-address=127.0.0.1
addn-hosts=/etc/ld_eth_hosts
addn-hosts=/etc/ld_ppp_hosts
dhcp-src=172.31.98.1
dhcp-leasefile=/tmp/dnsmasq.leases
dhcp-authoritative
#magic-vlan
{
	vlan-id=3333
	dhcp-range=172.31.98.3,172.31.99.254,255.255.254.0,12h
	dhcp-option=1,255.255.254.0
	dhcp-option=3,172.31.98.1
	dhcp-option=6,1.1.1.1,8.8.8.8
}
#profile: MGMT
{
	vlan-id=100
	dhcp-range=192.168.100.11,192.168.100.14,255.255.255.240,1200s
	dhcp-option=1,255.255.255.240
	dhcp-option=3,192.168.100.1
	dhcp-option=6,1.1.1.1
}
---------------------/tmp/dnsmasq.leases------------------
1594459970 YY:YY:YY:YY:YY:YY 192.168.100.11 100 * 01:YY:YY:YY:YY:YY:YY
---------------------dhcp relay conf--------------------

The important thing was to not set any vlan for eth0. If there was a VLAN for uplink (eth0) interface the AP connected to downlink was getting IP address but both APs weren't in hierarchy mode.

Hi Pawgol

In my case I did not have a static IP on the Uplink as this is provided by the fiber ISP over DHCP.

Thanks for testing this with 8.7.0.0 and for the tip on using the boot cli to set static IP for uplink.

Cheers
Phillip