Wireless Access

Hello,

I did my first AOS10 installation with a customer which had a lot of issues in the first stages of the installation; 

Now a HPE employee went on site and told the end-customer that it is best practice and following the VRDs that APs and controllers must be in seperate vlans. I have them installed in a dedicated WLAN-mgmt vlan, which means: only APs and gateways are in the same VLAN (and the  coreswitch has an IP for routing purpose off course) .  Now I am working for almost 11 years with Aruba products and I have never heard of this statement; more even searching on this community gives me posts where cjoseph is saying, APs and controllers just need to be able to reach each other no matter the vlan; - I mostly try to configure a dedicated AP/controller vlan, so no user traffic is disturbing in this vlan. 

Does this change in AOS10 ? Is there somewhere a VRD for AOS10 available ? 

Cheers

------------------------------
Thomas
------------------------------

Thomas, AOS10 is indeed different from AOS 6/8 as the datapath is in the AP and in the controller, rather than just in the controller. If you have the same VLAN in the AP and in the controller and a tunnel between them, you may imagine that there can be L2 loops. That is one of the reasons that gateway and AP need to be in different VLANs. For AOS 8 you can still put your APs adjacent to your controller (but don't need to).

Check the ESP Campus Design documents as well (formerly VRD). And some additional resources:

Check here for a nice video series on deploying AOS 10.

More official training in the AOS 10 Essentials Webinar.

For partners with access to Arubapedia for Partners, you can search 'AOS 10' in the Search Bar to get to a rich set of additional documentation.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Mar 16, 2023 06:12 AM
From: Thomasds
Subject: VLAN for APs and Controllers in AOS10

Hello,

I did my first AOS10 installation with a customer which had a lot of issues in the first stages of the installation; 

Now a HPE employee went on site and told the end-customer that it is best practice and following the VRDs that APs and controllers must be in seperate vlans. I have them installed in a dedicated WLAN-mgmt vlan, which means: only APs and gateways are in the same VLAN (and the  coreswitch has an IP for routing purpose off course) .  Now I am working for almost 11 years with Aruba products and I have never heard of this statement; more even searching on this community gives me posts where cjoseph is saying, APs and controllers just need to be able to reach each other no matter the vlan; - I mostly try to configure a dedicated AP/controller vlan, so no user traffic is disturbing in this vlan. 

Does this change in AOS10 ? Is there somewhere a VRD for AOS10 available ? 

Cheers

------------------------------
Thomas
------------------------------

Herman,

I can follow you with your statements about loops somehow, but this contradicts what is said about the branches in that documentationwhere is stated:

Network Overview | Validated Solution Guide (arubanetworks.com) =>

"Branch switches at each site have nine VLANs. Their default gateway is a virtual IP shared among the branch gateways at each site."

this means the vlans are know on the wireless as well as on the controller. since on each branch your AP termination is the branch controller as well. 

Even in the part about the campuses, where is stated that 1 of the access vlans is 15 which is also the mgmt vlan of the controllers. 

To complete my design info, I had a vlan  which was on my controller, on the AP side is was vlan 1 since only in vlan 1 he is doing DHCP, but access vlan x on the switch side. the VLAN x or vlan 1 is impossible to receive on the wireless side, and all SSIDs are tunneled to the gateway. There is as well an option "tunnel loop prevention" which I enabled, and there is an option to allow only the specified vlans on the uplink of the AP which is the native vlan, So loops could not be created (theoretically) 

My colleague who is experimenting with AOS 10 and branch setups even just told me that Aruba TAC themselves told him that it is better to have the gateways as default gateway for each vlan. 

Do I understand correctly that the vlans might exist on both and even an IP may exist for the AP-vlan, but the "controller-ip" itself should defined in another vlan? 

------------------------------
Thomas
------------------------------

Original Message:
Sent: Mar 16, 2023 07:17 AM
From: Herman Robers
Subject: VLAN for APs and Controllers in AOS10

Thomas, AOS10 is indeed different from AOS 6/8 as the datapath is in the AP and in the controller, rather than just in the controller. If you have the same VLAN in the AP and in the controller and a tunnel between them, you may imagine that there can be L2 loops. That is one of the reasons that gateway and AP need to be in different VLANs. For AOS 8 you can still put your APs adjacent to your controller (but don't need to).

Check the ESP Campus Design documents as well (formerly VRD). And some additional resources:

Check here for a nice video series on deploying AOS 10.

More official training in the AOS 10 Essentials Webinar.

For partners with access to Arubapedia for Partners, you can search 'AOS 10' in the Search Bar to get to a rich set of additional documentation.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Mar 16, 2023 06:12 AM
From: Thomasds
Subject: VLAN for APs and Controllers in AOS10

Hello,

I did my first AOS10 installation with a customer which had a lot of issues in the first stages of the installation; 

Now a HPE employee went on site and told the end-customer that it is best practice and following the VRDs that APs and controllers must be in seperate vlans. I have them installed in a dedicated WLAN-mgmt vlan, which means: only APs and gateways are in the same VLAN (and the  coreswitch has an IP for routing purpose off course) .  Now I am working for almost 11 years with Aruba products and I have never heard of this statement; more even searching on this community gives me posts where cjoseph is saying, APs and controllers just need to be able to reach each other no matter the vlan; - I mostly try to configure a dedicated AP/controller vlan, so no user traffic is disturbing in this vlan. 

Does this change in AOS10 ? Is there somewhere a VRD for AOS10 available ? 

Cheers

------------------------------
Thomas
------------------------------