AAA, NAC, Guest Access & BYOD


How should the Aruba controller be configured to ensure proper VLAN tagging across a mesh bridge link? 

Jun 30, 2014 10:40 PM

Product and Software: This article applies to ArubaOS 3.3.2 and later.

When configuring a mesh link for bridging, it is important to ensure that VLAN tagging is properly implemented. Proper VLAN tagging includes having the same native VLAN throughout for untagged traffic.


On Aruba controllers, the following profiles are used for configuring bridging across a mesh link:

  • Wired AP profile: used for the wired ports on a mesh portal and on a mesh point. By default, the native VLAN in the wired AP profile is 1. The port is an access port by default, meaning no VLAN tagging is done and all traffic incoming on the port is considered untagged on the specified access VLAN.
  • AP system profile: used for specifying the native VLAN for traffic sent over the air across the mesh link. By default, the native VLAN is 1. Thus, any traffic received untagged on the wired port would be sent across the mesh link untagged and considered to be on VLAN 1. Upon receipt on the remote side of the mesh link, the mesh portal or point would attempt to put the traffic on any ports that have VLAN 1, except, of course, the mesh link the traffic was received on.

    Another way of explaining the use of the native VLAN in the system profile:
    The VLAN in the AP system profile represents the VLAN of the mesh link. If the access VLAN configured in the wired-ap-profile is not the same as the native VLAN in the system profile, the Ethernet frames from the wired device will be tagged when sent on the mesh link. The port to which the portal is connected will therefore have to be made a trunk port, and the VLAN should be enabled, for it to work properly.
  • Interface switchport configurations on connected Ethernet switches. By default, the native VLAN is usually 1 and the port is considered an access port, meaning only untagged traffic for a specified VLAN is on the port.

    Suppose you want:
  • Untagged traffic on VLAN 10.
  • Tagged traffic on VLANs 100, 200, and 300.

To be specific, the configuration on an Aruba controller running ArubaOS 3.4.0.x would be as follows:



Wired AP profile
================
ap wired-ap-profile "mesh"
   wired-ap-enable
   forward-mode bridge
   switchport mode trunk
   switchport trunk native vlan 10
   switchport trunk allowed vlan 100,200,300
   trusted
!

AP system profile
=================
ap system-profile "mesh"
   native-vlan-id 10
!

AP group configuration
======================
ap-group "mesh"
   dot11a-radio-profile "mesh"
   dot11g-radio-profile "mesh"
   wired-ap-profile "mesh"
   ap-system-profile "mesh"
   mesh-cluster-profile "mesh" priority 1
!

Sample Ethernet configuration for the switch that may be connected to the mesh portal or mesh point
=====================================================================
interface fastethernet 2/4
        description "fe2/4"
        trusted
        switchport mode trunk
        switchport trunk native vlan 10
        switchport trunk allowed vlan 100,200,300
!

Note:

When the forwarding mode is changed in the wired AP profile, the AP reboots. The AP also reboots when the forwarding mode is changed after the wired AP profile has already been applied to the AP group.
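
The consistency rule described above, as an added example (not part of the original article and not Aruba tooling): a small Python check that reads stanzas in the form shown here and reports where the wired AP profile, the AP system profile and the switch port disagree on native or allowed VLANs. It assumes trunk ports, comma-separated VLAN lists and one stanza of each kind; the function names and the sample input are illustrative.

```python
import re

# Constructed input: the article's stanzas with the switch port deliberately wrong.
SAMPLE = """
ap wired-ap-profile "mesh"
   forward-mode bridge
   switchport trunk native vlan 10
   switchport trunk allowed vlan 100,200,300
!
ap system-profile "mesh"
   native-vlan-id 10
!
interface fastethernet 2/4
   switchport trunk native vlan 1
   switchport trunk allowed vlan 100,200
!
"""

def parse_stanzas(text):
    """Map each '!'-terminated stanza, keyed by its first two words, to its lines."""
    stanzas = {}
    for block in re.split(r"(?m)^\s*!\s*$", text):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if lines:
            stanzas[" ".join(lines[0].split()[:2])] = lines[1:]
    return stanzas

def vlans(body):
    """Return (native VLAN, allowed VLAN set); native defaults to 1 as in the article."""
    native, allowed = 1, set()
    for line in body:
        if m := re.fullmatch(r"(?:switchport trunk native vlan|native-vlan-id) (\d+)", line):
            native = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,]+)", line):
            allowed = {int(v) for v in m.group(1).split(",") if v}
    return native, allowed

def check_mesh_vlans(text):
    """Return a list of findings; an empty list means the three places agree."""
    s = parse_stanzas(text)
    w_nat, w_all = vlans(s.get("ap wired-ap-profile", []))
    m_nat, _ = vlans(s.get("ap system-profile", []))
    p_nat, p_all = vlans(s.get("interface fastethernet", []))
    checks = [
        (w_nat != m_nat, f"wired native {w_nat} != mesh native {m_nat}: frames are tagged on the mesh link"),
        (p_nat != w_nat, f"switch native {p_nat} != wired native {w_nat}"),
        (w_all != p_all, f"allowed VLANs differ: wired {sorted(w_all)}, switch {sorted(p_all)}"),
    ]
    return [msg for bad, msg in checks if bad]
```

Calling check_mesh_vlans(SAMPLE) returns two findings, one for the switch port's native VLAN and one for the missing VLAN 300; the article's own configuration returns none.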
