What is remote AP "BACKUP" operation mode, how to configure it and troubleshoot it?
There are 6 key points for backup mode configuration:
- create a dummy vlan in the controller for the backup mode user
There is no need to configure an IP address for this vlan interface
- configure this vlan as the Remote-AP DHCP server vlan
(config) #ap system-profile test-bridge
(Aruba2400) #show ap system-profile test-bridge
AP system profile "test-bridge"
LMS IP N/A
Backup LMS IP N/A
Remote-AP DHCP Server VLAN 500
Heartbeat DSCP 0
- create the initial role for the backup ssid user and apply it to the aaa profile
(config) #ip access-list session bridge-initial
any any svc-dhcp permit
any any any route src-nat
"any any svc-dhcp permit" allows the user to get an IP address from the RAP.
"any any any route src-nat" makes sure that all user traffic is source-NATed on the RAP uplink Ethernet interface and guarantees that the users' 192.168.11.0 private IP addresses are never leaked into the outside network.
(config) #user-role bridge-initial
When the RAP is in backup mode, it functions as a DHCP server and assigns IP addresses from the static DHCP pool 192.168.11.0/24 to wireless users associated with the backup ssid. The address pool ranges from 192.168.11.2 through 192.168.11.254. The RAP wireless interface IP is 192.168.11.1/24. Every RAP in backup mode has the same DHCP address pool and the same wireless interface IP.
(Aruba2400) # show aaa profile test-aaa-profile
AAA Profile "test-aaa-profile"
Initial role bridge-initial
MAC Authentication Profile N/A
- create a virtual ap with remote ap backup mode enabled and forward mode set to bridge, and apply the vlan, aaa profile and ssid profile created in the previous steps
wlan virtual-ap "test-bridge"
RAP backup operation mode only works in bridge forward mode
- create a RAP ap-group and apply to it the backup mode virtual ap and the ap system profile created in the previous steps
- assign the RAP to the ap-group
Troubleshoot backup RAP
Because the backup RAP runs in bridge forward mode, there are no sessions in the controller. If there is a problem with the backup RAP, we need to get into "Full access mode" on the AP itself and use the command "apfcutil -r" to troubleshoot.
The most important thing to check is whether the backup RAP configuration has been pushed to the RAP, i.e., the initial role, the vlan, the RAP operation mode and the forward mode.
- apfcutil -r vaps RAP - gives the number of offline vaps stored (num_offline_vaps)
- apfcutil -i RAP - Clears the RAP sector, in case one wants to start afresh
x = the index of the vap of interest; it ranges from 0 to num_offline_vaps-1
- apfcutil -r 3x RAP - Gives the virtual profile parameters
- apfcutil -r 3x+1 RAP - Gives the ssid profile parameters
- apfcutil -r 3x+2 RAP - Gives other misc profile parameters
~ # apfcutil -r 0 RAP
~ # apfcutil -r 1 RAP
a_basic_rates 6 12 24
a_tx_rates 6 9 12 18 24 36 48 54
g_basic_rates 1 2
g_tx_rates 1 2 5 6 9 11 12 18 24 36 48 54
~ # apfcutil -r 2 RAP
In the controller:
(Aruba2400) # show rights bridge-initial
Derived Role = 'bridge-initial'
ACL Number = 41/0
1 any any svc-dhcp permit low
2 any any any route src-nat low
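
The controller-side checks above can be run over saved "show" output in one pass. The script below is an added example, not part of the original article or of any Aruba tooling: it confirms that the Remote-AP DHCP server vlan is set, that the aaa profile uses the expected initial role, and that the role carries both the svc-dhcp permit and the route src-nat rule. The function names are hypothetical and the capture is constructed from the output lines shown on this page.

```sh
#!/bin/sh
# Added example: audit saved controller "show" output for the backup-mode
# settings described on this page. Function names are hypothetical.

# Constructed capture, assembled from the output lines shown on the page.
CAPTURE='AP system profile "test-bridge"
Remote-AP DHCP Server VLAN 500
AAA Profile "test-aaa-profile"
Initial role bridge-initial
1 any any svc-dhcp permit low
2 any any any route src-nat low'

# Print the value that follows a label such as "Initial role".
field() {  # $1 = capture text, $2 = label
    printf '%s\n' "$1" | sed -n "s/^ *$2  *//p" | head -n 1
}

# Print the position of the first numbered ACL entry that starts with $2.
acl_pos() {  # $1 = capture text, $2 = rule text
    printf '%s\n' "$1" | awk -v rule="$2" '
        $1 ~ /^[0-9]+$/ {
            line = $0
            sub(/^ *[0-9]+ +/, "", line)
            if (index(line, rule) == 1) { print $1; exit }
        }'
}

# Return 0 only if the DHCP server VLAN, initial role and both ACL rules are present.
check_backup_rap() {  # $1 = capture text, $2 = expected initial role
    rc=0
    vlan=$(field "$1" "Remote-AP DHCP Server VLAN")
    case "$vlan" in
        ''|*[!0-9]*) echo "FAIL: Remote-AP DHCP Server VLAN is not set"; rc=1 ;;
    esac
    role=$(field "$1" "Initial role")
    [ "$role" = "$2" ] || { echo "FAIL: initial role '$role', expected '$2'"; rc=1; }
    [ -n "$(acl_pos "$1" "any any svc-dhcp permit")" ] ||
        { echo "FAIL: svc-dhcp permit rule missing"; rc=1; }
    [ -n "$(acl_pos "$1" "any any any route src-nat")" ] ||
        { echo "FAIL: route src-nat rule missing, client addresses would not be NATed"; rc=1; }
    return $rc
}

check_backup_rap "$CAPTURE" bridge-initial && echo "backup-mode settings present"
```

A vlan value of N/A, a different initial role, or a role without the src-nat entry each produce a FAIL line and a non-zero return code.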