Controllerless Networks


How can I assign client VLAN based on which AP user connects to?

  • 1.  How can I assign client VLAN based on which AP user connects to?

    Posted May 19, 2016 04:53 PM

    I must be missing something here, this can't be unusual?

     

    We have just purchased 10 IAP-215's.  The topology of our network is as follows. The default VLAN that IAPs are plugged into (172.16.150.0/24) is distributed across all distribution points.  This is what we will use for management between IAPs, and ONLY for management.

     

    Most other IAPs are on individual subnets/VLANs, only a few are shared.  So for instance in our Sales department we have 2 IAPs, each switchport they are connected to is native on the 172.16.150.0/24 while they both also have a tagged 113 VLAN (172.16.113.0/24), which is the VLAN we want wireless clients in this area to use.

     

    In the engineering section we have a single IAP; again, on its port the native VLAN is the 172.16.150.0/24 network and the tagged one is VLAN 130 (172.16.130.0/24).

     

    Etc...etc...etc...

     

    We don't use radius for authentication.  We are simply using personal level security, so I can't return any results via radius.  In fact, it really wouldn't make sense for us to do so because if a user connects a device while in one area of the building we want them to be assigned an IP and VLAN based on the area they are working in at the time, not based on their username, etc.

     

    To me it seemed like this would be a simple thing.  Each IAP has a name.  There are rules for dynamically assigning VLAN, one of which is "AP-Name".  One would assume then if the two IAPs in sales are called Sales1 and Sales2 respectively for instance, that having a rule that states "If AP-Name begins with Sales then VLAN = 113" would do exactly what we're trying to accomplish.  

     

    It doesn't... And the only info I can find refers back to using radius to pass attributes for specific users.  Again we don't want user specific VLANs, we want IAP specific VLANs.  

     

    What am I missing here?



  • 2.  RE: How can I assign client VLAN based on which AP user connects to?

    EMPLOYEE
    Posted May 19, 2016 05:18 PM

    Can users roam between IAPs?  Is the RF from the advertised SSIDs continuous?



  • 3.  RE: How can I assign client VLAN based on which AP user connects to?

    Posted May 20, 2016 09:01 AM

    Yes, we intend to have L3 mobility.  Yes, single continuous SSID throughout.

     

    The only other solution I've come up with thus far would be to put the IAPs client VLAN as native and change the management to a tagged, but I know I've seen mention in VRDs that it's not recommended to use a tagged management VLAN, and if nothing else it certainly makes deployment slightly more involved.



  • 4.  RE: How can I assign client VLAN based on which AP user connects to?

    EMPLOYEE
    Posted May 20, 2016 09:51 AM

    A technical issue is that most clients will not re-dhcp when the underlying layer 2 network changes from AP to AP if they roam to the same SSID, so they will have no connectivity after a roam.

     

    You might want to consider a single routable VLAN for all clients  that can reach whatever you need them to.



  • 5.  RE: How can I assign client VLAN based on which AP user connects to?

    Posted May 20, 2016 10:16 AM

    Ok now I think I'm very confused...  The whole reason we bought these IAPs was because of their ability to roam.  Every piece of documentation I've read has suggested this wouldn't be any problem at all...

     

    That when a client moved from one IAP to another IAP in a different subnet, a GRE tunnel would be built over the management LAN between the home IAP and the new IAP they are roaming to.  Hence their IP never has to change as any traffic from that point forward is simply forwarded back to their home IAP???

     

    And a single VLAN is not an option.  That's one of the big reasons we are moving to these in the first place, because the existing wireless network is one VLAN but we have way too many clients and the performance is terrible due to the amount of broadcast traffic, etc.

     

    As I said, I hope I'm not being dense here, I just don't understand... ???



  • 6.  RE: How can I assign client VLAN based on which AP user connects to?

    EMPLOYEE
    Posted May 20, 2016 10:34 AM

    So, a few things:

     

    - If you are moving away from a single VLAN because of broadcast/multicast traffic, there is an option to drop that traffic and maintain your performance.  It would be a no-brainer if that was your only issue.

    - Clients that roam typically expect to be on the same layer 2 subnet, so by default that works very well.

    - It is absolutely supported to do layer 3 mobility between Virtual Clusters, yes: http://www.arubanetworks.com/techdocs/Instant_42_WebHelp/InstantWebHelp.htm?_ga=1.43038629.1615771646.1440445030#UG_files/L3_mobility/Configuring_a_mobility_d.htm?Highlight=mobility  The only drawback is that each group of APs that put users in a single VLAN must form its own cluster, which would mean a separate management subnet for each group of APs that share a common client VLAN.

    - Having clients do layer 3 roaming is the exception and at most there are two separate virtual controllers that clients would need to roam back and forth between to maintain their same ip address.  It is typically done when two clusters on different subnets happen to be within earshot of each other.  The link above would tell you how to configure that.

    - Administrators typically stay away from layer 3 mobility because clients that connect to them are harder to troubleshoot.

     

    I hope any of that makes sense...



  • 7.  RE: How can I assign client VLAN based on which AP user connects to?

    Posted May 20, 2016 02:38 PM

    It makes sense, but I'm still not sure I follow the logic.  Let me state it another way and pose it as a different type of question(s).

     

    Let's say I have a network that looks roughly like this

     

    |Area 1         |    |Area 2         |    |Area 3         |    |Area 4         |
    [Switch 1       ]    [Switch 2       ]    [Switch 3       ]    [Switch 4       ]
    [VLAN: 10,15,5  ]    [VLAN: 20,25,5  ]    [VLAN: 30,35,5  ]    [VLAN: 40,45,5  ]
            |                    |                    |                    |
            +--------------------+----------+---------+--------------------+
                                            |
                                            |
                        |                  NOC                  |
                        |              VLAN ID: 50              |
                        [        Backbone Routing Switch        ]
                        [  VLAN: 5,10,15,20,25,30,35,40,45,50   ]

     

    So in this case we have 4 subnets in different distribution areas of a building.  The gateway for all is a central L3 routing backbone switch which ties all the edge switches together.

     

    Let's assume that VLANs 10, 20, 30 and 40 are for wired clients.  So each area has its own broadcast domain and therefore excess traffic is kept to a minimum.

     

    What I'm getting from the docs I've read so far combined with what you're saying is this.  That if we want to use VLAN 15, 25, 35, and 45 respectively for our wireless clients, the ONLY way to do this would be to put the IAPs native VLAN to 5, but then we would need to set up VLAN pooling on the IAPs and use all 4 VLANs.  Which means that ALL four areas, area 1,2,3 and 4 switches would need to be configured to have all four VLANS sent to them, 15,25,35 and 45.  Or alternatively we just choose one of these VLANS (let's say 15) and put ALL clients on that VLAN and send that vlan to all 4 distribution switches.

     

    Doesn't anyone else see a problem with that?  I swear I'm not trying to be dense, I'm just trying to understand.

     

    If we have to send all 4 VLANs to EVERY distribution point we have, then aside from isolating a small amount of broadcast traffic, what have we gained at all from even using VLANs?  We're sending all the traffic to all our distribution points anyway, so what isolation have we really gained?  Our fiber uplinks to our edge switches, instead of containing traffic for just 2 or 3 VLANs, now have to pass traffic for 6 VLANs... So what's the point?

     

    Wouldn't it make a LOT more sense to have each client VLAN separated except the management VLAN for the cluster?  So that all APs can talk on a single VLAN, but that is management traffic, which is somewhat minimal.  So a client connects in Area 1 and receives an IP address on VLAN 15.  That client then roams to Area 3.  When the AP there sees the client, it knows that it is not directly attached to that VLAN, but it knows that the AP in Area 1 is, so a tunnel is established and any traffic for the client is forwarded to the AP in Area 1, which then passes it on through VLAN 15.  That's how I understood this all to work when talking to the sales rep, and to me it makes the most sense.

     

    As I stated before, if we have to configure all the wireless VLANs to go out to ALL our edge switches anyway, then what's the point of even having separate VLANs?

     

    Is there something I'm just not getting here?



  • 8.  RE: How can I assign client VLAN based on which AP user connects to?

    EMPLOYEE
    Posted May 20, 2016 03:58 PM

    @rusirius wrote:

    It makes sense, but I'm still not sure I follow the logic.  Let me state it another way and pose it as a different type of question(s).

     

      Or alternatively we just choose one of these VLANS (let's say 15) and put ALL clients on that VLAN and send that vlan to all 4 distribution switches.

     

     

    That is how you should do it.  If you want to manage all APs from a single place, you would need a VLAN common to all of your switches so that they can see each other.  Assuming that your switches all have a management VLAN already, your IAPs can be on that VLAN and you can just trunk VLAN 15 to the ports that your IAPs are on.  Your IAPs will be on the management VLAN, can see each other and would be managed from a single point (the VC).  VLAN 15 will be a wireless subnet that will simply be routed to any subnet by your backbone switch, so your wireless clients can reach assets and they can be reached.  In the SSID configuration under Advanced, you can enable broadcast filtering to stop broadcasts.

     

    I hope that makes sense.
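A small design check for the two points the thread settles on, added here as an example (it is not code from the thread or from Aruba): every IAP port must carry the same untagged management VLAN so the APs form one cluster, and the SSID's client VLAN must be tagged on every IAP port, because a client that roams within one SSID keeps its address and does not re-DHCP (post 4). AP names, VLAN numbers and port data are constructed sample input; the management VLAN is numbered 150 to stand in for the thread's 172.16.150.0/24 network.

```python
"""Check an Instant AP cluster's VLAN design for the two failure modes
discussed in the thread: APs that cannot form one cluster, and an SSID
whose client VLAN is missing on some AP port (roaming clients lose
connectivity there).  Added example with constructed data, not a real
configuration and not Aruba's own tooling."""

# Constructed: AP name -> (untagged VLAN, set of tagged VLANs) on the
# switch port the IAP is plugged into.  Eng1 mirrors the original design,
# where each area only carries its own client VLAN.
AP_PORTS = {
    "Sales1": (150, {113}),
    "Sales2": (150, {113}),
    "Eng1":   (150, {130}),
    "Lobby1": (150, {113, 130}),
}

# Constructed: SSID -> client VLAN the virtual controller assigns.
SSID_VLAN = {"Corp": 113}


def cluster_management_vlan(ap_ports):
    """Return the untagged VLAN shared by all AP ports, or None if they
    differ (APs on different L2 segments will not form a single VC)."""
    natives = {native for native, _ in ap_ports.values()}
    return natives.pop() if len(natives) == 1 else None


def simulate_roam(ap_ports, client_vlan, path):
    """Follow a client that got an address in client_vlan on path[0] and
    roams along path without re-DHCP; map each AP to whether the client
    still has connectivity there (the AP can only bridge tagged VLANs)."""
    return {ap: client_vlan in ap_ports[ap][1] for ap in path}


def check_design(ap_ports, ssid_vlan):
    """Return a list of findings; an empty list means the design is
    consistent with post 8 (common mgmt VLAN, client VLAN on every port)."""
    findings = []
    if cluster_management_vlan(ap_ports) is None:
        findings.append("AP ports use different untagged VLANs; "
                        "the APs will not form one cluster")
    for ssid, vlan in ssid_vlan.items():
        for ap, (_, tagged) in sorted(ap_ports.items()):
            if vlan not in tagged:
                findings.append(f"SSID {ssid}: VLAN {vlan} is not tagged on "
                                f"{ap}; clients roaming there lose connectivity")
    return findings


if __name__ == "__main__":
    for line in check_design(AP_PORTS, SSID_VLAN) or ["design OK"]:
        print(line)
```

With the data above the check reports Eng1; tagging VLAN 113 on that port too (the single routable client VLAN from post 8) clears the finding.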