Controllerless Networks

Occasional Contributor I

IAPs and VLANs - please help



We've struggled a LOT to get to our current setup, and now that it appears to be working like we want it to, I would really like some feedback from someone who knows more about Aruba products than me.


To quickly (and over-simply) describe our setup, we have some HP 5400zl switches with an internal VLAN (say VLAN 10) with our servers, clients, firewall, company internet line etc.

And then we have a VLAN connected to an ADSL internet line for guests (say VLAN 20).

We have 20 IAP315 APs that we would like to behave like this:


SSID 1 (Guests):

Connected clients are forwarded out the VLAN 20 to gain internet access and nothing else. The VLAN 20 has its own DHCP server already.



We would like the APs to "talk" to each other, have an IP, and have a Virtual controller IP - all on VLAN 10. This way we can control the solution from our normal internal network, and guests on VLAN 20 can't connect to the AP management interface.


The way it is configured right now is like this:

- On the HP switches the AP interfaces are untagged on VLAN 20 (guests) and tagged on VLAN 10 (internal).

- APs have IP addresses in the VLAN 10 range.

- Virtual Controller IP is in the VLAN 10 IP range.

- Virtual Controller VLAN has been set to VLAN 10 in System settings.

- Uplink switch native VLAN in System settings has been set to VLAN 20.

- A "Guests" SSID has been created for Guest use

- The Guests SSID Client IP Assignment is "Network Assigned"

- The SSID VLAN is Static to VLAN 20

- The SSID Access Rules are set to "Unrestricted".


That's it. Only downside, as I see it, is that we have to connect new APs to the internal untagged VLAN when we receive them. Then configure the AP, and THEN place it on a port where VLAN 20 is untagged and VLAN 10 is tagged.


Can anyone tell me if this is the correct way of doing it? If the management part could somehow be the primary VLAN, it would be easier to configure new APs.





Aruba Employee

Re: IAPs and VLANs - please help

Hi rteglgaa,


Welcome to the community. 


So what I understand, you would like to have VLAN 10 untagged and VLAN 20 tagged in IAP ports?

If so, you need to configure the switch ports accordingly. That was the obvious one.

Secondly, remove the uplink VLAN configuration completely. Also, remove the Virtual Controller VLAN. This will make the IAPs send all management traffic untagged to the switch, which is then translated to VLAN 10.

For the Internal SSID, set the Network assignment to default. This will send the traffic from this SSID untagged to the uplink port as well. 


To make it short, everything which needs to be untagged on the uplink does not need any VLAN configuration, as untagged is the default behavior for the IAP.




Contributor I

Re: IAPs and VLANs - please help

I typically do this backwards from what you did. I typically do a trunk port with a native VLAN, which is the management interface. So, for example, with VLAN 10, I would native VLAN 10 and I would not tag it on the VC or in the AP settings; I would just tag the additional SSIDs that I add, like your 20. Inside the guest role you can add a firewall policy that prevents access to your internal network.
Aruba Partner Ambassador ACMX #252, ACDX #824,ACCP, ACSA, AWMP, CCNP Wireless & Security
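
An added example, not part of any post in this thread and not Aruba or HP code: a small Python check that reads the VLAN stanzas of a switch configuration and reports AP ports that deviate from the layout suggested in the replies above (management VLAN 10 untagged, guest VLAN 20 tagged). The port names, the sample configuration and the function names are constructed for illustration, and the `vlan` / `untagged` / `tagged` stanza layout is assumed to match your switch's running-config output.

```python
import re

# Constructed sample in HP ProCurve running-config style (not from the thread).
SAMPLE = """\
vlan 10
   untagged A1-A3,B1
   tagged A4
   exit
vlan 20
   tagged A1-A3
   untagged A4
   exit
"""

def expand(spec):
    """Expand a port list such as 'A1-A3,B1' into individual port names."""
    ports = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        m = re.fullmatch(r"([A-Za-z]*)(\d+)-[A-Za-z]*(\d+)", part)
        if m:
            ports.update(f"{m.group(1)}{n}" for n in range(int(m.group(2)), int(m.group(3)) + 1))
        else:
            ports.add(part)
    return ports

def parse_vlans(config):
    """Return {vlan_id: {'untagged': set, 'tagged': set}} from the config text."""
    vlans, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "vlan" and words[1].isdigit():
            current = vlans.setdefault(int(words[1]), {"untagged": set(), "tagged": set()})
        elif current is not None and len(words) == 2 and words[0] in ("untagged", "tagged"):
            current[words[0]] |= expand(words[1])
    return vlans

def audit(config, ap_ports, mgmt_vlan=10, guest_vlan=20):
    """List AP ports that deviate from: management untagged, guest tagged."""
    vlans, empty = parse_vlans(config), {"untagged": set(), "tagged": set()}
    mgmt, guest = vlans.get(mgmt_vlan, empty), vlans.get(guest_vlan, empty)
    findings = []
    for port in sorted(ap_ports):
        if port in guest["untagged"]:
            # A factory-default AP plugged in here boots on the guest network.
            findings.append((port, "guest VLAN is native"))
        elif port not in mgmt["untagged"]:
            findings.append((port, "management VLAN not untagged"))
        elif port not in guest["tagged"]:
            findings.append((port, "guest VLAN not tagged"))
    return findings
```

In the sample, port A4 carries the layout from the first post (guest untagged, management tagged) and is the only AP port flagged when `audit(SAMPLE, {"A1", "A2", "A3", "A4"})` is called.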
Occasional Contributor I

Re: IAPs and VLANs - please help

Hi Josh,


Thanks for getting back. That's exactly how we would like to do it, but all attempts have failed. We can only do it the other way around, tagging the management VLAN and untagging the guest SSID.


Can you run through my settings in the first post, and specify what one would need to configure in each case?



Aruba Employee

Re: IAPs and VLANs - please help

Hi Rasmus,


Have a look at this post:


This should describe the needed options. 



