Controllerless Networks

I have 1 subnet of IAPS around 20 X IAPs and 1 of the switch was faulty and no link to the 6 IAPs but there are power to these 6 APs. They are using static IP address they MESH up to the neighbor IAPs instead, anyway to disable the MESH on IAPs as my guess is that the neighbors APs are using the same subnet as our IAPs. Alternative is to change our IP address but hope we can disable the MESH instead.

 

Gordon

 

 

By mistake the other day I find out that if you enable the extended SSID option it will disable the mesh link 

 

 

Mesh_Portal_Upstairs# show  ap mesh link 
No mesh supported in current mode

 You could also try the no mesh but I'm not sure if that disables it

Gordon,

Are you confident in your observations?

This gives rise to a serious moment for reflection if what you claim is true: If Aruba's APs can mesh (always or by default) without performing robust peer authentication prior to forming/joining a mesh, it would be an epic security vulnerability in deployments. Think about the obvious implications that would flow from such behaviour... It could be exploited maliciously where there is intention to do so...

Had I noticed such an issue and was confident that it was not a misconfiguration or misunderstanding on my behalf, it would have driven me to go absolutely nuts at whoever supplied/supported my installation demanding answers, and yesterday. As well as requiring a fix, it would engender a whole host of wider questions for me.

You should definitely investigate this behaviour further. If it turns out to be true, Aruba would need to start a rapid security response process to the problem and issue a bulletin/notice to its customers.

Cheers,

Nick

This is 100% true.

 

Bizarre isn't it?

Two separate and distinct IAP clusters (that is two IAP clusters that were setup separately, on different L2 networks, etc) will not join each other's clusters via mesh. There is a hashed Mesh Cluster ID that is established upon the setup of any new VC/IAP Cluster that is then pushed to any IAPs that later join that cluster. If Business 1 sets up IAP cluster 1 and it gets mesh cluster ID 12345, then if business 1 then adds another IAP to that cluster via L2 and it shows up in the IAP VC, then it will also get that same mesh cluster ID. Then if Business 2 sets up their own IAP cluster on their own L2 network, their cluster may get ABCDE as their mesh cluster ID.

 

Both businesses would need to first disable the extended SSID to enable Mesh.

 

If Business 1 IAP loses the wire, it will search for another AP broadcasting the mesh cluster 12345. Business 2, if an IAP loses the wire, will look for ABCDE. Business 2 IAP won't join Business 1 IAP (unless they were all originally provisioned as the same VC under the same cluster, which would be rare I hope). 

<p>Hello,</p>
<p>&nbsp;</p>
<p>Regarding the limitations of Mesh in IAP, is there any maximum of Mesh Portals allowed per Mesh Cluster ID? Thank you!

There is a soft limit (not enforced but recommended limit of 128 IAPs in a cluster).

 

There is no limit to mesh portals in the cluster.

Thank you very much!