Controllerless Networks

Aruba Employee

[Tutorial] Aruba Instant OS 8.3 Hierarchical Deployment, aka IAP as CPE


I’ve read about hierarchical deployment in the Aruba Instant Validated Reference Design - V2.0, this is something I’ve personally not seen in the wild.

This got me thinking on how this could apply to using the IAP as a CPE.

I could not find any recent examples; here is the older one


I’ve configured the Hierarchical deployment in my lab using Aruba Instant OS

AP-203R eth 0 connected to the internet and eth1 connected to port 1 on the 2530.

The 2530 connects to other IAPs (315 on port 8) and wired clients.

H IAP.jpg



I’ve kept the switch configuration basic


Screen Shot 2019-03-21 at 3.46.11 PM.png 

Screen Shot 2019-03-21 at 3.47.10 PM.png


Log into Instant WebUI

Click on "Wired" from the Main menu in the top-right corner.

Click on "New" to create Wired Ethernet Profile:


Screen Shot 2019-03-21 at 10.47.46 AM.png


Configure Wired Settings for downlink to the LAN switch.


Screen Shot 2019-03-21 at 10.49.38 AM.png


Under VLAN Management, configure Port mode (Trunk). Add allowed VLANs for Eth1, in my case I used; 101 (IAP), 102 (Switch), 201 (Employee) and 202 (Guest). Note the native VLAN is not specified, we will come back to this later.


Screen Shot 2019-03-21 at 10.51.37 AM.png 


I did not set any L2 Security on this downlink port, I did not want to complicate adding other Access Points to the cluster in my test lab.


Screen Shot 2019-03-21 at 10.53.18 AM.png 


I did not set any policy, everything is allowed on the downlink port.


Screen Shot 2019-03-21 at 10.53.37 AM.png


After finishing the wired profile, I assigned it to eth1 on the 203R


Screen Shot 2019-03-21 at 10.54.31 AM.png


I used Local DHCP Scopes on the IAP for the VLANs setup in the Wired Ethernet Profile.

Note the VLAN IDs in the scope should match the VLAN IDs in the Wired Ethernet Profile.


Screen Shot 2019-03-21 at 10.57.43 AM.png


IAP Private VLAN for other Instant Access Points to form the IAP Cluster


Screen Shot 2019-03-21 at 11.10.56 AM.png


Infra for managing local site infrastructure like the switch.


Screen Shot 2019-03-21 at 11.12.05 AM.png


Employee, I used this scope for both wired and wireless client end devices.


Screen Shot 2019-03-21 at 11.16.18 AM.png


Last the Guest scope

 Screen Shot 2019-03-21 at 11.17.24 AM.png


Screen Shot 2019-03-21 at 11.17.56 AM.png 


At this point I went back to edit my Wired Downlink Profile, remember we had no untagged/native VLAN set on the IAP and the switch is expecting IAP Private VLAN 101 as untagged/native. This bit is not obvious, but “Client VLAN assignment” sets the untagged/native VLAN.


Screen Shot 2019-03-21 at 3.31.52 PM.png


My LAN switch was now getting an IP address from DHCP on the 203R IAP


Screen Shot 2019-03-21 at 3.48.15 PM.png


The 315 joined the cluster

 Screen Shot 2019-03-21 at 3.30.52 PM.png


Screen Shot 2019-03-21 at 3.51.43 PM.png 


I configured a basic employee WLAN Network


Screen Shot 2019-03-21 at 12.39.55 PM.png 


I used the same VLAN 201 for the wireless and wired devices


Screen Shot 2019-03-21 at 12.40.47 PM.png 


I set a basic PSK


Screen Shot 2019-03-21 at 12.41.12 PM.png


I used the same open allow all access as wired


Screen Shot 2019-03-21 at 12.41.40 PM.png


Lastly, I connected Clients.

Tinkerbell plugged into the 2530 and a wireless client on each Access Point.


Screen Shot 2019-03-21 at 3.54.29 PM.png

 Screen Shot 2019-03-21 at 3.53.52 PM.png


Screen Shot 2019-03-21 at 4.26.09 PM.png


I even managed to get decent speeds, my UFB is limited to 100Mbps down and 20Mbps up.




Note the uplink on the 203R is ethernet with DHCP provided, standard UFB / NBN stuff in ANZ.

Some ISPs in NZ require you to add an 802.1q VLAN tag on the uplink.




You may even want to use 4G as backup

Search Airheads
Showing results for 
Search instead for 
Did you mean: