[Tutorial] Aruba Instant OS 8.3 Hierarchical Deployment, aka IAP as CPE
07-17-2019 05:32 PM
I’ve read about hierarchical deployment in the Aruba Instant Validated Reference Design - V2.0, this is something I’ve personally not seen in the wild.
This got me thinking on how this could apply to using the IAP as a CPE.
I could not find any recent examples; here is the older one https://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-configure-and-troubleshoot-a-hierarchical-deployment/ta-p/179760
I’ve configured the Hierarchical deployment in my lab using Aruba Instant OS 220.127.116.11.
AP-203R eth 0 connected to the internet and eth1 connected to port 1 on the 2530.
The 2530 connects to other IAPs (315 on port 8) and wired clients.
I’ve kept the switch configuration basic
Log into Instant WebUI
Click on "Wired" from the Main menu in the top-right corner.
Click on "New" to create Wired Ethernet Profile:
Configure Wired Settings for downlink to the LAN switch.
Under VLAN Management, configure Port mode (Trunk). Add allowed VLANs for Eth1, in my case I used; 101 (IAP), 102 (Switch), 201 (Employee) and 202 (Guest). Note the native VLAN is not specified, we will come back to this later.
I did not set any L2 Security on this downlink port, I did not want to complicate adding other Access Points to the cluster in my test lab.
I did not set any policy, everything is allowed on the downlink port.
After finishing the wired profile, I assigned it to eth1 on the 203R
I used Local DHCP Scopes on the IAP for the VLANs setup in the Wired Ethernet Profile.
Note the VLAN IDs in the scope should match the VLAN IDs in the Wired Ethernet Profile.
IAP Private VLAN for other Instant Access Points to form the IAP Cluster
Infra for managing local site infrastructure like the switch.
Employee, I used this scope for both wired and wireless client end devices.
Last the Guest scope
At this point I went back to edit my Wired Downlink Profile, remember we had no untagged/native VLAN set on the IAP and the switch is expecting IAP Private VLAN 101 as untagged/native. This bit is not obvious, but “Client VLAN assignment” sets the untagged/native VLAN.
My LAN switch was now getting an IP address from DHCP on the 203R IAP
The 315 joined the cluster
I configured a basic employee WLAN Network
I used the same VLAN 201 for the wireless and wired devices
I set a basic PSK
I used the same open allow all access as wired
Lastly, I connected Clients.
Tinkerbell plugged into the 2530 and a wireless client on each Access Point.
I even managed to get decent speeds, my UFB is limited to 100Mbps down and 20Mbps up.
Note the uplink on the 203R is ethernet with DHCP provided, standard UFB / NBN stuff in ANZ.
Some ISPs in NZ require you to add an 802.1q VLAN tag on the uplink.
You may even want to use 4G as backup