Higher Education

We currently have (24) /22 vlans in a vlan pool for our 802.1X network. In the past two weeks we went from (21) /22s to (24)/22s, adding them on separate occasions. During peak times pool utilization ranges from 81% to 97%. On one day the busiest vlan in the pool briefly ran out of addresses but other vlans happily had in the mid 80% range,

 

I don't recall the pool ever being so out of balance in the past. Is there a way to have the controllers "redraw" the vlan assignment algorithm? As a typical University, We have a heavy use of Apple products over any other vendor. The UG states that "VLAN assignment is based on the station MAC address" but doesn't really go into which octect. Not sure if this is an issue but if it's based on OUI we're not going to fair well.

 

We're using HASH method and use L2 (not L3) mobility. We have 11 active controllers, 10 M3's and one 7220. Running 6.3.1.8. We're trying hard to use every last drop of IPv4 addresses we have. Having more even distribution would stave off the NAT gorilla, at least for this semester.

 

Mike

#7220

Hey Mike,

 

We have had the same problem for a long time.  We've changed between even vlan pooling and hash algorithms, worked with Aruba, and no one could ever help us.  We ended up making vlan pools on our infoblox DHCP boxes and letting infoblox do the pooling which has worked better.

 

It'd be nice for the OS to know what subents are in a vlan pool and what the state of DHCP is so it can better assign to vlans... Hope someone else has better insight into this issue.

Are your SSIDs open? If so that could be problem because of how IOS devices and some android devices assicioate.

If not open how are you authenticating?  Also how are your roles setup and what is your controller enviroment like.  

Interesting..  How do you configure Aruba (and Infoblox) to let Infoblox to do the vlan pooling? Does the SSID only offer a single vlan and Infoblox does some magic?

They're shared networks in Infoblox but on the router config under the vlan they're all secondary networks - pass that to Aruba as one vlan for one ssid.  We run a few ssid's so we have about 7 or 8 /23's under each vlan per campus per ssid. (Depending on what the SSID is used for, of course).

This has been an ongoing battle for us for years. To answer some questions, hashing is based on the mac address but not a specific octet. All values are taken into account and arithmetic is run against it to determine vlan placement. The number of vlans in the pool are taken into account as well. What you describe (~15-20% variance between most and least utilized vlans within a pool) is precisely what we see. Take a look:

Here?s a snapshot of one of our many pools on north campus. Heaviest used is 95%; least is 78%. That?s a lot of wasted address space. :-(

[figure1]

I?m tip-toeing into moving to ?even? from ?hash? for vlan pools. In my ?first release? controller stack which consists of only 4 /24s, I made the change and can visually see improvements. Here are two screen shots showing before and after the change for an 8a-5p period on our peak day of the week.


[figure 2]

I?ll be moving to ?even? on other pools in the next few weeks, and hopefully, we?ll see some address saving.



The one vlan mapped to multiple subnets sounds interesting. mleja2. What are the sacrifices with this approach? How is mobility affected? When users re-IP, do they get the same subnet? How does this impact multicast? Any complications with other items, such as mDNS service advertisements? How does the controller perform in this model? How large have you scaled with this approach?

- Ryan -

Ryan -

 

While I was at Drexel, we ran one vlan for their 802.1x ssid. There were 4 subnets on the VLAN. It consisted of a bunch of /20, /21, and /22. I don't remember the specifics. As much as Aruba hated that we ran the network this way, there weren't any problems as long as we kept broadcast/multicast disabled.

 

Mobility seemed to be fine, as you could roam any where there was an access point and maintain the same L2 connection. With regards to subneting, you were never guaranteed to be in the same subnet. We didn't run multicast, so I can't speak to that.

 

With regards to the mDNS stuff, we didn't support that either. But, if two devices are in different L3 networks but on the same L2 network, then I don't see any problems. The recieving device (laptop) would be able to resolve the service device (AppleTV), and then be able to send traffic to it via the router.

My understanding is that you cannot do EVEN algorith if you are using L2 mobility only. We do not have L3 mobility enabled. Or was I misinformed?

In a controller stack (masters and its locals), we trunk all the client vlans to all the controllers. So, each controller has the same bridge table. We have L3 IP Mobility disabled. We have L2 VLAN Mobility disabled.

With ?even? algorithm, you have to also have ?Preserve Client VLAN? enabled in the virtual-ap. This will consult the bridge table BEFORE assigning a vlan to a client. If the client already is in the bridge table, then they?ll be placed into whatever vlan they were last assigned. This facilitates mobility across our controllers.

I know we all do things differently, but I hope this helps as a reference point.