
VLAN pools on 2930F's

  • 1.  VLAN pools on 2930F's

    Posted May 01, 2018 05:36 AM

    Hello all,

     

    I'm currently working on a deployment of 2930F access switches with ClearPass wired policy enforcement. I've followed the PDF version 2018-1 and may have bumped into a limitation of the current 16.05 firmware.

     

    To ensure scalability, all client subnets are sized up to 254 clients. Because some client types are above these limits we're adding more VLANs and subnets to hold them. Hence I'm trying to dynamically enforce VLAN distribution in either a round-robin or MAC-hash-based fashion, similar to how ArubaOS works with VLAN pools. Since VLAN pools are not supported by the switches running 16.05 I feel I have two choices:

     

    1. Increase subnet mask by a bit to account for extra clients in the same VLAN

    2. Introduce a new user-role with a different VLAN-ID in the switch and let ClearPass load balance based on radius input

    3. Wait for VLAN pooling to be introduced in the firmware? ;-)

     

    Anybody had any experience on the matter and if so, how did you solve it for your use case?

     

    I'm also curious which input I could use to balance VLANs, while keeping the ClearPass config clean and easy to read. I'd prefer to balance based on client info, so it keeps getting appointed to the same subnet when reconnecting. Client MAC address seems like a sensible attribute to base this on.



  • 2.  RE: VLAN pools on 2930F's

    Posted May 01, 2018 06:14 AM

    I recently resolved a similar problem by applying NAMED-VLAN-A for switch members 1 and 2 and NAMED-VLAN-B for switch members 3 and 4. You can configure this with a connection "starts with" filter in ClearPass.

     

    You can apply the same solution for individual switches or device groups. Just make some logical groups and apply a different VLAN to those groups from ClearPass. This way you never exceed /24 subnets.



  • 3.  RE: VLAN pools on 2930F's

    Posted May 01, 2018 07:16 AM

    Hello Fabian,

     

    Thank you for your input, this sounds like a reasonable solution!

     

    After some port counting I've concluded that a VSF stack of 4 members with each 48 access ports can hold a max of 192 clients, unless a bridge/switch is used. This is probably a reason for VLAN pools to not be introduced yet on the switching side of things.

     

    I will use a separate VLAN-ID instead per stack, attached to the same user-role that is being sent from ClearPass.
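
The MAC-based balancing idea from the first post, as an added example that is not part of the original thread and is not ClearPass or ArubaOS code: the client's MAC address is hashed to pick one VLAN from a pool, so the same client lands in the same subnet on every reconnect. The VLAN IDs and function names are hypothetical, and the sample MAC addresses are constructed.

```python
import hashlib
import re
from collections import Counter

VLAN_POOL = [110, 111, 112]   # hypothetical VLAN IDs, constructed for this example
SUBNET_CAPACITY = 254         # clients per subnet, the sizing used in the first post


def normalize_mac(mac):
    """Accept aa:bb:.., aa-bb-.., aabb.ccdd.eeff or aabbcc-ddeeff; return 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def vlan_for_mac(mac, pool=VLAN_POOL):
    """Deterministically map a MAC address to one VLAN of the pool."""
    digest = hashlib.sha256(bytes.fromhex(normalize_mac(mac))).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def pool_load(macs, pool=VLAN_POOL):
    """Count how many of the given clients each VLAN of the pool would receive."""
    counts = Counter(vlan_for_mac(m, pool) for m in macs)
    return {vlan: counts.get(vlan, 0) for vlan in pool}


def over_capacity(load, capacity=SUBNET_CAPACITY):
    """Return the VLANs whose client count no longer fits the subnet."""
    return [vlan for vlan, n in load.items() if n > capacity]


if __name__ == "__main__":
    # Constructed sample: 600 locally administered MAC addresses.
    sample = [f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(600)]
    load = pool_load(sample)
    print("clients per VLAN:", load)
    print("VLANs over capacity:", over_capacity(load))
```

Changing the number of VLANs in the pool remaps most clients to a different subnet. The MAC address is chosen by the client, so this mapping spreads load only and should not be relied on to keep a device out of a particular VLAN.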