Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

A better way for dynamic VLANs on an IAP cluster for shared SSID?

  • 1.  A better way for dynamic VLANs on an IAP cluster for shared SSID?

    Posted Dec 03, 2018 03:14 PM

    I am connecting several buildings on a campus via an Aruba 303-series IAP cluster. Each building is riding on its own VLAN, connected to each other with trunk ports that also carry a management VLAN.

    My goal with the Aruba cluster is to have each building layer-2 segregated, so that when users hop between buildings, they are riding the same SSID, but are getting dropped on the appropriate VLAN for the building.

    To solve the dynamic VLAN issue, what I have done is add some sort of description to the name of each AP in each building, suffixing the MAC address. So building 1 might be "ab:cd:ef:00:01-southeast", and building 2 is "ab:cd:ef:00:02-northwest". Then in the dynamic VLAN rules for the SSID, I have one that says "If AP-name contains 'southeast'", it drops them in VLAN X. If it's 'northwest', they get VLAN Y.

    This allows me to stick the user on the appropriate VLAN based upon the name of the AP they are hitting (there are multiple APs per building, which is fine since the MAC addresses differ). The buildings are far enough apart that they will never overlap.

    My question is: is there a better way to do this in a controllerless setup? From what I understand about zones, those aren't the answer, because then users can't ride the same SSID across each building (each zone has its own SSID?). I'm curious whether there is a more industry-standard way to do this.



  • 2.  RE: A better way for dynamic VLANs on an IAP cluster for shared SSID?

    EMPLOYEE
    Posted Dec 04, 2018 10:36 AM

    Are you using WPA-PSK or WPA-ENT with a RADIUS server for authentication?

    A NAC solution such as ClearPass would allow you quite flexible ways of dealing with role/VLAN assignment, based on several attributes.

    Built in with Instant you have the VLAN derivation mechanisms, like you are already using.

    Additionally, with the Zone enhancements introduced in 8.3.0.0 you can actually build something similar with Zoning. I recently did this for a customer with the same requirement (single IAP cluster across multiple buildings but different user VLAN IDs). 8.3.0.0 introduced the capability of an AP to be part of multiple zones.

    You could try the following and see if it satisfies your requirement:

    1. Assign a zone to each of your APs according to the building they are located in, let's say "Northwest" or "Southeast". This is a per-AP setting.
    2. Create two separate networks, name them e.g. "SSID-NW" and "SSID-SE", and configure the user VLAN as per your L2 setup.
    3. For both networks set the same ESSID name under "Basic > Show Advanced Options", e.g. "Student-Network".
    4. Associate network "SSID-NW" with Zone "Northwest" and "SSID-SE" with Zone "Southeast". This is also configured under "Basic > Show Advanced Options".
    5. Configure consistent authentication methods on both networks.

    APs will only broadcast the network(s) which are part of their zone, with the VLAN settings configured for this network. To the client both SSIDs will look the same.

    There is no "industry standard" addressing your scenario. Again, in the presence of a RADIUS server, you could play with RADIUS attributes to achieve the same.
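
An added worked example of the two layouts discussed in this thread (the original poster's AP-name derivation rule, and the zone-based setup from the reply above), written as Aruba Instant CLI configuration by the editor; it is not taken from either post. The command syntax (`wlan ssid-profile`, `set-vlan`, `zone`, `per-ap-settings`, `hostname`), the VLAN IDs 10 and 20, the full AP MAC addresses and the `<shared-psk>` placeholder are assumptions; confirm the exact keywords for your Instant version against `show running-config` on a cluster you already have, or the GUI pages named in the reply.

```text
! --- Approach 1: what the original poster runs today (assumed syntax) ---
! One network; a VLAN derivation rule keyed on the AP name.
! Caveat: the rule only fires if the AP carries the expected suffix. A
! replacement AP left with its factory name matches neither rule and its
! clients land on the profile's default VLAN (1 here), so audit AP names.
wlan ssid-profile Student-Network
 essid Student-Network
 type employee
 opmode wpa2-psk-aes
 wpa-passphrase <shared-psk>
 vlan 1
 set-vlan AP-Name contains southeast 10
 set-vlan AP-Name contains northwest 20

! --- Approach 2: zones, as described in the reply (Instant 8.3.0.0 or later) ---
! Step 1: each AP joins the zone for its building (per-AP setting).
! MAC addresses below are hypothetical.
per-ap-settings ab:cd:ef:00:00:01
 hostname ab:cd:ef:00:01-southeast
 zone Southeast
per-ap-settings ab:cd:ef:00:00:02
 hostname ab:cd:ef:00:02-northwest
 zone Northwest

! Steps 2-5: two networks, identical ESSID and authentication, each bound
! to exactly one zone and one user VLAN. An AP advertises only the
! network whose zone it belongs to, so a client sees one "Student-Network"
! everywhere but is bridged to the building's VLAN.
wlan ssid-profile SSID-SE
 essid Student-Network
 type employee
 opmode wpa2-psk-aes
 wpa-passphrase <shared-psk>
 vlan 10
 zone Southeast

wlan ssid-profile SSID-NW
 essid Student-Network
 type employee
 opmode wpa2-psk-aes
 wpa-passphrase <shared-psk>
 vlan 20
 zone Northwest
```

Step 5 in the reply matters more than it looks: a client stores one saved profile per ESSID, so if the two profiles above carried different passphrases, a device that joined in one building would fail to authenticate when it roamed into the other. Keep opmode and passphrase identical, and change them in both profiles at the same time. Either approach only places clients on a VLAN; it is not a substitute for inter-VLAN filtering at the central ingress/egress point if the buildings are meant to stay isolated from each other.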



  • 3.  RE: A better way for dynamic VLANs on an IAP cluster for shared SSID?

    Posted Dec 04, 2018 10:41 AM

    Hey, thanks for the reply.

     

    This is for a small farm, so there's no RADIUS server or anything. Just APs in different houses/buildings, with one central ingress/egress point. I thought about trying to get a RADIUS server up and running, but it would be overkill for this scenario.

    The way I have it running works fine; it's a handy little cheat. I just didn't know if there was a recommended way for doing this sort of thing.



  • 4.  RE: A better way for dynamic VLANs on an IAP cluster for shared SSID?

    EMPLOYEE
    Posted Dec 04, 2018 03:48 PM
    I found the zone approach to work quite well in this scenario. It takes an initial setup to map all APs to a zone but is easily extendable afterwards.