Wireless Access

this is a pretty common scenario I believe, but I can't get my head around it fully yet.

location x where the APs and clients are located, IPs come from local DHCP server
location y where the controller is located
locations are not layer 2 connected, think MPLS or VPN or such

so how do i setup an aruba wireless network here? i got this to start with:
Controller: connected on network in location y, is reachable from whole network and can access whole network
APs: get IP from local DHCP server, via DHCP option they locate controller, build tunnel over MPLS to controller
client: connects to AP, DHCP request / reply via DHCP relay on the controller from the local DHCP server on location x (right?)

but now:
client has ip in local subnet and gateway to local subnet router, how can it reach that local subnet router, packets are tunneled to the controler right?

what is the best design in such a case?

If the requirement is that the clients should get an address from a network at the local location AND a requirement is that the control cannot, too, be local, it sounds like you'll be looking into having the ssid(s) in bridge mode, thus keeping the clients' traffic (including dhcp) local. You could be fancier and use split-tunnel mode, but that depends on what type of traffic you expect from clients.

thank you for the reply, am i correct in assuming that you don't use DHCP relay then either? just have the DHCP request / reply done on the local network? but then the APs have to be in the same local subnet as the clients for this?

Yes and no. Yes, in bridge mode, client dhcp traffic would remain local. But for APs, they do NOT need to be on the same subnet.

but how do you get the clients to recieve their IP by DHCP from another subnet then where the AP is in?

 

once the client has an IP, the traffic will be routed to where it needs to go, but the DHCP request will be bridged to the VLAN / subnet where the AP is in i assume. what can be configured to do that differently then?

If you want the clients to receive an ip address on the same subnet as the AP:

 

1.  Control Plane Security Must be on (unless you have that AP configured as a RAP)

2.  The forwarding mode of the Virtual AP must be bridged

3.  The Vlan of the Virtual AP must either be 1, OR match the Native Vlan ID in the AP system profile of that AP to bridge that client's traffic without tagging it.

 

The wireless client will get an ip address on the same subnet as the AP and the client's traffic will be routed based on the default gateway of that subnet, just like any other client that is plugged in wired.

thank you, quite clear as usual.

 

im just wondering about what ryan said, that the APs don't have to be in the same subnet as the clients with bridged mode. how would that work then? do i have to configure the vlan of the clients and make sure the AP is on a dot1q trunk with access to that vlan?

 

and DHCP relay doesnt do anything for bridged mode right?

---

@boneyard wrote:

thank you, quite clear as usual.

 

im just wondering about what ryan said, that the APs don't have to be in the same subnet as the clients with bridged mode. how would that work then? do i have to configure the vlan of the clients and make sure the AP is on a dot1q trunk with access to that vlan?

 

and DHCP relay doesnt do anything for bridged mode right?

---

Ryan is absolutely correct and yes, you would have to make sure that the AP is on a trunk.  The Virtual AP VLAN will determine what VLAN the users will appear on.

 

The DHCP relay is only significant on the VLAN that the client is bridged to.  So if you have a DHCP relay on a different subnet, that has no effect on the client.

 

thanks cjoseph and ryan, totally clear now.