Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Adding 2nd 3600 controller to support more Access Points

  • 1.  Adding 2nd 3600 controller to support more Access Points

    Posted Feb 07, 2012 01:12 PM

    Hello, we currently have surpassed the 128 AP limit on our 3600 controller. We have 145 APs and have purchased a 2nd controller to accommodate the extra APs. I have added an IP address to the controller, set the firmware level the same as the 1st controller, and added 128 AP licences to the controller.

     

    I need some assistance on how to configure the 2nd controller from here. Do I configure this as a Local controller and set up the IPsec key with the Master controller? If this is the case, how do I then point at APs that are flagged IL to the new controller?

     

    Thanks!


    #3600


  • 2.  RE: Adding 2nd 3600 controller to support more Access Points

    Posted Feb 07, 2012 01:24 PM
    You should make the new controller a local controller to the original master. That way, all of the SSID, WLAN, VAP and other global configuration will be pushed to it. You will still need to create any DHCP scopes, VLANs and custom captive portals on the new controller (and possibly other local config, but I can't think of any right off the top of my head). You will also need to add the new controller to your RADIUS server(s) if you use them for authentication. To split the load, create two separate AP system profiles and assign the primary LMS IP of the existing controller to one of them and the IP address of the new controller as the LMS IP on the other. Then, create a new AP group, assign the AP system profile that points to the new controller to it and add all of the VAPs. When you provision the new APs, put them in the AP group that uses the AP system profile that points to the new controller. Make sense?


  • 3.  RE: Adding 2nd 3600 controller to support more Access Points

    Posted Feb 07, 2012 01:56 PM

    Please see the campus VRD at http://www.arubanetworks.com/pdf/technology/VRD_Campus_Networks.pdf for details on adding a controller as local and how to create separate AP groups with different AP system profiles to terminate APs on different controllers. As Olin said, once you have set up the controller as local, create a clone of the current AP group and change the AP system profile on the new AP group with an AP system profile which points the LMS IP to the local controller.

     

    Regards,

    Sathya



  • 4.  RE: Adding 2nd 3600 controller to support more Access Points

    Posted Feb 09, 2012 10:46 AM

    Thank you for the assistance. I am working on configuring this controller remotely so I want to tread lightly here since the controller is located a few states away from me. So my understanding is, I need to create a new ap system profile and set the lms IP to the secondary controller, then create a new ap group pointing to the new ap system profile.

     

    Here is the current config

     

    ------current config----------------------------- 


    ap system-profile "apsys_prof-zzo23"

     

    ap-group "JJJ"
       virtual-ap "JJJPublic-vap_prof"
       virtual-ap "JJJNetwork-vap_prof"
       virtual-ap "LanTest-vap_prof"
       ap-system-profile "apsys_prof-zzo23"
       dot11a-traffic-mgmt-profile "QOS"
       dot11g-traffic-mgmt-profile "QOS"
       ids-profile "ids-disabled"

     

    -----end current config-------------------------

     

     

    so is it correct to assume I need to add the following

     

    ----------------------------------------------------------

     

    ap system-profile "apsys_prof-secondary"
       lms-ip 10.8.200.110

     

    ap-group "JJJSecondary"
       virtual-ap "JJJPublic-vap_prof"
       virtual-ap "JJJNetwork-vap_prof"
       virtual-ap "LanTest-vap_prof"
       ap-system-profile "apsys_prof-secondary"
       dot11a-traffic-mgmt-profile "QOS"
       dot11g-traffic-mgmt-profile "QOS"
       ids-profile "ids-disabled"

     

    -------------------------------------------------------------

     

     

    and then finally provision my selected aps in the new secondary ap group...

     

    thanks



  • 5.  RE: Adding 2nd 3600 controller to support more Access Points

    Posted Feb 09, 2012 10:53 AM

    That's it.  You should consider some type of redundancy, though.  Maybe have a 3rd controller and put its IP address in each of the AP system profiles as the backup LMS IP.

     

    Also, make sure you have the same set of VLANs on both controllers or use a VLAN pool name in the VAP that is the same on both controllers. 



  • 6.  RE: Adding 2nd 3600 controller to support more Access Points

    Posted Feb 09, 2012 10:58 AM

    Thanks olino.

     

    Yes, I do have the VLANs added to the second controller and I can ping the wireless VLAN IPs from the LAN.

     

    One question, I noticed the original ap system group does not have a LMS ip specified. Does this default to the Master controller in this situation?

     

    Thanks again for the assistance!



  • 7.  RE: Adding 2nd 3600 controller to support more Access Points

    Posted Feb 09, 2012 11:31 AM

    I moved a few access points to the new AP group.

     

    If I look at the master controller everything looks fine (no flags) but if I sign in to the secondary controller the APs I moved are coming up with a flag of "I" - inactive. Any idea as to what could be causing this issue?



  • 8.  RE: Adding 2nd 3600 controller to support more Access Points

    Posted Feb 09, 2012 11:38 AM

    Here is a little more information from the log

     


    Feb 9 11:01:40 stm[1458]: <305004> <ERRS> |stm| AP d8:c7:c8:c1:b1:59: wlan virtual-ap "JJJNetwork-vap_prof" is invalid.
    Feb 9 11:01:41 stm[1458]: <305004> <ERRS> |stm| AP d8:c7:c8:c1:b1:59: wlan virtual-ap "JJJPublic-vap_prof" is invalid.

     

     

     



  • 9.  RE: Adding 2nd 3600 controller to support more Access Points

    EMPLOYEE
    Posted Feb 09, 2012 11:58 AM

    Did you create the VLANs on that second controller?

     



  • 10.  RE: Adding 2nd 3600 controller to support more Access Points

    Posted Feb 09, 2012 12:12 PM

    Yes I created the VLANs and I am able to ping the IP addresses I assigned to those vlans from the LAN. Thanks!



  • 11.  RE: Adding 2nd 3600 controller to support more Access Points

    Posted Feb 09, 2012 12:26 PM

    I think I may have found the issue. The VLAN Pools were automatically created on the secondary controller but there are no VLAN IDs in those pools.

     

    I added the VLAN IDs to the pools and the inactive flags went away.

     

    Thanks again for the help!
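
The 305004 errors quoted in post 8 and the empty VLAN pools found in post 11, as an added example that is not part of the original thread: a small Python triage that groups the "is invalid" records by AP and virtual AP, so a partly configured local controller stands out before more APs are moved to it. The sample log is constructed (the thread's two lines plus made-up ones), and the function names and `GROUP_VAPS` are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two records from the thread, one repeat, one record
# for a made-up second AP, and one made-up unrelated line.
SAMPLE_LOG = """\
Feb 9 11:01:40 stm[1458]: <305004> <ERRS> |stm| AP d8:c7:c8:c1:b1:59: wlan virtual-ap "JJJNetwork-vap_prof" is invalid.
Feb 9 11:01:41 stm[1458]: <305004> <ERRS> |stm| AP d8:c7:c8:c1:b1:59: wlan virtual-ap "JJJPublic-vap_prof" is invalid.
Feb 9 11:01:41 stm[1458]: <305004> <ERRS> |stm| AP d8:c7:c8:c1:b1:59: wlan virtual-ap "JJJPublic-vap_prof" is invalid.
Feb 9 11:02:03 stm[1458]: <305004> <ERRS> |stm| AP 00:11:22:33:44:55: wlan virtual-ap "JJJPublic-vap_prof" is invalid.
Feb 9 11:02:10 example[1]: constructed unrelated line
"""

# Virtual APs assigned to the AP group in the thread's posted config.
GROUP_VAPS = ["JJJPublic-vap_prof", "JJJNetwork-vap_prof", "LanTest-vap_prof"]

INVALID_VAP = re.compile(
    r'<305004> <ERRS> \|stm\| AP (?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}): '
    r'wlan virtual-ap "(?P<vap>[^"]+)" is invalid\.'
)

def parse_invalid_vaps(log_text):
    """Return {ap_mac: {vap_name, ...}} for every 305004 'is invalid' record."""
    per_ap = defaultdict(set)
    for line in log_text.splitlines():
        match = INVALID_VAP.search(line)
        if match:
            per_ap[match.group("mac").lower()].add(match.group("vap"))
    return dict(per_ap)

def triage(log_text, group_vaps):
    """Per AP: which of the group's VAPs were rejected and which were never logged."""
    wanted = set(group_vaps)
    return {
        mac: {"invalid": sorted(bad & wanted), "not_logged": sorted(wanted - bad)}
        for mac, bad in sorted(parse_invalid_vaps(log_text).items())
    }

def vaps_by_ap_count(log_text):
    """VAPs ordered by how many distinct APs reported them invalid."""
    seen = defaultdict(set)
    for mac, vaps in parse_invalid_vaps(log_text).items():
        for vap in vaps:
            seen[vap].add(mac)
    return sorted(((v, len(m)) for v, m in seen.items()), key=lambda t: (-t[1], t[0]))
```

A virtual AP that is rejected on every AP terminating on one controller, while another virtual AP in the same group is never logged, points at configuration local to that controller rather than at the APs.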



  • 12.  RE: Adding 2nd 3600 controller to support more Access Points

    Posted Feb 09, 2012 03:55 PM

    Everything is working fine with the exception of RADIUS authentication. The individual who set up the 1st controller and radius server no longer works with the organization and I do not know the RADIUS shared key.

     

    Would it be possible for me to quickly change the shared key on both 3600 controllers and the RADIUS server and not have the users experience any downtime?

     

    I'm a little nervous about doing this remotely and want to make sure I'm not going to break something.

     

    Thanks again! I'm getting really close here.



  • 13.  RE: Adding 2nd 3600 controller to support more Access Points

    EMPLOYEE
    Posted Feb 09, 2012 04:31 PM

    SSH into the controller and get into enable mode.

     

     

    You can go on the commandline and type "encrypt disable".

     

    Then you can type "show aaa authentication-server radius"

     

    When you see the list of radius servers, you can type "show aaa authentication-server radius <name of radius server>" to see the key.

     



  • 14.  RE: Adding 2nd 3600 controller to support more Access Points

    Posted Feb 09, 2012 12:38 PM

    Yes, the primary group will default to the controller IP if it is not specified in the AP system profile.  I would go ahead and put the IP address in anyway, just so things are very predictable.
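
The AP group clone from post 4 and the explicit LMS IP advice in post 14, as an added example that is not part of the original thread: a Python check that parses the posted stanzas, resolves which LMS IP each AP group terminates on, and lists virtual APs the clone is missing relative to the original group. The config is constructed from the thread's stanzas with one virtual AP deliberately left out of "JJJSecondary"; `parse` and `audit` are hypothetical helper names.

```python
import shlex

# Constructed sample: the stanzas posted in the thread, merged into one config.
# "LanTest-vap_prof" is left out of "JJJSecondary" on purpose to show drift.
CONFIG = '''
ap system-profile "apsys_prof-zzo23"
ap system-profile "apsys_prof-secondary"
   lms-ip 10.8.200.110
ap-group "JJJ"
   virtual-ap "JJJPublic-vap_prof"
   virtual-ap "JJJNetwork-vap_prof"
   virtual-ap "LanTest-vap_prof"
   ap-system-profile "apsys_prof-zzo23"
   ids-profile "ids-disabled"
ap-group "JJJSecondary"
   virtual-ap "JJJPublic-vap_prof"
   virtual-ap "JJJNetwork-vap_prof"
   ap-system-profile "apsys_prof-secondary"
'''

def parse(config):
    """Split an indentation-structured config into {(kind, name): [child tokens]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        tokens = shlex.split(raw)
        if not raw[0].isspace():          # unindented line opens a stanza
            current = stanzas.setdefault((" ".join(tokens[:-1]), tokens[-1]), [])
        elif current is not None:         # indented line belongs to the open stanza
            current.append(tokens)
    return stanzas

def audit(config, reference_group):
    """Per ap-group: resolved LMS IP and VAPs missing versus the reference group."""
    stanzas = parse(config)
    def vaps(group):
        return {t[1] for t in stanzas[("ap-group", group)] if t[0] == "virtual-ap"}
    report = {}
    for (kind, name), children in stanzas.items():
        if kind != "ap-group":
            continue
        prof = next((t[1] for t in children if t[0] == "ap-system-profile"), None)
        lms = next((t[1] for t in stanzas.get(("ap system-profile", prof), [])
                    if t[0] == "lms-ip"), None)
        # "unset": per post 14 the group then falls back to the controller IP.
        report[name] = {"lms_ip": lms or "unset",
                        "missing_vaps": sorted(vaps(reference_group) - vaps(name))}
    return report
```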