Hi All,
This thread is for those who are attending webinar on " Aruba Architecture and Boot process" conducted by TAC for Customers and Partners of different regions.
Since the number of registered participants is high, we were not able to answer your questions during the session. here are the answeres for all your questions.
Please feel free to post your questions on any Aruba product and any feature at any time, we will comeback shortly with the answeres.
Answers for today's questions :
1. Hi is instant Access point boot process same?
No. it is completely different. It don’t need to discover any controller to get provisioned. It will try to discover an other IAP in the same VLAN, if it finds any, it will form a cluster and start working.
2. How does the controller know DHCP's ip adress?
We have to configure “ip-helper address” on the user VLAN interface so that controller will relays the DHCP request to the Server.
3. How about PAPi , is it secure?
No. hence Aruba came out with CP-Sec to protect the PAPI traffic. Once CP-sec is configured properly, PAPI traffic will go through IPSec tunnel.
4. What if user with notebook will move to the other level, will he use the same IP or recive a new one?
If the same SSID is available at that level, client will retain the same address and continue, if not client will get a new IP address based on the VLAN mapped to that SSID.
5. If there is a master and local on the same subnet, will only the master reply to ADP messages?
Not necessarily. We can not predict it. Any of those controllers can respond, hence Aruba recommends to disable the ADP in multi controller deployment model. ADP is suitable for single controller model deployment.
6. Can you please explain how DHCP differentiate between AP and client IP addresses? Does DHCP server assign IP address to AP too?
Yes, AP will get IP address from the VLAN of its uplinked port like a wired client, where as a Client will be mapped to a different VLAN, VLAN depends VAP VLAN or User Role or SDR return attribute. If nothing is configured, client also gets an IP from the AP VLAN.
7. Do we have any option to influence a MTU size on an controll traffic (PAPI) like on a Data traffic(GRE)?
not possible.
8. One last question: is it possible to drop out the traffic local at the switch port where the AP is connected?
No. but if you block GRE on that port it may be possible :)
9. With control plane security the client traffic encapsulation is IPSEC? What about the control traffic then?
When we enable CP-Sec, there will be a IPSec tunnel between AP and the controller. Both Control and Data traffic will go through the IPsec tunnel. Please make a note, data traffic still GRE encapsulated.
10. Hi, regarding number of GRE tunnels, are you sure that it is just like you said? What about if SSID is in Bridge mode or in split-tunnel mode?
Good question. There will not be any GRE for a bridge mode SSID. GRE will tunnel will be created for a Tunnel mode and Split tunnel mode SSIDs.
11. How advisable is it for customer to have controller tunnel over WAN links back to a controller. Should we be advising them against this in favor of Local controllers.
Yes it is not recommended hence we terminate all APs on their local controllers so that traffic is processed locally.
12. Would you be discussing the split-tunnel and bridge mode scenarios? As many a times thats the requirement for remote office and bridge mode for the VLAN config....
We will cover this in my future sessions.
13. I recently did a WLAN rollout on a customer site. The APs had Layer 2 connectivity to the controller. I noticed a kind of reboot cycle on the APs for at least an hour. I was a kind of suprised that the APs suddenly worked after doing some other work. What happend in this time on the APs?
I’m not sure, but you can get some idea if you go through AP-debug logs
14. 150-200 users per VLAN, what do I do when I have a large conference with 1000 Users?
Simple. You have deploy multiple APs as per the requirement. Please refer to the dense deployment guide to understand this more clearly.
15. can we have HA deployment with 2 controllers.?
Why not ? we can configure HA with 2 controllers.
16. Can you roam from 802.11ac AP to 802.11n AP? Will this work without interruption?
Good question, it depends on the channel and MCS index etc..
17. does Aruba have a preference / advise on using control plane security or not? on airheads i often see people say as first step disable control plane security, but why would you in general.
Aruba always recommend to enable CP-sec, while debugging the issues we disable so that we can see the unencrypted traffic between AP and the Controller, once the issue is diagnosed, you have to enable the CP-sec again.
18. What is the method of checking AP boot when AP does not have console port.
Only way is through “show datapath session’ and “show ap-debug”
19. this is only for controller based ?
Yes what ever we have discussed is applicable to a controller based AP.
You have the DIP = 14.7 , but isn't the Controller called 14.6 ?
Question not clear.
20. With a local - master deployment the APs will contact the master first. Which ports should be allowed/forwarded on the firewalls?
We have to allow, UDP-8211, TCP-21/22, UDP-69, UDP-4500
21. I think that if AP is terminated on master or not is not question of default settings. It is question of DHCP reply option 43. AP could be previously pushed with not existing AP-Group but still will be able to terminate PAPI on master controller.
No. AP can not be prestagged on Master until and unless Master push the requested AP-group to the AP hence with factory default AP can request for only default AP-group so it cannot prestaged with out default AP-Group.
22. Not having 2 master and 2 local controllers
We can have 2 masters but one will active and other will be passive and we can have any number of Local controllers
23. what about Instant IAP
Boot process of an IAP is completely different, we will cover this in our future sessions.