Wireless Access

Currently we are using a single vlan pool with default roles. We are not using clearpass. We want to phase in AirGroup so we can monitor the traffic and usage, but with a single vlan pool it seems that we would have to turn it on for all vlans for it to work correctly. Am I missing something in the AP or AP group settings?

Airgroup is used to selectively allow advertisements to users, or groups of users.  Airgroup built into  the controller allows you to determine who sees what based on VLAN or User Group.  Using ClearPass Policy Manager, you can get as granular as ap-group or specific AP if you wanted.

But without ClearPass Policy Manager you cannot? Is that correct? We don't have clearpass and I've been told that I can turn it on by ap-group by our Aruba Engineer, but I don't think we can phase it in by ap-group with just the ArubaOS. 

Can we understand what you are trying to accomplish, first?

 

We want to phase in Airgroup so we can monitor MDNS traffic. It would be easy to do if we had our vlans seperated, but we are using a single vlan pool. If we were to turn on airgroup per vlan in a phased in approach we wouldn't be able to manage people in a single building being able to hit Airgroup. If we could turn it on per ap-group we could phase airgroup in by building because our ap-groups are building based. With that being said we don't have clearpass or a role management design that would be applicable in this case.

 

I have been told that I can just turn it on for all vlans and performance won't be effected, but in regards to testing traffic it is a risky approach to just turn it on all over our campus. Hence the question of turning it on by ap-group or restriciting it to certain ap-groups.

When you say monitor MDNS traffic, what do you mean?

 

Multicast traffic essentially. In relation to how this has been addressed in the previous environment it was a matter of turning on multicast between their vlans. From what I have heard described, Airgroup cuts a lot of that traffic out by identifying clients and servers so there really isn't much of an increase. Would you agree with that?

The idea of Airgroup is two things:

Proxy multicast requests so that users across subnets can see devices advertising services
Allow the administrator to turn on drop broadcast and multicast on the virtual ap and still support multicast DNS across subnets.

The problem with multicast DNS is when it is seen in the air, not necessarily on the wire. If you turn on drop broadcast and multicast on the virtual ap AND turn on air group you should be fine.

Thanks for the input. We already have drop broadcast and multicast on the virtual APs. It is just a matter of turning Airgroup on for all vlans (single vlan pool) to allow it to work in any building between client-server. I have just been using all my resources to gain insight into when we turn on Airgroup.

Well,

 

I hope I didn't just add to the confusion....

Not at all. I believe that we should be able to run Airgroup without any issue. Which I have had many Aruba sources tell me. I have just been advised to inquire about ways to phase it in before we try an all or nothing approach. Without clearpass it just looks like we have the option of turning it on by vlan. And with the single vlanpool it just backs use into a corner of doing it on all vlans or designing an alternative vlan structure. One way or another we will be turning it on! :smileyhappy:

Okay.  Upgrade to 6.3.1.6 first if you decide to do that.

 

Will do, thanks for the warning.