New APs in a Master/local

  • 1.  New APs in a Master/local

    Posted Feb 05, 2020 09:38 AM

    Hi,

    I have a Master/local setup: 2 Masters and some sites with 1 or 2 local controllers. All the APs are on the local controllers.

    The APs have a VLAN in the local site, not extended to the central (Master controller).

    When we deploy new APs I have a lot of problems configuring them, so I have some questions:

    - I need to route the local AP_VLAN to have access to the master controller. The APs need to be added to the master controller and later I assign an AP_Group.

    - Is it possible to do this with a GRE tunnel?

    - Which is the best or usual configuration for this deployment?

    Normally I use IAPs and need to convert them first...

     

    Thanks in advance!

    Samuel

     



  • 2.  RE: New APs in a Master/local

    Posted Feb 05, 2020 09:55 AM

    Hi Samuel,

     

    I normally use DNS or DHCP to point the APs to the correct controller.

    With DNS, I would configure an entry for "Aruba-master" which would point to the management IP of the controller, in your case the local controller.

    If you did not want to use DHCP or DNS, then you can use Aruba Discovery Protocol (ADP). Aruba APs send out periodic multicast and broadcast queries to locate the master controller; however, this is a layer 2 protocol and in your case wouldn't work, but you could put the APs on the same L2 network and then move them once they have been provisioned on the controller.

    My preferred way of doing this, however, is using DHCP option 43 and 60 as below:

    DHCP Option 43 =  <IP of Controller>

    DHCP Option 60 = ArubaAP

     

    With the newer APs, if they are factory default they discover the controller in the following order:

    statically assigned IP / DHCP / ADP / DNS

     

    Thanks,

     



  • 3.  RE: New APs in a Master/local

    Posted Feb 05, 2020 11:06 AM

    Hi Ben,

     

    Thanks for your answer!!!

    The DHCP for the local APs is on the local controller, so I can configure options 43 and 60, but...:

    Do I use option 43 with the local or master IP address?

    Because the local AP_VLAN is not routed to the master controller.

    I don't know if the local controller redirects the traffic to the master controller, or if I need to route it or create a GRE L3 tunnel....

    If it is an IAP, can I convert it to an AP using the IP of the local controller?

    The problem with putting the AP in the same L2 as the master controller first is that these controllers are in the DMZ in another location with an L3 firewall in between.

     

    Thanks,

    Samuel



  • 4.  RE: New APs in a Master/local

    Posted Feb 05, 2020 11:13 AM

    Hello,

     

    You can indeed add the DHCP options on the local controllers, and yes, you can convert using the IP of the local controller (assuming the APs are meant to terminate on the local controllers).

    Should the APs terminate on the local controller, you do not need to tunnel them back to the master controller, as everything is handled locally except the controller configuration, which you do on the master controller, which in turn pushes it to the local controller to deploy on the APs. Provisioning you can do on the local controller.

    I did suspect you wouldn't be able to put the APs in the same L2 as the controllers; however, I felt like I should put the option in, as it is valid in some scenarios.



  • 5.  RE: New APs in a Master/local

    Posted Feb 05, 2020 04:01 PM

    Here is a link to a response I made last year regarding the AP boot process. This may help in addition to the other responses (which are good).

     

    https://community.arubanetworks.com/t5/Wireless-Access/What-is-the-correct-way-to-add-new-Aruba-AP-345/m-p/537350/highlight/true#M91661

     

    I hope this helps,



  • 6.  RE: New APs in a Master/local

    Posted Feb 06, 2020 02:29 AM

    Thank you Ben and Wescott.

    The APs are in L2 with the local controller, but this VLAN_AP is not routed to the master controller. When the AP is in the AP-Group all is working fine, but when the AP is new, first of all the AP needs to associate to the master controller, and at this moment I have problems.

    So the question is:

    Is it necessary that the local VLAN_AP is routed to the master controller?

    Or does the AP detect the local controller, and is it this controller that redirects the traffic to the master controller?

    I will try to do some tests in the network and update later :)

     

    thanks!!!

    Samuel



  • 7.  RE: New APs in a Master/local
    Best Answer

    Posted Feb 06, 2020 09:55 AM

    Forgive me for going through this again, but I want to make sure we are discussing and understanding each of the key pieces. So let's walk through this step-by-step to try to decipher your problem. 

     

    When an AP boots, it needs 6 pieces of information:

     

    - IP Address
    - Subnet Mask
    - Default Gateway
    - AP Name
    - AP Group
    - IP address of the controller the AP will initially communicate with

     

    IP address/subnet mask/default gateway are typically received from DHCP (let's make sure the AP is getting all three pieces). The name of a new AP will be the MAC of the Eth 0 port on the AP, the group will be 'default'.

     

    Once those 5 pieces are obtained or set, the initial controller is obtained in the following order:

    - statically configured
    - DHCP option 43/60
    - Aruba Discovery Protocol (ADP) multicast and broadcast
    - DNS

     

    The initial controller does not have to be the Master controller. It can be any controller. This variable dates back to ArubaOS 2.x, when it did have to be the Master; now it is just the value of the controller with which the AP will initially communicate to download its LMS-IP address. If you set this value manually on the AP, the command is "setenv master x.x.x.x" (x.x.x.x = IP address of a controller), but even though the variable name is master, it can point to a local controller. If "setenv master" is not set, then the other methods are used. DHCP option 43/60. DHCP option 60 should be set to "ArubaAP". If DHCP option 60 is not specified, then the AP will send multicast requests (IP 239.0.82.11) and broadcasts to find a controller on the VLAN that the AP has an IP address on.

    You can console into an AP and intercept and stop the boot, go into the apboot> prompt and type "dhcp" to trigger DHCP and see what IP address the AP gets. Also from a console, if the AP is at the ~# prompt, you can type "ipconfig" to see what address the AP has received after it has gone through the boot process. At the ~# prompt you can also use ping to see if the AP can ping devices on the VLAN, including the local controller.

    After the AP boots and gets all of this information, the initial controller, the one that it discovers or is pointed to, is used to provide the AP with the LMS-IP address. The LMS-IP is the address of the controller where the AP will download its config from and then terminate its GRE tunnel to. So the AP communicates with the LMS-IP controller, downloads its config, and terminates its GRE.

     

    Here is a good link that explains some of this.

    https://www.flomain.de/2018/02/unified-aruba-controller-discovery/

     

    I hope this helps,
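
Added example, not part of the original thread and not Aruba's code: a Python check that applies the discovery order described in the answer above to the options field of a captured DHCP offer, so you can confirm which controller a factory-default AP would be pointed at. The sample bytes are constructed, and accepting option 43 as either a 4-byte address or an ASCII dotted quad is an assumption.

```python
import ipaddress

ARUBA_VCI = b"ArubaAP"  # option 60 value quoted in the thread

# Constructed sample: options field of a DHCP offer (after the magic cookie).
SAMPLE_OFFER = (bytes([53, 1, 2]) + bytes([60, 7]) + ARUBA_VCI
                + bytes([43, 10]) + b"192.0.2.10" + bytes([255]))

def parse_dhcp_options(raw):
    """Walk code/length/value triplets; 0 is Pad, 255 is End."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = value
        i += 2 + length
    return opts

def controller_from_option43(value):
    """Assumption: value is a 4-byte binary address or an ASCII dotted quad."""
    try:
        if len(value) == 4:
            return ipaddress.IPv4Address(value)
        return ipaddress.IPv4Address(value.decode("ascii").strip())
    except ValueError:  # covers AddressValueError and UnicodeDecodeError
        return None

def discovery_source(static_master, offer_options):
    """Return (method, controller) in the order given in the thread."""
    if static_master:  # "setenv master x.x.x.x" wins over everything else
        return ("static", ipaddress.IPv4Address(static_master))
    opts = parse_dhcp_options(offer_options)
    controller = controller_from_option43(opts.get(43, b""))
    if opts.get(60) == ARUBA_VCI and controller is not None:
        return ("dhcp", controller)
    return ("adp-then-dns", None)  # ADP on the AP's own VLAN, then DNS

if __name__ == "__main__":
    print(discovery_source(None, SAMPLE_OFFER))
```

A result of "adp-then-dns" for an AP on a routed VLAN means the AP only has the DNS lookup left to reach a controller, since ADP stays on the AP's own VLAN.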



  • 8.  RE: New APs in a Master/local

    Posted Feb 06, 2020 11:15 AM

    Hi David,

     

    Yes, this helps me a lot!!!

    Now I confirm the situation and the configuration is OK.

    I will deploy a new site and I understand perfectly all that you explained.

    I had some problems in some other site, but maybe it was another issue, not the configuration.

    Thanks a lot! I will confirm in a few days that all is working fine!

    Samuel 

     



  • 9.  RE: New APs in a Master/local

    Posted Feb 20, 2020 04:09 AM

    Hi,

     

    Finally I found "my" solution.

    I have configured the AP VLAN on the local controller without routing to the Master controller, so when I try to deploy new APs I can't.

    So either I route the local AP VLAN to the master (not easy in all infrastructures) or... I use NAT on the WLC AP VLAN, and with this the APs can access the master controller.

    So I convert the IAPs and register the new APs without any issue.

    But take care with the NAT, because I only use it to deploy new APs and disable it later, because if not... the AP connection has access to all the routed networks, and if someone removes an AP and connects a PC to this network point... it has access to everything.

     

    thanks!!!

    Samuel