Wireless Access

I've a question regarding the conversion from IAP aruba instant AP to be managed by a mobility controller ,

I've 10 IAP-207 APs running on aruba-os 6.5.2.0 , i can manage them from a webpage through the ip of the master AP , automatically elected

.

The 10 APs are connected to Aruba/HP 2920 switch , each port of the switch which is connected to an AP is tagged in vlan 5 , 10 , these vlans are also created on the APs each vlan is for specific SSID wireless network .

And on the switch  each vlan has an uplink port "untagged" to the firewall lan ports .

Now i will deploy the "aruba controller 7010" to manage these APs , the question here is how the physical connection between the APs , the controller and  the switch be like ?

, also is there a software required for the controller or it will be managed through a webpage , and how i can

 create 2 wireless networks on the controller each with a separate  uplink to the firewall as each port of the 2 firewall lan ports is the DHCP server for each vlan,

 Also can i use the lan ports on the controller as uplinks to the firewall to avoid using the standard uplinks 1000base-x ports ?

When you convert IAPs to campus APs, by default they tunnel all of their  user traffic to the controller.  The controller will then send the user traffic out one of its interfaces on the VLAN that they need to be in.

For example:

With IAP, you need to trunk all of the user VLANs needed to all of the APs.  

With a controller, you just trunk the controller itself to a layer 3 switch and tag any of the user VLANs you need.  All of the Campus APs tunnel all user traffic to the controller and the controller will place the

user VLAN onto the correct VLAN.  The access points would only need to be on an access port, and obtain an ip address that can route/forward the traffic to the controller.  The controller will then send the user traffic out on whatever VLAN is needed for that WLAN...

I hope this helps..

in my situation , the APs ports are tagged in vlan 5 , 10 , and untagged in vlan 15 to get a DHCP ip for management , you mean during the conversion i have to make these switch port only untagged in vlan 15 and make the switch port connected to the controller also untagged in vlan 15 to be in the same subnet and reachable by the AP and tagged in vlan 5 , 15  ? also i will create the WLAN networks again from the controller after the conversion or these networks will automatically appear on the controller's dashbaord , 

Attachment(s)

hpswconfig.txt   849 B 1 version

Hi , 

while converting the IAP to AP "managed by mobility controller " , which ip of the controller should i write in the field of "ip or host name fo the mobility controller"  , is it the management ip of the controller which has a defualt value of 172.16.0.254 or it can be any ip reachable by the IAP 
ie an ip of the same subnet and VLAN ID as the IAP management IP ?

An ip address that is routable to the IAP.  If 172.16.0.x is not routable, you need an address that is routable.

Ok thank you very much ,

and after the conversion to campus AP , the APs will appear in the controller dashboard and i have to go to AP installation and provision them by assigning them to a AP group and then create the wireless SSID . ? also i had to enter the license before the above steps ?
also should i put the access points in a whitelist ?

is there any other steps should i do to complete the conversion process?

You will need to add the licenses to the controller before trying to convert.  If you are using CPSec then you will need to add the devices to the whitelist before converting.  Once the APs are converted they will come up in the default group.  You will need to provision the access points to the appropriate AP group.

Also i need to configure 2 ssid on vlan 5 and vlan 10 respectively , in this case i will create 2 virtual AP for each ssid  ? also the controller will be connected to a switch using trunk port , the switch is then connecrted to a firewall ,should i configure a gateway/ ip helper address for each vlan on the controller or it is enough on the switch ?

the instant access points get dhcp ip from the firewall , after conversion they can also take dhcp ip from firewall or it's mandatory that the controller become their dhcp server ? 

It is not mandatory for the controller to be the DHCP server.  

now i configured the controller with vlan 5 and 10 trunk for SSID creation 
and vlan 15 access for AP reachability , i can ping all the IPs of the controller from the firewall and vice-verca, also the AP can ping the controller's IP in vlan 15 . 
i made the ip of the controller in vlan 15 static ip to be the switch ip of the controller to be reached by the AP 
also i made the ip in vlan 5 and 10 DHCP from the firewall and they successfully took IPs from the firewall . but i can't ping the internet (8.8.8.8) from any interface from the controller . is this normal ? or should i configure static routes for each trunk vlan (5 ,10 ) ? or what is the solution? 
note : everything is allowed from the firewall 

now the controller sees the internet . after adding the firewall lan ip as a default gateway . but only one vlan from the controller can see the internet. the one which has the default gateway of the lowest cost.

could you please tell me what to do in order both vlans 5 and 10 can reach the internet at the same time ?

i tried to convert to campus ap but the conversion failed because the os of ap is higher version than on the controller . 
os version of AP : 6.5.2.0

os version of controller : 6.4.3.4

please send me os version to be installed on the AP and be compatible with os on the controller 

What model IAP is it?

According to the AP-207 datasheet here:  http://www.arubanetworks.com/assets/ds/DS_AP207Series.pdf it requires 6.5.1.0 to be running on the controller.

but in this case it will be a higher version of the controller 
could you be please send me this image in mail

Controller-based images require a support login.  If you have one, please download it from here:  https://support.arubanetworks.com/DownloadSoftware/tabid/75/DMXModule/510/Default.aspx?EntryId=22049

Thank you very much , after upgrading the controller to 6.5.3.1 , the conversion process completed successfully , but still have the same problem that only one vlan interface from the controller can ping the internet , the vlan which have default gateway with lowest cost . i need both vlans to reach the internet because i created 2 ssids , one on each vlan . what is the configuration that should be done to solve this issue 

Why do you have two default gateways?

fisrtly i didn't set any default gateway , as there is a ip helper address on the switch for each vlan 
on the switch vlan 5 has the ip 192.168.5.2 and the helper address  for this vlan is an interface of the fortigate firewall with ip 192.168.5.1
vlan 10 on the switch has ip 192.168.10.2 and helper address 192.168.10.1 the controller has these 2 vlans and has an ip in each vlan and trucked to the switch . there was no internet until i set a default gateway and pinged from the vlan interface of the controller .the ping success from a vlan interface only if a only one  gateway is configured for this vlan or multiple gateways but it must be with the least cost to be able to reach the internet . 

Please start another thread about this.  This thread is labeled "Converting IAP into controller managed AP".

waiting for your reply as the conversion process will be tomorrow