Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Riddle me this.....

  • 1.  Riddle me this.....

    Posted Jan 27, 2012 08:14 AM

    The aim is to allow remote users (from a remote site) to connect to RAPs which they take home so they can connect to internal resources at their remote site. These RAPs terminate in the network core (on the active master controller) and the particular site does not have a local controller.

     

    · The VLAN for a particular site is VLAN 888.
    · We have configured an AP group for this school which puts wireless clients into VLAN 888.
    · VLAN 888 is different on core switch 1 to VLAN 888 on core switch 2.  
    · Controller 1 is patched into core switch 1.
    · Controller 2 is patched into core switch 2.
    · The correct VLAN 888 that wireless clients for this particular school need to be put into is on core switch 2.

     

    The controllers are configured in a Master-Master redundancy method.
     

    · Controller 1 is the current active master.
    · Controller 2 is the current standby master.

     

    How would you recommend to proceed?



  • 2.  RE: Riddle me this.....

    EMPLOYEE
    Posted Jan 27, 2012 07:39 PM

    @jrwhitehead wrote: [quotes post 1 in full]


    To give you the full range of options, I suggest you take a look at the Virtual Branch Networking Validated Reference Guide here:  http://www.arubanetworks.com/pdf/technology/VBN_VRD.pdf

     

    It will answer your questions as well as give you approaches you might want to take.



  • 3.  RE: Riddle me this.....

    Posted Jan 29, 2012 11:28 AM

    Think I'd need to see a diagram to comment properly. I think I get what you're saying but I'm not sure! cjoseph is right of course, but I like to tinker, and I'd be inclined (if this ISN'T a production system of course) to try knocking a GRE or IPSEC between the two controllers, and then mismatching VLANs end to end. That tends to be a little tricky in itself between a master and standby, as they have an established ipsec for syncing stuff etc (so it tends to confuse them). It probably wouldn't be so much of an issue if the other controller was a local. Can't you turn it into one, or does your design need the standby?

     

    My idea would be something like... At the end where your standby is, connect a single port into the switch 2 on the "real" vlan 888 (access mode in Cisco terms). Tell the standby controller that this cabled port is VLAN 777 (again "access" (untagged)). Then pull VLAN 777 through a GRE from the standby to the master (i.e. create a bridge). Then change your AP group on the master so the VAP ties to 777. Might work??? Of course this is a bit messy, but hey, you asked for ideas!

     

    Cheers.

     

     

     



  • 4.  RE: Riddle me this.....

    EMPLOYEE
    Posted Jan 29, 2012 11:49 AM

    the.racking.monkey,

     

    Thanks for getting me to re-read that.

     

    So if you want users to end up in one VLAN if they are on the master and another VLAN when they are on the backup master, it is best that you use "Named" VLANs.

     

    Named VLANs will allow you to define a NAMED VLAN on the master controller, and assign that to the Virtual AP.  At the local controller level, you can define the actual VLANs that a named VLAN or named VLAN pool will be assigned to.

     

    - VLAN numbers are local, but VLAN names are global.

     

    You can create a VLAN name, which will only take a single VLAN, or create a VLAN pool, which will allow you to add multiple VLANs:

     

    Single VLAN name creation:

    (host) (config) #vlan-name nvlan
    (host) (config) #vlan nvlan 2

    VLAN pool creation with name:

    (host) (config) #vlan-name nvlanpool pool
    (host) (config) #vlan nvlanpool 2,4,5-10

    (host) (config) #show vlan mapping

    VLAN Name   Pool Status  VLAN IDs
    ---------   -----------  --------
    nvlan       Disabled     2
    nvlanpool   Enabled      2,4-10

    Assign a VLAN pool to a Virtual AP:

    (host) (config) #wlan virtual-ap test
    (host) (Virtual AP profile "test") #vlan nvlanpool

    Here is how it looks in the GUI:

    [screenshot pool.jpg: VLAN pool assigned to the Virtual AP; image not included]

     

    For example, the Virtual AP for schools will have a named VLAN of "student".  On the master controller that named VLAN of "student" will be 888.  On the backup master that named VLAN of "student" will be 777.  So the VLAN number that a student ends up in will be determined by what controller the AP is on.  If you add a local, for example, the VLAN name "student" can be yet another VLAN number.

     

    Caveat#1:  Named VLANs cannot be applied to bridged or split-tunneled Virtual APs.

    Caveat#2:  You also must create the VLANs on the controller before they are assigned to a VLAN name or VLAN pool.

     

    To see any errors, use show profile-errors:

     

    (host) (config) #show profile-errors
    
    Invalid Profiles
    ----------------
    Profile                         Error
    -------                         -----
    ap wired-ap-profile "test"      Named VLAN "nvlan" does not exist.
    aaa profile "test"              User derivation rule "test" is invalid
    aaa server-group "test"         Named VLAN "nvlan" is removed
    aaa derivation-rules user test  Named VLAN is invalid
    

     

     

     

    Does that make sense?

     

     

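The named-VLAN approach above only works if every controller an AP can fail over to defines the same VLAN name and has actually created the VLAN IDs it maps to (caveat #2). The script below is an added example, not code from the thread or from HPE Aruba Networking: it parses constructed `show vlan mapping` text from a master and a backup master, expands ID lists such as `2,4,5-10` the way the controller displays them, and reports any named VLAN a Virtual AP references that is either undefined on a controller or mapped to a VLAN ID that was never created there. The sample mappings, VLAN ID sets and the `student` Virtual AP name are assumptions built to reproduce the failure case.

```python
"""Cross-controller named-VLAN consistency check.

Added example for this thread; it is not code from the post or from HPE Aruba
Networking. It takes the text of `show vlan mapping` from each controller plus
the set of VLAN IDs actually created there (what `show vlan` would list) and
checks that every named VLAN a Virtual AP references resolves on every
controller the APs may land on, and that the resolved IDs exist (caveat #2).
"""
import re

# Constructed sample output, modelled on the `show vlan mapping` table in the
# thread. "student" is the named VLAN the VAP uses: 888 on the master, 777 on
# the backup master.
MASTER_VLAN_MAPPING = """\
VLAN Name   Pool Status  VLAN IDs
---------   -----------  --------
nvlan       Disabled     2
nvlanpool   Enabled      2,4-10
student     Disabled     888
"""

BACKUP_VLAN_MAPPING = """\
VLAN Name   Pool Status  VLAN IDs
---------   -----------  --------
nvlan       Disabled     2
nvlanpool   Enabled      2,4-10
student     Disabled     777
"""

# Constructed VLAN ID sets (what `show vlan` would list). 777 is deliberately
# absent on the backup master to reproduce the caveat #2 failure.
MASTER_VLANS = {1, 2, 4, 5, 6, 7, 8, 9, 10, 888}
BACKUP_VLANS = {1, 2, 4, 5, 6, 7, 8, 9, 10}

# Named VLANs referenced by the Virtual AP(s) pushed from the master (assumed).
VAP_NAMED_VLANS = ["student"]


def parse_id_list(spec):
    """Expand an ArubaOS ID list such as '2,4,5-10' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ids.update(range(int(lo), int(hi) + 1))
        else:
            ids.add(int(part))
    return ids


def parse_vlan_mapping(text):
    """Parse `show vlan mapping` output into {vlan_name: set(vlan_ids)}."""
    mapping = {}
    row = re.compile(r"^(\S+)\s+(Enabled|Disabled)\s+([\d,\s-]+)$")
    for line in text.splitlines():
        m = row.match(line.strip())
        if m:  # header and dashed separator lines do not match
            mapping[m.group(1)] = parse_id_list(m.group(3))
    return mapping


def check_named_vlans(vap_named_vlans, controllers):
    """Return (controller, named_vlan, problem) tuples; empty means consistent.

    controllers: {controller_name: (vlan_mapping_text, existing_vlan_ids)}
    """
    findings = []
    for ctrl, (mapping_text, existing) in controllers.items():
        mapping = parse_vlan_mapping(mapping_text)
        for name in vap_named_vlans:
            ids = mapping.get(name)
            if ids is None:
                findings.append((ctrl, name, "named VLAN not defined"))
                continue
            missing = sorted(ids - existing)
            if missing:
                findings.append((ctrl, name,
                                 "VLAN IDs not created: %s" % missing))
    return findings


CONTROLLERS = {
    "master": (MASTER_VLAN_MAPPING, MASTER_VLANS),
    "backup-master": (BACKUP_VLAN_MAPPING, BACKUP_VLANS),
}

if __name__ == "__main__":
    for ctrl, name, problem in check_named_vlans(VAP_NAMED_VLANS, CONTROLLERS):
        print("%s: named VLAN %r: %s" % (ctrl, name, problem))
```

Run against the constructed data it reports one problem: the backup master maps `student` to 777 but has no VLAN 777, which is exactly the state that shows up as a `show profile-errors` entry once APs fail over. Replace the constructed strings with the real command output captured from each controller to use it on a live pair.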


  • 5.  RE: Riddle me this.....

    Posted Jan 30, 2012 05:53 PM

    Oh yeah, good point! That's an improvement to my thought. I keep forgetting about named VLANs. I probably should use them more myself.



  • 6.  RE: Riddle me this.....

    Posted Jan 31, 2012 04:40 AM

    Thanks for the ideas guys your info is much appreciated.

     

    I'm thinking another option would be to create a new VLAN (say 999) on the master controllers and assign it to the VAP. Make the controllers do DHCP and give out the correct DNS suffix and DNS servers. Then SRC NAT VLAN (999). As long as the controller can route through to the destination VLAN this should be fine as far as I can see.

     

     



  • 7.  RE: Riddle me this.....

    EMPLOYEE
    Posted Jan 31, 2012 06:14 AM

    @jrwhitehead wrote: [quotes post 6 in full]


    If a controller is a master-backup to a master, it means that controller is layer-2 connected to the first one.  Can't VLAN 999 be layer-2 connected to both controllers?  That might solve your problem...