Regular Contributor II

Re: Tunneled Node Configuration

Thanks guys!

Regular Contributor II

Re: Tunneled Node Configuration


@vkumaar wrote:

It's best practice to reduce the broadcast domain, so having a different VLAN for a different campus should be good. 

 


Hi Guys,

 

I was just thinking out loud here and I have a concern about the above statement.

 

Can we really build multiple VLANs for the Tunneled Node users? Isn't the Tunneled Node configuration associated with the "aaa authentication wired" profile? And I believe you can only have one "aaa authentication wired" profile utilizing the 802.1X feature. So I don't see how multiple Tunneled Node VLANs would work.

 

The more I think about this, I get so confused!  :)

 

 

Aruba

Re: Tunneled Node Configuration

Hi,

An AAA profile configures the authentication settings, not the VLANs. Therefore, via dot1x for example, you could have your RADIUS server pass back a different VLAN for different classes of customers. Alternatively, you can have the RADIUS server pass back a user-role name, and locally on the controller that user-role would have a VLAN specified.

 

Best regards,

 

Madani

Regular Contributor II

Re: Tunneled Node Configuration


@madjali wrote:

Hi,

An AAA profile configures the authentication settings, not the VLANs. Therefore, via dot1x for example, you could have your RADIUS server pass back a different VLAN for different classes of customers. Alternatively, you can have the RADIUS server pass back a user-role name, and locally on the controller that user-role would have a VLAN specified.

 

Best regards,

 

Madani


Hi Madani,

 

You just made my point. Imagine a University and this is for Students. So getting a Class attribute of "IT" and assigning them a VLAN. You can't create another VLAN for the same received attribute. You see my point?

 

So if this AAA profile is tailored for only one role, "IT", you can't have multiple VLANs assigned to the same role unless you are building the RADIUS server configuration on the MAS switch in different closets.

 

But with Tunneled Node, where you are performing centralized security, you don't have that option.

 

Right?

 

Aruba

Re: Tunneled Node Configuration

Sorry, I'm not following "So getting a Class attribute of "IT" and assigning them a VLAN. You can't create another VLAN for the same received attribute." If all users have the same attributes, then you're right that it isn't possible to differentiate the users. However you could use a vlan-pool with the user-role to distribute the users across different vlans to break up the broadcast domain.

 

I'm also not clear what you mean by the AAA profile is tailored for only one Role. If you are just configuring a single UDR/SDR or default authentication role then yes, you are limited to one role but otherwise there are many ways to assign different users to different roles.

 

Best regards,

 

Madani

Regular Contributor II

Re: Tunneled Node Configuration

Hi Madani,

 

I'm sorry. I keep using the wrong terminology for the different scenarios.

 

But we are both saying the same thing.

 

So we can assign different VLANs for the same user-role to break up the broadcast domain. I only knew about doing that when configuring the server derivation policy on each MAS closet with its respective access VLAN configuration.

 

I have to look into this VLAN pool recommendation. Is there somewhere I can reference the VLAN pool configuration as it relates to user-roles?

Aruba

Re: Tunneled Node Configuration

Here is an example I just ran a quick test against.

 

!
user-role STUDENT-ROLE
 vlan STUDENT-VPOOL
 access-list session allowall
!
vlan 100
vlan 101
!
vlan-name STUDENT-VPOOL
vlan STUDENT-VPOOL 100-101
!

Regular Contributor II

Re: Tunneled Node Configuration


@madjali wrote:

Here is an example I just ran a quick test against.

 

!
user-role STUDENT-ROLE
 vlan STUDENT-VPOOL
 access-list session allowall
!
vlan 100
vlan 101
!
vlan-name STUDENT-VPOOL
vlan STUDENT-VPOOL 100-101
!


Fantastic!!! Thx a lot.

 

The last question I have is, how does the Controller distribute the VLANs? Is there an algorithm it uses to distribute the VLANs?

 

Regular Contributor II

Re: Tunneled Node Configuration

And correct me if I'm wrong: with the VLAN pool, a closet could have users with different IP addresses?

 

That was my reason behind asking how the VLANs are being distributed.

Aruba

Re: Tunneled Node Configuration

Under the "vlan-name <name>" command there is an "assignment" knob, and you can choose either even or hash. The hash knob means that VLAN assignment is based on the station MAC address. The "even" knob will distribute the users evenly across the VLANs.

 

Best regards,

 

Madani
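The following is an added example, not code from this thread or from Aruba. It models the two points Madani made above: the controller derives a user-role from the RADIUS reply (or gets a VLAN handed back directly) and then spreads that role's stations across a VLAN pool by "hash" or "even". The role table mirrors the STUDENT-ROLE / STUDENT-VPOOL 100-101 config posted earlier; the SHA-256 hash, the attribute names used to look up the role and VLAN, the IT-ROLE entry, and the assumption that a RADIUS-returned VLAN takes precedence over the role's pool are all mine, not a statement of how ArubaOS actually hashes or orders derivation.

```python
"""Illustrative model of user-role VLAN pool assignment (added example).

Not Aruba code. The hash function and derivation precedence below are
assumed stand-ins so the behaviour of the two "assignment" modes can be
compared on constructed input.
"""
import hashlib
from collections import Counter

# Constructed role table mirroring the thread's config:
#   user-role STUDENT-ROLE -> vlan STUDENT-VPOOL -> vlan STUDENT-VPOOL 100-101
ROLE_VLAN_POOL = {
    "STUDENT-ROLE": [100, 101],  # pooled: broadcast domain split in two
    "IT-ROLE": [200],            # assumed single-VLAN role, no pooling
}
DEFAULT_ROLE = "STUDENT-ROLE"    # stands in for the AAA profile default role


class VlanPool:
    """One 'vlan-name <pool> assignment {hash|even}' pool."""

    def __init__(self, vlans, assignment="hash"):
        if assignment not in ("hash", "even"):
            raise ValueError(f"unknown assignment mode {assignment!r}")
        self.vlans = sorted(vlans)
        self.assignment = assignment
        self.load = Counter({v: 0 for v in self.vlans})

    def assign(self, station_mac):
        mac = station_mac.lower().replace("-", ":")
        if self.assignment == "hash":
            # Deterministic in the station MAC: a host that re-authenticates
            # or moves closets lands in the same VLAN, so its DHCP lease is
            # normally reusable. SHA-256 is an assumed stand-in hash.
            h = int.from_bytes(hashlib.sha256(mac.encode()).digest()[:4], "big")
            vlan = self.vlans[h % len(self.vlans)]
        else:
            # 'even': next station goes to the least-loaded VLAN. Counts stay
            # balanced, but the same host may get a different VLAN (and IP)
            # the next time it authenticates.
            vlan = min(self.vlans, key=lambda v: (self.load[v], v))
        self.load[vlan] += 1
        return vlan


def derive_role(radius_reply):
    """Pick the role from a constructed Access-Accept attribute dict.

    Assumes the Aruba-User-Role VSA names a role configured locally;
    anything else falls back to the default role.
    """
    role = radius_reply.get("Aruba-User-Role")
    return role if role in ROLE_VLAN_POOL else DEFAULT_ROLE


def build_pools(assignment="hash"):
    return {role: VlanPool(vlans, assignment)
            for role, vlans in ROLE_VLAN_POOL.items()}


def place_stations(stations, pools):
    """Map each (mac, radius_reply) tunneled-node station to (role, vlan).

    Assumption: a RADIUS-supplied Tunnel-Private-Group-ID wins over the
    role's VLAN/pool. Check the derivation order for your own release.
    """
    placement = {}
    for mac, reply in stations:
        role = derive_role(reply)
        if "Tunnel-Private-Group-ID" in reply:
            vlan = int(reply["Tunnel-Private-Group-ID"])
        else:
            vlan = pools[role].assign(mac)
        placement[mac] = (role, vlan)
    return placement


# Constructed stations on one closet switch, all returned as STUDENT-ROLE.
STUDENTS = [("00:11:22:33:44:%02x" % i, {"Aruba-User-Role": "STUDENT-ROLE"})
            for i in range(4)]


if __name__ == "__main__":
    for mode in ("hash", "even"):
        print(mode, place_stations(STUDENTS, build_pools(mode)))
```

Running it shows why the closet question matters: in both modes stations on the same closet end up in different VLANs and therefore different subnets, but only "hash" keeps a given MAC on the same VLAN from one authentication to the next.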
