Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VLAN Assignment reset

  • 1.  VLAN Assignment reset

    Posted Dec 12, 2014 06:42 AM

    Hi

     

    We have 2 Named Vlan Pools each with 3 vlans assigned to them. We have preserve client vlan enabled on the VAPs.

    Upon implementation we noticed that clients weren't being balanced across the vlans that well. Clients would join the vlans randomly and in no precise order or balanced (this was when we had approximately 60 clients) - when we reached our peak of around 900+ clients, 2 of the DHCP scopes (2 vlans) in the one named pool were full - in the other pool the one DHCP scope filled up.

    The scopes that weren't full in both the pools were utilised only 50%.

     

    Looking at a client's vlan history - it shows that the client has had 3 different vlans (if I am reading it correctly) -- does this mean the preserve isn't working or how do I change the frequency of the VLAN resets seen below?

     

    (master) #show aaa debug vlan user mac d0:22:be:84:2e:d4

    VLAN types present for this User
    ================================

    Default VLAN : 269
    Dot1x Aruba VSA : 269

    VLAN Derivation History
    =======================

    VLAN Derivation History Index : 4
    1. VLAN 0 for Reset Role Based VLANs
    2. VLAN 266 for Dot1x Aruba VSA
    3. VLAN 0 for Reset Role Based VLANs
    4. VLAN 266 for Current VLAN updated
    5. VLAN 0 for Reset Dot1x VLANs
    6. VLAN 265 for Dot1x Aruba VSA
    7. VLAN 0 for Reset Role Based VLANs
    8. VLAN 265 for Current VLAN updated
    9. VLAN 265 for VLAN exported
    10. VLAN 0 for Reset VLANs for Station up
    11. VLAN 265 for Default VLAN
    12. VLAN 265 for Current VLAN updated
    13. VLAN 0 for Reset Role Based VLANs
    14. VLAN 265 for Dot1x Aruba VSA
    15. VLAN 0 for Reset Role Based VLANs
    16. VLAN 265 for Current VLAN updated
    17. VLAN 0 for Reset Dot1x VLANs
    18. VLAN 269 for Dot1x Aruba VSA
    19. VLAN 0 for Reset Role Based VLANs
    20. VLAN 269 for Current VLAN updated
    21. VLAN 269 for VLAN exported
    22. VLAN 0 for Reset VLANs for Station up
    23. VLAN 269 for Default VLAN
    24. VLAN 269 for Current VLAN updated
    25. VLAN 0 for Reset Role Based VLANs
    26. VLAN 269 for Dot1x Aruba VSA
    27. VLAN 0 for Reset Role Based VLANs
    28. VLAN 269 for Current VLAN updated
    29. VLAN 0 for Reset Dot1x VLANs
    30. VLAN 269 for Dot1x Aruba VSA
    31. VLAN 0 for Reset Role Based VLANs
    32. VLAN 269 for Current VLAN updated

    DHCP Discover/Request processing for options done

    Current VLAN : 269 (Dot1x Aruba VSA)
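
Added example, not part of the original post: a small Python parser for the `VLAN Derivation History` section shown above. It skips the `VLAN 0` reset entries and lists each point where the client's VLAN actually changed, together with the derivation step that introduced the new VLAN. The sample is an excerpt of the posted output, and the function names are this example's own.

```python
import re
from collections import Counter

# Excerpt of the derivation history posted above (some entries omitted).
SAMPLE = """\
VLAN Derivation History Index : 4
1. VLAN 0 for Reset Role Based VLANs
2. VLAN 266 for Dot1x Aruba VSA
3. VLAN 0 for Reset Role Based VLANs
4. VLAN 266 for Current VLAN updated
5. VLAN 0 for Reset Dot1x VLANs
6. VLAN 265 for Dot1x Aruba VSA
9. VLAN 265 for VLAN exported
10. VLAN 0 for Reset VLANs for Station up
11. VLAN 265 for Default VLAN
17. VLAN 0 for Reset Dot1x VLANs
18. VLAN 269 for Dot1x Aruba VSA
20. VLAN 269 for Current VLAN updated
"""

ENTRY = re.compile(r"^\s*(\d+)\.\s+VLAN\s+(\d+)\s+for\s+(.+?)\s*$")

def parse_history(text):
    """Return [(index, vlan, reason)] for every numbered history entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries

def vlan_changes(entries):
    """Return [(index, old_vlan, new_vlan, reason)] for each real VLAN change."""
    changes, current = [], None
    for idx, vlan, reason in entries:
        if vlan == 0 or vlan == current:  # reset step or no change: skip
            continue
        changes.append((idx, current, vlan, reason))
        current = vlan
    return changes

def summarize(text):
    """Count entries, list the VLANs in order, and tally what introduced them."""
    entries = parse_history(text)
    changes = vlan_changes(entries)
    return {"entries": len(entries),
            "vlans": [c[2] for c in changes],
            "sources": Counter(c[3] for c in changes),
            "changes": changes}
```

Running `summarize()` on the full 32-entry output gives the same three VLANs in the same order, so the condensed view can be compared directly against the DHCP leases for that MAC address.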

     



  • 2.  RE: VLAN Assignment reset

    EMPLOYEE
    Posted Dec 12, 2014 06:47 AM

    Hendrik,

     

    Why are you using two VLAN pools instead of one?  Are the two VLAN pools for separate SSIDs or the same one?  Is your VLAN pool set to even?  Is this spread out over more than one controller?

     



  • 3.  RE: VLAN Assignment reset

    Posted Dec 12, 2014 07:05 AM

    Hi Colin

     

    We are using ClearPass for device Categorization - one category being SmartDevice (which is the one vlan pool) and the other is Computers (with a vlan Pool for them) -- if all works well the ultimate goal will be to redirect all the smart devices over a new proxy being installed - hence we are trying to split the devices into different vlans for routing and so forth.

     

    So yes it is for one SSID. Both the Pools are set to Even Assignment. We are running a Master/Standby setup for failover - so in a sense just one controller (we are aware that if failover occurs that the other won't know of the previous assignments and are prepared to deal with that).

     

     



  • 4.  RE: VLAN Assignment reset

    EMPLOYEE
    Posted Dec 12, 2014 07:46 AM

    Hendrik,

     

    You should type "show vlan status" to get a sense of how many clients are in each VLAN.  I am not sure if "preserve VLAN" has a material effect on what happens.

     

    Ultimately, if clients attach, but only clients that are in a specific vlan leave, things will be unbalanced, so there is room for things to NOT work perfectly.  You probably would need TAC to go over your configuration in detail and ensure that you are not doing anything specifically that is keeping you from reaching your goal.

     

    Sending back the name of an even VLAN pool in a radius VSA should be all that is necessary in general to do what you are doing.  Unfortunately, if ClearPass has never even seen the DHCP fingerprint of a device it will not know what kind of device it is upon authentication and put it in the wrong pool, so there are weaknesses with your approach if you are using 802.1x.  Your approach assumes that we have already profiled the devices that are connecting so that we know where to place them.

     



  • 5.  RE: VLAN Assignment reset

    Posted Jan 06, 2015 08:20 AM

    Hi Collin

    All the best to you in the new year.

    Thanks for the reply and sorry for the slow response.

     

    Maybe a bit more background would be good - I understand fully that a client will have to be seen by ClearPass before it gets the fingerprint for the device. So we did give it time to identify the devices (we also understand that as new devices come in, those which haven't been seen will first have to go through the fingerprinting).

     

    Why I was asking about the vlan reset is that we suspected that some clients were identified, but utilising more than 1 address on the DHCP server in different vlans.

     

    BUT in the time that has passed we have done some other testing - I am suspecting that the even vlan pool balancing isn't working correctly.

    We took one night with only a few clients connected, stopped all the SSIDs from broadcasting, cleared out all DHCP entries, changed from Hash balancing to Even, and switched the SSIDs on again (we did this several times, going from even balancing to hash and back again).

     

    As clients were connecting we were monitoring the DHCP scopes to see how users came in and got IPs assigned (this also confirmed that users weren't going into more than one vlan - only 1 IP entry for each client). We could see the first vlan only getting one client for every 3 to 4 being assigned to the remaining two vlans. Using Hash and Even balancing appeared to have the same effect.

     

    Perhaps the testing methodology is flawed but I am suspecting the VLAN pool balancing to be the culprit.

    Out of interest we are running the "Early Release" of 6.4.2.2 (haven't had a chance to upgrade to GA 6.4.2.3 yet)



  • 6.  RE: VLAN Assignment reset

    EMPLOYEE
    Posted Jan 06, 2015 08:26 AM
    Hendrik,

    I hope you have a support case open. There are quite a few ways that this could go wrong, or you could be experiencing a bug. A TAC case is the best way to sort through what you are trying to accomplish.


  • 7.  RE: VLAN Assignment reset

    Posted Jan 06, 2015 08:36 AM

    Hi Collin

     

    When we implement the rules again I will have a TAC case open - but I think it best if we just do the upgrade to the GA 6.4.2.3 before going further -- there are a few funnies on 6.4.2.2 (like client counts on GUI) so I won't frown at anything.