Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VLAN and Gateway Issues

  • 1.  VLAN and Gateway Issues

    Posted Jan 06, 2020 07:46 AM

     Hi,

    We are planning to run over a hundred APs on an Aruba 7205 Mobility Controller on our network, with OS 8.6.0.1.

    So I have multiple issues (they are questions I am looking for answers to) with the deployment:

    • I have 2 VLANs (X, Y) and 2 SSIDs (A, B). I have assigned VLAN X to the 2 SSIDs. I want to assign a VLAN to AP management (VLANs tagged as trunk on its uplink port to the core switch). The main idea is to separate user traffic from AP management traffic; I don't want to have users and APs on the same VLAN.
    • I want to apply IP forwarding on one of the WAN ports instead of NAT (how can I do this?).
    • I have two default gateways for the controller. I have assigned a lower cost to the main gateway and a higher cost to the backup. Can I apply an outbound policy to get specific traffic going through the backup gateway?

    Thank you in advance for the answers, and happy new year to everybody.

     

    Thanks




  • 2.  RE: VLAN and Gateway Issues

    EMPLOYEE
    Posted Jan 06, 2020 08:22 AM

    - As long as an access point can discover the management IP address of the controller, an access point can be on any VLAN.  Discovery methods include DNS, DHCP option, and multicast (https://www.arubanetworks.com/techdocs/ArubaOS_85_Web_Help/Content/arubaos-solutions/access-points/enab-ctrl-disc.htm?Highlight=discovery).  An access point does not have to be on a trunk port (preferably an access port), because by default, user traffic is tunneled back to the controller.  The controller can then be connected to the infrastructure as a trunk port, and that is where the user traffic will enter your network.

    - With regards to the IP forwarding question, please describe your exact scenario.  There are a few ways to provide IP forwarding, but we need to suggest the proper option based on your specific requirements.

    - You should have a single IP address for a default gateway on the controller and configure redundancy at the default gateway devices instead to provide redundancy (VRRP or HSRP).  Making more than a single IP address the default gateway would make troubleshooting more difficult.  I was just at a customer who had this same scenario configured with two different default gateways on the Aruba controllers, and it created additional management complexity.  It is not recommended.




  • 3.  RE: VLAN and Gateway Issues

    Posted Jan 06, 2020 10:11 AM

    First, thanks for your reply.

    I have attached my sample design; hopefully it can help.

    1- What I am looking for is to get the APs on their own dedicated VLAN and the users on a different VLAN.

    2- For the IP forwarding, I want to forward all user traffic to a third-party firewall, which does all filtering and monitoring.

    3- The two gateways look like when you configure two WAN ports: users who want internet traffic go via a specific gateway, and users who want to access the internal network go via the other gateway.

    Thanks



  • 4.  RE: VLAN and Gateway Issues

    EMPLOYEE
    Posted Jan 06, 2020 11:51 AM
    Is this for a single site or multiple sites?


  • 5.  RE: VLAN and Gateway Issues

    Posted Jan 06, 2020 12:26 PM

    It's a single site.



  • 6.  RE: VLAN and Gateway Issues
    Best Answer

    EMPLOYEE
    Posted Jan 06, 2020 12:41 PM

    If this is a single site, the default gateway of every device should be the layer 3 switch (site router).  The layer 3 switch (site router) would then have a default route pointing to the private IP address of the 3rd party firewall for any internet that is needed.  The 3rd party firewall should be able to manage two internet uplinks and determine what path to take, as this will allow failover for the entire site, not just the wireless clients.

    The access points should have their own VLAN.  WLAN user traffic is tunneled back from access points to the mobility controller over GRE tunnels for enforcement, so the access points should just be on access ports.  Access points simply need to be able to send all traffic, management as well as user traffic, back to the controller.  The controller will be on a trunk connected to the layer 3 switch.  The trunk will be allowing the controller's management VLAN, and any other user VLANs that will be broadcast by the access points.  The controller will switch the user's tunneled traffic to the correct VLAN to the layer 3 switch.  Since the users will have a default gateway on the layer 3 switch (router), they will have a path to the internet.

    Please let me know if that makes sense.
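As an added illustration (not code from this thread or from HPE Aruba Networking), the following Python script encodes the design rules from this answer as a pre-deployment checker and runs it over two constructed sample designs: one resembling the original plan (AP on a trunk port, AP and user traffic sharing a VLAN, two default gateways on the controller) and one matching the recommended layout. All VLAN numbers and addresses are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Design:
    """Minimal model of the single-site design discussed in the thread."""
    ap_vlan: int                        # VLAN the access points sit in
    ssid_vlans: dict                    # SSID name -> user VLAN the SSID maps to
    ap_port_mode: str                   # "access" or "trunk" on the AP switch port
    controller_mgmt_vlan: int           # controller management VLAN
    controller_trunk_allowed: set       # VLANs allowed on the controller uplink trunk
    controller_default_gateways: list   # default gateway IPs configured on the controller
    l3_switch_ip: str                   # address of the layer 3 switch (site router)


def check_design(d: Design) -> list:
    """Return a list of findings; an empty list means the design follows the advice above."""
    findings = []
    if d.ap_port_mode != "access":
        findings.append("AP ports should be access ports; user traffic is tunnelled to the controller")
    if d.ap_vlan in d.ssid_vlans.values():
        findings.append(f"AP VLAN {d.ap_vlan} is also a user VLAN; keep AP management separate")
    # The controller trunk must carry its management VLAN plus every VLAN an SSID maps to.
    missing = {d.controller_mgmt_vlan, *d.ssid_vlans.values()} - d.controller_trunk_allowed
    if missing:
        findings.append(f"controller trunk must allow VLANs {sorted(missing)}")
    if len(d.controller_default_gateways) != 1:
        findings.append("controller should have exactly one default gateway (use VRRP/HSRP upstream)")
    elif d.controller_default_gateways[0] != d.l3_switch_ip:
        findings.append("controller default gateway should be the layer 3 switch")
    return findings


# Constructed sample resembling the original plan: APs and both SSIDs in VLAN 10,
# AP on a trunk port, two default gateways on the controller.
ORIGINAL = Design(ap_vlan=10, ssid_vlans={"A": 10, "B": 10}, ap_port_mode="trunk",
                  controller_mgmt_vlan=10, controller_trunk_allowed={10},
                  controller_default_gateways=["192.0.2.1", "192.0.2.2"],
                  l3_switch_ip="192.0.2.1")

# Constructed sample matching the recommended layout: dedicated AP VLAN, AP on an
# access port, trunk carrying management plus user VLANs, single gateway = L3 switch.
RECOMMENDED = Design(ap_vlan=30, ssid_vlans={"A": 10, "B": 20}, ap_port_mode="access",
                     controller_mgmt_vlan=40, controller_trunk_allowed={10, 20, 40},
                     controller_default_gateways=["192.0.2.1"], l3_switch_ip="192.0.2.1")

if __name__ == "__main__":
    for name, design in (("original", ORIGINAL), ("recommended", RECOMMENDED)):
        print(name, check_design(design) or "OK")
```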



  • 7.  RE: VLAN and Gateway Issues

    Posted Jan 07, 2020 07:31 AM

    Thanks, yes, it makes sense now.