Wireless Access

Hello,

 

I have 2 x WLC 7205 and 62 AP's to implement, and I am starting with Aruba technology.

I read many topics about that, but I still have a doubt ...

Would it be better to have :

- VLAN X for the WLC's management, VLAN Y for the AP's and VLAN Z for clients

or 

- VLAN X for WLC's management and the AP's, VLAN Y for clients ?

 

Thank you,

AL

I would go with this option :
"VLAN X for the WLC's management, VLAN Y for the AP's and VLAN Z for clients"

Get Outlook for iOS

Thank you very much. I'll go for this solution then.

 

On the switch part,

- Access ports for the AP's, with only the VLAN Y?

- Trunk port for the WLC, with the 3 VLANs, right ?

 

Thank you,

AL

Access ports for the AP's, with only the VLAN Y?
Yes if that's the only wired devices you are expecting to connect to the swiychports

- Trunk port for the WLC, with the 3 VLANs, right ?
Only WLC and clients VLAN , do you have an external dhcp sever for the APs?

Get Outlook for iOS

Alright, yes the AP's will have their dedicated VLAN, then they will be the only devices for this VLAN.

 

We did not decide yet if we go for an external DHCP server or internally to the WLC, does it make any change on the trunkport configuration ?

 

AL

If the controller is the dhcp server then you need to add the AP VLAN to the trunk

Get Outlook for iOS

Ok perfect, I think we will use the WLC as DHCP server then.

Thank you for all these informations !

Please familiarise yourself with the limitations for DHCP on the controller. Aruba recommend an external DHCP server.

Well right now I have :

 

- VLAN 100 for management - 172.16.100.0

- VLAN 101 for AP's - 172.16.101.0

- VLAN 102 for corporate clients - 172.16.102.0

- VLAN 103 for guest clients - 172.16.103.0

 

The WLC is connected to a cisco switch, in the moment I am trying to make it very simple.

Here is the config of my trunk on the WLC :

 

interface gigabitethernet 0/0/0
description "***Uplink-to-Switch***"
trusted
trusted vlan 100-103
switchport mode trunk
switchport trunk allowed vlan 100-103

 

I also have these interfaces configured :

 

interface vlan 100
ip address 172.16.100.1 255.255.255.0
!
interface vlan 101
ip address 172.16.101.1 255.255.255.0
!
interface vlan 102
ip address 172.16.102.1 255.255.255.0
!
interface vlan 103
ip address 172.16.103.1 255.255.255.0

 

Here is the config on the trunk port on the switch :

 

interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk

switchport trunk allowed vlan 100,101,102,103 

 

DHCP scopes are configured on the switch.

 

Does it look ok.. ? 

 

I have 3 problems...

- when I directly plugg an AP on a switchport (in access vlan 101) It gets an IP on the range 172.16.101.0 but it never joins the WLC... I don't get it... I tried to configure option 43 on the DHCP scope but It didn't help.

 

- If I plugg my laptop on a switchport (in access vlan 101), I get an IP in the range 172.16.101.0 and I can access the WLC on his Interface vlsn 101. But the goal is to only allow the management subnet 172.16.100.0 to access the WLC, is there a way to block the access from the VLANs 101, 102 and 103 ?

 

- Do I need to configure a native VLAN on the trunks ?

 

AL

You need to configure native VLAN 100

Get Outlook for iOS

Ok thanks. I'll configure that. Then i don't need this option DHCP 43 anymore ?

And what about the access to the WLC, is that normal that I can access it from the VLAN 101, 102 and 103 ? I really would like to avoid this...

 

AL

Native vlan 100 didn't help ...

The AP in VLAN 101 needs to communicate with which interface, the interface VLAN 100 or interace VLAN 101 ?

 

I'm new in Aruba networks, I don't really know if this is working like Cisco...

 

Thank you,

AL

What is your default gateway for each VLAN? What default gateway is your DHCP server giving out?  Is that Cisco switch a layer 3 switch?

The default gateway for each VLAN is located on a cisco switch indeed.

Later it will be an Aruba switch, but I am using a Cisco swich to prepare all the AP's.

 

AL

Okay.  On the port that connects the Cisco layer 3 switch to the Aruba controller, your native VLAN must be 100.  On the port that connects the Aruba Controller to the Cisco layer 3 switch, the native VLAN must also be 100.  

 

Your DHCP server must be giving out the ip address on your Cisco layer 3 switch on each VLAN as the default gateway.

Are you using an external DHCP server ? or the controller is acting as your DHCP server ?

The cisco switch is the DHCP server.

VLAN100 is the management Vlan, and VLAN101 is dedicated to the AP's.

 

Here is my scenario :

 

WLC-Aruba --SW-Cisco--AP Aruba

 

On the switch I have : 

 

interface FastEthernet0/1
description *** To WLC-Aruba-Gi0/0/0 ***
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 100,101,102,103
switchport mode trunk

 

ip dhcp pool APs
network 172.16.101.0 255.255.255.0
default-router 172.16.101.254
lease 7

!

interface Vlan100
ip address 172.16.100.254 255.255.255.0
ip helper-address 172.16.100.1
!
interface Vlan101
ip address 172.16.101.254 255.255.255.0

 

On Aruba WLC I have : 

 

interface gigabitethernet 0/0/0
description "***Uplink-to-Cisco-SW***"
trusted
trusted vlan 100-103
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,101,102-103

!
vlan 100 172.16.100.1 / 255.255.255.0 
vlan 101 172.16.101.1 / 255.255.255.0

 

My AP is connected on a switchport in acc vlan 101.

 

I am wondering if the AP's in the VLAN 101 need to communicate with the WLC's interface vlan 100 or 101 ?

 

AL

What is your switch ip / vlan on the Aruba Controller?  (type "show switch ip").  You need to make it vlan 100.

config t

controller-ip vlan 100

 

I confirm it's in the vlan 100 :

 

(Aruba-WLC) #show switch ip

Switch IP Address: 172.16.100.1

Switch IP is configured to be Vlan Interface: 100

In that case you will need to configure option 43 on that pool to point the APs to discover the master controller

If you don't want to that then you can use an external dhcp server and allow the aps to discover the controller via dns using the aruba-master

Another option would be to use the controller as your dhcp and configure the option 43 there or keep the dhcp on the Cisco switch but put all the APs on the same subnet as the controller and the APs will discover controller via ADP (multicast)

Get Outlook for iOS

This is working when I put the option 43 pointing to 172.16.100.1

But what is the utility of the IP 172.16.101.1 then ?

 

I read on documentations that it's advised to use external DHCP server for AP's and clients, isn't it ?

 

AL

You need the layer 3 connectivity for vlan 101 to allow the APs to reach the controller .

It's best practice to use an external server.

Get Outlook for iOS

Alright it looks fine then.

 

And to avoid someone in the vlan 101 to reach the WLC on the IP 172.16.101.1, is there something we can do for that except using an ACL ?

 

AL

You can create an ACL to block management access and only allow it from certain subnets to the controller and apply it to the controller interface
http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/How-to-Allow-or-Block-Management-of-the-Aruba-Controller-only/ta-p/27494

Get Outlook for iOS

Alright thanks , I will try that.

I have a new issue with the AP that just joined the WLC.

 

I created an new AP group, and tried to change the AP Group, the AP is then rebooting and when it comes back, it stills belongs to the default AP Group.

 

I tried to do it over console through the command ap-rename, and I got this message : "NOTE: For cert RAP ap-name (if specified) in RAP whitelist will take precedence."

and then it rebooted and it's not coming back...

 

Did I miss something ?

 

AL

 

Did you define the controller IP address under AP> AP System profile > LMS IP

Get Outlook for iOS

Yes I did, but it didn't help.

I think the AP is in kind of rommon mode, I ordered a console cable to verify what's wrong with it.

 

AL