Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

vlan pool limit

  • 1.  vlan pool limit

    Posted Nov 08, 2012 03:00 PM

    Hi all,

    Due to increasing demand we recently added additional /23 vlans to the vlan pool for our .1x SSID (VAP). There are now thirty two (32) /23 subnets in that vlan pool. My understanding is that 32 vlans is the limit per VAP. Has anyone hit this limit? How did you resolve it? I've enumerated a few thoughts below but all have potential pitfalls.

    1. Switch from /23 to /22 subnet masks -- Anyone doing this? Will there be broadcast headaches?

    2. Break up our campus-wide .1x SSID (VAP) into two or more VAPs using the same SSID for each VAP  -- Is this advised? Would it work? How badly will clients be affected by breaking L2 roaming?

    3. Introduce a third campus-wide SSID (e.g. FAC/STAFF and STUDENT) -- Will take a lot of work from backend auth to PR.

    4. Shorten external DHCP lease times (currently 40 minutes) to 30 minutes or less - Seems like this will buy us some time up front but will not scale... is anyone running shorter lease times successfully?

    5. (More of a question)  What happens if I add more than 32 vlans to the VAP? Will they be ignored? Will things break?

     

    We have one master and nine locals. All M3ks. About 3750 APs. We use publicly routed IP addresses. We're running 6.1.3.2 and do not currently have L3 roaming enabled.

    Thanks in advance for your suggestions and thoughts. We anticipate many more users coming online when we add additional res halls next semester.



  • 2.  RE: vlan pool limit

    Posted Nov 08, 2012 03:32 PM

    Divide the APs among different AP groups, and then you can have a different VAP in each AP group. However, the difference is not the SSID name; it will be the VLAN IDs (in other words, subnets). Make two different 30-VLAN pools, one in each group, and so on.

     

    As you know, Aruba recommends /24 networks with around 200 users.



  • 3.  RE: vlan pool limit

    Posted Jun 18, 2014 03:18 PM

    @Abi wrote:

    Divide the APs among different AP groups, and then you can have a different VAP in each AP group. However, the difference is not the SSID name; it will be the VLAN IDs (in other words, subnets). Make two different 30-VLAN pools, one in each group, and so on.

     

    As you know, Aruba recommends /24 networks with around 200 users.


    I'm having the same issue as the OP and wondering if you could discuss your suggestion a little more in terms of roaming.  What if a user goes from one building to another (meaning a different VLAN pool is assigned)?  If you don't have L3-mobility turned on, will this cause the user to obtain a completely new IP?  What if the two buildings in question are on two different controllers?

     

    Thanks in advance!



  • 4.  RE: vlan pool limit

    EMPLOYEE
    Posted Jun 18, 2014 09:46 PM

    emsmith@cmu.edu wrote:

    @Abi wrote:

    Divide the APs among different AP groups, and then you can have a different VAP in each AP group. However, the difference is not the SSID name; it will be the VLAN IDs (in other words, subnets). Make two different 30-VLAN pools, one in each group, and so on.

     

    As you know, Aruba recommends /24 networks with around 200 users.


    I'm having the same issue as the OP and wondering if you could discuss your suggestion a little more in terms of roaming.  What if a user goes from one building to another (meaning a different VLAN pool is assigned)? 

    If the user ends up in the same L2 VLAN, it should be seamless.  If both access points are in the same ap-group and both buildings fall under the same Virtual AP, it should be seamless.  If the access points are in different ap-groups and the user ends up in a different VLAN, the user will stay connected but would not be able to pass traffic, because the device assumes it is on the same layer 2 VLAN.  Enabling Preserve Client VLAN will allow a device that roams from one VAP to another on the same controller to keep the same VLAN: http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/VirtualAPs/Configuring_a_Virtual_AP.htm

    If you don't have L3-mobility turned on, will this cause the user to obtain a completely new IP?  What if the two buildings in question are on two different controllers?  Layer 3 Mobility is important when the device roams from one AP on one controller to another AP on a different controller.  If it is not turned on, the device will roam to the next AP and assume it is on the same L2 VLAN and not be able to pass traffic until it attempts to ARP for its default gateway once again.  It could take a minute... it could take 5 minutes depending on the client.  If Layer 3 mobility is turned on, the foreign or destination controller will build a tunnel back to the home or source controller so that the client can be on a different controller but stay on the initial VLAN.  This unfortunately creates some complexity with troubleshooting.

     

    Thanks in advance!


     



  • 5.  RE: vlan pool limit

    EMPLOYEE
    Posted Nov 08, 2012 04:38 PM
    Mdickson, please see <Inline>
    @mldickson wrote:

    Hi all,

    Due to increasing demand we recently added additional /23 vlans to the vlan pool for our .1x SSID (VAP). There are now thirty two (32) /23 subnets in that vlan pool. My understanding is that 32 vlans is the limit per VAP. Has anyone hit this limit? How did you resolve it? I've enumerated a few thoughts below but all have potential pitfalls.

    1. Switch from /23 to /22 subnet masks -- Anyone doing this? Will there be broadcast headaches?

    <Yes.  As long as you are suppressing broadcasts this is a viable option.  You could expose more clients to broadcasts using VLAN pooling, believe it or not, because clients that would not normally have to pause for broadcasts would have to.>

    2. Break up our campus-wide .1x SSID (VAP) into two or more VAPs using the same SSID for each VAP  -- Is this advised? Would it work? How badly will clients be affected by breaking L2 roaming?

    <It is advised and we can turn on Mobility if necessary to allow users to roam across controllers and retain their ip address.  This would need to be planned out carefully to minimize mobility events.>

    3. Introduce a third campus-wide SSID (e.g. FAC/STAFF and STUDENT) -- Will take a lot of work from backend auth to PR.
    <Avoid this, if you can>


    4. Shorten external DHCP lease times (currently 40 minutes) to 30 minutes or less - Seems like this will buy us some time up front but will not scale... is anyone running shorter lease times successfully?
    <Many users are running shortened lease times, especially on Open SSIDs with "drive-by" traffic.  Push as many users to 802.1x, where only authenticated users actually consume IP addresses.  If necessary, obtain an evaluation version of QuickConnect, which will automate 802.1x configuration for WLAN clients.>


    5. (More of a question)  What happens if I add more than 32 vlans to the VAP? Will they be ignored? Will things break?

    <Not sure, but that is the advertised limit, which means "not tested beyond-and-don't-call-support-if-you-deploy-like-this">

     

    We have one master and nine locals. All M3ks. About 3750 APs. We use publicly routed IP addresses. We're running 6.1.3.2 and do not currently have L3 roaming enabled.

    <It would be interesting to hear what others are doing and the recommendations they have.  These are just general suggestions and the advice you take should depend on quite a few factors that are not apparent here>

    Thanks in advance for your suggestions and thoughts. We anticipate many more users coming online when we add additional res halls next semester.


     



  • 6.  RE: vlan pool limit

    Posted Nov 08, 2012 07:27 PM

    Collin, I've got a question for you.

    Do I need to have BYOD to use just BYOD QuickConnect?

     

    Is there a way I could just use BYOD QuickConnect with a normal EAP-PEAP or EAP-TLS environment, just to distribute 802.1x access in an easy way for non-Microsoft devices (on which you cannot use group policy), for example iPads, Androids and stuff like that?

     

    I mean without buying the whole BYOD thing...

     



  • 7.  RE: vlan pool limit

    Posted Nov 08, 2012 07:32 PM

    Hello, for this part:

    (More of a question)  What happens if I add more than 32 vlans to the VAP? Will they be ignored? Will things break?

    <Not sure, but that is the advertised limit, which means "not tested beyond-and-don't-call-support-if-you-deploy-like-this">

     

    Well, if you've got VLAN pooling and you're using 32 VLANs in there, that is not recommended.

    On the VRD HD it says:

     

    Do not have more than 10 VLANs within a pool so that broadcast or multicast traffic does not
    consume too much air time access.

     

    Collin, do you know how this consumes more airtime?



  • 8.  RE: vlan pool limit

    EMPLOYEE
    Posted Nov 08, 2012 07:57 PM

    @NightShade1 wrote:

    Hello, for this part:

    (More of a question)  What happens if I add more than 32 vlans to the VAP? Will they be ignored? Will things break?

    <Not sure, but that is the advertised limit, which means "not tested beyond-and-don't-call-support-if-you-deploy-like-this">

     

    Well, if you've got VLAN pooling and you're using 32 VLANs in there, that is not recommended.

    On the VRD HD it says:

     

    Do not have more than 10 VLANs within a pool so that broadcast or multicast traffic does not
    consume too much air time access.

     

    Collin, do you know how this consumes more airtime?


    If you have just one VLAN and a user sends out a broadcast and you have "Drop Broadcast and Multicast" turned on, the user will send a broadcast to the controller.  All the users on the SAME access point will have to wait until that user sends that packet, which is not bad at all.  If VLAN pooling is ON and users on more than one VLAN are on that access point, all the users in the OTHER VLANs will have to wait until that user sends that packet.  On a very small level, this is not significant.  If you are talking about pooling 10 VLANs, it could be significant based on your traffic pattern.

     

    There is no single way to do it, but if you use a large VLAN and use Broadcast Suppression (Drop Broadcast and Multicast), you can *possibly* get more throughput.  If running out of IP addresses is a bigger problem, use a bigger VLAN so that you have fewer of them to manage.  Network design is about looking at all of the factors in detail and coming up with a solution.  With that being said, there is no one way to do everything....  Just try to do it both ways and see how things work each way.  There is nothing stopping anyone from using a /21 due to broadcast suppression controls...

     



  • 9.  RE: vlan pool limit

    Posted Nov 08, 2012 08:30 PM

    Okay, Collin.

    Thank you for your explanation and time; now it's clearer!

     



  • 10.  RE: vlan pool limit

    Posted Nov 27, 2012 04:39 PM


    @cjoseph wrote:

    [...]

    If you have just one VLAN and a user sends out a broadcast and you have "Drop Broadcast and Multicast" turned on, the user will send a broadcast to the controller.  All the users on the SAME access point will have to wait until that user sends that packet, which is not bad at all.  If VLAN pooling is ON and users on more than one VLAN are on that access point, all the users in the OTHER VLANs will have to wait until that user sends that packet.  On a very small level, this is not significant.  If you are talking about pooling 10 VLANs, it could be significant based on your traffic pattern.

     

    [...]

     


    OK - needed to edit - lost my comments...

    If broadcasts and multicasts are dropped, how does this change?

    For a given AP with 10 clients on an SSID:

    Single VLAN:

    Client sends a bcast - 9 other clients on the SSID (and same VLAN) need to wait.

     

    VLAN pooling:

    Client sends a bcast - 9 other clients on the SSID (regardless of VLAN) need to wait.

     

    Is the number 10 specifically recommended if bcast and mcast are not being dropped?

     

    Or is 10 a sweet spot for the hashing algorithm? I.e., instead of 32 VLANs of /24s, should I go for 10 VLANs of /22s?

    I.e., size the subnets so that 10 of them will meet the needed IP space?
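    The sizing question above (32 /24s versus 10 /22s, and how the hash spreads clients) can be worked through numerically. The following is an added example, not code from this thread or from Aruba; it assumes hash-mode pooling picks a VLAN by hashing the client MAC modulo the pool size, with SHA-256 standing in for the controller's own hash, which is not documented on this page.

```python
# Added example (not from the thread): computes usable address capacity of a
# VLAN pool and simulates hash-based client-to-VLAN assignment to show that the
# busiest VLAN, not the pool total, is what runs out of addresses first.
# Assumption: the controller picks a pool VLAN by hashing the client MAC modulo
# the pool size. SHA-256 is a stand-in for the (undocumented here) ArubaOS hash.
import hashlib
import random
from collections import Counter

def usable_hosts(prefix_len: int) -> int:
    """Usable IPv4 hosts in a subnet, excluding network and broadcast addresses."""
    return 2 ** (32 - prefix_len) - 2

def pool_capacity(vlan_count: int, prefix_len: int) -> int:
    """Total usable addresses across every VLAN in the pool."""
    return vlan_count * usable_hosts(prefix_len)

def assign_vlan(mac: str, vlan_count: int) -> int:
    """Stand-in for hash-mode pooling: hash the MAC and pick a VLAN index."""
    digest = hashlib.sha256(mac.lower().encode()).digest()
    return int.from_bytes(digest[:4], "big") % vlan_count

def random_mac(rng: random.Random) -> str:
    """Constructed client MAC for the simulation."""
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))

def simulate_pool(vlan_count: int, prefix_len: int, clients: int, seed: int = 1):
    """Return (busiest VLAN load, per-VLAN usable hosts, VLANs over capacity)."""
    rng = random.Random(seed)
    loads = Counter(assign_vlan(random_mac(rng), vlan_count) for _ in range(clients))
    cap = usable_hosts(prefix_len)
    exhausted = sum(1 for load in loads.values() if load > cap)
    return max(loads.values()), cap, exhausted

if __name__ == "__main__":
    for n, plen in ((32, 24), (10, 22), (32, 23)):
        print(f"{n} x /{plen}: total usable addresses = {pool_capacity(n, plen)}")
    # Constructed load: 16000 devices against 32 x /23 (pool total 16320).
    # Hashing is uneven, so individual VLANs may overflow before the pool total.
    busiest, cap, over = simulate_pool(32, 23, 16000)
    print(f"busiest VLAN: {busiest} clients, per-VLAN usable: {cap}, "
          f"VLANs over capacity: {over}")
```

    The gap between the pool total and the busiest VLAN is the headroom the hash costs you, which is why shortening leases or enlarging each subnet helps before the pool total is reached.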

     

     



  • 11.  RE: vlan pool limit

    Posted Jan 28, 2013 11:19 AM

    Thanks everyone for the excellent suggestions. At the end of last semester we switched from 40 minute to 30 minute lease times for each of our 32 VLANs (/23 subnets) in the pool. This has had a dramatic effect and so far this semester, even with slightly more devices, we have seen roughly a 30% reduction in utilized leases.

     

    We'll hold the line for now. If and when we grow out of our current pools we'll probably move up to /22s.

     

    Best,

    Mike



  • 12.  RE: vlan pool limit

    EMPLOYEE
    Posted Jan 28, 2013 11:20 AM

    Mike,

     

    Please keep us posted on your progress!