Wireless Access

Hello,

I currently am doing a proof of concept of Aruba APs with a virtual mobility controller. The network roughly looks like this:

Obviously I don't want the Clients to be in the same network as the APs. DHCP in the City A network is being provided by Firewall 1. 

What I think I need to do is:

• Create a new VLAN and network on all switch-ports that already have VLAN 121
• Create a new DHCP pool on firewall 1 and assign the new VLAN to it

What I don't know:

1. How does the controller need to "know" this new VLAN? Since there are two firewalls between the switches where the VLAN resides, the controller will never come into contact with it
2. Is there any documentation about this scenario?

Hope I am making sense here. Thanks in advance!

Running AP-controller connections over WAN/VPN is not supported.

The client VLAN and AP(management) VLAN should always be separated/different.

If you have a tunneled SSID, the AP should be able to build the tunnel to the controller. There is no need to be in the same VLAN, but you can route the traffic (L3 connected). This tunnel should run over LAN, or at least jumbo frames enabled, low latency, high bandwidth, and preferred no interfering devices like firewalls/security appliances.
The tunneled clients should be placed in a VLAN that's on the controller (not on the APs, not needed on intermediate devices that only carry the tunnel traffic). And in that VLAN you would need DHCP and a L3 (default gateway). In this unsupported scenario, that would be in City B, and probably a VLAN on the firewall 2.

This is standard (Aruba controller) architecture knowledge, and it may be good to work with your HPE Aruba Networking partner to get to an optimal design.

Hello,

I currently am doing a proof of concept of Aruba APs with a virtual mobility controller. The network roughly looks like this:

Obviously I don't want the Clients to be in the same network as the APs. DHCP in the City A network is being provided by Firewall 1. 

What I think I need to do is:

• Create a new VLAN and network on all switch-ports that already have VLAN 121
• Create a new DHCP pool on firewall 1 and assign the new VLAN to it

What I don't know:

1. How does the controller need to "know" this new VLAN? Since there are two firewalls between the switches where the VLAN resides, the controller will never come into contact with it
2. Is there any documentation about this scenario?

Hope I am making sense here. Thanks in advance!

Hello Herman,

thank you for your reply. We are currently in the process of deciding which vendor to go which is why we have limited professional support.

We were also having a long debate if the controller should be placed in City B (which contains our main data center and is the star in our star-formed network) or City A (which contains 90% of our wireless users) but so far I heard that it should be "ok" this way.

The main reason we decided for this architecture as the proof of concept is that we do have much smaller remote offices that should also be managed in a centralized fashion and with those, we cannot put an extra controller because they are so small.

Would you then say, that if possible, the controller should be where the APs are?

Running AP-controller connections over WAN/VPN is not supported.

The client VLAN and AP(management) VLAN should always be separated/different.

If you have a tunneled SSID, the AP should be able to build the tunnel to the controller. There is no need to be in the same VLAN, but you can route the traffic (L3 connected). This tunnel should run over LAN, or at least jumbo frames enabled, low latency, high bandwidth, and preferred no interfering devices like firewalls/security appliances.
The tunneled clients should be placed in a VLAN that's on the controller (not on the APs, not needed on intermediate devices that only carry the tunnel traffic). And in that VLAN you would need DHCP and a L3 (default gateway). In this unsupported scenario, that would be in City B, and probably a VLAN on the firewall 2.

This is standard (Aruba controller) architecture knowledge, and it may be good to work with your HPE Aruba Networking partner to get to an optimal design.

Hello,

I currently am doing a proof of concept of Aruba APs with a virtual mobility controller. The network roughly looks like this:

Obviously I don't want the Clients to be in the same network as the APs. DHCP in the City A network is being provided by Firewall 1. 

What I think I need to do is:

• Create a new VLAN and network on all switch-ports that already have VLAN 121
• Create a new DHCP pool on firewall 1 and assign the new VLAN to it

What I don't know:

1. How does the controller need to "know" this new VLAN? Since there are two firewalls between the switches where the VLAN resides, the controller will never come into contact with it
2. Is there any documentation about this scenario?

Hope I am making sense here. Thanks in advance!

Controllers should indeed be local, and are designed for campus deployment; connected with high-bandwidth, low latency, large MTU connections (let's call it: LAN to make things simple).

I know there are people running APs over WAN, which if that WAN is 'darkfiber' could be considered LAN, but as TAC has seen many issues with it, it's officially unsupported. The more it looks like LAN, the better chances that it will work, but even if it works, it's not officially supported.

Hello Herman,

thank you for your reply. We are currently in the process of deciding which vendor to go which is why we have limited professional support.

We were also having a long debate if the controller should be placed in City B (which contains our main data center and is the star in our star-formed network) or City A (which contains 90% of our wireless users) but so far I heard that it should be "ok" this way.

The main reason we decided for this architecture as the proof of concept is that we do have much smaller remote offices that should also be managed in a centralized fashion and with those, we cannot put an extra controller because they are so small.

Would you then say, that if possible, the controller should be where the APs are?

Running AP-controller connections over WAN/VPN is not supported.

The client VLAN and AP(management) VLAN should always be separated/different.

If you have a tunneled SSID, the AP should be able to build the tunnel to the controller. There is no need to be in the same VLAN, but you can route the traffic (L3 connected). This tunnel should run over LAN, or at least jumbo frames enabled, low latency, high bandwidth, and preferred no interfering devices like firewalls/security appliances.
The tunneled clients should be placed in a VLAN that's on the controller (not on the APs, not needed on intermediate devices that only carry the tunnel traffic). And in that VLAN you would need DHCP and a L3 (default gateway). In this unsupported scenario, that would be in City B, and probably a VLAN on the firewall 2.

This is standard (Aruba controller) architecture knowledge, and it may be good to work with your HPE Aruba Networking partner to get to an optimal design.

Hello,

I currently am doing a proof of concept of Aruba APs with a virtual mobility controller. The network roughly looks like this:

Obviously I don't want the Clients to be in the same network as the APs. DHCP in the City A network is being provided by Firewall 1. 

What I think I need to do is:

• Create a new VLAN and network on all switch-ports that already have VLAN 121
• Create a new DHCP pool on firewall 1 and assign the new VLAN to it

What I don't know:

1. How does the controller need to "know" this new VLAN? Since there are two firewalls between the switches where the VLAN resides, the controller will never come into contact with it
2. Is there any documentation about this scenario?

Hope I am making sense here. Thanks in advance!

Hello Herman,

thank you for your replies. 

Do you know where I can find this "officially unsupported" statement? I'm not doubting you, it would just be nice to find the part in the official documentation or installation guide.

Thank you again.

Controllers should indeed be local, and are designed for campus deployment; connected with high-bandwidth, low latency, large MTU connections (let's call it: LAN to make things simple).

I know there are people running APs over WAN, which if that WAN is 'darkfiber' could be considered LAN, but as TAC has seen many issues with it, it's officially unsupported. The more it looks like LAN, the better chances that it will work, but even if it works, it's not officially supported.

Hello Herman,

thank you for your reply. We are currently in the process of deciding which vendor to go which is why we have limited professional support.

We were also having a long debate if the controller should be placed in City B (which contains our main data center and is the star in our star-formed network) or City A (which contains 90% of our wireless users) but so far I heard that it should be "ok" this way.

The main reason we decided for this architecture as the proof of concept is that we do have much smaller remote offices that should also be managed in a centralized fashion and with those, we cannot put an extra controller because they are so small.

Would you then say, that if possible, the controller should be where the APs are?

Running AP-controller connections over WAN/VPN is not supported.

The client VLAN and AP(management) VLAN should always be separated/different.

If you have a tunneled SSID, the AP should be able to build the tunnel to the controller. There is no need to be in the same VLAN, but you can route the traffic (L3 connected). This tunnel should run over LAN, or at least jumbo frames enabled, low latency, high bandwidth, and preferred no interfering devices like firewalls/security appliances.
The tunneled clients should be placed in a VLAN that's on the controller (not on the APs, not needed on intermediate devices that only carry the tunnel traffic). And in that VLAN you would need DHCP and a L3 (default gateway). In this unsupported scenario, that would be in City B, and probably a VLAN on the firewall 2.

This is standard (Aruba controller) architecture knowledge, and it may be good to work with your HPE Aruba Networking partner to get to an optimal design.

Hello,

I currently am doing a proof of concept of Aruba APs with a virtual mobility controller. The network roughly looks like this:

Obviously I don't want the Clients to be in the same network as the APs. DHCP in the City A network is being provided by Firewall 1. 

What I think I need to do is:

• Create a new VLAN and network on all switch-ports that already have VLAN 121
• Create a new DHCP pool on firewall 1 and assign the new VLAN to it

What I don't know:

1. How does the controller need to "know" this new VLAN? Since there are two firewalls between the switches where the VLAN resides, the controller will never come into contact with it
2. Is there any documentation about this scenario?

Hope I am making sense here. Thanks in advance!

Hello Herman,

thank you for your reply. We are currently in the process of deciding which vendor to go which is why we have limited professional support.

We were also having a long debate if the controller should be placed in City B (which contains our main data center and is the star in our star-formed network) or City A (which contains 90% of our wireless users) but so far I heard that it should be "ok" this way.

The main reason we decided for this architecture as the proof of concept is that we do have much smaller remote offices that should also be managed in a centralized fashion and with those, we cannot put an extra controller because they are so small.

Would you then say, that if possible, the controller should be where the APs are?

Running AP-controller connections over WAN/VPN is not supported.

The client VLAN and AP(management) VLAN should always be separated/different.

If you have a tunneled SSID, the AP should be able to build the tunnel to the controller. There is no need to be in the same VLAN, but you can route the traffic (L3 connected). This tunnel should run over LAN, or at least jumbo frames enabled, low latency, high bandwidth, and preferred no interfering devices like firewalls/security appliances.
The tunneled clients should be placed in a VLAN that's on the controller (not on the APs, not needed on intermediate devices that only carry the tunnel traffic). And in that VLAN you would need DHCP and a L3 (default gateway). In this unsupported scenario, that would be in City B, and probably a VLAN on the firewall 2.

This is standard (Aruba controller) architecture knowledge, and it may be good to work with your HPE Aruba Networking partner to get to an optimal design.

Hello,

I currently am doing a proof of concept of Aruba APs with a virtual mobility controller. The network roughly looks like this:

Obviously I don't want the Clients to be in the same network as the APs. DHCP in the City A network is being provided by Firewall 1. 

What I think I need to do is:

• Create a new VLAN and network on all switch-ports that already have VLAN 121
• Create a new DHCP pool on firewall 1 and assign the new VLAN to it

What I don't know:

1. How does the controller need to "know" this new VLAN? Since there are two firewalls between the switches where the VLAN resides, the controller will never come into contact with it
2. Is there any documentation about this scenario?

Hope I am making sense here. Thanks in advance!

Is there a particular reason you're looking at AOS 8 rather than AOS 10?

Hello Herman,

thank you for your reply. We are currently in the process of deciding which vendor to go which is why we have limited professional support.

We were also having a long debate if the controller should be placed in City B (which contains our main data center and is the star in our star-formed network) or City A (which contains 90% of our wireless users) but so far I heard that it should be "ok" this way.

The main reason we decided for this architecture as the proof of concept is that we do have much smaller remote offices that should also be managed in a centralized fashion and with those, we cannot put an extra controller because they are so small.

Would you then say, that if possible, the controller should be where the APs are?

Running AP-controller connections over WAN/VPN is not supported.

The client VLAN and AP(management) VLAN should always be separated/different.

If you have a tunneled SSID, the AP should be able to build the tunnel to the controller. There is no need to be in the same VLAN, but you can route the traffic (L3 connected). This tunnel should run over LAN, or at least jumbo frames enabled, low latency, high bandwidth, and preferred no interfering devices like firewalls/security appliances.
The tunneled clients should be placed in a VLAN that's on the controller (not on the APs, not needed on intermediate devices that only carry the tunnel traffic). And in that VLAN you would need DHCP and a L3 (default gateway). In this unsupported scenario, that would be in City B, and probably a VLAN on the firewall 2.

This is standard (Aruba controller) architecture knowledge, and it may be good to work with your HPE Aruba Networking partner to get to an optimal design.

Hello,

I currently am doing a proof of concept of Aruba APs with a virtual mobility controller. The network roughly looks like this:

Obviously I don't want the Clients to be in the same network as the APs. DHCP in the City A network is being provided by Firewall 1. 

What I think I need to do is:

• Create a new VLAN and network on all switch-ports that already have VLAN 121
• Create a new DHCP pool on firewall 1 and assign the new VLAN to it

What I don't know:

1. How does the controller need to "know" this new VLAN? Since there are two firewalls between the switches where the VLAN resides, the controller will never come into contact with it
2. Is there any documentation about this scenario?

Hope I am making sense here. Thanks in advance!