Build up a redundant Aruba wireless infrastructure

Currently I’m evaluating the Aruba controller and access points as a new product in my company. My goal was a highly available system with two wireless controllers and two access points. I created a Visio graphic for this; it also contains the IP addresses of our laboratory:

I’m using two Aruba 7008 RW (Rest of the World) mobility controllers and two Aruba IAP-205H desktop access points. My laboratory environment is 10.192.226.0/23. The DHCP service is provided by the router (Sophos UTM):

As the first step I configured the mobility controller via CLI (if you misconfigure something, you can reset the controller with “write erase all”). These are the CLI commands for “arubaWLC2”:

Auto-provisioning is in progress. Choose one of the following options to override or debug…
‘enable-debug’ : Enable auto-provisioning debug logs
‘disable-debug’ : Disable auto-provisioning debug logs
‘mini-setup’ : Stop auto-provisioning and start mini setup dialog for branch role
‘full-setup’ : Stop auto-provisioning and start full setup dialog for any role

Enter Option (partial string is acceptable): full-setup

Are you sure that you want to stop auto-provisioning and start full setup dialog? (yes/no): yes
Reading configuration from factory-default.cfg

***************** Welcome to the Aruba7008 setup dialog *****************
This dialog will help you to set the basic configuration for the switch.
These settings, except for the Country Code, can later be changed from the
Command Line Interface or Graphical User Interface.
Commands: <Enter> Submit input or use [default value], <ctrl-I> Help
<ctrl-B> Back, <ctrl-F> Forward, <ctrl-A> Line begin, <ctrl-E> Line end
<ctrl-D> Delete, <BackSpace> Delete back, <ctrl-K> Delete to end of line
<ctrl-P> Previous question <ctrl-X> Restart beginning
Enter System name [Aruba7008]: arubaWLC2
Enter Switch Role (master|local|standalone|branch) [master]: master
Enter VLAN 1 interface IP address [172.16.0.254]: 10.192.226.62
Enter VLAN 1 interface subnet mask [255.255.255.0]: 255.255.254.0
Enter IP Default gateway [none]: 10.192.226.1
Do you wish to configure IPV6 address on vlan 1 (yes|no) [yes]: no
Enter Country code (ISO-3166), <ctrl-I> for supported list: DE
You have chosen Country code DE for Germany (yes|no)?: yes
Enter Time Zone [PST-8:0]: PS2:0
Enter Time in UTC [14:52:46]:
Enter Date (MM/DD/YYYY) [1/11/2017]:
Enter Password for admin login (up to 32 chars): *******
Re-type Password for admin login: *******
Enter Password for enable mode (up to 15 chars): *******
Re-type Password for enable mode: *******
Do you wish to shutdown all the ports (yes|no)? [no]:

Current choices are:

System name: arubaWLC2
Switch Role: master
VLAN 1 interface IP address: 10.192.226.62
VLAN 1 interface subnet mask: 255.255.254.0
IP Default gateway: 10.192.226.1
Option to configure VLAN 1 interface IPV6 address: no
Country code: DE
Time Zone: PS2:0
Ports shutdown: no

If you accept the changes the switch will restart!
Type <ctrl-P> to go back and change answer for any question
Do you wish to accept the changes (yes|no)yes
Creating configuration… Done.

System will now restart!

After the restart you can access the web interface with your browser. Both controllers are in “master” state. I built a connection between “master-active” 10.192.226.61 and “master-standby” 10.192.226.62 and provided the cluster IP address 10.192.226.63 with the Virtual Router Redundancy Protocol (VRRP). Redundancy web configuration of arubaWLC1:

VRRP config:

Redundancy web configuration of arubaWLC2:

VRRP config:

Note: If you want to change the IP address of a running mobility controller, deactivate/delete the redundancy settings, change the IP address and reboot the system!

You can check the synchronization in the web GUI. Click on sync and wait a few seconds, refresh the page and look at the second line; it should be “succeeded”:

The installed licenses are also automatically “redundant” by this option:

To auto-allow factory-default APs I needed to enable “Auto Cert Provisioning”:

To configure a standard SSID with WPA2 and pre-shared-key, I used the wizard under “Configuration/Wizards/Campus WLAN”:

In the next steps I left everything at the default. The summarized commands are:

wlan virtual-ap "arubaTest-vap_prof"
wlan ssid-profile "arubaTest-ssid_prof"
aaa profile "arubaTest-aaa_prof"
wlan ht-ssid-profile "arubaTest-htssid_prof"
wlan ssid-profile "arubaTest-ssid_prof" ht-ssid-profile "arubaTest-htssid_prof"
wlan virtual-ap "arubaTest-vap_prof" ssid-profile "arubaTest-ssid_prof"
wlan virtual-ap "arubaTest-vap_prof" aaa-profile "arubaTest-aaa_prof"
aaa authentication dot1x "dot1x_prof-utb59"
wlan virtual-ap "arubaTest-vap_prof" allowed-band all
wlan ssid-profile "arubaTest-ssid_prof" a-basic-rates 12 24
wlan ssid-profile "arubaTest-ssid_prof" g-basic-rates 12 24
wlan ssid-profile "arubaTest-ssid_prof" g-tx-rates 12 24 36 48 54
wlan ssid-profile "arubaTest-ssid_prof" a-tx-rates 12 24 36 48 54
wlan ssid-profile "arubaTest-ssid_prof" a-beacon-rate 12
wlan ssid-profile "arubaTest-ssid_prof" g-beacon-rate 12
wlan virtual-ap "arubaTest-vap_prof" forward-mode "decrypt-tunnel"
aaa authentication dot1x "dot1x_prof-utb59"
aaa profile "arubaTest-aaa_prof" authentication-dot1x "dot1x_prof-utb59"
wlan ssid-profile "arubaTest-ssid_prof" wpa-passphrase "Geheim123!"
wlan ssid-profile "arubaTest-ssid_prof" opmode wpa2-psk-aes
wlan ssid-profile "arubaTest-ssid_prof" no weptxkey
wlan ssid-profile "arubaTest-ssid_prof" no wepkey1
wlan ssid-profile "arubaTest-ssid_prof" no wepkey2
wlan ssid-profile "arubaTest-ssid_prof" no wepkey3
wlan ssid-profile "arubaTest-ssid_prof" no wepkey4
aaa profile "arubaTest-aaa_prof" no initial-role
aaa profile "arubaTest-aaa_prof" initial-role "authenticated"
ap-group "default" virtual-ap "arubaTest-vap_prof"
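
An added example, not from the original post: a small Python check to run over the "wlan ssid-profile" lines of such a command list before pasting them into a controller. It accepts typographic quotes (which rendered web pages substitute for plain ones) and flags profiles that are not WPA2 with AES, still carry a WEP key, or have a pre-shared key shorter than MIN_PSK_LEN; that threshold and the legacy-ssid_prof profile with its values are assumptions constructed for illustration.

```python
import shlex

# Rendered web pages turn the CLI's plain double quote into these characters.
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})
MIN_PSK_LEN = 16  # assumed local policy; WPA2-PSK itself accepts 8 to 63 characters

# Constructed sample: three lines from the list above plus a hypothetical legacy profile.
SAMPLE = """
wlan ssid-profile “arubaTest-ssid_prof” wpa-passphrase “Geheim123!”
wlan ssid-profile “arubaTest-ssid_prof” opmode wpa2-psk-aes
wlan ssid-profile “arubaTest-ssid_prof” no wepkey1
wlan ssid-profile "legacy-ssid_prof" wepkey1 0123456789
wlan ssid-profile "legacy-ssid_prof" opmode opensystem
"""

def parse_ssid_profiles(config_text):
    """Return {profile_name: {setting: [args]}} built from 'wlan ssid-profile' lines."""
    profiles = {}
    for raw in config_text.splitlines():
        tokens = shlex.split(raw.translate(SMART_QUOTES))
        if tokens[:2] != ["wlan", "ssid-profile"] or len(tokens) < 3:
            continue  # blank line or a different command family
        settings = profiles.setdefault(tokens[2], {})
        rest = tokens[3:]
        if len(rest) > 1 and rest[0] == "no":
            settings.pop(rest[1], None)  # 'no wepkey1' clears an earlier wepkey1
        elif rest:
            settings[rest[0]] = rest[1:]
    return profiles

def audit(config_text):
    """Return a sorted list of (profile, finding) tuples."""
    findings = []
    for name, s in parse_ssid_profiles(config_text).items():
        opmode = (s.get("opmode") or ["<unset>"])[0]
        if not (opmode.startswith("wpa2") and opmode.endswith("aes")):
            findings.append((name, f"opmode {opmode} is not WPA2 with AES"))
        psk = (s.get("wpa-passphrase") or [""])[0]
        if "psk" in opmode and len(psk) < MIN_PSK_LEN:
            findings.append((name, f"passphrase has {len(psk)} characters, "
                                   f"policy minimum is {MIN_PSK_LEN}"))
        for key in sorted(k for k in s if k.startswith("wepkey")):
            findings.append((name, f"{key} is still set"))
    return sorted(findings)

if __name__ == "__main__":
    for profile, finding in audit(SAMPLE):
        print(f"{profile}: {finding}")
```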

IAPs (Instant Access Points) can create their own virtual controller. In most environments that is sufficient, but you need VLAN-capable switches everywhere you place an access point (plus configuration of VLAN trunks). A controller gives you many additional features; one of them is tunneling traffic from the access points to the controller, so all traffic is switched at the controller. Official documents say that you can use 120 IAPs in one virtual controller but I think 50-60 APs should be ok. To convert IAPs to controller-based access points, connect your APs to your DHCP network, open the web GUI and log in with the admin/admin credentials:

In the top menu you can click on Maintenance (German: “Wartung”) to migrate the access point to a mobility controller:

After about five minutes, you can see your access point under Configuration/Wireless/AP Installation. You can also create a new AP group; to move your APs to the new group, go to “Configuration/Wireless/AP Installation” and click on “Provision”:

I connected a client to the SSID “arubaTest” and could access the internet/network. My client was also visible at the controller dashboard:

 

This is only a basic configuration, but I think it is a good start for all of you. There are also deployment methods like redundant master mobility controllers with several redundant local controllers or branch controllers. Feel free to ask questions in the comment section!
