Configuring the Virtual AP Profile
The recommended method for creating a new configuration is through the new wizard, although advanced users may also configure a Virtual AP profile manually.
Manually Configuring the Virtual AP Profile
The following procedure describes how to configure a Virtual AP profile.
1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.
2. From the All Profiles list, select Wireless LAN > Virtual AP.
3. To edit an existing Virtual AP profile, select the Virtual AP profile you want to edit. To create a new Virtual AP profile, click + and enter a name for the new Virtual AP profile in the Profile name field.
The Virtual AP profile settings are divided into four sections, General, RF, Advanced, and Broadcast/Multicast.
4. Configure your Virtual AP settings. The profile parameters in each section are described in Virtual AP Profile Parameters.
5. Click Submit.
6. Click Pending Changes.
7. In the Pending Changes window, select the check box and click Deploy Changes.
Table 1: Virtual AP Profile Parameters

General

Virtual AP enable
Select the Virtual AP enable check box to enable or disable the virtual AP.

VLAN
The VLAN(s) into which users are placed in order to obtain an IP address.
NOTE: You must add an existing VLAN ID to the Virtual AP profile.

Forward mode
This parameter controls whether data is tunneled to the managed device using GRE, bridged into the local LAN (for remote APs), or a combination thereof depending on the destination (corporate traffic goes to the managed device, and Internet access remains local). All forwarding modes support band steering, TSPEC/TCLAS enforcement, and station blacklisting.
Click the drop-down list to select one of the following forward modes:
Tunnel: The AP handles all 802.11 association requests and responses, but sends all data packets, action frames and EAPOL frames over a GRE tunnel to the managed device for processing. The managed device removes or adds the GRE headers, decrypts or encrypts 802.11 frames and applies firewall rules to the user traffic as usual. Both remote and campus APs can be configured in tunnel mode.
Bridge: 802.11 frames are bridged into the local LAN. When a remote AP or campus AP is in bridge mode, the AP (and not the managed device) handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.
An AP in bridge mode does not support captive portal authentication. Both remote and campus APs can be configured in bridge mode. Note that you must enable the control plane security feature on the managed device before you configure campus APs in bridge mode.
NOTE: In bridge mode, wired or wireless clients that have the same IP address as the remote AP's local DHCP server cannot communicate with other devices, even if the AP is deployed as a campus AP. If you want to use the remote AP's default IP address as a client IP address, you need to change the remote AP's DHCP server IP address to a different IP address. To change the remote AP's DHCP server IP address, see Enabling Remote AP Advanced Configuration Options.
Split-Tunnel: 802.11 frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the managed device, and Internet access remains local).
A remote AP in split-tunnel forwarding mode handles all 802.11 association requests and responses, encryption/decryption, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the remote AP, which then sends out responses as needed.
Decrypt-Tunnel: Both remote and campus APs can be configured in decrypt-tunnel mode. When an AP uses decrypt-tunnel forwarding mode, that AP decrypts and decapsulates all frames from a client and sends the 802.3 frames through the GRE tunnel to the managed device, which then applies firewall policies to the user traffic.
When the managed device sends traffic to a client, the managed device sends 802.3 traffic through the GRE tunnel to the AP, which then converts it to encrypted 802.11 and forwards it to the client. This forwarding mode allows a network to utilize the encryption/decryption capacity of the AP while reducing the demand for processing resources on the managed device.
APs in decrypt-tunnel forwarding mode also manage all 802.11 association requests and responses, and process all 802.11e and 802.11k action frames. APs using decrypt-tunnel mode do have some limitations that are not present for APs in regular tunnel forwarding mode.
You must enable the control plane security feature on the managed device before you configure campus APs in decrypt-tunnel forward mode.
NOTE: Virtual APs in bridge or split-tunnel mode using static WEP should use key slots 2-4 on the managed device. Key slot 1 should only be used with Virtual APs in tunnel mode.

RF

Allowed band
The band(s) on which to use the virtual AP:
g—802.11b/g only (2.4 GHz).
a—802.11a only (5 GHz).
all—both 802.11a and 802.11b/g (5 and 2.4 GHz). This is the default setting.

Band Steering
The band steering feature encourages dual-band capable clients to stay on the 5 GHz band on dual-band APs. This frees up resources on the 2.4 GHz band for single-band clients like VoIP phones.
Band steering reduces co-channel interference and increases available bandwidth for dual-band clients, because there are more channels on the 5 GHz band than on the 2.4 GHz band. Dual-band 802.11n-capable clients may see even greater bandwidth improvements, because the band steering feature will automatically select between 40 MHz or 20 MHz channels in 802.11n networks. This feature is disabled by default, and must be enabled in a Virtual AP profile.
The band steering feature supports both campus APs and remote APs that have a virtual AP profile set to tunnel, split-tunnel or bridge forwarding mode. Note, however, that if a campus AP or remote AP has virtual AP profiles configured in bridge or split-tunnel forwarding mode but no virtual AP in tunnel mode, those APs will gather information about 5 GHz-capable clients independently and will not exchange this information with other APs that also have bridge or split-tunnel virtual APs only.

Steering Mode
Band steering supports the following three steering modes.
Balance-bands: In this steering mode, the AP tries to balance the clients across the two radios in order to best utilize the available 2.4 GHz bandwidth. This feature takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate in 40 MHz while the 2.4 GHz band operates in 20 MHz.
Prefer-5GHz (default): If you configure the AP to use prefer-5GHz steering mode, the AP will try to steer the client to 5 GHz (if the client is 5 GHz capable) but will let the client connect on the 2.4 GHz band if the client persists in 2.4 GHz association attempts.
Force-5GHz: When the AP is configured in force-5GHz steering mode, the AP will try to force 5 GHz-capable clients to use that radio band.

Advanced

Cellular handoff assist
When both the ClientMatch and the cellular handoff assist features are enabled, the cellular handoff assist feature can help a dual-mode, cellular-capable device such as an iPhone, iPad or Android client at the edge of the Wi-Fi network switch from Wi-Fi to an alternate cellular radio that provides better network access. This feature is supported by iOS and Android devices only.

Authentication Failure Blacklist Time
Time, in seconds, a client is blocked if it fails repeated authentication. The default setting is 3600 seconds (1 hour). A value of 0 blocks the client indefinitely.

Blacklist Time
Number of seconds that a client is quarantined from the network after being blacklisted.
Default: 3600 seconds (1 hour)

Deny inter user traffic
Select this check box to deny traffic between the clients using this virtual AP profile.
The global firewall settings shown in the Configuration > Advanced Services > Stateful Firewall > Global window also include an option to deny all inter-user traffic, regardless of the Virtual AP profile used by those clients.
If the global setting to deny inter-user traffic is enabled, all inter-user traffic between clients will be denied, regardless of the settings configured in the virtual AP profiles. If the setting to deny inter-user traffic is disabled globally but enabled on an individual virtual AP, only the traffic between un-trusted users and the clients on that particular virtual AP will be blocked.
NOTE: This field is not applicable across controllers even when they are in the same cluster.

Deny time range
Click the drop-down list and select a configured time range for which the AP will deny access. If you have not yet configured a time range, navigate to Configuration > Security > Access Control > Time Ranges to define a time range before configuring this setting in the Virtual AP profile.

DoS Prevention
If enabled, APs ignore de-authentication frames from clients. This prevents a successful de-authentication attack from being carried out against the AP. This does not affect third-party APs.
Default: Disabled

HA Discovery on-association
If enabled, home agent discovery is triggered on client association instead of home agent discovery based on traffic from the client. Mobility on association can speed up roaming and improve connectivity for clients that do not send many uplink packets to trigger mobility (such as voice clients). Best practice is to disable this parameter, as it increases IP mobility control traffic between managed devices in the same mobility domain. Enable this parameter only when voice issues are observed in clients.
Default: Disabled
NOTE: The ha-disc-onassoc parameter works only when IP mobility is enabled and configured on the managed device. For more information about this parameter, see Home Agent Discovery on Association.

Mobile IP
Enables or disables IP mobility for this virtual AP.
Default: Enabled

Preserve Client VLAN
If you select this check box, clients retain their previous VLAN assignment if the client disassociates from an AP and then immediately re-associates, either with the same AP or with another AP on the same managed device.

Remote-AP Operation
Configures when the virtual AP operates on a remote AP:
standard (default)—Enables the virtual AP when the remote AP connects to the managed device. This option can be used for any (bridge/split-tunnel/tunnel/d-tunnel) virtual APs.
persistent—Permanently enables the virtual AP after the remote AP initially connects to the managed device (Bridge Mode only). This option can be used for any (Open/PSK/802.1X) bridge VAPs.
backup—Enables the virtual AP if the remote AP cannot connect to the managed device (Bridge Mode only). This option can be used for non-802.1X bridge VAPs.
always—Permanently enables the virtual AP (Bridge Mode only). This option can be used for non-802.1X bridge VAPs.

Station Blacklisting
Select this check box to enable detection of attacks, such as ping or SYN floods, that are not spoofed de-authentication attacks.
Default: Enabled

Strict Compliance
If enabled, the AP denies client association requests if the AP and client station have no common rates defined. Some legacy client stations which are not fully 802.11-compliant may not include their configured rates in their association requests. Such non-compliant stations may have difficulty associating with APs unless strict compliance is disabled.
Default: Disabled

VLAN Mobility
Enable or disable VLAN (Layer-2) mobility.
Default: Disabled

WAN operation mode
This feature works in conjunction with the Health Check Manager and Uplink Manager. When all uplinks are down, the uplink manager makes the needed changes based on configuration and pushes these changes to APs.
If the operation mode is set to primary, the VAP will be disabled.
If the operation mode is set to backup, the VAP will be enabled.
If the operation mode is set to always, the VAP will not change.

FDB Update on Assoc
This parameter enables seamless failover for silent clients, allowing them to re-associate. If you select this option, the controller will generate a Layer 2 update on behalf of the client to update forwarding tables in bridge devices.
Default: Disabled

Broadcast/Multicast

Dynamic Multicast Optimization (DMO)
Enable/Disable dynamic multicast optimization. This parameter is disabled by default, and cannot be enabled without the required license.

Dynamic Multicast Optimization (DMO) Threshold
Maximum number of high-throughput stations in a multicast group beyond which dynamic multicast optimization stops.
Range: 2-255 stations
Default: 6 stations

Drop Broadcast and Multicast
Select the Drop Broadcast and Multicast check box to filter out broadcast and multicast traffic in the air.
Do not enable this option for virtual APs configured in bridge forwarding mode. This configuration parameter is only intended for use with virtual APs in tunnel mode. In tunnel mode, all packets travel to the controller, so the controller is able to drop all broadcast traffic. When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the controller is not able to filter out that broadcast traffic.
IMPORTANT: If you enable this option, you must also enable the Convert Broadcast ARP requests to unicast parameter on the virtual AP profile to prevent ARP requests from being dropped.

Convert Broadcast ARP requests to unicast
If enabled, all broadcast ARP requests are converted to unicast and sent directly to the client. You can check the status of this option using the show ap active and the show datapath tunnel commands. If enabled, the output will display the letter a in the flags column.
This configuration parameter is only intended for use with virtual APs in tunnel mode. In tunnel mode, all packets travel to the controller, so the controller is able to convert ARP requests directed to the broadcast address into unicast.
When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the controller is not able to convert that broadcast traffic.
This parameter is enabled by default. Behaviors associated with these settings are enabled upon upgrade to ArubaOS 6.1.3.2. If your controller supports clients behind a wireless bridge or virtual clients on VMware devices, you must disable this setting to allow those clients to obtain an IP address. In previous releases of ArubaOS, the virtual AP profile included two separate broadcast filter parameters: the drop broadcast and multicast parameter, which filtered out all broadcast and multicast traffic in the air except DHCP response frames (these were converted to unicast frames and sent to the corresponding client), and the convert Broadcast ARP requests to unicast parameter, which converted broadcast ARP requests to unicast messages sent directly to the client.
The Convert Broadcast ARP requests to unicast setting includes the additional functionality of the broadcast-filter all parameter, where DHCP response frames are sent as unicast to the corresponding client. This can impact DHCP discover/request packets for clients behind a wireless bridge and virtual clients on VMware devices. Disable this option to resolve this issue and allow clients behind a wireless bridge or VMware devices to receive an IP address.
Default: Enabled
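The constraints in Table 1 are easy to violate when a profile is edited by hand: a bridge-mode VAP with Drop Broadcast and Multicast enabled, a backup remote-AP operation on an 802.1X SSID, a DMO threshold outside 2-255, or a static WEP key in slot 1 on a split-tunnel VAP. The following script, an added example that is not part of the Aruba documentation, audits a profile against those rules and also models how the global deny-inter-user-traffic setting overrides the per-VAP one. The VirtualAP dataclass, its field names, audit_vap() and inter_user_traffic_denied() are hypothetical names chosen for this illustration and do not mirror the ArubaOS CLI or configuration schema; the sample profiles are constructed.

```python
"""Audit a Virtual AP profile against the constraints stated in Table 1.

Added example, not Aruba code: the dataclass, its field names and the
function names are assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

FORWARD_MODES = {"tunnel", "bridge", "split-tunnel", "decrypt-tunnel"}
ALLOWED_BANDS = {"g", "a", "all"}
STEERING_MODES = {"balance-bands", "prefer-5ghz", "force-5ghz"}
RAP_OPERATIONS = {"standard", "persistent", "backup", "always"}


@dataclass
class VirtualAP:
    name: str
    vlan: int
    forward_mode: str = "tunnel"
    allowed_band: str = "all"
    band_steering: bool = False
    steering_mode: str = "prefer-5ghz"
    remote_ap_operation: str = "standard"
    uses_dot1x: bool = False               # assumption: the SSID uses 802.1X
    static_wep_key_slot: Optional[int] = None
    dmo: bool = False
    dmo_threshold: int = 6
    drop_broadcast_multicast: bool = False
    convert_broadcast_arp: bool = True
    deny_inter_user_traffic: bool = False


def audit_vap(vap: VirtualAP, existing_vlans: Set[int]) -> List[str]:
    """Return the findings for one profile; an empty list means it passes."""
    findings: List[str] = []

    # The profile must reference a VLAN ID that already exists.
    if vap.vlan not in existing_vlans:
        findings.append(f"VLAN {vap.vlan} does not exist on the managed device")

    # Enumerated settings must hold one of the documented values.
    if vap.forward_mode not in FORWARD_MODES:
        findings.append(f"unknown forward mode {vap.forward_mode!r}")
    if vap.allowed_band not in ALLOWED_BANDS:
        findings.append(f"unknown allowed band {vap.allowed_band!r}")
    if vap.band_steering and vap.steering_mode not in STEERING_MODES:
        findings.append(f"unknown steering mode {vap.steering_mode!r}")
    if vap.remote_ap_operation not in RAP_OPERATIONS:
        findings.append(f"unknown remote-AP operation {vap.remote_ap_operation!r}")

    # Static WEP: key slot 1 is for tunnel mode only; bridge and split-tunnel
    # VAPs should use slots 2-4.
    if vap.static_wep_key_slot is not None:
        if vap.static_wep_key_slot == 1 and vap.forward_mode != "tunnel":
            findings.append("key slot 1 should only be used with tunnel-mode VAPs")
        elif (vap.forward_mode in {"bridge", "split-tunnel"}
              and vap.static_wep_key_slot not in {2, 3, 4}):
            findings.append("bridge/split-tunnel VAPs with static WEP should use key slots 2-4")

    # Remote-AP operation: anything other than standard is bridge mode only,
    # and backup/always are for non-802.1X bridge VAPs.
    if vap.remote_ap_operation != "standard" and vap.forward_mode != "bridge":
        findings.append(f"remote-AP operation {vap.remote_ap_operation!r} requires bridge mode")
    if vap.remote_ap_operation in {"backup", "always"} and vap.uses_dot1x:
        findings.append(f"remote-AP operation {vap.remote_ap_operation!r} is for non-802.1X bridge VAPs")

    # DMO threshold must stay within the documented range.
    if vap.dmo and not 2 <= vap.dmo_threshold <= 255:
        findings.append(f"DMO threshold {vap.dmo_threshold} is outside the range 2-255")

    # Drop Broadcast and Multicast is for tunnel mode and needs ARP conversion.
    if vap.drop_broadcast_multicast:
        if vap.forward_mode == "bridge":
            findings.append("Drop Broadcast and Multicast must not be enabled in bridge mode")
        if not vap.convert_broadcast_arp:
            findings.append("Drop Broadcast and Multicast requires Convert Broadcast ARP requests to unicast")
    return findings


def inter_user_traffic_denied(global_deny: bool, vap: VirtualAP) -> bool:
    """The global stateful-firewall setting overrides the per-VAP check box."""
    return True if global_deny else vap.deny_inter_user_traffic


if __name__ == "__main__":
    # Constructed sample: a bridge-mode guest VAP with several misconfigurations.
    guest = VirtualAP("guest", vlan=99, forward_mode="bridge",
                      remote_ap_operation="backup", uses_dot1x=True,
                      static_wep_key_slot=1, dmo=True, dmo_threshold=1,
                      drop_broadcast_multicast=True, convert_broadcast_arp=False)
    for finding in audit_vap(guest, existing_vlans={10, 20}):
        print("-", finding)
```

Run it as a pre-deployment check over every profile that is about to be pushed through Pending Changes; each finding maps back to one row of the table above, so the fix is the row's own guidance.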
A Virtual AP profile directly references one of each of the following profile types:
AAA
802.11k
AnySpot
Hotspot 2.0
SSID
WMM Traffic Management
The following procedure describes how to change the profiles associated to a Virtual AP profile.
1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.
2. From the All Profiles list, select Wireless LAN > Virtual AP.
3. Select the Virtual AP profile you want to edit. The All Profiles window displays the list of associated profiles for that Virtual AP.
4. Select any of the associated profiles in the list.
5. A drop-down list appears at the top of the right window pane which allows you to select another profile for that type.
6. Click Submit.
7. Click Pending Changes.
8. In the Pending Changes window, select the check box and click Deploy Changes.
Figure 1 Associating Profiles to a Virtual AP
The following commands configure a Virtual AP profile.
(host)[node](config) #wlan virtual-ap <profile>
(host)[node] (Virtual AP profile "profile")aaa-profile <profile>
(host)[node] (Virtual AP profile "profile")anyspot-profile <profile>
(host)[node] (Virtual AP profile "profile")dot11k-profile <profile>
(host)[node] (Virtual AP profile "profile")hs2-profile <profile>
(host)[node] (Virtual AP profile "profile")ssid-profile <profile>
(host)[node] (Virtual AP profile "profile")wmm-traffic-management-profile <profile>
Modifying Profiles and Parameters Associated with AP Groups
The following procedure describes how to modify profiles and parameters associated with AP groups:
1. In the Managed Network node hierarchy, navigate to the Configuration > AP Groups page.
2. Select an AP group in the AP Groups table and click on the Profiles tab.
3. Select a profile under Profiles for Group <AP Group>.
4. Click <NAME> profile drop-down list and select a profile.
5. Make the necessary changes to the profile and click Submit.
6. Click Pending Changes.
7. In the Pending Changes window, select the check box and click Deploy Changes.
Selective Multicast Streams
The selective multicast group is based only on the packets learned through the Internet Group Management Protocol (IGMP).
When the Drop Broadcast and Multicast setting is enabled in the virtual AP profile, the managed device allows multicast packets to be forwarded only if the following conditions are met:
packets originating from the wired side have a destination address in the range 225.0.0.0 - 239.255.255.255
a station has subscribed to the multicast group.
If the DMO setting is enabled in the virtual AP profile, the packets are sent with a unicast header.
When IGMP snooping/proxy is disabled, the managed device is not aware of the IGMP membership and drops the multicast flow.
If AirGroup is enabled, mDNS and SSDP packets are sent to the AirGroup application. The common address for mDNS is 224.0.0.251 and for SSDP is 239.255.255.250.
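The forwarding decision described above can be written out as a small classifier, which makes the edge cases visible: mDNS at 224.0.0.251 falls below the 225.0.0.0 floor and is dropped unless AirGroup claims it, a group with no IGMP subscriber is dropped even though it is in range, and disabling IGMP snooping drops everything. This is an added example, not Aruba code; it models only the case where Drop Broadcast and Multicast is enabled, and the function name, its keyword arguments and the IGMP membership table are assumptions made for the illustration.

```python
"""Model the selective multicast decision made by the managed device when the
Drop Broadcast and Multicast setting is enabled on the virtual AP profile.

Added example, not Aruba code: classify_multicast(), its arguments and the
membership table are hypothetical constructs for this illustration.
"""
import ipaddress
from typing import Dict, Set

# Range from which wired-side multicast is eligible for forwarding.
SELECTIVE_LOW = ipaddress.IPv4Address("225.0.0.0")
SELECTIVE_HIGH = ipaddress.IPv4Address("239.255.255.255")

# Well-known discovery addresses handed to AirGroup when it is enabled.
MDNS_ADDR = ipaddress.IPv4Address("224.0.0.251")
SSDP_ADDR = ipaddress.IPv4Address("239.255.255.250")


def classify_multicast(dst: str,
                       igmp_members: Dict[str, Set[str]],
                       *,
                       igmp_snooping: bool = True,
                       dmo: bool = False,
                       airgroup: bool = False) -> str:
    """Return 'airgroup', 'forward', 'forward-unicast' or 'drop'.

    dst           -- destination IPv4 address of a packet from the wired side
    igmp_members  -- group address (string) -> set of station MACs learned via IGMP
    igmp_snooping -- whether IGMP snooping/proxy is enabled on the managed device
    dmo           -- whether Dynamic Multicast Optimization is enabled on the VAP
    airgroup      -- whether AirGroup is enabled
    """
    addr = ipaddress.IPv4Address(dst)

    # AirGroup consumes mDNS and SSDP before the selective multicast rules apply.
    if airgroup and addr in (MDNS_ADDR, SSDP_ADDR):
        return "airgroup"

    # Without snooping the device never learns a membership, so the flow is dropped.
    if not igmp_snooping:
        return "drop"

    # Condition 1: destination must be inside the selective multicast range.
    if not SELECTIVE_LOW <= addr <= SELECTIVE_HIGH:
        return "drop"

    # Condition 2: at least one station must have joined the group via IGMP.
    if not igmp_members.get(str(addr)):
        return "drop"

    # Both conditions met: DMO rewrites the frame with a unicast header.
    return "forward-unicast" if dmo else "forward"


if __name__ == "__main__":
    # Constructed membership table: one station joined 239.1.1.1 via IGMP.
    members = {"239.1.1.1": {"aa:bb:cc:dd:ee:01"}}
    for dst in ("239.1.1.1", "239.1.1.2", "224.0.0.251", "239.255.255.250"):
        print(dst, "->", classify_multicast(dst, members, airgroup=True))
```

The useful check for an operator is the pair of mDNS results: with AirGroup off the same 224.0.0.251 packet is dropped, which is the behaviour to expect when service discovery stops working after Drop Broadcast and Multicast is turned on.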
Changing a Virtual AP Forwarding Mode
When you change the forwarding mode for a Virtual AP actively serving clients, the user table will NOT reflect accurate client information unless the entries for those users are manually cleared. Use the following procedure to change the forwarding mode on a Virtual AP serving wired or wireless clients.
Changing the Forwarding Mode for Wired Users
To change the forwarding mode for wired users connected to the wired port on an AP:
1. Disable the port by issuing the command ap wired-port-profile <ap-wired-port-profile> shutdown. This will disconnect any wired clients using that port.
2. Issue the command aaa user delete {<ipaddr>|all|mac <macaddr>|name <username>|role <role>} to remove from the user table the wired users associated with AP wired ports using the <ap-wired-port-profile>.
3. Issue the command ap wired-ap-profile <profile> forward-mode <mode>, where <mode> is the new forwarding mode for the wired port.
4. Re-enable the port using the command ap wired-port-profile <ap-wired-port-profile> no shutdown.
Changing the Forwarding Mode for Wireless Users
To change the forwarding mode for wireless users associated with an AP radio:
1. Issue the command ap-name <group> no virtual-ap <vap-profile> or ap-group <group> no virtual-ap <vap-profile> to disassociate the AP or group of APs from the virtual AP profile.
2. Issue the command aaa user delete {<ipaddr>|all|mac <macaddr>|name <username>|role <role>} to remove from the user table the users associated to the virtual-ap specified in the previous step.
3. Issue the command wlan virtual-ap <vap-profile> forward-mode <mode>, where <mode> is the new forwarding mode for the virtual AP.
4. Issue the command ap-name <group> virtual-ap <vap-profile> or ap-group <group> virtual-ap <vap-profile> to reassociate the AP or group of APs with the virtual AP profile.