The controller operates as a layer-2 switch that uses a VLAN as a broadcast domain. As a layer-2 switch, the controller requires an external router to route traffic between VLANs. The controller can also operate as a layer-3 switch that can route traffic between VLANs defined on the controller.
You can configure one or more physical ports on the controller to be members of a VLAN. Additionally, each wireless client association constitutes a connection to a virtual port on the controller, with membership in a specified VLAN. You can place all authenticated wireless users into a single VLAN or into different VLANs, depending upon your network. VLANs can exist only inside the controller or they can extend outside the controller through 802.1q VLAN tagging.
You can optionally configure an IP address and netmask for a VLAN on the controller. The IP address is up when at least one physical port in the VLAN is up. The VLAN IP address can be used as a gateway by external devices; packets directed to a VLAN IP address that are not destined for the controller are forwarded according to the controller’s IP routing table.
You can create and update a single VLAN or bulk VLANs.
1. Navigate to the page.
2. Click to create a new VLAN. (To edit an existing VLAN click for the VLAN entry.) See Creating Bulk VLANs In the WebUI to create a range of VLANs.
3. In the field, enter a valid VLAN ID. (Valid values are from 1 to 4094, inclusive.)
4. To add physical ports to the VLAN, select . To associate the VLAN with specific port-channels, select .
5. (Optional) Click the drop-down list to assign an AAA profile to a VLAN. This wired AAA profile enables role-based access for wired clients connected to an untrusted VLAN or port on the controller.
Note that this profile will only take effect if the VLAN or port on the controller is untrusted. If you do not assign a wired AAA profile to the VLAN, the global wired AAA profile applies to traffic from untrusted wired ports.
6. If you selected in step 4, select the ports you want to associate with the VLAN from the window.
-or-
If you selected in step 4, click the drop-down list, select the specific channel number you want to associate with the VLAN, then select the ports from the window.
7. Click .
(host) (config) #vlan <id>
(host) (config) #interface fastethernet|gigabitethernet <slot>/<port>
(host) (config-if) #switchport access vlan <id>
1. To add multiple VLANs at one time, click .
2. In the pop-up window, enter a range of VLANs you want to create at once. For example, to add VLAN IDs numbered 200-300 and 302-350, enter 200-300, 302-350.
3. Click .
4. To add physical ports to a VLAN, click next to the VLAN you want to configure and click the port in the section.
5. Click .
(host) (config) #vlan
(host) (config) #vlan range 200-300,302-350
You can assign a name to a single VLAN ID whether it is part of a VLAN pool or not. A VLAN name must be between 1 and 32 characters, and spaces are not allowed. You can then specify an individual VLAN by its name or ID, or by the name of the VLAN pool to which the VLAN is assigned. The VLAN name cannot be modified, so choose the name carefully. A VLAN name can also be assigned in a user rule, user role derivation, virtual AP profile and in a wired profile.
The following configuration assigns the name to the VLAN ID 94.
1. Navigate to .
2. Select the tab to open the window.
3. Click .
4. In the field, enter a name that identifies this VLAN.
5. Make sure the field is unchecked. The is grayed out as this field applies only to VLAN pools.
Figure 1 Named VLAN not in a Pool
6. In the field, enter the VLAN ID you want to name. If you know the ID, enter the ID. Or, click the drop-down list to view the IDs then click the <-- arrow to add the ID to the pool.
7. Click .
This example assigns a name to an existing VLAN ID.
(host) (config) #vlan-name myvlan
(host) (config) #vlan myvlan 94
This example assigns a VLAN name in a virtual AP:
(host) (config) #wlan virtual-ap default vlan mygroup
This example assigns a VLAN name in a wired profile for access VLAN:
(host) (Wired AP profile "default") #switchport access vlan mygroup
This example assigns a VLAN name in a wired profile for a trunk VLAN and an allowed VLAN.
(host) (Wired AP profile "default") #switchport access vlan mygroup
(host) (config) #ap wired-ap-profile default switchport trunk ?
allowed Set allowed VLAN characteristics when interface is
in trunking mode
native Set trunking native characteristics when interface
is in trunking mode
(host) (config) #ap wired-ap-profile default switchport trunk native vlan mynativevlan
(host) (config) #ap wired-ap-profile default switchport trunk allowed vlan myallowedvlan
You can create, update and delete a VLAN pool. Each VLAN pool has a name and needs to have one or more VLANs assigned to it. The following configurations create a VLAN pool named mygroup that has the assignment type Even, with VLAN IDs 2, 4 and 12 assigned to this pool.
1. Navigate to
2. Select the tab to open the window.
3. Click .
4. In the field, enter a name that identifies this VLAN pool.
5. In the field, select or from the drop-down menu. See Distinguishing Between Even and Hash Assignment Types for information and conditions regarding Hash and Even assignment types.
The Even VLAN pool assignment type is only supported in tunnel and dtunnel modes. It is not supported in split or bridge modes. It is not allowed for VLAN pools that are configured directly under a virtual AP (VAP). It must only be used under named VLANs. L2 Mobility is not compatible with the existing implementation of the Even VLAN pool assignment type.
6. Check the check box if you want the VLAN to be part of a pool.
7. In the field, enter the VLAN IDs you want to add to this pool. If you know the ID, enter each ID separated by a comma. Or, click the drop-down list to view the IDs then click the <-- arrow to add the ID to the pool.
VLAN pooling should not be used with static IP addresses.
8. You must add two or more VLAN IDs to create a pool.
9. When you finish adding all the IDs, click .
The VLAN pool along with its assigned IDs appears on the VLAN Pool window. If the pool is valid its status is enabled.
Figure 2 Creating a VLAN Pool
10. Click .
11. At the top of the window, click
The VLAN assignment type determines how a VLAN assignment is handled by the controller.
The Hash assignment type means that the VLAN assignment is based on the station MAC address. The Even assignment type is based on an even distribution of VLAN pool assignments.
The Even VLAN Pool assignment type maintains a dynamic latest usage level of each VLAN ID in the pool. Therefore, as users age out, the number of available addresses increases. This leads to a more even distribution of addresses.
The Even type is only supported in tunnel and dtunnel modes. It is not supported in split or bridge modes and it is not allowed for VLAN pools that are configured directly under a virtual AP. It can only be used under named VLANs.
If a VLAN pool is given an Even assignment and is assigned to user roles, user rules, VSA or server derivation rules, then while applying VLAN derivation for the client at run time, the Even assignment is ignored and the Hash assignment is applied, with a message displaying this change.
L2 Mobility is not compatible with the existing implementation of the Even VLAN pool assignment type.
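The difference between the two assignment types, modelled as an added example (a toy simulation, not ArubaOS code). The controller's real hash function is not given on this page, so CRC32 of the MAC is an assumed stand-in, as is the first-listed tie-break for Even; the derived flag models the fallback to Hash described above.

```python
import zlib

class VlanPool:
    """Toy model of a named VLAN pool; not ArubaOS code."""

    def __init__(self, vlan_ids, assignment="hash"):
        if len(vlan_ids) < 2:
            raise ValueError("a pool needs two or more VLAN IDs")
        self.vlan_ids = list(vlan_ids)
        self.assignment = assignment            # "hash" or "even"
        self.usage = {v: 0 for v in self.vlan_ids}
        self.clients = {}                       # MAC -> VLAN currently held

    def hash_pick(self, mac):
        # Assumption: CRC32 of the MAC stands in for the controller's hash.
        raw = bytes.fromhex(mac.replace(":", ""))
        return self.vlan_ids[zlib.crc32(raw) % len(self.vlan_ids)]

    def even_pick(self):
        # Least-used VLAN; ties go to the first ID listed (assumption).
        return min(self.vlan_ids, key=lambda v: self.usage[v])

    def assign(self, mac, derived=False):
        """derived=True models VLAN derivation through a user role, user rule,
        VSA or server derivation rule, where Even falls back to Hash."""
        if mac in self.clients:
            self.age_out(mac)                   # re-association: release old slot
        even = self.assignment == "even" and not derived
        vlan = self.even_pick() if even else self.hash_pick(mac)
        self.clients[mac] = vlan
        self.usage[vlan] += 1
        return vlan

    def age_out(self, mac):
        self.usage[self.clients.pop(mac)] -= 1

def simulate_even_rebalance():
    """Nine constructed clients join, two on VLAN 2 age out, two new ones join."""
    macs = [f"02:00:00:00:00:{i:02x}" for i in range(11)]   # constructed MACs
    pool = VlanPool([2, 4, 12], assignment="even")
    for mac in macs[:9]:
        pool.assign(mac)
    for mac in (macs[0], macs[3]):                          # both held VLAN 2
        pool.age_out(mac)
    refill = [pool.assign(mac) for mac in macs[9:]]
    return refill, dict(pool.usage)

if __name__ == "__main__":
    print(simulate_even_rebalance())
```

With Even, the two newcomers take the slots freed on VLAN 2; with Hash, a given MAC lands on the same VLAN every time regardless of how loaded that VLAN is.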
1. On the window, click next to the VLAN name you want to edit.
2. Modify the assignment type and the list of VLAN IDs. Note that you cannot modify the VLAN name.
3. Click .
4. Click .
5. At the top of the window, click
1. On the window, click next to the VLAN name you want to delete. A prompt appears.
2. Click
3. Click .
4. At the top of the window, click .
VLAN pooling should not be used with static IP addresses.
This example creates a VLAN pool named that has the assignment type
(host) (config) #vlan-name mygroup pool assignment even
The following example shows how to view the VLAN IDs that can be added to a VLAN pool:
(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #show vlan
VLAN CONFIGURATION
------------------
VLAN Description Ports
---- ----------- -----
1 Default FE1/0-3 FE1/6 GE1/8
2 VLAN0002
4 VLAN0004
12 VLAN0012
210 VLAN0210
212 VLAN0212 FE1/5
213 VLAN0213 FE1/4
1170 VLAN1170 FE1/7
1170 VLAN1170 FE1/7
The following example shows how to add existing VLAN IDs to a VLAN pool:
(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #vlan-name mygroup pool
(host) (config) #vlan mygroup 2,4,12
(host) (config) #
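A pre-flight check for the bulk vlan range command and the VLAN pool commands above, as an added example (not ArubaOS or vendor code). It applies this page's limits (IDs 1 to 4094, names of 1 to 32 characters without spaces, two or more IDs per pool) before rendering the CLI lines; the function names are hypothetical.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094            # valid VLAN ID bounds stated on this page
NAME_RE = re.compile(r"\S{1,32}")       # 1-32 characters, no spaces

def parse_vlan_ids(spec):
    """Expand '200-300, 302-350' or '2,4,12' into a sorted list of unique IDs."""
    ids = set()
    for part in spec.split(","):
        m = re.fullmatch(r"\s*(\d+)(?:\s*-\s*(\d+))?\s*", part)
        if not m:
            raise ValueError(f"malformed VLAN item: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"outside {VLAN_MIN}-{VLAN_MAX} or reversed: {part!r}")
        ids.update(range(lo, hi + 1))
    return sorted(ids)

def to_range_spec(ids):
    """Collapse IDs into the space-free form used by 'vlan range'."""
    out, ids = [], sorted(set(ids))
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1                      # extend the run of consecutive IDs
        out.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(out)

def render_pool_cli(name, spec, even=False):
    """Validate a pool definition and return the CLI lines to enter."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("VLAN name must be 1-32 characters with no spaces")
    ids = parse_vlan_ids(spec)
    if len(ids) < 2:
        raise ValueError("a VLAN pool needs two or more VLAN IDs")
    # Plain 'pool' form and 'assignment even' form are the two shown on this page.
    head = f"vlan-name {name} pool" + (" assignment even" if even else "")
    return [head, f"vlan {name} {','.join(map(str, ids))}"]

if __name__ == "__main__":
    print("vlan range " + to_range_spec(parse_vlan_ids("200-300, 302-350")))
    print("\n".join(render_pool_cli("mygroup", "2,4,12", even=True)))
```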
To confirm the VLAN pool status and mapping assignments, use the show vlan mapping command:
(TechPubs650) (config) #show vlan mapping
Vlan Mapping Table
------------------
VLAN Name Pool Status Assignment Type VLAN IDs
--------- ----------- --------------- --------
mygroup Enabled Hash 62,94
newpoolgroup Enabled Even
vlannametest Enabled Even 62,1511
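An audit of show vlan mapping output against the pool rules on this page, as an added example (not vendor tooling). The rows are taken from the output above with constructed column spacing; the parser, the prompt heuristic and the finding texts are hypothetical.

```python
SAMPLE = """\
Vlan Mapping Table
------------------
VLAN Name     Pool Status  Assignment Type  VLAN IDs
---------     -----------  ---------------  --------
mygroup       Enabled      Hash             62,94
newpoolgroup  Enabled      Even
vlannametest  Enabled      Even             62,1511
"""  # rows from the output on this page; column spacing is constructed

def parse_vlan_mapping(text):
    """Return one dict per pool row of 'show vlan mapping' output."""
    lines = text.splitlines()
    # Data rows start two lines below the 'VLAN Name' header (header + dashes).
    start = next(i for i, ln in enumerate(lines) if ln.startswith("VLAN Name")) + 2
    pools = []
    for line in lines[start:]:
        cols = line.split()             # safe: VLAN names cannot contain spaces
        if line.startswith("(") or len(cols) not in (3, 4):
            break                       # next CLI prompt or blank line ends the table
        ids = [int(x) for x in cols[3].split(",")] if len(cols) == 4 else []
        pools.append({"name": cols[0], "status": cols[1], "type": cols[2], "ids": ids})
    return pools

def audit_pools(pools):
    """Apply the pool rules stated on this page; return (name, finding) pairs."""
    findings = []
    for p in pools:
        if len(p["ids"]) < 2:
            findings.append((p["name"], "fewer than two VLAN IDs in pool"))
        if any(not 1 <= v <= 4094 for v in p["ids"]):
            findings.append((p["name"], "VLAN ID outside 1-4094"))
        if p["status"] != "Enabled":
            findings.append((p["name"], f"pool status is {p['status']}"))
        if p["type"] == "Even":
            findings.append((p["name"], "Even type: confirm tunnel or dtunnel mode, "
                                        "no L2 Mobility, no role/rule/VSA derivation"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_pools(parse_vlan_mapping(SAMPLE)):
        print(f"{name}: {finding}")
```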
Bandwidth contracts on a VLAN can limit broadcast and multicast traffic. ArubaOS includes an internal exception list to allow broadcast and multicast traffic using the VRRP, LACP, OSPF, PVST and STP protocols. To remove per-VLAN bandwidth contract limits on an additional broadcast or multicast protocol, add the MAC address for that broadcast/multicast protocol to the VLAN Bandwidth Contracts MAC Exception List.
The command in the example below adds the MAC address for CDP (Cisco Discovery Protocol) and VTP (Virtual Trunking Protocol) to the list of protocols that are not limited by VLAN bandwidth contracts.
(host) (config) #vlan-bwcontract-explist mac 01:00:0C:CC:CC:CC
To show entries in the VLAN bandwidth contracts MAC exception list, use the show vlan-bwcontract-explist [internal] command:
(host) (config) #show vlan-bwcontract-explist internal
VLAN BW Contracts Internal MAC Exception List
---------------------------------------------
MAC address
-----------
01:80:C2:00:00:00
01:00:0C:CC:CC:CD
01:80:C2:00:00:02
01:00:5E:00:82:11
Broadcast and Multicast (BCMC) traffic from APs, remote APs, or distributions terminating on the same VLAN floods all VLAN member ports. This causes critical bandwidth wastage, especially when the APs are connected to an L3 cloud where the available bandwidth is limited or expensive. Suppressing the VLAN BCMC traffic to prevent flooding can result in loss of client connectivity.
To effectively prevent flooding of BCMC traffic on all VLAN member ports, use the bcmc-optimization parameter under the interface vlan command. This parameter ensures controlled flooding of BCMC traffic without compromising the client connectivity. By default this option is disabled. You must enable this parameter for the controlled flooding of BCMC traffic.
If BCMC Optimization is enabled on uplink ports, the controller-generated Layer-2 packets will be dropped.
The parameter has the following exemptions:
All DHCP traffic will continue to flood VLAN member ports even if the parameter is enabled.
ARP broadcasts and VRRP (multicast) traffic will still be allowed.
You can configure BCMC optimization using the CLI or WebUI.
(host) (config) #interface vlan 1
(host) (config-subif)#bcmc-optimization
(host) (config-subif)#show interface vlan 1
VLAN1 is up line protocol is up
Hardware is CPU Interface, Interface address is 00:0B:86:61:5B:98 (bia 00:0B:86:61:5B:98)
Description: 802.1Q VLAN
Internet address is 10.17.22.1 255.255.255.0
Routing interface is enable, Forwarding mode is enable
Directed broadcast is disabled, BCMC Optimization enable
Encapsulation 802, loopback not set
MTU 1500 bytes
Last clearing of "show interface" counters 12 day 1 hr 4 min 12 sec
link status last changed 12 day 1 hr 2 min 21 sec
Proxy Arp is disabled for the Interface
1. Navigate to .
2. In the tab, click the button of the VLAN for configuring BCMC optimization.
3. Select check box to enable BCMC Optimization for the selected VLAN.
Figure 3 Enable BCMC Optimization