FAQs
Listed below are some frequently asked questions, under various topics related to ArubaOS 8.x.0.0.
Does CPPM perform error check in advanced mode?
In the Advanced mode, ClearPass Policy Manager does not perform any error checking to confirm accuracy of the role definition. Therefore, it is recommended that you review the role defined in ClearPass Policy Manager prior to enabling this feature.
What are the supported authentication methods?
ClearPass Policy Manager supports roles obtained by the following authentication methods:
802.1X (WLAN and wired users)
MAC authentication
Can attributes have the same name?
In ClearPass Policy Manager two or more attributes (as listed above) should not have the same name. The following example is considered invalid, as both the attributes use test as the profile or net destination name:
qos-profile test
netdestination test
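A pre-deployment check for the naming rule above, useful because Advanced mode does no error checking of its own. This is an added example, not ClearPass or ArubaOS code; the role-definition layout it parses and the function names are assumptions, and the sample text is constructed.

```python
import shlex
from collections import defaultdict

# Constructed sample role definition (not from Aruba documentation). Only the
# qos-profile and netdestination attribute types come from the page; the
# layout (one "<attribute-type> <name>" header per attribute, indented body
# lines, "!" separators) is an assumption of this example.
SAMPLE_ROLE_DEFINITION = """\
qos-profile test
!
netdestination test
 host 192.0.2.10
!
netdestination corp-servers
 host 192.0.2.20
!
"""


def parse_attribute_headers(text):
    """Yield (attribute_type, name, line_number) for each attribute header."""
    for line_number, raw in enumerate(text.splitlines(), start=1):
        # Skip blank lines, "!" separators and indented body lines.
        if not raw.strip() or raw.strip() == "!" or raw[0].isspace():
            continue
        try:
            tokens = shlex.split(raw)  # keeps a quoted name such as "guest net" whole
        except ValueError:
            tokens = raw.split()  # unbalanced quote: fall back to plain splitting
        if len(tokens) < 2:
            continue  # a header needs at least a type keyword and a name
        # Everything before the last token is treated as the attribute type.
        yield " ".join(tokens[:-1]), tokens[-1], line_number


def find_name_collisions(text):
    """Return {name: [(attribute_type, line_number), ...]} for reused names."""
    seen = defaultdict(list)
    for attribute_type, name, line_number in parse_attribute_headers(text):
        seen[name].append((attribute_type, line_number))
    return {name: uses for name, uses in seen.items() if len(uses) > 1}


def review_role_definition(text):
    """Return human-readable findings; an empty list means no collisions."""
    findings = []
    for name, uses in sorted(find_name_collisions(text).items()):
        where = ", ".join(f"{t} (line {n})" for t, n in uses)
        findings.append(f"name '{name}' is used by more than one attribute: {where}")
    return findings


if __name__ == "__main__":
    for finding in review_role_definition(SAMPLE_ROLE_DEFINITION):
        print(finding)
```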
What is payload content?
Payload content is the list of the classified devices that is sent to the endpoints. ArubaOS supports Aruba Beacon Data, Aruba asset tag data, Eddystone, EnOcean Sensor, EnOcean Switch, other iBeacons, and ZF tag data payload profiles.
Are third party servers supported?
Starting from ArubaOS 8.4.0.0, ArubaOS enables integration of built-in IoT BLE messages with third party servers. This integration provides a flexible interface for users to build their own endpoint and service without Meridian support.
Can IoT be configured using the WebUI?
IoT can be configured only using the CLI.
What are the end points supported by ArubaOS?
Starting from ArubaOS 8.4.0.0, Aruba telemetry-HTTPS, Aruba telemetry-websocket, authentication URL, Meridian beacon management, Meridian asset tracking, UID-namespace filter for Eddystone beacon protocol, URL filter for Eddystone beacon protocol, and ZF tag endpoints are added.
Does ArubaOS allow SES-imagotag cloud TLS authentication?
ArubaOS allows an AP with ESL USB dongle to connect to the SES cloud by using TLS authentication. This allows you to configure and update the ESL through the SES cloud. Configure either an IP address or domain name in the SES profile in the managed device.
Is device data split based on the radio type?
Device data is not split based on radio type (2.4 GHz or 5 GHz).
What are the license requirements for VIA?
Managed Devices running ArubaOS 8.x require one of two available license types to support VIA users, the PEFV license, or the VIA license.
Does VIA support EAP-GTC authentication?
Starting from ArubaOS 8.5.0.0, the VIA connection profile includes an EAP-GTC authentication option. This option ensures that the VIA client establishes an IKEv2 tunnel with the managed device.
Does VIA use the MAC address of a client as the calling station id?
Starting from ArubaOS 8.4.0.0, VIA uses the MAC address of a client as the calling station id when sending an authentication request to a ClearPass Policy Manager. In earlier versions, the IP address of the client was used as the calling station id.
Are VIA client users separately displayed in the WebUI for VPN client visibility?
You can view the client users in the Dashboard > Clients > Remote Clients page in the WebUI.
AirPlay, AirPrint, Allowall, Amazon TV, DIAL, DLNA Media, DLNA Print, GoogleCast, iTune, RemoteMgmt, Sharing.
Supported modes in AirGroup
Centralized Mode: In centralized mode, AirGroup service runs on the Mobility Conductor.
Distributed Mode: In distributed mode, the AirGroup service runs on managed devices where an AirGroup profile is configured.
Does AirGroup support IPv6?
AirGroup supports IPv6 enabled users (for example, iPad) and servers (Apple TV, AirPrint printers). All the AirGroup features are available for both IPv4 and IPv6 clients.
AirGroup supports only mDNS-based device discovery and does not support Bluetooth-based device discovery mechanism.
What is the scalability limit of AirGroup feature?
AirGroup can scale to support up to 100,000 devices in which up to 17,000 servers can exist.
What are the pre-requisites to enable AirGroup?
Configure OpenFlow
Enable OpenFlow in user role and virtual AP
Configure Management Server Profile
Enable deep packet inspection and firewall visibility.
Is Auto-Association feature enabled by default?
Auto-association is disabled on all AirGroup servers. An administrator can enable auto-association for each AirGroup server separately and configure AP-name, AP-group, or AP-FQLN for auto-association.
In addition to adding serial console to the Mobility Conductor VM, check if you have also enabled the setting under the host's firewall config to allow serial over network.
VM serial access option is available in ESXi evaluation license or an ESXi Enterprise+ license. Assuming you have the evaluation license, the serial port option is available for you to add to the VM.
When a device node is created it does not create the corresponding managed device to establish the IPsec connection to the Mobility Conductor, which has to be added as well. It is necessary for branch office controllers that have dynamic addressing on uplinks or that have multiple uplinks. In that case the IP address the branch office controller uses to contact the Mobility Conductor could change. Also, for ZTP it is not known ahead of time what IP address a branch office controller will use to contact the Mobility Conductor.
' or entry to allow the.
Check your license pool profile on the Mobility Conductor.
(mm) [mynode] #show license-pool-profile-root
License root(/) pool profile
----------------------------
Parameter Value Set
--------- ----- ---
enable PEFNG feature Enabled
enable RFP feature Enabled
enable XSEC feature Disabled
enable ACR feature Disabled
enable WebCC feature Enabled
Ensure PEFNG, RFP, WebCC are enabled. If not, go to the License root(/) pool profile and enable the following:
(mm) [mynode] (config) #license-pool-profile-root
(mm) [mynode] (License root(/) pool profile) #
acr-license-enable enable ACR feature
no Delete Command
pefng-licenses-enable enable PEFNG feature
rfp-license-enable enable RFP feature
webcc-license-enable enable WebCC feature
xsc-license-enable enable XSEC feature
(mm) [mynode] (License root(/) pool profile) #pefng-licenses-enable <cr>
(mm) [mynode] (License root(/) pool profile) #pefng-licenses-enable
(mm) [mynode] (License root(/) pool profile) #rfp-license-enable
(mm) [mynode] (License root(/) pool profile) #webcc-license-enable
Only the configuration and hierarchy can be backed up, using the backup config command, and the backup can be restored using the restore config command on the Mobility Conductor.
(mm) [mynode] #backup config
Please wait while we take the config backup.......
File configbackup.tar.gz created successfully on flash.
Please copy it out of the controller and delete it when done.
After setting up the Mobility Conductor instance again, copy the file onto the Mobility Conductor's flash. Then proceed with the following:
(mm) [mynode] #
(mm) [mynode] #restore config
Please wait while we restore the config backup........
Config restored successfully.
Please reload (reboot) the controller for the new config to take effect.
Issuing the managed device to communicate with the Mobility Conductor. Also ensure that the configuration sent to the managed device has the correct configuration for LACP. On the Mobility Conductor issue command. When you turn disaster-recovery off using the off command, the managed device will contact the Mobility Conductor again and sync its configuration. If the managed device goes back into the same state, the config sent to the managed device may be incorrect or you are hitting a bug. If you can't log in initially, there is an account available called "branchsupport". The password is the MAC address of the managed device, in lowercase, with : delimiters. That account is only available when there is no configured admin account and when the managed device is not in contact with the Mobility Conductor.
command will allow you to enable the config mode edit the config in the config-node. From there you can correct the configuration to enable the
Delete and add the device again. If you wish to maintain the previous config for that managed device, which gives you a chance to make changes one-by-one after that, you can delete and add the managed device to the new node. Example:
1. Device 11:22:22:22:22:33 is present under .
2. Create a new node .
3. Issue the command to create a node and move the above device to this new node.
(mm) [mynode] (config) #configuration node /md/tme-test clone-from /md/selab
<cr>
To maintain the configuration that the device was previously using, under its new planned config node path.
1. Issue the following command to delete the device from the old node
(mm) [mynode] (config) #no configuration device 11:22:22:22:22:33
<cr>
Warning: Device 11:22:22:22:22:33 will be reloaded, if present
2. Issue the following command to add the device back into the new node:
(mm) [mynode] (config) #configuration device 11:22:22:22:22:33 device-model A7005 /md/tme-test
Issue the show switches command to see the list of managed devices, standby Mobility Conductor and so on.
(mm) [mynode] #show switches
All Switches
------------
IP Address IPv6 Address Name Location Type Model Version Status Configuration State Config Sync Time (sec) Config ID
---------- ------------ ---- -------- ---- ----- ------- ------ ------------------- ---------------------- ---------
10.20.102.11 None Alpha_Master Building1.floor1 master ArubaMM-VA 8.4.0.0_67127 up UPDATE SUCCESSFUL 0 739
10.20.102.12 None Alpha_Standby Building1.floor1 standby ArubaMM-VA 8.4.0.0_67127 up UPDATE SUCCESSFUL 0 739
10.20.101.5 None Alpha_7240_5 Building1.floor1 MD Aruba7240 8.4.0.0_67127 up UPDATE SUCCESSFUL 0 739
10.20.101.20 None Alpha_7205_20 Building1.floor1 MD Aruba7205 8.4.0.0_67127 up UPDATE SUCCESSFUL 0 739
10.20.101.12 None Alpha_7205_12 Building1.floor1 MD Aruba7205 8.4.0.0_67127 up UPDATE SUCCESSFUL 9 739
1.6.2.221 None A7220-ALPHA-RAP-14 Building1.floor1 MD Aruba7220 8.4.0.0_67127 up UPDATE SUCCESSFUL 0 739
220.227.73.90 None A7220-ALPHA-RAP-44 Building1.floor1 MD Aruba7220 8.4.0.0_67127 up UPDATE SUCCESSFUL 0 739
10.20.101.7 None Aruba7280 Building1.floor1 MD Aruba7280 8.4.0.0_67127 up UPDATE SUCCESSFUL 0 739
Total Switches:8
Issue the show switches debug command to see their nodepaths and crash information.
(mm) [mynode] #show switches debug
All Switches
------------
IP Address MAC Name Nodepath Type Model Version Status Uptime CrashInfo Config Sync Time (sec)
---------- --- ---- -------- ---- ----- ------- ------ ------ --------- ----------------------
10.20.102.11 00:0c:29:b7:eb:97 Alpha_Master /mm/mynode master ArubaMM-VA 8.4.0.0_67127 up 5d 19h 26m no 0
10.20.102.12 00:0c:29:31:30:6d Alpha_Standby /mm standby ArubaMM-VA 8.4.0.0_67127 up 5d 19h 26m no 0
10.20.101.5 00:1a:1e:00:31:68 Alpha_7240_5 /md/ALPHA-NODES MD Aruba7240 8.4.0.0_67127 up 0d 18h 30m no 0
10.20.101.20 00:0b:86:b7:1f:6f Alpha_7205_20 /md/ALPHA-NODES MD Aruba7205 8.4.0.0_67127 up 0d 21h 26m no 0
10.20.101.12 00:0b:86:b7:73:4f Alpha_7205_12 /md/ALPHA-NODES MD Aruba7205 8.4.0.0_67127 up 0d 18h 30m no 9
1.6.2.221 00:1a:1e:02:a9:d0 A7220-ALPHA-RAP-14 /md/ALPHA-INDIA-RAP MD Aruba7220 8.4.0.0_67127 up 4d 17h 49m no 0
220.227.73.90 00:1a:1e:02:f7:48 A7220-ALPHA-RAP-44 /md/ALPHA-INDIA-RAP MD Aruba7220 8.4.0.0_67127 up 4d 17h 4m no 0
10.20.101.7 20:4c:03:02:14:40 Aruba7280 /md/ALPHA-NODES MD Aruba7280 8.4.0.0_67127 up 0d 21h 12m no 0
Total Switches:8
Type in
, to display list of nodes available. Start typing the node path and for auto-complete.
To view the complete path, issue the pwd command from the node you are in.
(host) [mynode] (config) #pwd
/mm/mynode
Issue the
command. For example if you are under node path and would like to fall to issue the command. Similarly, to fall back two node paths, use the UNIX equivalent
That is expected behavior. Issuing show commands (like in ArubaOS 6.x) to view list of profiles within a config node will not show profiles applicable to that config nodepath. Show commands will display the config for the Mobility Conductor. In order to view config specific to a node path, use commands under the node path.
In the configuration nodepath, issue the following commands:
show configuration datastore object ap_group
show configuration datastore object aaa_prof
show configuration datastore object virtual_ap
show configuration datastore object ssid_prof
These commands are a quick way to list the profiles of interest that are effective at a config node path, during debugging or initial config stages. The object names do not follow the standard CLI naming convention and engineering mostly does not plan to change those object names to make them consistent with CLI nomenclature. As such these commands are a quick way to list profiles in the CLI.
The '^' at the CLI prompt means there is configuration that is not committed yet. This uncommitted or pending configuration could be under any config node path. To identify the node which has the pending or uncommitted command, issue the show configuration unsaved nodes command. Go to that node and issue the write memory command to remove ^.
(mm) ^ [11:22:22:22:22:33] (config) #show configuration unsaved nodes
List of unsaved configuration nodes
-------------------------------------------------
Nodename
---------------
/md/selab/
(mm) ^ [11:22:22:22:22:33] (config)
The '*' at the CLI prompt means there is a crash dump on the controller. Issue the tar crash command, and if you don't need the crash file after that, issue the tar clean crash command to remove *.
(mc2-7210) *#
(mc2-7210) *#tar crash
(mc2-7210) *#tar clean crash
To add a server in a server group, follow the steps below:
Navigate to
> > > .Click "
" in . Add a server in the option provided.
The WebUI communicates to the Mobility Conductor over JSON, and is not the same as sending actual CLI commands from WebUI to the Mobility Conductor.
There are two methods to see a snapshot of the pending changes. The first method is preferred as the second method involves looking at JSON constructs under a browser's developer tools.
a. Make all the changes from the WebUI but do not apply .
b. Log in to the CLI of the Mobility Conductor.
c. Navigate to the configuration node path where you made all the changes and issue the show configuration pending command. That displays all the changes that were added.
You can review the changes before committing the change. You can either revert changes one by one from the WebUI or CLI or use the command to remove all the pending changes from the Mobility Conductor configuration.
You can also view the configuration sent to the Mobility Conductor from the WebUI in JSON by opening the in the browser and navigating to tab.
One management server IP can be mapped to only one kind of mgmt-server profile. The management server could be the Mobility Conductor itself or in addition to Mobility Conductor, a user may add an AirWave server as well.
Just configuring the Mobility Conductor as the management server primary-server and using profile will suffice to start sending stats and other information from the managed device to the Mobility Conductor, such as the managed device details, client info, APs and so on.
It's recommended to use profile when pointing managed devices to the Mobility Conductor. The reason being, if you decide to point your managed device to AirWave (AMP) as well, then you would add another line of configuration for managed devices to point to the AMP's IP and use profile as the management-server profile. This helps in quickly identifying that the line using in it, is pointing managed devices to the Mobility Conductor and the other is pointing managed devices to AMP.
Starting with ArubaOS 8.2.0.0, both Layer-2 and Layer-3 Mobility Conductor redundancy is supported. See the ArubaOS 8.3.0.0 User Guide for more understanding of the operational behavior of each use case.
Yes, this capability is still used.
(host) [mynode] (config) #wlan ssid-profile "iPod_OL_VoIP_ssidprf"
(host) [mynode] (SSID Profile "iPod_OL_VoIP_ssidprf") # wmm-override-dscp-mapping
In ArubaOS 8.0.0.0, AppRF integration with UCC enables admin to apply policies based on the application requirement which would override the in the SSID profile. This feature replaces on the SSID profile. A set of new application IDs have been added for UCC applications (ex: alg-skype4b-audio). The UCM process identifies the application type corresponding to a media session and programs the datapath with the application ID. An ACL can be used to apply ToS or any other policy to this application and this would override the on the SSID profile or the priority configured in UCC ALG configuration. The following example adds an ACL to permit and set ToS for the Lync/Skype for Business audio and video traffic which should be referenced to the user-role:
(host) [mynode] (config) #ip access-list session apprf-skype4b-sacl
(host) [mynode] (config-submode)#any any app alg-skype4b-audio permit tos 56
(host) [mynode] (config-submode)#any any app alg-skype4b-video permit tos 40
Other ACL rules like bandwidth contract, deny, 802.1p priority can be used along with the ACL application IDs. The below CLI lists all the applications:
show dpi application category unified-communications
AirWave no longer configures ArubaOS 8.0.0.0 controllers. However, the AirWave folder monitoring is separate and can be used as it currently is today.
L3 is all that is needed between the managed devices and Mobility Conductors. L2 is still currently required between Mobility Conductor and backup-Mobility Conductor.
Master-controller, Master-local, and Standalone are getting ARM. Mobility Conductor will get AirMatch.
RFProtect is still controller-wide, so all APs on a controller still need all licenses relevant to their configuration.
Yes.
APs will not come up.
For deployments larger than 10k, multiple Mobility Conductors are required. We hope to increase that scalability in the near future, but for now this is our ceiling.
Mobility Conductor can be configured to manage multi-tenant deployments, but is not configured to allow multi-tenancy admin logins. Right now, admin sees everything in the Mobility Conductor.
Licenses should be migrated from the LMS to transfer the controller licenses to the Mobility Conductor. Additionally, new licenses can be purchased and activated on the Mobility Conductor, but the Mobility Conductor will not automatically inherit the controller licenses.
No, the Mobility Conductor is not terminating any APs and is not part of the datapath. IAP-VPN will have to be terminated on managed devices.
The commands remain the same but the way these commands are executed will be different.
Currently there is no management model from AirWave in ArubaOS 8.0.0.0. If/when that capability is addressed, there will be an update (but the assumption is that yes, AirWave would run all controller commands via the Mobility Conductor).
Not currently, but excludes are expected to be coming.
?
Not in ArubaOS 8.0.0.0.
ZTP (Zero Touch Provisioning) will be supported both with Activate and DHCP.
You can have up to 8 nodes.
For now, managed devices and Mobility Conductors would have to be upgraded.
Mobility Controllers will stay UP and APs broadcast SSIDs; however, some of the services like AirMatch, AppRF, Centralized Visibility (AMON, Advanced Monitoring), WebCC, UCC (Unified Communications and Collaboration), AirGroup, WMS (Rogue AP/Client), CPsec (Control Plane Security) and Remote AP (New AP bringing), and NBAPI will not work.
Bandwidth requirements vary depending on AP, controller, users, and services that you are using. We tested with 1 Mobility Conductor, 1 7220 controller, 10 APs, and 1000 clients running ArubaOS 8.0.1.0 firmware and this setup required 300 Kbps for management traffic between Mobility Conductor and Mobility Controller. During this testing, 250 clients were AirGroup servers, 250 clients were AirGroup clients, and 500 WebCC clients were generating around 1.4 Mbps traffic. GSM, DDS, AirGroup, Web-CC, UCC, Firewall Visibility, DPI (Deep Packet Inspection), and WMS were enabled.
Yes, you can upgrade to ArubaOS 8.0.0.0 without adding a Mobility Conductor. You get WebUI, hierarchical configuration, multi-threaded CLI, auto-completion of profile names in the CLI, IPsec over IPv6, Custom Apps and categories, configuration auto rollback, MultiZone, ZTP, and so on.
Apart from all the features mentioned above for master controller mode, Mobility Conductor supports controller clustering, AirMatch, IPFIX, NBAPI, Jabber classification, optimization of services like UCC and AirGroup, Loadable Services Modules, Rule-based ClientMatch, Mobility Controller Virtual Appliance, centralized visibility, and so on.
Yes, only AirMatch will be used to calculate an RF solution. There is no concept of ARM in Mobility Conductor.
No special handling for holiday/weekends in AirMatch.
Deploy hour is configurable from AirMatch profile.
Even though Aruba recommends using AirMatch before trying static EIRP (Effective Isotropic Radiated Power)/power plan, you can still use static EIRP.
Data collected in the previous 24 hours is factored in.
In ArubaOS 8.0.1.0, there is a single AirMatch profile. From ArubaOS 8.1.0.0, deploy hour is configurable per radio profile, since the deploy hour needs to work across local timezones if the Mobility Conductor manages controllers/APs across multiple timezones.
AirMatch profile is per Mobility Conductor. However, there are knobs in radio profiles, which can be used for AirMatch.
Internally, the solution is prepared per RF domain. Thus, small scale is automatically handled, with optimal EIRP/channel for the small scale.
Yes, ARM still scans and it is still client and application aware.
.
Clients are not being considered in AirMatch solution. AP density is always considered.
No.
No.
There is no explicit handling of DFS (Dynamic Frequency Selection)/non-DFS.
There is some blacklisting of channels with frequent noise events.
Support for multiple time zones is available from ArubaOS 8.1.0.0.
With multizone, the primary zone is doing all AirMatch calculations, the data zone is not involved, so multizone is not applicable here.
Yes. It is always deployed. It is recommended to use when there are significant changes on profile configurations/radio environment.
No, we don't use channel utilization for the computation.
No.
No. Hybrid CPsec is supported in MultiZone.
MultiZone supports the same heartbeats as primary zone. There are no changes in an AP's heartbeats.
No. It works with master-local, stand-alone, and cluster configuration.
Yes. Primary and datazone can be of any combination.
No.
Yes. RSDB is supported on all MultiZones.
Yes.
The configuration is ignored for APs that do not support RSDB.
No. Primary zone tunnels stay intact.
Datazone Virtual AP gets terminated and the radio switches to monitor mode Virtual AP.
No. The AP does not consume any licenses in datazone.
Yes.
IPv6 is supported from ArubaOS 8.4.0.0 onwards. For previous releases, yes, the clients can still be on IPv6 network.
Yes.
Yes. Radio profiles are configured in the Primary zone, whereas Virtual APs and SSIDs are configured in datazone.
Yes.
No. The AP beacons only the numbers of Virtual APs that are allowed and this applies to Primary zone as well. We do not consider how many Virtual APs are configured, but only the permitted Virtual APs are allowed to beacon.
Zone-specific logs are available on the managed devices. If the AP does not come up on the datazone because of an image mismatch, it should be seen on the datazone managed devices.
No. If the cluster profile is IPv6, it allows only IPv6 APs to terminate.
Yes, we can run a VRRP-v6 (Virtual Router Redundancy Protocol) instance between the cluster members, and the IPv6 address of this VRRP-v6 instance can be the AP's master IPv6 address.
Yes.
Yes.
No. This is not recommended. The Mobility Conductor or managed device IPsec tunnel has to be an IPv6 address.
We have multiple retries for AP image copy, reboot, or upgrade. If this fails even after multiple attempts, we ignore that AP and proceed further. We let the failed APs upgrade further using the legacy method when the managed device reboots.
Yes. If there is a problem like server is not reachable or no space on the managed device, abort the upgrade. During the upgrade, if one of the managed devices is not able to come up with the new image or the Mobility Conductor is not reachable after the upgrade, we abort the upgrade. If the above scenario occurs with the first or the last managed device, the upgrade is successful.
No, IAPs have their own mechanism to detect failure and talk to a different managed device.
Yes.
No.
No. The VRRP-ip along with the controller-ip creates an automatic VRRP instance starting from VLAN ID 220.
VLAN probing is done in the following scenarios:
When the peers in the cluster are moved to L3 connected state, VLAN probing is triggered.
Probe is done when exclude VLAN list is modified.
VLAN probing is done on any VLAN except for the ones that are part of exclude VLAN list. If a VLAN goes down, it goes into L3 connected state.
The current logs are available in
. Apart from DDS logs, tar traces will have the rolled-over logs of the following:
cm_ap_lb.log
cm_gsm.log
cm_main.log
cm_sta_lb.log
stm.log
The file size is 20MB.
Execute the command, #
to disable traces.
All 7205 and 7000 Series controllers support USB.
Use controllers like the 7210, 7220, 7240, and 7280, which do not support USB connection.
folder for
No. Tracing is not enabled by default.
Yes. But, a bulk enable can be performed on the nodepath.
Execute the command #
to check the rep-key information.
Yes.
A special ether-type of 0x88b5 is used for VLAN probe packets.
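To recognize these probe frames in a packet capture, the added Python example below (not ArubaOS or Aruba code) walks any 802.1Q tags, matches ether-type 0x88b5, and flags frames whose source MAC is not a known cluster member. The member allowlist, the sample frames, and the assumption that probes may arrive VLAN-tagged are constructed for illustration; the probe payload is not parsed because the page does not describe its format.

```python
import struct

PROBE_ETHERTYPE = 0x88B5        # ether-type the page gives for VLAN probe packets
VLAN_TPIDS = {0x8100, 0x88A8}   # 802.1Q / 802.1ad tag protocol identifiers

def parse_ethernet(frame: bytes):
    """Return (src_mac, vlan_ids, ethertype) for a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    src = frame[6:12].hex(":")
    offset, vlans = 12, []
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype in VLAN_TPIDS:            # walk any stacked VLAN tags
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)        # low 12 bits of the TCI are the VLAN ID
        offset += 4
        (etype,) = struct.unpack_from("!H", frame, offset)
    return src, vlans, etype

def classify_probe(frame: bytes, cluster_macs: set):
    """Return details for a 0x88b5 frame, or None for any other ether-type."""
    src, vlans, etype = parse_ethernet(frame)
    if etype != PROBE_ETHERTYPE:
        return None
    return {"src": src, "vlan": vlans[-1] if vlans else None,
            "known_member": src in cluster_macs}

def unexpected_probes(frames, cluster_macs):
    """List (src_mac, vlan) for 0x88b5 frames not sent by a known cluster member."""
    hits = (classify_probe(f, cluster_macs) for f in frames)
    return [(h["src"], h["vlan"]) for h in hits if h and not h["known_member"]]

def _frame(src, etype, vlan=None):
    """Build a constructed test frame (broadcast destination, zero payload)."""
    hdr = b"\xff" * 6 + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", etype) + bytes(46)

# Constructed sample data: locally administered MACs, not from any real network.
MEMBERS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
SAMPLES = [
    _frame("02:00:00:00:00:01", 0x88B5, vlan=30),  # probe from a cluster member
    _frame("02:00:00:00:00:99", 0x88B5),           # same ether-type, unknown source
    _frame("02:00:00:00:00:02", 0x0800, vlan=30),  # ordinary IPv4, ignored
]

if __name__ == "__main__":
    for src, vlan in unexpected_probes(SAMPLES, MEMBERS):
        print(f"0x88b5 frame from non-member {src} on VLAN {vlan}")
```

0x88B5 is the IEEE 802 Local Experimental EtherType 1, so other software on the same segment may legitimately use it; a hit from a non-member is a prompt to investigate, not proof of a rogue cluster probe.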
When there is only one node in the cluster, that node is the cluster leader. As more nodes are added, the cluster leader is elected based on the highest effective priority derived from configured priority, platform value, and the MAC address of the device.