Configuring the Virtual AP Profile

The recommended method for creating a new WLAN configuration is through the new WLAN wizard, although advanced users may also configure a WLAN manually via the ArubaOS WebUI and command-line interfaces.

Follow the procedure below to manually configure a Virtual AP profile using the WebUI or command-line interfaces.


For important information on changing the virtual AP forwarding mode for a WLAN serving active wired or wireless clients, see Changing a Virtual AP Forwarding Mode.

In the WebUI

1. In the Managed Network node hierarchy, navigate to Configuration > System > Profiles.
2. In the All Profiles list, expand the Wireless LAN menu, then select Virtual AP.
3. Select the virtual AP profile you want to edit, or click + to create a new profile.
The Virtual AP profile settings are divided into four sections: Broadcast/Multicast, General, RF and Advanced. The profile parameters in each section are described in Table 1.
4. Click Save.
5. Click Pending Changes.
6. In the Pending Changes window, select the check box and click Deploy Changes.

Table 1: Virtual AP Profile Parameters

Parameter

Description

Broadcast/Multicast

Dynamic Multicast Optimization (DMO)

Enable/Disable dynamic multicast optimization. This parameter is disabled by default, and cannot be enabled without the PEFNG license.

Dynamic Multicast Optimization (DMO) Threshold

Maximum number of high-throughput stations in a multicast group beyond which dynamic multicast optimization stops.

Range: 2-255 stations

Default: 6 stations.

Drop Broadcast and Multicast

Select the Drop Broadcast and Multicast check box to filter out broadcast and multicast traffic in the air.

Do not enable this option for virtual APs configured in bridge forwarding mode. This configuration parameter is only intended for use with virtual APs in tunnel mode. In tunnel mode, all packets travel to the controller, so the controller is able to drop all broadcast traffic. When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the controller is not able to filter out that broadcast traffic.

IMPORTANT: If you enable this option, you must also enable the Convert Broadcast ARP requests to unicast parameter on the virtual AP profile to prevent ARP requests from being dropped.

Convert Broadcast ARP requests to unicast

If enabled, all broadcast ARP requests are converted to unicast and sent directly to the client. You can check the status of this option using the show ap active and show datapath tunnel commands. If enabled, the output displays the letter a in the flags column.

This configuration parameter is only intended for use with virtual APs in tunnel mode. In tunnel mode, all packets travel to the controller, so the controller is able to convert ARP requests directed to the broadcast address into unicast.

When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the controller is not able to convert that broadcast traffic.

This parameter is enabled by default. Behaviors associated with these settings are enabled upon upgrade to ArubaOS 6.1.3.2. If your controller supports clients behind a wireless bridge or virtual clients on VMware devices, you must disable this setting to allow those clients to obtain an IP address. In previous releases of ArubaOS, the virtual AP profile included two unique broadcast filter parameters: the drop broadcast and multicast parameter, which filtered out all broadcast and multicast traffic in the air except DHCP response frames (these were converted to unicast frames and sent to the corresponding client), and the convert Broadcast ARP requests to unicast parameter, which converted broadcast ARP requests to unicast messages sent directly to the client.

The Convert Broadcast ARP requests to unicast setting includes the additional functionality of the broadcast-filter all parameter, where DHCP response frames are sent as unicast to the corresponding client. This can impact DHCP discover/request packets for clients behind a wireless bridge and virtual clients on VMware devices. Disable this option to resolve this issue and allow clients behind a wireless bridge or on VMware devices to receive an IP address.

Default: Enabled

General

Virtual AP enable

Select the Virtual AP enable check box to enable or disable the virtual AP.

VLAN

The VLAN(s) into which users are placed in order to obtain an IP address. Click the drop-down list to select a configured VLAN, then click the arrow button to associate that VLAN with the virtual AP profile.

NOTE: You must add an existing VLAN ID to the Virtual AP profile.

Forward mode

This parameter controls whether data is tunneled to the controller using generic routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or a combination thereof depending on the destination (corporate traffic goes to the controller, and Internet access remains local). All forwarding modes support band steering, TSPEC/TCLAS enforcement, 802.11k and station blacklisting.

Click the drop-down list to select one of the following forward modes:

Tunnel: The AP handles all 802.11 association requests and responses, but sends all 802.11 data packets, action frames and EAPOL frames over a GRE tunnel to the controller for processing. The controller removes or adds the GRE headers, decrypts or encrypts 802.11 frames and applies firewall rules to the user traffic as usual. Both remote and campus APs can be configured in tunnel mode.

Bridge: 802.11 frames are bridged into the local Ethernet LAN. When a remote AP or campus AP is in bridge mode, the AP (and not the controller) handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.

An AP in bridge mode does not support captive portal authentication. Both remote and campus APs can be configured in bridge mode. Note that you must enable the control plane security feature on the controller before you configure campus APs in bridge mode.

Split-Tunnel: 802.11 frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the controller, and Internet access remains local).

A remote AP in split-tunnel forwarding mode handles all 802.11 association requests and responses, encryption/decryption, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the remote AP, which then sends out responses as needed.

Decrypt-Tunnel: Both remote and campus APs can be configured in decrypt-tunnel mode. When an AP uses decrypt-tunnel forwarding mode, that AP decrypts and decapsulates all 802.11 frames from a client and sends the 802.3 frames through the GRE tunnel to the controller, which then applies firewall policies to the user traffic.

When the controller sends traffic to a client, the controller sends 802.3 traffic through the GRE tunnel to the AP, which then converts it to encrypted 802.11 and forwards to the client. This forwarding mode allows a network to utilize the encryption/decryption capacity of the AP while reducing the demand for processing resources on the controller.

APs in decrypt-tunnel forwarding mode also manage all 802.11 association requests and responses, and process all 802.11e and 802.11k action frames. APs using decrypt-tunnel mode have some limitations that are not present for APs in regular tunnel forwarding mode.

You must enable the control plane security feature on the controller before you configure campus APs in decrypt-tunnel forward mode.

NOTE: Virtual APs in bridge or split-tunnel mode using static WEP should use key slots 2-4 on the controller. Key slot 1 should only be used with Virtual APs in tunnel mode.

RF

Allowed band

The band(s) on which to use the virtual AP:

a—802.11a band only (5 GHz).

g—802.11b/g band only (2.4 GHz).

all—both 802.11a and 802.11b/g bands (5 GHz and 2.4 GHz). This is the default setting.

Band Steering

ARM’s band steering feature encourages dual-band capable clients to stay on the 5GHz band on dual-band APs. This frees up resources on the 2.4GHz band for single band clients like VoIP phones.

Band steering reduces co-channel interference and increases available bandwidth for dual-band clients, because there are more channels on the 5GHz band than on the 2.4GHz band. Dual-band 802.11n-capable clients may see even greater bandwidth improvements, because the band steering feature will automatically select between 40MHz or 20MHz channels in 802.11n networks. This feature is disabled by default, and must be enabled in a Virtual AP profile.

The band steering feature supports both campus APs and remote APs that have a virtual AP profile set to tunnel, split-tunnel or bridge forwarding mode. Note, however, that if a campus or remote AP has virtual AP profiles configured in bridge or split-tunnel forwarding mode but no virtual AP in tunnel mode, that AP will gather information about 5G-capable clients independently and will not exchange this information with other APs that also have bridge or split-tunnel virtual APs only.

Steering Mode

Band steering supports the following three modes:

Force-5GHz: When the AP is configured in force-5GHz band steering mode, the AP will try to force 5 GHz-capable clients to use that radio band.

Prefer-5GHz (Default): If you configure the AP to use prefer-5GHz band steering mode, the AP will try to steer the client to 5G band (if the client is 5G capable) but will let the client connect on the 2.4G band if the client persists in 2.4 G association attempts.

Balance-bands: In this band steering mode, the AP tries to balance the clients across the two radios in order to best utilize the available 2.4 GHz bandwidth. This feature takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate in 40 MHz while the 2.4 GHz band operates in 20 MHz.

Advanced

Cellular Handoff Assist

When both the client match and the cellular handoff assist features are enabled, the cellular handoff assist feature can help a dual-mode, 3G- or 4G-capable Wi-Fi device, such as an iPhone, iPad or Android client at the edge of a Wi-Fi network, switch from Wi-Fi to an alternate 3G or 4G radio that provides better network access. This feature is supported by iOS and Android devices only.

Authentication Failure Blacklist Time

Time, in seconds, a client is blocked after repeated authentication failures. The default setting is 3600 seconds (1 hour). A value of 0 blocks the client indefinitely.

Blacklist Time

Number of seconds that a client is quarantined from the network after being blacklisted. Default: 3600 seconds (1 hour)

Deny inter user traffic

Select this check box to deny traffic between the clients using this virtual AP profile.

The global firewall settings, shown in the Configuration > Advanced Services > Stateful Firewall > Global window, also include an option to deny all inter-user traffic, regardless of the Virtual AP profile used by those clients.

If the global setting to deny inter-user traffic is enabled, all inter-user traffic between clients is denied, regardless of the settings configured in the virtual AP profiles. If the setting to deny inter-user traffic is disabled globally but enabled on an individual virtual AP, only the traffic between untrusted users and the clients on that particular virtual AP is blocked.

Deny time range

Click the drop-down list and select a configured time range for which the AP will deny access. If you have not yet configured a time range, navigate to Configuration > Security > Access Control > Time Ranges to define a time range before configuring this setting in the Virtual AP profile.

DoS Prevention

If enabled, APs ignore deauthentication frames from clients. This prevents a successful deauthentication attack from being carried out against the AP. This does not affect third-party APs. Default: Disabled

HA Discovery on-association

If enabled, home agent discovery is triggered on client association instead of home agent discovery based on traffic from the client. Mobility on association can speed up roaming and improve connectivity for clients that do not send many uplink packets to trigger mobility (VoIP clients). Best practice is to disable this parameter, as it increases IP mobility control traffic between managed devices in the same mobility domain. Enable this parameter only when voice issues are observed in VoIP clients.

Default: Disabled

NOTE: The ha-disc-onassoc parameter works only when IP mobility is enabled and configured on the managed device. For more information about this parameter, see HA Discovery on Association.

Mobile IP

Enables or disables IP mobility for this virtual AP.

Default: Enabled

Preserve Client VLAN

If you select this check box, clients retain their previous VLAN assignment if the client disassociates from an AP and then immediately re-associates either with the same AP or with another AP on the same managed device.

Remote-AP Operation

Configures when the virtual AP operates on a remote AP:

always—Permanently enables the virtual AP (Bridge Mode only). This option can be used for non-802.1X bridge VAPs.

backup—Enables the virtual AP if the remote AP cannot connect to the managed device (Bridge Mode only). This option can be used for non-802.1X bridge VAPs.

persistent—Permanently enables the virtual AP after the remote AP initially connects to the managed device (Bridge Mode only). This option can be used for any (Open/PSK/802.1X) bridge VAPs.

standard—Enables the virtual AP when the remote AP connects to the managed device. This option can be used for any (bridge/split-tunnel/tunnel/d-tunnel) VAPs.

Station Blacklisting

Select the Station Blacklisting check box to enable detection of denial of service (DoS) attacks, such as ping or SYN floods, that are not spoofed deauthentication attacks.

Default: Enabled

Strict Compliance

If enabled, the AP denies client association requests if the AP and client station have no common rates defined. Some legacy client stations which are not fully 802.11-compliant may not include their configured rates in their association requests. Such non-compliant stations may have difficulty associating with APs unless strict compliance is disabled. This parameter is disabled by default.

VLAN Mobility

Enable or disable VLAN (Layer-2) mobility.

Default: Disabled

WAN operation mode

This feature works in conjunction with the WAN Health Check Manager and Uplink Manager. When all uplinks are down, the uplink manager makes the needed changes based on the configuration and pushes these changes to the APs.

If the operation mode is set to primary, the VAP will be disabled.

If the operation mode is set to backup, the VAP will be enabled.

If the operation mode is set to always, the VAP will not change.

FDB Update on Assoc

This parameter enables seamless failover for silent clients, allowing them to re-associate. If you select this option, the controller will generate a Layer 2 update on behalf of client to update forwarding tables in bridge devices.

Default: Disabled

A Virtual AP profile directly references one of each of the following profile types:

802.11k

AAA

AnySpot

HotSpot 2.0

SSID

WMM Traffic Management

To change the profiles associated to a Virtual AP profile:

1. In the Managed Network node hierarchy, navigate to Configuration > System > Profiles.
2. In the All Profiles list, expand the Wireless LAN menu, then select Virtual AP.
3. Select the Virtual AP profile you want to edit. The All Profiles window displays the list of associated profiles for that Virtual AP.
4. Select any of the associated profiles in the list.
5. A drop-down list appears at the top of the right window pane which allows you to select another profile of that type.
6. Click Save.
7. Click Pending Changes.
8. In the Pending Changes window, select the check box and click Deploy Changes.

Figure 1  Associating Profiles to a Virtual AP

In the CLI

(host)[node](config) #wlan virtual-ap <profile>
(host)[node](Virtual AP profile "profile") #aaa-profile <profile>
(host)[node](Virtual AP profile "profile") #anyspot-profile <profile>
(host)[node](Virtual AP profile "profile") #dot11k-profile <profile>
(host)[node](Virtual AP profile "profile") #hs2-profile <profile>
(host)[node](Virtual AP profile "profile") #ssid-profile <profile>
(host)[node](Virtual AP profile "profile") #wmm-traffic-management-profile <profile>

Modifying Profiles and Parameters Associated with AP Groups

Starting from ArubaOS 8.0.1 you can modify the profiles and parameters associated with an AP group.

In the WebUI

1. In the Mobility Master node hierarchy, navigate to the Configuration > AP Groups tab.
2. Select an AP group in the AP Groups table and click the Profiles tab.
3. Select a profile under Profiles for Group <AP Group>.
4. Click the <NAME> profile drop-down list and select a profile.
5. Make the necessary changes to the profile and click Submit.
6. Click Pending Changes.
7. In the Pending Changes window, select the check box and click Deploy Changes.

Selective Multicast Streams

The selective multicast group is based only on the packets learned through the Internet Group Management Protocol (IGMP).

When the Drop Broadcast and Multicast setting is enabled in the virtual AP profile, the managed device allows multicast packets to be forwarded only if the following conditions are met:

packets originating from the wired side have a destination address in the range 225.0.0.0 - 239.255.255.255, and

a station has subscribed to a multicast group.

If the Dynamic Multicast Optimization (DMO) setting is enabled in the virtual AP profile, the packets are sent with an 802.11 unicast header.

When IGMP snooping/proxy is disabled, the managed device is not aware of the IGMP membership and drops the multicast flow.

If AirGroup is enabled, mDNS and SSDP packets are sent to the AirGroup application. The common address for mDNS is 224.0.0.251 and for SSDP is 239.255.255.250.
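As an added illustration (not ArubaOS code), the following Python model encodes the Drop Broadcast and Multicast, Convert Broadcast ARP requests to unicast and DMO rules from Table 1 together with the selective multicast conditions above, so their interplay (ARP requests dying when only Drop is enabled, 224.x traffic falling outside the selective range, the DMO threshold) can be exercised on constructed inputs. Field names follow the WebUI parameter names; the action strings and the bridge-mode short-circuit are my assumptions.

```python
"""Model of how the managed device treats wired-side broadcast and multicast
frames for a Virtual AP, following Table 1 (Drop Broadcast and Multicast,
Convert Broadcast ARP requests to unicast, DMO and its threshold) and the
Selective Multicast Streams rules. Added illustration, not ArubaOS code:
field names mirror the WebUI parameters, action strings are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address

BROADCAST = IPv4Address("255.255.255.255")
MDNS = IPv4Address("224.0.0.251")            # AirGroup addresses from the page
SSDP = IPv4Address("239.255.255.250")
SELECTIVE_LO = IPv4Address("225.0.0.0")      # selective multicast range
SELECTIVE_HI = IPv4Address("239.255.255.255")


@dataclass
class VapProfile:
    forward_mode: str = "tunnel"    # tunnel | bridge | split-tunnel | decrypt-tunnel
    drop_bcast_mcast: bool = False  # Drop Broadcast and Multicast
    convert_arp: bool = True        # Convert Broadcast ARP requests to unicast
    dmo: bool = False               # Dynamic Multicast Optimization (PEFNG license)
    dmo_threshold: int = 6          # DMO stops above this many HT stations
    igmp_snooping: bool = True      # IGMP snooping/proxy on the managed device
    airgroup: bool = False


def decide(p: VapProfile, dst: str, *, arp_request: bool = False,
           from_wired: bool = True, subscribers: int = 0) -> str:
    """Action for one frame to dst; subscribers = stations in dst's IGMP group."""
    dst = IPv4Address(dst)
    if p.forward_mode == "bridge":
        # Bridge-mode traffic stays local to the AP, so the controller cannot
        # filter or convert it: these profile settings do not apply (assumed).
        return "forwarded-unfiltered"
    if dst == BROADCAST:
        if arp_request and p.convert_arp:
            return "unicast-to-client"
        # Drop enabled with Convert ARP disabled kills ARP requests, which is
        # why the page says the two must be enabled together.
        return "dropped" if p.drop_bcast_mcast else "forwarded-broadcast"
    if dst.is_multicast:
        if p.airgroup and dst in (MDNS, SSDP):
            return "to-airgroup"
        if not p.drop_bcast_mcast:
            return "forwarded-multicast"
        if not p.igmp_snooping:
            return "dropped"        # no membership knowledge: flow dropped
        if not (from_wired and SELECTIVE_LO <= dst <= SELECTIVE_HI):
            return "dropped"        # outside the selective range (e.g. 224.x)
        if subscribers == 0:
            return "dropped"        # no station joined the group
        if p.dmo and subscribers <= p.dmo_threshold:
            return "unicast-to-subscribers"   # sent with 802.11 unicast header
        return "forwarded-multicast"
    return "forwarded"              # unicast frames are not affected
```

Note that with Drop enabled and AirGroup disabled, mDNS at 224.0.0.251 is dropped even when stations have joined, because 224.x lies below the selective range.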

Changing a Virtual AP Forwarding Mode

When you change the forwarding mode for a Virtual AP actively serving clients, the user table will NOT reflect accurate client information unless the entries for those users are manually cleared. Use the following procedure to change the forwarding mode on a Virtual AP serving wired or wireless clients.

Changing the Forwarding Mode for Wired Users

To change the forwarding mode for wired users connected to the wired port on an AP:

1. Disable the port by issuing the CLI command ap wired-port-profile <ap-wired-port-profile> shutdown. This will disconnect any wired clients using that port.
2. Issue the command aaa user delete {<ipaddr>|all|mac <macaddr>|name <username>|role <role>} to remove from the user table the wired users associated with AP wired ports using the <ap-wired-port-profile>.

3. Issue the command ap wired-ap-profile <profile> forward-mode <mode>, where <mode> is the new forwarding mode for the wired port.

4. Reenable the port using the command ap wired-port-profile <ap-wired-port-profile> no shutdown.

Changing the Forwarding Mode for Wireless Users

To change the forwarding mode for wireless users associated with an AP radio:

1. Issue the command ap-name <group> no virtual-ap <vap-profile> or ap-group <group> no virtual-ap <vap-profile> to disassociate the AP or group of APs from the virtual AP profile.

2. Issue the command aaa user delete {<ipaddr>|all|mac <macaddr>|name <username>|role <role>} to remove from the user table the users associated to the virtual-ap specified in the previous step.

3. Issue the command wlan virtual-ap <vap-profile> forward-mode <mode>, where <mode> is the new forwarding mode for the virtual AP.

4. Issue the command ap-name <group> virtual-ap <vap-profile> or ap-group <group> virtual-ap <vap-profile> to reassociate the AP or group of APs with the virtual AP profile.