wlan virtual-ap <profile-name>
This command configures a virtual AP profile.
Name of this profile. The name must be 1-63 characters.
Name of the profile that applies to this virtual AP.
The (s) on which to use the virtual AP:
only (5 )
/g only (2.4 )
(5 and 2.4 )
a, g, all
Anyspot Profile associated with this Virtual AP Profile. The anyspot client probe suppression feature decreases network traffic by suppressing probe requests from clients attempting to locate and connect to other known networks.
Time, in seconds, a client is blocked if it fails repeated authentication.
A value of 0 blocks a client indefinitely.
’s steering feature can encourage or require dual- capable clients to stay on the 5 on dual- APs. This frees up resources on the 2.4 for single clients like phones.
steering reduces co-channel interference and increases available bandwidth for dual- clients, because there are more channels on the 5 than on the 2.4 . Dual- -capable clients may see even greater bandwidth improvements, because the steering feature will automatically select between 40MHz or 20 channels in networks. This feature is disabled by default, and must be enabled in a Virtual AP profile.
The steering feature supports three steering modes, which can be configured via the
steering can be configured on both and that have a virtual AP profile set to tunnel, decrypt-tunnel, split-tunnel or bridge forwarding mode. Note, however, that if a campus or has virtual AP profiles configured in bridge or split-tunnel forwarding mode but no virtual AP in tunnel mode, those APs will gather information about 5G-capable clients independently and will not exchange this information with other APs that also have bridge or split-tunnel virtual APs only.
Enables detection of attacks, such as ping or SYN floods, that are not spoofed deauth attacks.
Number of seconds that a client is quarantined from the network after being blacklisted.
Filter out broadcast and multicast traffic in the air.
Do not enable this option for virtual APs configured in bridge forwarding mode. This configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel mode, all packets travel to the managed device, so the managed device is able to drop all broadcast traffic. When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the managed device is not able to filter out that broadcast traffic.
IMPORTANT: If you enable this option, you must also enable the Broadcast-Filter ARP parameter in the stateful configuration to prevent requests from being dropped. Note also that although a virtual AP profile can be replicated from a Mobility Master to managed device, stateful settings do not. If you select the broadcast-filter all option for a Virtual AP Profile on a Mobility Master, you must enable the broadcast-filter arp setting on each individual managed device.
If enabled, all broadcast requests are converted to unicast and sent directly to the client. You can check the status of this option using the show ap active and the show datapath tunnel command. If enabled, the output will display the letter a in the flags column.
Do not enable this option for virtual APs configured in bridge forwarding mode. This configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel mode, all packets travel to the managed device, so the managed device is able to convert requests directed to the broadcast address into unicast. When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the managed device is not able to convert that broadcast traffic.
For the option
, the default value is disabled.
For the option
, the default value is enabled.
When both the client match and cellular handoff assist features are enabled, the cellular handoff assist feature can help a dual-mode, or -capable device such as an iPhone, iPad, or Android client at the edge of network coverage switch from to an alternate or radio that provides better network access. This feature is disabled by default, and is recommended only for deployments.
Name of an existing traffic management profile from which parameter values are copied.
Select this check box to deny traffic between the clients using this virtual AP profile.
command includes an option to deny all inter-user traffic, regardless of the Virtual AP profile used by those clients.
If the global setting to deny inter-user traffic is enabled, all inter-user traffic between clients will be denied, regardless of the settings configured in the virtual AP profiles. If the setting to deny inter-user traffic is disabled globally but enabled on an individual virtual AP, only the traffic between un-trusted users and the clients on that particular virtual AP will be blocked.
Specify the name of the time range for which the AP will deny access. Time ranges can be defined using the command
If enabled, APs ignore deauthentication frames from clients. This prevents a successful deauth attack from being carried out against the AP. This does not affect third-party APs.
Name of an profile to be associated with this VAP.
Enable or disable dynamic multicast optimization. This parameter can only be enabled on a managed device with a license.
Maximum number of high-throughput stations in a multicast group beyond which dynamic multicast optimization stops.
This parameter enables seamless failover for silent clients, allowing them to re-associate. If you select this option, the managed device will generate a Layer 2 update on behalf of the client to update forwarding tables in bridge devices.
Controls whether frames are tunneled to the managed device using generic routing encapsulation (), bridged into the local (for ), or a combination thereof depending on the destination (corporate traffic goes to the managed device, and Internet access remains local).
Select one of the following forward modes:
Tunnel: When an AP is in tunnel forwarding mode, the AP handles all association requests and responses. The AP sends all data packets, action frames and EAPOL frames over a tunnel to the managed device for processing. The managed device removes or adds the headers, decrypts or encrypts frames and applies rules to the user traffic as usual.
Bridge: When an AP is in bridge mode, data is bridged onto the local . When in bridge mode, the AP handles all association requests and responses, encryption or decryption processes, and enforcement. and action frames are also processed by the AP, which then sends out responses as needed. An AP in bridge mode supports only the authentication type.
Split-Tunnel: Data frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the managed device, and Internet access remains local). The AP handles all association requests and responses, encryption or decryption, and enforcement. and action frames are also processed by the AP, which then sends out responses as needed. An AP in split-tunnel mode supports only the authentication type.
Decrypt-Tunnel: An AP in decrypt-tunnel forwarding mode decrypts and decapsulates all frames from a station and sends the 802.3 frames through the tunnel to the managed device, which then applies policies to the user traffic. This mode allows a network to utilize the encryption or decryption capacity of the AP while reducing the demand for processing resources on the managed device. APs in decrypt-tunnel forwarding mode also manage all association requests and responses, and process all and action frames.
Virtual APs in bridge or split-tunnel mode using static should use key slots 2-4 on the managed device. Key slot 1 should only be used with Virtual APs in tunnel mode.
If enabled, home agent discovery is triggered on client association instead of home agent discovery based on traffic from the client. Mobility on association can speed up roaming and improve connectivity for clients that do not send many uplink packets to trigger mobility ( clients). Best practice is to leave this parameter disabled, as it increases IP mobility control traffic between managed devices in the same mobility domain. Enable this parameter only when voice issues are observed in clients.
The ha-disc-onassoc parameter works only when IP mobility is enabled and configured on the managed device. For more information about this parameter, refer to Home Agent Discovery on Association.
Enables or disables a profile. This is enabled by default.
Enables or disables IP mobility on a virtual AP. This is enabled by default. L3 mobility service is active on a VAP only if
is also enabled on the
Negates any configured parameter.
Enables on AP forwarding path.
This parameter allows clients to retain their previous assignment if the client disassociates from an AP and then immediately re-associates either with same AP or another AP on same
Configures when the virtual AP operates on a :
always—Permanently enables the virtual AP (Bridge Mode only). This option can be used for non- bridge VAPs.
backup—Enables the virtual AP if the cannot connect to the managed device (Bridge Mode only). This option can be used for non- bridge VAPs.
persistent—Permanently enables the virtual AP after the initially connects to the managed device (Bridge Mode only). This option can be used for any (Open or or ) bridge VAPs.
standard—Enables the virtual AP when the connects to the managed device. This option can be used for any (bridge or split-tunnel or tunnel or d-tunnel) VAPs.
backup or persistent or standard
Name of the profile that applies to this virtual AP.
steering supports three different steering modes.
Force-5GHz: When the AP is configured in force-5GHz steering mode, the AP will try to force 5 -capable APs to use that radio .
Prefer-5GHz (Default): If you configure the AP to use prefer-5GHz steering mode, the AP will try to steer the client to 5G (if the client is 5G capable) but will let the client connect on the 2. if the client persists in 2. association attempts.
Balance-bands: In this steering mode, the AP tries to balance the clients across the two radios in order to best utilize the available 2. bandwidth. This feature takes into account the fact that the 5 has more channels than the 2.4 , and that the 5 channels operate in 40 while the 2.5 operates in 20 .
Steering modes do not take effect until the steering feature has been enabled. The steering feature in ArubaOS versions 3.3.2-5.0 does not support multiple -steering modes. The -steering feature in these versions of ArubaOS functions the same way as the default prefer-5GHz steering mode available in ArubaOS 6.0 and later.
If enabled, the AP denies client association requests if the AP and client station have no common rates defined. Some legacy client stations which are not fully -compliant may not include their configured rates in their association requests. Such non-compliant stations may have difficulty associating with APs unless strict compliance is disabled.
Enable or disable the virtual AP.
The (s) into which users are placed in order to obtain an IP address. Enter as a comma-separated list of existing IDs or names. A mixture of names and numeric IDs is not allowed.
You must add an existing ID to the Virtual AP profile.
mobility retains the client on roaming irrespective of the VAP , provided the user are extended.
mobility and mobile IP are mutually exclusive.
mobility does not re-use user sessions on roaming as the sessions will have to be recreated locally on the roamed
Specify the wan-operation to enable Virtual AP depending on the state of the link.
Specify the Traffic Management Profile to be associated with this Virtual AP Profile.
profiles configure in the form of virtual AP profiles. A virtual AP profile contains an profile which defines the and an profile which defines the authentication for the . You can configure and apply multiple instances of virtual AP profiles to an AP group or to an individual AP.
A named can be deleted although it is configured in a virtual AP profile. If this occurs, the virtual AP profile becomes invalid. If the named is added back later, the virtual AP becomes valid again.
parameter is enabled by default. If your Mobility Master supports clients behind a wireless bridge or virtual clients on VMware devices, you must disable the broadcast-filter arp setting to allow those clients to obtain an IP address.
In previous releases of ArubaOS, the virtual AP profile included two unique broadcast filter parameters; the parameter, which filtered out all broadcast and multicast traffic in the air except response frames (these were converted to unicast frames and sent to the corresponding client) and the parameter, which converted broadcast requests to unicast messages sent directly to the client.
setting includes the additional functionality of broadcast-filter all parameter, where the response frames are sent as unicast to the corresponding client. This can impact discover or requested packets for clients behind a wireless bridge and virtual clients on VMware devices. Disable the broadcast-filter arp setting using the command to resolve this issue and allow clients behind a wireless bridge or VMware devices to receive an IP address.
If there is only one defined, then the Mobility Master will send IPv6 RAs as usual. If, however, there are multiple , then the Mobility Master will automatically convert multicast frames to unicast. This conversion prevents frames from being sent with a multicast key to all clients on the , which could lead to clients having multiple IPv6 addresses.
Example
The following command configures a virtual AP:
(host) [md] (config) #wlan virtual-ap corpnet
(host) [md] (Virtual AP profile "corpnet") #vlan 1
(host) [md] (Virtual AP profile "corpnet") #aaa-profile corpnet
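The forwarding-mode restrictions described in this reference can be checked against a saved configuration. The following is an added example, not part of the original reference or Aruba's own tooling: it flags a broadcast filter on a bridge-mode virtual AP and a bridge-only operation value on a non-bridge virtual AP. It assumes the ArubaOS keywords forward-mode and rap-operation, stanzas terminated by "!", and tunnel as the mode when forward-mode is absent; the sample configuration is constructed.

```python
import re

# Constructed sample in running-config style; not taken from the page.
SAMPLE = '''\
wlan virtual-ap "corpnet"
   vlan 1
   broadcast-filter all
!
wlan virtual-ap "branch-bridge"
   forward-mode bridge
   broadcast-filter arp
   rap-operation always
!
wlan virtual-ap "guest"
   forward-mode split-tunnel
   rap-operation backup
!
'''
BRIDGE_ONLY_RAP = {"always", "backup", "persistent"}  # listed as "Bridge Mode only"

def parse_profiles(text):
    """Map each virtual AP profile name to its list of (keyword, value) lines."""
    profiles, current = {}, None
    for line in text.splitlines():
        head = re.match(r'^wlan virtual-ap\s+"?([^"]+?)"?\s*$', line)
        if head:
            current = profiles.setdefault(head.group(1), [])
        elif line.strip() == "!":
            current = None  # end of stanza
        elif current is not None and line.strip():
            key, _, value = line.strip().partition(" ")
            current.append((key, value.strip()))
    return profiles

def audit(text):
    """Return (profile, finding) pairs for settings the reference warns against."""
    findings = []
    for name, settings in parse_profiles(text).items():
        opts = dict(settings)
        mode = opts.get("forward-mode", "tunnel")  # assumption: tunnel when absent
        filters = {v for k, v in settings if k == "broadcast-filter"}
        rap = opts.get("rap-operation")
        if mode == "bridge" and filters:
            findings.append((name, "BCAST_FILTER_ON_BRIDGE"))
        if rap in BRIDGE_ONLY_RAP and mode != "bridge":
            findings.append((name, "RAP_OPERATION_NEEDS_BRIDGE"))
    return findings
```

Calling audit(SAMPLE) returns one finding for "branch-bridge" and one for "guest"; the tunnel-mode "corpnet" profile passes.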
Base operating system.
Config mode on