wlan virtual-ap

wlan virtual-ap <profile-name>

aaa-profile <profile-name>

allowed-5g-radio {all|first-5g-radio-only|second-5g-radio-only}

allowed-band <band>

allowed-band-6ghz

allow-band-6ghz-supplement

anyspot-profile <profile>

auth-failure-blacklist-time / auth-failure-denylist-time <seconds>

band-steering

blacklist/denylist

blacklist-time / denylist-time <seconds>

broadcast-filter all|arp

cellular-handoff-assist

clone <profile-name>

deny-inter-user-traffic

deny-time-range <range>

disable-on-6ghz-mesh

dos-prevention

dot11k-profile

dynamic-mcast-optimization

dynamic-mcast-optimization-threshold

fdb-update-on-assoc

forward-mode {tunnel|bridge|split-tunnel|decrypt-tunnel}

ftm-responder-enable

ha-disc-onassoc

hs2-profile

mbssid-group

mobile-ip

no ...

openflow-enable

preserve-vlan

rap-operation {always|backup|persistent|standard}

ssid-profile <profile-name>

steering-mode band-balancing|force-5ghz|prefer-5ghz

strict-compliance

vap-enable

vlan <vlan>...

vlan-mobility

wan-operation

wmm-traffic-management-profile

Description

This command configures a virtual AP profile.

The WMM traffic management feature is not supported on AP-203H, AP-203R, AP-203RP, AP-207, AP-228, AP-277, 200 Series, 210 Series, 220 Series, 340 Series, 500 Series, 510 Series access points.

WLAN profiles configure WLANs in the form of virtual AP profiles. A virtual AP profile contains an SSID profile which defines the WLAN and an AAA profile which defines the authentication for the WLAN. You can configure and apply multiple instances of virtual AP profiles to an AP group or to an individual AP.

A named VLAN can be deleted even though it is configured in a virtual AP profile. If this occurs, the virtual AP profile becomes invalid. If the named VLAN is added back later, the virtual AP becomes valid again.

The broadcast-filter arp parameter is enabled by default. If your Mobility Conductor supports clients behind a wireless bridge or virtual clients on VMware devices, you must disable the broadcast-filter arp setting to allow those clients to obtain an IP address. In previous releases of ArubaOS, the virtual AP profile included two unique broadcast filter parameters; the broadcast-filter all parameter, which filtered out all broadcast and multicast traffic in the air except DHCP response frames (these were converted to unicast frames and sent to the corresponding client) and the broadcast-filter arp parameter, which converted broadcast ARP requests to unicast messages sent directly to the client.

The broadcast-filter arp setting includes the additional functionality of the broadcast-filter all parameter, where DHCP response frames are sent as unicast to the corresponding client. This can impact DHCP discover or request packets for clients behind a wireless bridge and virtual clients on VMware devices. Disable the broadcast-filter arp setting using the wlan virtual-ap <profile> no broadcast-filter arp command to resolve this issue and allow clients behind a wireless bridge or VMware devices to receive an IP address.

If there is only one VLAN defined, then the Mobility Conductor will send IPv6 RAs as usual. If, however, there are multiple VLANs, then the Mobility Conductor will automatically convert 802.11 multicast frames to unicast. This conversion prevents RA frames from being sent with a multicast key to all clients on the BSSID, which could lead to clients having multiple IPv6 addresses.

Parameter

Description

<profile-name>

Name of this profile.

Range: 1-63 characters

Default: default

aaa-profile

Name of the AAA profile that applies to this virtual AP.

Default: default

allowed-5g-radio

The 5 GHz radio(s) on which to configure the virtual AP:

all—dual 5 GHz band only

first-5g-radio-only—first 5 GHz band only

second-5g-radio-only—second 5 GHz band only

Default: all

NOTE: This parameter is ignored if the AP has only one 5 GHz radio.

allowed-band

The band(s) on which to use the virtual AP:

a—5 GHz band only (802.11a)

g—2.4 GHz band only (802.11b/802.11g)

all—both 2.4 GHz and 5 GHz bands (802.11a and 802.11b/802.11g)

none—disable both 2.4 GHz and 5 GHz bands

Default: all

NOTE: The none option is supported from ArubaOS 8.9.0.0 or later versions.

allowed-band-6ghz

(ArubaOS 8.9.0.0 or later versions)

Enable 6 GHz band to use the virtual AP.

NOTE: This field is applicable to Wi-Fi 6E APs only.

allow-band-6ghz-supplement

This option enables the allocation of more than four 6 GHz VAPs.

anyspot-profile

Anyspot Profile associated with this Virtual AP Profile. The anyspot client probe suppression feature decreases network traffic by suppressing probe requests from clients attempting to locate and connect to other known networks.

auth-failure-blacklist-time / auth-failure-denylist-time

Time, in seconds, a client is blocked if it fails repeated authentication. A value of 0 blocks a client indefinitely.

Range: 0-2,147,483,647 seconds

Default: 0

band-steering

ARM’s band steering feature can encourage or require dual-band capable clients to stay on the 5 GHz band on dual-band APs. This frees up resources on the 2.4 GHz band for single band clients like VoIP phones.

Band steering reduces co-channel interference and increases available bandwidth for dual-band clients, because there are more channels on the 5 GHz band than on the 2.4 GHz band. Dual-band 802.11n-capable clients may see even greater bandwidth improvements, because the band steering feature will automatically select between 40MHz or 20 MHz channels in 802.11n networks. This feature is disabled by default, and must be enabled in a Virtual AP profile.

The band steering feature supports three steering modes, which are configured via the steering-mode parameter described below.

Band steering can be configured on both campus APs and remote APs that have a virtual AP profile set to tunnel, decrypt-tunnel, split-tunnel or bridge forwarding mode. Note, however, that if a campus or remote AP has virtual AP profiles configured in bridge or split-tunnel forwarding mode but no virtual AP in tunnel mode, that AP gathers information about 5G-capable clients independently and does not exchange this information with other APs that also have bridge or split-tunnel virtual APs only.

Default: disabled

blacklist/denylist

Enables detection of DoS attacks, such as ping or SYN floods, that are not spoofed deauth attacks.

Default: enabled

blacklist-time/denylist-time

Number of seconds that a client is quarantined from the network after being blocked.

Range: 0-2,147,483,647 seconds

Default: 3600 seconds (1 hour)

broadcast-filter

Filter out broadcast and multicast traffic in the air.

all

NOTE: Do not enable this option for virtual APs configured in bridge forwarding mode. This configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel mode, all packets travel to the managed device, so the managed device is able to drop all broadcast traffic. When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the managed device is not able to filter out that broadcast traffic.

IMPORTANT: If you enable this option, you must also enable the Broadcast-Filter ARP parameter in the stateful firewall configuration to prevent ARP requests from being dropped. Note also that although a virtual AP profile can be replicated from a Mobility Conductor to managed device, stateful firewall settings do not. If you select the broadcast-filter all option for a Virtual AP Profile on a Mobility Conductor, you must enable the broadcast-filter arp setting on each individual managed device.

arp

If enabled, all broadcast ARP requests are converted to unicast and sent directly to the client. You can check the status of this option using the show ap active and the show datapath tunnel command. If enabled, the output will display the letter a in the flags column.

Do not enable this option for virtual APs configured in bridge forwarding mode. This configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel mode, all packets travel to the managed device, so the managed device is able to convert ARP requests directed to the broadcast address into unicast. When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the managed device is not able to convert that broadcast traffic.

Range: all, arp

Default: For the option all, the default value is disabled.

Default: For the option arp, the default value is enabled.

cellular-handoff-assist

When both the client match and cellular handoff assist features are enabled, the cellular handoff assist feature can help a dual-mode, 3G or 4G-capable Wi-Fi device such as an iPhone, iPad, or Android client at the edge of Wi-Fi network coverage switch from Wi-Fi to an alternate 3G or 4G radio that provides better network access. This feature is disabled by default, and is recommended only for Wi-Fi hotspot deployments.

Default: disabled

clone

Name of an existing traffic management profile from which parameter values are copied.

deny-inter-user-traffic

Select this check box to deny traffic between the clients using this virtual AP profile.

The firewall command includes an option to deny all inter-user traffic, regardless of the Virtual AP profile used by those clients.

If the global setting to deny inter-user traffic is enabled, all inter-user traffic between clients is denied, regardless of the settings configured in the virtual AP profiles. If the setting to deny inter-user traffic is disabled globally but enabled on an individual virtual AP, only the traffic between untrusted users and the clients on that particular virtual AP is blocked.

deny-time-range

Specify the name of the time range for which the AP will deny access. Time ranges can be defined using the CLI command time-range.

disable-on-6ghz-mesh

(ArubaOS 8.9.0.0 or later versions)

If enabled, the virtual AP is disabled on the 6 GHz band only when the AP is provisioned as a mesh AP.

NOTE: This field is applicable to Wi-Fi 6E APs only.

dos-prevention

If enabled, APs ignore deauthentication frames from clients. This prevents a successful deauth attack from being carried out against the AP. This does not affect third-party APs.

Default: disabled

dot11k-profile

Name of an 802.11k profile to be associated with this VAP.

Default: default

dynamic-mcast-optimization

Enables or disables dynamic multicast optimization. This parameter can only be enabled on a managed device with a PEFNG license.

Default: disabled

dynamic-mcast-optimization-threshold

Maximum number of high-throughput stations in a multicast group beyond which dynamic multicast optimization stops.

Range: 2-255 stations

Default: 6 stations

fdb-update-on-assoc

This parameter enables seamless failover for silent clients, allowing them to re-associate. If you select this option, the managed device generates a Layer 2 update on behalf of the client to update forwarding tables in bridge devices.

Default: disabled

forward-mode

Controls whether 802.11 frames are tunneled to the managed device using generic routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or a combination thereof depending on the destination (corporate traffic goes to the managed device, and Internet access remains local).

Select one of the following forward modes:

Tunnel: When an AP is in tunnel forwarding mode, the AP handles all 802.11 association requests and responses. The AP sends all 802.11 data packets, action frames and EAPOL frames over a GRE tunnel to the managed device for processing. The managed device removes or adds the GRE headers, decrypts or encrypts 802.11 frames and applies firewall rules to the user traffic as usual.

Bridge: When an AP is in bridge mode, data is bridged onto the local Ethernet LAN. When in bridge mode, the AP handles all 802.11 association requests and responses, encryption or decryption processes, and firewall enforcement. 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed. An AP in bridge mode supports only the 802.1X authentication type.

Split-Tunnel: Data frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the managed device, and Internet access remains local). The AP handles all 802.11 association requests and responses, encryption or decryption, and firewall enforcement. 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed. An AP in split-tunnel mode supports only the 802.1X authentication type.

Decrypt-Tunnel: An AP in decrypt-tunnel forwarding mode decrypts and decapsulates all 802.11 frames from a station and sends the 802.3 frames through the GRE tunnel to the managed device, which then applies firewall policies to the user traffic. This mode allows a network to utilize the encryption or decryption capacity of the AP while reducing the demand for processing resources on the managed device. APs in decrypt-tunnel forwarding mode also manage all 802.11 association requests and responses, and process all 802.11e and 802.11k action frames.

NOTE: Virtual APs in bridge or split-tunnel mode using static WEP should use key slots 2-4 on the managed device. Key slot 1 should only be used with Virtual APs in tunnel mode.

Range: tunnel, bridge, split-tunnel, decrypt-tunnel

Default: tunnel

ftm-responder-enable

Enables 802.11mc Fine Timing Measurement (FTM) on the radio (responder mode only).

This feature is supported on 500 Series, 500H Series, 510 Series, 530 Series, 550 Series, 560 Series, 570 Series, 630 Series, and 650 Series access points.

Default: disabled

ha-disc-onassoc

If enabled, home agent discovery is triggered on client association instead of being triggered by traffic from the client. Mobility on association can speed up roaming and improve connectivity for clients that do not send many uplink packets to trigger mobility (VoIP clients). Best practice is to leave this parameter disabled, as it increases IP mobility control traffic between managed devices in the same mobility domain. Enable this parameter only when voice issues are observed in VoIP clients.

NOTE: ha-disc-onassoc parameter works only when IP mobility is enabled and configured on the managed device.

Default: disabled

hs2-profile

Enables or disables a hotspot profile.

Default: enabled

mbssid-group

This parameter specifies the MBSSID group to which a 6GHz VAP will be assigned.

mobile-ip

Enables or disables IP mobility on a virtual AP. This is enabled by default. L3 mobility service is active on a VAP only if router mobile is also enabled on the managed device.

Default: enabled

no

Negates any configured parameter.

openflow-enable

Enables OpenFlow on AP forwarding path.

preserve-vlan

This parameter allows clients to retain their previous VLAN assignment if the client disassociates from an AP and then immediately re-associates either with same AP or another AP on same managed device.

rap-operation

Configures when the virtual AP operates on a remote AP:

always—Permanently enables the virtual AP (Bridge Mode only). This option can be used for non-802.1X bridge VAPs.

backup—Enables the virtual AP if the remote AP cannot connect to the managed device (Bridge Mode only). This option can be used for non-802.1X bridge VAPs.

persistent—Permanently enables the virtual AP after the remote AP initially connects to the managed device (Bridge Mode only). This option can be used for any (Open or PSK or 802.1X) bridge VAPs.

standard—Enables the virtual AP when the remote AP connects to the managed device. This option can be used for any (bridge or split-tunnel or tunnel or d-tunnel) VAPs.

Range: always, backup, persistent, standard

Default: standard

ssid-profile

Name of the SSID profile that applies to this virtual AP.

Default: default

steering-mode

Band steering supports three different band steering modes.

Force-5GHz: When the AP is configured in force-5GHz band steering mode, the AP will try to force 5 GHz-capable APs to use that radio band.

Prefer-5GHz (Default): If you configure the AP to use prefer-5GHz band steering mode, the AP will try to steer the client to 5G band (if the client is 5G capable) but will let the client connect on the 2.4G band if the client persists in 2.4G association attempts.

Balance-bands: In this band steering mode, the AP tries to balance the clients across the two radios in order to best utilize the available 2.4G bandwidth. This feature takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate in 40 MHz while the 2.4 GHz band operates in 20 MHz.

NOTE: Steering modes do not take effect until the band steering feature has been enabled. The band steering feature in ArubaOS versions 3.3.2-5.0 does not support multiple band-steering modes. The band-steering feature in these versions of ArubaOS functions the same way as the default prefer-5GHz steering mode available in ArubaOS 6.0 and later.

Range: Force-5 GHz, prefer-5 GHz, balance-bands

Default: prefer-5 GHz

strict-compliance

If enabled, the AP denies client association requests if the AP and client station have no common rates defined. Some legacy client stations which are not fully 802.11-compliant may not include their configured rates in their association requests. Such non-compliant stations may have difficulty associating with APs unless strict compliance is disabled.

Default: disabled

vap-enable

Enable or disable the virtual AP.

Default: enabled

vlan

The VLAN(s) into which users are placed in order to obtain an IP address. Enter VLANs as a comma-separated list of existing VLAN IDs or VLAN names. A mixture of names and numeric IDs is not allowed.

NOTE: You must add an existing VLAN ID to the Virtual AP profile.

Default: 1

vlan-mobility

VLAN mobility retains the client VLAN on roaming irrespective of the VAP VLAN, provided the user VLANs are extended.

VLAN mobility and mobile IP are mutually exclusive.

VLAN mobility does not re-use user firewall sessions on roaming as the sessions will have to be recreated locally on the roamed managed device.

Default: disabled

wan-operation

Specifies when the virtual AP is enabled, depending on the state of the WAN link.

Range: always, backup, primary

Default: always

wmm-traffic-management-profile

Specify the WMM Traffic Management Profile to be associated with this Virtual AP Profile.

Example

The following example configures a virtual AP.

(host) [md] (config) #wlan virtual-ap corpnet

(host) [md] (Virtual AP profile "corpnet") #vlan 1

(host) [md] (Virtual AP profile "corpnet") #aaa-profile corpnet

(host) [md] (Virtual AP profile "corpnet") #ftm-enable

The following example configures 802.11mc FTM responder.

(host)[node](config) #wlan virtual-ap test

(host)[node] (Virtual AP profile "test") #ftm-responder-enable

(host)[node] (Virtual AP profile "test") #write mem

The following example configures the parameters for a 6 GHz band (ArubaOS 8.9.0.0 or later versions).

(host) [mynode] (config) #wlan virtual-ap <profile>

(host) [mynode] (Virtual AP profile "profile") #vap-enable

(host) [mynode] (Virtual AP profile "profile") #vlan <vlan-id>

(host) [mynode] (Virtual AP profile "profile") #allowed-band-6ghz

(host) [mynode] (Virtual AP profile "profile") #disable-on-6ghz-mesh
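The following constructed example is added here and is not from the ArubaOS documentation. It combines the parameters described above into a guest virtual AP profile in tunnel forwarding mode (so that broadcast filtering is handled by the managed device), with inter-user traffic denied, deauthentication-flood protection enabled, and shorter denylist timers than the 3600-second default. The profile name guest-net, the SSID profile guest-ssid, the AAA profile guest-aaa and VLAN 200 are assumed to already exist.

```console
(host) [md] (config) #wlan virtual-ap guest-net
(host) [md] (Virtual AP profile "guest-net") #ssid-profile guest-ssid
(host) [md] (Virtual AP profile "guest-net") #aaa-profile guest-aaa
(host) [md] (Virtual AP profile "guest-net") #vlan 200
(host) [md] (Virtual AP profile "guest-net") #forward-mode tunnel
(host) [md] (Virtual AP profile "guest-net") #broadcast-filter arp
(host) [md] (Virtual AP profile "guest-net") #deny-inter-user-traffic
(host) [md] (Virtual AP profile "guest-net") #dos-prevention
(host) [md] (Virtual AP profile "guest-net") #denylist
(host) [md] (Virtual AP profile "guest-net") #denylist-time 900
(host) [md] (Virtual AP profile "guest-net") #auth-failure-denylist-time 300
(host) [md] (Virtual AP profile "guest-net") #band-steering
(host) [md] (Virtual AP profile "guest-net") #steering-mode prefer-5ghz
(host) [md] (Virtual AP profile "guest-net") #vap-enable
(host) [md] (Virtual AP profile "guest-net") #write mem
```

Per-profile deny-inter-user-traffic only blocks traffic between untrusted users on this virtual AP unless the global firewall option is also enabled, and steering-mode has no effect until band-steering is on. The broadcast-filter arp conversion can be confirmed by the letter a in the flags column of show ap active.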

Command History

Version

Modification

ArubaOS 8.12.0.0

The mbssid-group and allow-band-6ghz-supplement parameters were introduced.

ArubaOS 8.9.0.0

The following changes were made:

The allowed-band-6ghz and disable-on-6ghz-mesh parameters were introduced.

The none option was added under allowed-band parameter.

All instances of blacklist have been replaced with denylist.

ArubaOS 8.8.0.0

The ftm-responder-enable parameter was added.

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms: All platforms

License: Base operating system

Command Mode: Config mode on Mobility Conductor.