Enterprise Mesh Network with Mesh APs

The Aruba secure mesh solution is an effective way to expand and configure network coverage for outdoor and indoor enterprise environments in a wireless environment. Using mesh, you can bridge multiple Ethernet Ethernet is a network protocol for data transmission over LAN. LANs or extend your wireless coverage. The mesh network automatically reconfigures broken or blocked paths when traffic traverses across mesh AP. This self-healing feature provides increased reliability and redundancy by allowing the network to continue operating even when an AP is non-functional or if the device fails to connect to the network.

Mesh APs detect the environment when they boot up, and they locate and associate with their nearest neighbor to determine the best path to the mesh portal. The mesh functionality is supported only in dual-radio APs. On dual-radio APs, the 2.4 GHz Gigahertz. radio is always used for client traffic, while both 2.4 GHz and 5 GHz radios are used for both mesh-backhaul and client traffic.

The mesh network must be provisioned for the first time by plugging into the wired network. After that, the mesh service works on APs like it does on any other regulatory domain.

Mesh Cluster Profile

Mesh clusters are grouped and defined by a mesh cluster profile, which provides the framework of the mesh network. The mesh cluster contains the MSSID Mesh Service Set Identifier. MSSID is the SSID used by the client to access a wireless mesh network., authentication methods, security credentials, and cluster priority required for mesh nodes to associate with their neighbors and join the cluster. You can also configure and apply multiple mesh clusters to an individual AP or an AP group. If you configure multiple cluster profiles with different cluster priorities, the mesh portal uses the profile with the highest priority to bring up the mesh network. The mesh portal stores and advertises that profile to neighboring mesh points to build the mesh network. This profile is known as the primary cluster profile.

Mesh points, in contrast, go through the list of configured mesh cluster profiles in order of priority to decide which profile to use to associate themselves with the network. The mesh cluster priority determines the order by which the mesh cluster profiles are used. Once the primary profile is identified, the other profiles are considered backup cluster profiles.

Since the mesh cluster profile provides the framework of the mesh network, you must define and configure the mesh cluster profile before configuring an AP to operate as a mesh node. You can use either the default cluster profile or create your own. If you find it necessary to define more than one mesh cluster profile, you must assign priorities to each profile to allow the mesh AP group to identify the primary and backup mesh cluster profiles. The primary mesh cluster profile and each backup mesh cluster profile must be configured to use the same RF Radio Frequency. RF refers to the electromagnetic wave frequencies within a range of 3 kHz to 300 GHz, including the frequencies used for communications or Radar signals. channel.

The following CLI commands configure multiple mesh cluster profiles on an AP:

The following CLI commands display the mesh cluster with the highest priority:

To configure mesh cluster profiles, complete the following steps:

1. In the Aruba Central app, set the filter to a group that contains at least one AP.
   
   The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon.
   
   The tabs to configure APs is displayed.
4. Click Show Advanced.
5. Click System.
   
   The System details page is displayed.
6. Expand the Mesh accordion.
7. Click + on the Mesh table.

   The Mesh window is displayed.

8. In the Mesh window, configure the following parameters:

   • Name—Specify a name for the mesh node. The value must be between 8 to 32 characters.

   • Key—Specify a key for the mesh node, which is unique to each node. The value must be between 8 to 64 characters.

   • Priority—Specify a priority for the mesh node. The priority values range from 1-16, 1 being the highest and 16 being the lowest.

   • Opmode—Specify the operation mode for the mesh node. Select WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES. PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. or WPA3 SAE from the drop-down list.

9. Click Ok.
10. Click Save Settings.
11. Reboot the AP for the configuration to take effect.

Mesh Nodes

Aruba provides centralized configuration and management for APs in a mesh environment where local mesh APs provide encryption and traffic forwarding for mesh links.

Mesh APs are either configured as mesh portals or mesh points based on the uplink type. Any mesh-configured AP that has a valid uplink (wired or 3G) functions as a mesh portal, and the AP without an Ethernet link functions as a mesh point. Mesh portals and mesh points are also known as mesh nodes, a generic term used to describe APs configured for mesh.

Redundancy is observed in the mesh network when two mesh portals have valid uplink connections and APs are connected to the first mesh portal. In case of uplink failure in the first mesh portal, all the mesh points failover to the second mesh portal. However, depending on the actual deployment and RF environment, some mesh points may mesh through other intermediate mesh points.

Mesh Portals

A mesh portal is a gateway between the wireless mesh network and the enterprise wired LAN Local Area Network. A LAN is a network of connected devices within a distinct geographic area such as an office or a commercial establishment and share a common communications line or wireless link to a server.. The mesh roles are automatically assigned based on the AP configuration. You can deploy multiple mesh portals to support redundant mesh paths (mesh links between neighboring mesh points that establish the best path to the mesh portal) from the wireless mesh network to the wired LAN.

The mesh portal broadcasts an MSSID or mesh cluster name to advertise the mesh network service to available mesh points in the network. Neighboring mesh points that have been provisioned with the same MSSID authenticate to the portal and establish a secure mesh link over which traffic is forwarded. The authentication process requires secure key negotiation, common to all APs, and the mesh link is established and secured using AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. encryption.

Mesh Points

The mesh point is an Aruba AP configured for mesh and assigned the mesh point role. Depending on the AP model, configuration parameters, and how it was provisioned, the mesh point can perform multiple tasks. The mesh point establishes an all-wireless path to the mesh portal and provides traditional WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. services such as client connectivity, IDS Intrusion Detection System. IDS monitors a network or systems for malicious activity or policy violations and reports its findings to the management system deployed in the network. capabilities, user role association, and QoS Quality of Service. It refers to the capability of a network to provide better service and performance to a specific network traffic over various technologies. for LAN-to-mesh communication to the clients, and performs mesh backhaul or network connectivity. The mesh points authenticate to the mesh portal and establish a secured link using AES encryption.

Mesh points use one of their wireless interfaces to carry traffic and reach the wired LAN. Mesh points are also aware of potential neighbors, and can form new mesh links if the current mesh link is no longer preferred or available.

There can be a maximum of eight mesh points per mesh portal in a mesh network. When mesh APs boot up, they detect the environment to locate and associate with their nearest neighbor. The mesh APs determine the best path to the mesh portal ensuring a reliable network connectivity.

ArubaOS 10 provides support to configure a prioritized list of mesh portals that a mesh point should use. The mesh point then chooses the available mesh portal to connect to from that prioritized list.

Setting up Mesh Network

To configure APs as mesh nodes, complete the following steps:

1. Connect the APs to a wired switch.
2. Ensure that Aruba Central is synchronized and the country code is configured.
3. Configure the mesh parameters in Aruba Central and ensure that the AP synchronizes with the mesh configuration.
4. Disconnect the APs that you want to deploy as mesh points from the switch, and place the APs at a remote location. The APs come up without any wired uplink connection and function as mesh points. The APs with valid uplink connections function as mesh portals.

Mesh Recovery

The mesh recovery is based on a PSK, and mesh nodes use the recovery mechanism to establish a link to the managed device if the mesh link is broken and no other mesh clusters are available. The mesh recovery is automatically generated based on the customer ID.

Automatic Mesh Role Assignment

ArubaOS 10 supports enhanced role detection during AP boot-up and AP running time. When a mesh point discovers that the Ethernet 0 port link is up, it sends loop detection packets to check the availability of Ethernet 0 link. If the Ethernet 0 link is available, the mesh point reboots as a mesh portal. Else, the mesh point does not reboot. This function is effective only when the mesh-role is configured as mesh-auto.

Mesh Role Detection during System Boot-Up

If the Ethernet link is down during AP boot-up, the AP acts as a mesh point. If the Ethernet link is up, the AP continues to detect if the network is reachable in the following scenarios:

• In a static IP address scenario, the AP acts as a mesh portal if it successfully pings the gateway. Otherwise, it acts as a mesh point.
• In case of DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network. , the AP acts as a mesh portal when it obtains the IP address successfully. Otherwise, it acts as a mesh point.
• In case of IPv6, APs do not support the static IP address but only support DHCP for detection of network reachability.

Mesh Role Detection during System Running Time

When a mesh point detects whether its Ethernet link is up, it continues to use Loop Protection (based on the Loop Protection for Secure Jack Port feature), to check if the loop has been detected. If the loop is detected, the AP reboots. Otherwise, the AP does not reboot and the mesh role continues to act as a mesh point.

Configuring APs as Mesh Nodes

To configure APs as mesh notes to bridge multiple Ethernet LANs or extend wireless coverage, complete the following steps:

1. In the Aruba Central app, set the filter to a group that contains at least one AP.
   
   The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon.
   
   The tabs to configure APs is displayed.
4. Click Show Advanced.
5. Click System.
   
   The System details page is displayed.
6. Expand the Mesh accordion.
7. Select one of the following from the Mesh Role drop-down list:
   • none—an AP with an unassigned mesh role.
   • auto—an AP that automatically detects the mesh role and configures mesh portal or mesh point.
   • portal—an AP that uses its wired interface to reach the enterprise wired LAN.
   • point—an AP that establishes a path to the wired LAN using the mesh portal.
8. Select one of the following from the Mesh Metric Mode drop-down list:
   • Central—Enables centralized mesh service to be managed by Aruba Central.
   • Local—Enables centralized mesh service to be managed locally by an AP.

   The Mesh Metric Mode option is unavailable when you select none from the Mesh Role drop-down list.

9. Select one of the following from the Mesh Band drop-down list:
   • 2.4 GHz
   • 5 GHz
   • 6 GHz
   • All
10. Click Save Settings.
11. Reboot the AP for the configuration to take effect.

Mesh Support for AP-615 Access Points

Aruba Central now extends mesh support for AP-615. The mesh link and Wi-Fi Wi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard. uplink features continue to operate on the band Band refers to a specified range of frequencies of electromagnetic radiation. configured in the AP system profile. When the radio modes are changed, the mesh and Wi-Fi uplink modules will restart and resume on the radio defined in the existing configuration.

Important Points to Note

• The mesh AP reboots when the flex-dual band assignment is changed.
• The mesh AP will find a common band available in both mesh band and flex-dual band.
• If the assigned flex-dual band is out of range with the mesh band, then the mesh AP will automatically change to ALL mode.
• The 6 GHz band supports only the wpa3-sae-aes encryption method. If wpa2-psk-aes encryption is configured, then the encryption mode is automatically converted to wpa3-sae-aes for the 6 GHz band.
• If the provisioned mesh band is set to ALL or 6GHz, then only the wpa3-sae-aes operating mode is allowed.
• If the provisioned mesh band is not available in the flex-dual band, then it will operate on ALL mesh band instead of the band you configured. It implies that if the configured mesh band is not available in the flex-dual mode, the mesh AP will enable the mesh function on all its radios.

Aruba Central now provides mesh support for WPA3-SAE operating mode on all radio bands of an Aruba AP. The following table displays the Aruba AP models that support WPA3-SAE operating mode on all the radio bands:

Table 1: Supported APs

AP Family	AP Model
500 Series	AP-503, AP-503H, AP-503R, AP-504, AP-505, AP-505H
510 Series	AP-514, AP-515, AP-518
530 Series	AP-534, AP-535
550 Series	AP-555
560 Series	AP-565, AP-565EX, AP-567, AP-567EX
570 Series	AP-574, AP-575, AP-575EX, AP-577, AP-577EX
580 Series	AP-584, AP-585, AP-585EX, AP-587, AP-587EX
600 Series	AP-605R
610 Series	AP-615
630 Series	AP-635
650 Series	AP-655

Mobility Mesh

AOS 10.2.0.0 supports Mobility Mesh feature that provides fast roaming for APs deployed in a wireless mesh network. The mesh points for which fast roaming is enabled are called mobility mesh points. The mobility mesh points can dynamically reselect and reconnect to a new selected mesh point based on detection of RF conditions, such as beacon frames and RSSI Received Signal Strength Indicator. RSSI is a mechanism by which RF energy is measured by the circuitry on a wireless NIC (0-255). The RSSI is not standard across vendors. Each vendor determines its own RSSI scale/values. value.

The Mobility Mesh feature involves the following steps:

1. Detecting roaming condition—The mesh points identify fast moving environments such as buses or the subway to apply fast roaming.
2. Background scanning—The mesh points perform fast scanning of other mesh points in the background. In fast scanning, the radio immediately initiates another channel scan request when the current scan request is complete. The background scan implies that when mesh is connected, the mesh point collects information about surrounding radio channels. The background scan is triggered due to missed beacon frames or low RSSI value below the threshold.
3. Roaming or reconnection—The mesh points rapidly choose the best mesh point neighbor to connect from all the neighbors.

The following CLI command enables Mobility Mesh on the AP:

Radio Selection for Mesh Links

The radio used for the mesh link can be configured in split 5 GHz enabled access points. When split 5 GHz radio is enabled on the access point, the operations on the 5 GHz band is split and carried out by two separate radios—lower 5 GHz radio and upper 5 GHz radio. The lower 5 GHz radio operates on channels 32–64 and the upper 5 GHz radio operates on channels 100-173. With two active 5 GHz radios, the mesh link functions can be dedicated to one radio while the other radio can be used to service clients.

The radio used for the mesh link can be configured using the rf-split5G-band-range command and can be configured only using the CLI. This configuration can only be applied on dual-5 GHz radio or split- 5 GHz radio enabled APs. Apply the configuration and reboot the AP for the changes to take effect.

The following CLI command configures the radio for mesh link:

The radio assignment and operating band information is listed in the following table.

Table 2: Radio Assignment and Band Information

Radio Mode	Radio	Operating Band
Split 5 GHz (550 Series access points)	Radio 0	Lower 5 GHz band
	Radio 2	Upper 5 GHz band