MAS Integration on Instant AP and Cloud WiFi

Aruba's Instant Access Point (IAP) and Mobility Access Switch (MAS) work well together to save administrators time in configuration and troubleshooting.

With an Aruba's Instant and Cloud access points, it's easy to provision an SSID and even easier to connect other access points to that cluster, but what about the switch configuration?

To enable these features, all a network admin has to do is enable "MAS integration" on either Aruba Central or the local IAP GUI.

Once "MAS integration" is enabled on the AP, then the network admin has access to the following four integration features.

1) IAP Info on MAS Ports

Using LLDP, IAPs will communicate back to the MAS status messages to let the user see what is connected (or disconnected). If a remote tech pulls the wrong cable, and a quick "show lldp neighbor" command will give the admin a good overview on what is out there. Should there be other CDP-enabled devices, a "show neighbor-devices" command will give additional info.

(host) #show lldp neighbor   Capability codes: (R)Router, (B)Bridge, (A)Access Point, (P)Phone, (S)Station                   (r)Repeater, (O)Other LLDP Neighbor Information ------------------------- Local Intf  Chassis ID         Capability  Remote Intf  Expiry-Time (Secs)  System Name ----------  ----------         ----------  -----------  ------------------  ----------- GE0/0/2     d8:c7:c8:ca:f1:72  A           bond0        107                 d8:c7:c8:ca:f1:72 GE0/0/6     192.168.221.2      B: P         Port 1       163                 Cisco IP Phone SPA502G GE0/0/46    00:26:88:01:c6:80  B:R         fe-0/0/3.0   99                  HOME-ROUTER  Number of neighbors: 3

(host) #show lldp neighbor interface gigabitethernet 0/0/2 detail  Interface: gigabitethernet0/0/2, Number of neighbors: 1 ------------------------------------------------------------ Chassis id: d8:c7:c8:ca:f1:72, Management address: 10.10.10.254 Interface description: bond0, ID: d8:c7:c8:ca:f1:72, MTU: 1522 Device MAC: d8:c7:c8:ca:f1:72 Last Update: Mon May 20 07:05:27 2013 Time to live: 120, Expires in: 100 Secs System capabilities : Bridge,Access point Enabled capabilities: Access point System name: d8:c7:c8:ca:f1:72 System description:   ArubaOS (MODEL: 105), Version 6.2.0.0-3.2.0.2 (37229) Auto negotiation: Supported, Enabled Autoneg capability:   10Base-T, HD: yes, FD: yes   100Base-T, HD: yes, FD: yes   1000Base-T, HD: no, FD: yes Media attached unit type: 1000BaseTFD - Four-pair Category 5 UTP, full duplex mode (30)

2) Rogue AP Verification

Should an admin be on a switch and want to see rogue APs, a quick "show lldp neighbor interface 0/0/0 detail" command can give details as to what else might be denylisted. "show port-error-recovery" will show when the port has changed security status.

(host) #show lldp neighbor interface gigabitethernet 0/0/2 detail   Interface: gigabitethernet0/0/2, Number of neighbors: 1 ------------------------------------------------------------ Chassis id: d8:c7:c8:ca:f1:72, Management address: 10.10.10.254 Interface description: bond0, ID: d8:c7:c8:ca:f1:72, MTU: 1522 Device MAC: d8:c7:c8:ca:f1:72 Last Update: Mon May 20 07:05:27 2013 Time to live: 120, Expires in: 100 Secs System capabilities : Bridge,Access point Enabled capabilities: Access point System name: d8:c7:c8:ca:f1:72 System description:   ArubaOS (MODEL: 105), Version 6.2.0.0-3.2.0.2 (37229) Auto negotiation: Supported, Enabled Autoneg capability:   10Base-T, HD: yes, FD: yes   100Base-T, HD: yes, FD: yes   1000Base-T, HD: no, FD: yes Media attached unit type: 1000BaseTFD - Four-pair Category 5 UTP, full duplex mode (30) MAC:          00:22:cf:51:6f:c1: Denylist                                               MAC:          00:22:cf:51:6f:c0: Denylist

(host) #show port-error-recovery  Layer-2 Interface Error Information ----------------------------------- Interface  Error                        Error seen time            Recovery time ---------  -----                        ---------------            ------------- GE0/0/20   Denylisted device detected  2013-04-03 14:35:45 (EDT)  2013-04-03 14:40:45 (EDT)

3) Auto-Prioritization of POE for Instant Access Points

Since Aruba's IAPs are all POE enabled, admins will likely want to give them priority over other POE devices on the network. To do so, simply use the default using the "poe-factory-initial" profile. The MAS detects the presence of an IAP and will automatically increases the PoE priority from low (default) to high. Below shows an example of an IAP that automatically received a high POE priority with the "poe-factory-initial" profile.

(host) #show poe interface brief   PoE Interface Brief ------------------- Interface  Admin   Consumption(mW)  Port Priority  Port Status ---------  -----   ---------------  -------------  ----------- GE0/0/0    Enable  0                Low            Off GE0/0/1    Enable  0                Low            Off GE0/0/2    Enable  5700             High           On GE0/0/3    Enable  0                Low            Off GE0/0/4    Enable  0                Low            Off GE0/0/5    Enable  0                Low            Off GE0/0/6    Enable  2400             Low            On GE0/0/7    Enable  0                Low            Off

4) VLAN Trunks Sharing via GVRP

To save time provisioning switches with VLAN trunking, GVRP will automagically configure the switch's trunking profile based on the SSID of an Instant or Cloud-managed AP. First, set the VLAN on an SSID.

Then go to the MAS and see VLAN autoconfigured via GVRP.

(host) #show vlan  VLAN CONFIGURATION ------------------ VLAN  Description  Ports ----  -----------  ----- 1     VLAN0001     GE0/0/0-23 GE0/1/0-1 500   GVRP VLAN    GE0/0/2 510   GVRP VLAN    GE0/0/2 520   GVRP VLAN    GE0/0/2

(host) # show gvrp interfaces  Interface GVRP info ------------------- Interface             State    Registrar Mode ---------             -----    -------------- gigabitethernet0/0/2  Enabled  Normal