
During the last month, I had several projects which use Aruba InstantAP Mesh, so I would like to share my experience with it.

IAP Mesh is a technology to either connect remote IAPs to the cluster when no Ethernet connection is available, or to connect different networks with each other when no wired connection is available.

InstantAP Mesh – Basics

IAP Mesh is simple and easy to configure. The setup consists of two components: the Mesh Portal, which has a wired connection and provides the wired connection for all Mesh Points, and the Mesh Points, which are the APs with no wired connection. In the IAP world, you cannot specify a dedicated Mesh Portal. A Mesh Point will always connect to the best Mesh Portal available, measured by signal strength.

To form a Mesh, all IAPs have to be part of the same IAP cluster. This is important, as each cluster has its own VC Key. The IAPs use this VC Key to identify the correct Mesh connection.

The first step is to create a PSK-based SSID. I assume you know how to do this. Here is mine, just for testing:

wlan access-rule Aruba
 index 2
 rule any any match any any any permit

wlan ssid-profile Aruba
 enable
 index 0
 type employee
 essid Aruba
 wpa-passphrase 601d3a32a2a881f36c538b377bb4d37a225e65cdc35cf2ea
 opmode wpa2-psk-aes
 max-authentication-failures 0
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

The next step is to disable the extended SSID mode. Go to “System–>General”, enable the advanced mode (click the “Show Advanced Options” link at the bottom of the window) and disable the “Extended SSID” option:

InstantAP Mesh – Disable Extended SSID

You can also use the CLI:

# no extended-ssid
# exit
# commit apply
committing configuration...
configuration committed.
# wr memory
Save configuration.

You need to reboot all APs in the cluster to disable the Extended SSID mode. Afterward, you can check the state of the extended SSID mode:

# show swarm state

AP Swarm State :swarm_config_sync_complete
mesh auto eth0 bridging :no
Config in flash :yes
factory SSID in flash :no
extended-ssid configured :no
extended-ssid active :no
Factory default status :no
Source of system time :NTP server
Config load cnt :1
VC Channel index :1
IDS Client Gateway Detect :yes
Config Init success cnt for heartbeat :0
Config Init success cnt for register :0
Config Init skipping cnt for heartbeat :0
Config Init skipping cnt for register :0
Config Init last success reason :N/A
Config Init last success time :N/A

The APs are now ready to build a mesh. If one of the APs loses wired connectivity, it switches to mesh. This happens automatically but can take up to 15 minutes. The AP will reboot, and during boot you will see the following messages:

Ethernet uplink not active yet
Ethernet uplink not active yet
No uplink active. Becoming Mesh Point

The first 2 lines will repeat many times. After the last line, the AP will boot normally.

You can now check in the Web and CLI if the Mesh is up and running:

InstantAP Mesh – Running Mesh

As you can see in the screenshot above, one AP is the Portal and one is the Point. You can get even more details from the CLI:

show ap mesh neighbours

Neighbor list
-------------
MAC                Portal             Channel  Age  Hops  Cost  Relation           Flags  RSSI  Rate Tx/Rx  A-Req  A-Resp  A-Fail  HT-Details        Cluster ID
---                ------             -------  ---  ----  ----  -----------------  -----  ----  ----------  -----  ------  ------  ----------        ----------
38:17:c3:09:92:51  80:8d:b7:10:77:b0  116E     0    1     1.00  C 41m:15s          VLK    35    650/390     4      4       0       VHT-80MHzsgi-2ss  bfb3420907204759d77aa4aa01e848a

Total count: 1, Children: 1
Relation: P = Parent; C = Child; N = Neighbor; B = Blacklisted-neighbor
Flags: R = Recovery-mode; S = Sub-threshold link; D = Reselection backoff; F = Auth-failure; H = High Throughput; V = Very High Throughput, L = Legacy allowed
       K = Connected; U = Upgrading; G = Descendant-upgrading; Z = Config pending; Y = Assoc-resp/Auth pending
       a = SAE Accepted; b = SAE Blacklisted-neighbour; e = SAE Enabled; u = portal-unreachable; o = opensystem

or this one:

show ap mesh link

Neighbor list
-------------
MAC                Portal             Channel  Age  Hops  Cost  Relation           Flags  RSSI  Rate Tx/Rx  A-Req  A-Resp  A-Fail  HT-Details        Cluster ID
---                ------             -------  ---  ----  ----  -----------------  -----  ----  ----------  -----  ------  ------  ----------        ----------
38:17:c3:09:92:51  80:8d:b7:10:77:b0  116E     0    1     1.00  C 41m:19s          VLK    35    702/390     4      4       0       VHT-80MHzsgi-2ss  bfb3420907204759d77aa4aa01e848a

Total count: 1, Children: 1
Relation: P = Parent; C = Child; N = Neighbor; B = Blacklisted-neighbor
Flags: R = Recovery-mode; S = Sub-threshold link; D = Reselection backoff; F = Auth-failure; H = High Throughput; V = Very High Throughput, L = Legacy allowed
       K = Connected; U = Upgrading; G = Descendant-upgrading; Z = Config pending; Y = Assoc-resp/Auth pending
       a = SAE Accepted; b = SAE Blacklisted-neighbour; e = SAE Enabled; u = portal-unreachable; o = opensystem

The AP will now use the Mesh link to connect to the Cluster and to send all the client traffic through this mesh link. In this mode, only wireless traffic is bridged through the Mesh link.

If the wired connection comes back, the AP will reboot again and use the wired link again.

InstantAP Mesh – Bridge Wired Traffic

In this scenario, we use the IAP Mesh to connect two networks with no wired connection between them, e.g. bridge over a street.

The same rules as above apply here as well, so make sure the setup above is working. To bridge traffic from the Ethernet port of the AP through the Mesh link, enable “Eth bridging”. Click on the AP which should be the Point AP, click on “Edit” and go to “Uplink”:

InstantAP Mesh – Eth0 Bridging

You also need to make sure that the port of the AP is aware of the different VLANs. To configure the port accordingly, go to “More–>Wired” and create a new wired network:

InstantAP Mesh – Wired Settings

Select “Employee” as “Primary usage” and click “Next”:

InstantAP Mesh – VLAN

Select “Trunk” as “Mode” and define the “Native VLAN” and the “Allowed VLANs”. You can, of course, have more than one allowed VLAN. Afterward, click “Next”:

InstantAP Mesh – Security

As the Mesh link bridges networks from our domain, we can trust all clients.

On the last tab, the “Access” tab, just click “Finish”.

You can now place the AP wherever you need the AP to interconnect two networks.

If the AP is up and running you can check the status in the CLI:

show ap mesh link

Neighbor list
-------------
MAC                Portal             Channel  Age  Hops  Cost  Relation           Flags  RSSI  Rate Tx/Rx  A-Req  A-Resp  A-Fail  HT-Details        Cluster ID
---                ------             -------  ---  ----  ----  -----------------  -----  ----  ----------  -----  ------  ------  ----------        ----------
38:17:c3:09:92:51  80:8d:b7:10:77:b0  116E     0    1     1.00  C 17m:50s          VLK    32    325/325     4      4       0       VHT-80MHzsgi-2ss  bfb3420907204759d77aa4aa01e848a

Total count: 1, Children: 1
Relation: P = Parent; C = Child; N = Neighbor; B = Blacklisted-neighbor
Flags: R = Recovery-mode; S = Sub-threshold link; D = Reselection backoff; F = Auth-failure; H = High Throughput; V = Very High Throughput, L = Legacy allowed
       K = Connected; U = Upgrading; G = Descendant-upgrading; Z = Config pending; Y = Assoc-resp/Auth pending
       a = SAE Accepted; b = SAE Blacklisted-neighbour; e = SAE Enabled; u = portal-unreachable; o = opensystem

Clients behind the AP are now bridged through the Mesh link as well.
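
The “show ap mesh neighbours” and “show ap mesh link” tables shown in both sections above can be checked by script instead of by eye. The following is an added example, not part of the original post or of Aruba's tooling: it parses the table and reports rows whose flags, A-Fail counter, RSSI or Cluster ID deserve a look. The second sample row, the min_rssi threshold and the choice of which flags count as findings are assumptions.

```python
import re

# Flag meanings copied from the table's legend; treating these six as findings is an assumption.
BAD_FLAGS = {"F": "Auth-failure", "S": "Sub-threshold link", "R": "Recovery-mode",
             "u": "portal-unreachable", "o": "opensystem", "b": "SAE Blacklisted-neighbour"}
COLS = ("mac", "portal", "channel", "age", "hops", "cost", "relation", "since",
        "flags", "rssi", "rate", "a_req", "a_resp", "a_fail", "ht", "cluster_id")
MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
CLUSTER = "bfb3420907204759d77aa4aa01e848a"  # Cluster ID as printed in the post

# Constructed sample: the first row is the one from the post, the second is invented.
SAMPLE = """\
MAC Portal Channel Age Hops Cost Relation Flags RSSI Rate Tx/Rx A-Req A-Resp A-Fail HT-Details Cluster ID
38:17:c3:09:92:51 80:8d:b7:10:77:b0 116E 0 1 1.00 C 41m:15s VLK 35 650/390 4 4 0 VHT-80MHzsgi-2ss bfb3420907204759d77aa4aa01e848a
02:00:00:00:00:01 02:00:00:00:00:02 116E 0 1 9.00 N 2m:03s HLFo 12 6/6 7 2 5 HT-20MHz-1ss 00000000000000000000000000000000
Total count: 2, Children: 1
"""

def parse_mesh_table(text):
    """Return one dict per neighbour row; header, rule and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Assumption: a row has 16 whitespace-separated fields, as in the post's output.
        if len(fields) == len(COLS) and MAC.fullmatch(fields[0]):
            rows.append(dict(zip(COLS, fields)))
    return rows

def audit_link(row, expected_cluster, min_rssi=20):
    """List findings for one row (empty = nothing to review); min_rssi is hypothetical."""
    findings = [f"flag {f} ({why})" for f, why in BAD_FLAGS.items() if f in row["flags"]]
    if row["relation"] == "B":
        findings.append("Blacklisted-neighbor")
    if row["relation"] in ("P", "C") and "K" not in row["flags"]:
        findings.append("parent/child link without K (Connected) flag")
    if int(row["a_fail"]) > 0:
        findings.append(f"A-Fail counter is {row['a_fail']}")
    if int(row["rssi"]) < min_rssi:
        findings.append(f"RSSI {row['rssi']} below {min_rssi}")
    if row["cluster_id"] != expected_cluster:
        findings.append("Cluster ID differs from expected")
    return findings

def audit(text, expected_cluster):
    return {r["mac"]: audit_link(r, expected_cluster) for r in parse_mesh_table(text)}

if __name__ == "__main__":
    for mac, findings in audit(SAMPLE, CLUSTER).items():
        print(mac, "; ".join(findings) or "OK")
```

Paste the output of either command into SAMPLE and set CLUSTER to the Cluster ID of your own cluster; the flag check is case-sensitive because the legend distinguishes “u” (portal-unreachable) from “U” (Upgrading).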

What is your main goal in building a mesh? Interconnecting networks or connecting APs with no wired connection?

If you find this post interesting, leave me a comment and share it with your friends. If you don’t like the post, leave me a comment and share it with your enemy. But whatever you do, leave me a comment, now.
