Aruba InstantAP Mesh – IAP Mesh


During the last month, I had several projects that used Aruba InstantAP Mesh, so I would like to share my experience with it.

IAP Mesh is a technology that either connects remote IAPs to the cluster when no Ethernet connection is available, or connects different networks with each other when no wired connection is available.

InstantAP Mesh – Basics

IAP mesh is simple and easy to configure. The setup consists of two components: the Mesh Portal, which has a wired connection and provides the wired connection for all Mesh Points, and the Mesh Points, which are the APs with no wired connection. In the IAP world, you cannot specify a dedicated Mesh Portal. A Mesh Point will always connect to the best Mesh Portal available, measured by signal strength.

To form a mesh, all IAPs have to be part of the same IAP cluster. This is important, as each cluster has its own VC Key. The IAPs use this VC Key to identify the correct mesh connection.

The first step is to create a PSK-based SSID. I assume you know how to do this. Here is mine, just for testing:

wlan access-rule Aruba
 index 2
 rule any any match any any any permit

wlan ssid-profile Aruba
 enable
 index 0
 type employee
 essid Aruba
 wpa-passphrase 601d3a32a2a881f36c538b377bb4d37a225e65cdc35cf2ea
 opmode wpa2-psk-aes
 max-authentication-failures 0
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

The next step is to disable the extended SSID mode. Go to “System–>General”, enable the advanced mode (click the “Show Advanced Options” link at the bottom of the window) and disable the “Extended SSID” option:

InstantAP Mesh – Disable Extended SSID

You can also use the CLI:

# no extended-ssid 
# exit  
# commit apply 
committing configuration...
configuration committed.
# wr memory 
Save configuration.

You need to reboot all APs in the cluster to disable the Extended SSID mode. Afterward, you can check the state of the extended SSID mode:

# show swarm state 

AP Swarm State           :swarm_config_sync_complete
mesh auto eth0 bridging  :no
Config in flash       :yes
factory SSID in flash :no
extended-ssid configured :no
extended-ssid active     :no
Factory default status   :no
Source of system time    :NTP server
Config load cnt       :1
VC Channel index      :1
IDS Client Gateway Detect :yes
Config Init success cnt for heartbeat   :0
Config Init success cnt for register    :0
Config Init skipping cnt for heartbeat  :0
Config Init skipping cnt for register   :0
Config Init last success reason   :N/A
Config Init last success time     :N/A

The APs are now ready to build a mesh. If one of the APs loses wired connectivity, it switches to mesh. This happens automatically but can take up to 15 minutes. The AP will reboot, and during boot you will see the following messages:

Ethernet uplink not active yet
Ethernet uplink not active yet
No uplink active. Becoming Mesh Point

The first 2 lines will repeat many times. After the last line, the AP will boot normally.

You can now check in the web UI and the CLI whether the mesh is up and running:

InstantAP Mesh – Running Mesh

As you can see in the screenshot above, one AP is the Portal and one is the Point. You can get even more details from the CLI:

show ap mesh neighbours 

Neighbor list
-------------
MAC                Portal             Channel  Age  Hops  Cost  Relation                 Flags  RSSI  Rate Tx/Rx  A-Req  A-Resp  A-Fail  HT-Details        Cluster ID
---                ------             -------  ---  ----  ----  -----------------        -----  ----  ----------  -----  ------  ------  ----------        ----------
38:17:c3:09:92:51  80:8d:b7:10:77:b0  116E     0    1     1.00  C 41m:15s                VLK    35    650/390     4      4       0       VHT-80MHzsgi-2ss  bfb3420907204759d77aa4aa01e848a

Total count: 1, Children: 1
Relation: P = Parent; C = Child; N = Neighbor; B = Blacklisted-neighbor
Flags: R = Recovery-mode; S = Sub-threshold link; D = Reselection backoff; F = Auth-failure; H = High Throughput; V = Very High Throughput, L = Legacy allowed
        K = Connected; U = Upgrading; G = Descendant-upgrading; Z = Config pending; Y = Assoc-resp/Auth pending
        a = SAE Accepted; b = SAE Blacklisted-neighbour; e = SAE Enabled; u = portal-unreachable; o = opensystem

or this one:

show ap mesh link       

Neighbor list
-------------
MAC                Portal             Channel  Age  Hops  Cost  Relation                 Flags  RSSI  Rate Tx/Rx  A-Req  A-Resp  A-Fail  HT-Details        Cluster ID
---                ------             -------  ---  ----  ----  -----------------        -----  ----  ----------  -----  ------  ------  ----------        ----------
38:17:c3:09:92:51  80:8d:b7:10:77:b0  116E     0    1     1.00  C 41m:19s                VLK    35    702/390     4      4       0       VHT-80MHzsgi-2ss  bfb3420907204759d77aa4aa01e848a

Total count: 1, Children: 1
Relation: P = Parent; C = Child; N = Neighbor; B = Blacklisted-neighbor
Flags: R = Recovery-mode; S = Sub-threshold link; D = Reselection backoff; F = Auth-failure; H = High Throughput; V = Very High Throughput, L = Legacy allowed
        K = Connected; U = Upgrading; G = Descendant-upgrading; Z = Config pending; Y = Assoc-resp/Auth pending
        a = SAE Accepted; b = SAE Blacklisted-neighbour; e = SAE Enabled; u = portal-unreachable; o = opensystem

The AP will now use the Mesh link to connect to the Cluster and to send all the client traffic through this mesh link. In this mode, only wireless traffic is bridged through the Mesh link.

If the wired connection comes back, the AP will reboot again and use the wired link again.

InstantAP Mesh – Bridge Wired Traffic

In this scenario, we use the IAP Mesh to connect two networks with no wired connection between them, e.g. to bridge across a street.

The same rules as above apply here as well, so make sure the setup above is working. To bridge traffic from the Ethernet port of the AP through the mesh link, enable “Eth bridging”. Click on the AP which should be the Point AP, click on “Edit” and go to “Uplink”:

InstantAP Mesh – Eth0 Bridging

You also need to make sure that the port of the AP is aware of the different VLANs. To configure the port accordingly, go to “More–>Wired” and create a new wired network:

InstantAP Mesh – Wired Settings

Select “Employee” as “Primary usage” and click “Next”:

InstantAP Mesh – VLAN

Select “Trunk” as “Mode” and define the “Native VLAN” and the “Allowed VLANs”. You can, of course, have more than one allowed VLAN. Afterward, click “Next”:

InstantAP Mesh – Security

As the Mesh link bridges networks from our domain, we can trust all clients.

On the last tab, the “Access” tab, just click “Finish”.

You can now place the AP wherever you need it to interconnect two networks.

If the AP is up and running, you can check the status in the CLI:

show ap mesh link 

Neighbor list
-------------
MAC                Portal             Channel  Age  Hops  Cost  Relation                 Flags  RSSI  Rate Tx/Rx  A-Req  A-Resp  A-Fail  HT-Details        Cluster ID
---                ------             -------  ---  ----  ----  -----------------        -----  ----  ----------  -----  ------  ------  ----------        ----------
38:17:c3:09:92:51  80:8d:b7:10:77:b0  116E     0    1     1.00  C 17m:50s                VLK    32    325/325     4      4       0       VHT-80MHzsgi-2ss  bfb3420907204759d77aa4aa01e848a

Total count: 1, Children: 1
Relation: P = Parent; C = Child; N = Neighbor; B = Blacklisted-neighbor
Flags: R = Recovery-mode; S = Sub-threshold link; D = Reselection backoff; F = Auth-failure; H = High Throughput; V = Very High Throughput, L = Legacy allowed
        K = Connected; U = Upgrading; G = Descendant-upgrading; Z = Config pending; Y = Assoc-resp/Auth pending
        a = SAE Accepted; b = SAE Blacklisted-neighbour; e = SAE Enabled; u = portal-unreachable; o = opensystem

Clients behind the AP are now bridged through the Mesh link as well.
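
The neighbour table printed by “show ap mesh link” and “show ap mesh neighbours” can also be checked by script. The following Python is an added example, not part of the original post or of Aruba's tooling: it parses the rows and decodes the flags with the legend shown above. The choice of alert flags, the optional duration after the relation letter and the second sample row are assumptions made for the example.

```python
import re

# Flag legend copied from the CLI output on this page (case-sensitive: U is not u).
FLAGS = {
    "R": "Recovery-mode", "S": "Sub-threshold link", "D": "Reselection backoff",
    "F": "Auth-failure", "H": "High Throughput", "V": "Very High Throughput",
    "L": "Legacy allowed", "K": "Connected", "U": "Upgrading",
    "G": "Descendant-upgrading", "Z": "Config pending", "Y": "Assoc-resp/Auth pending",
    "a": "SAE Accepted", "b": "SAE Blacklisted-neighbour", "e": "SAE Enabled",
    "u": "portal-unreachable", "o": "opensystem",
}
ALERT_FLAGS = "RSFbuo"  # assumption: which flags deserve an operator's attention
MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# Column order as printed on this page; the duration after the relation letter is
# treated as optional (assumption, the page only shows rows that have one).
ROW = re.compile(
    rf"^(?P<mac>{MAC})\s+(?P<portal>{MAC})\s+(?P<channel>\S+)\s+(?P<age>\d+)\s+"
    r"(?P<hops>\d+)\s+(?P<cost>[\d.]+)\s+(?P<relation>[PCNB])(?:\s+(?P<uptime>\S+))?"
    r"\s+(?P<flags>[A-Za-z]+)\s+(?P<rssi>\d+)\s+(?P<tx>\d+)/(?P<rx>\d+)\s+"
    r"(?P<a_req>\d+)\s+(?P<a_resp>\d+)\s+(?P<a_fail>\d+)\s+(?P<ht>\S+)\s+"
    r"(?P<cluster>\S+)$")

def parse_mesh_table(text):
    """Return one dict per neighbour row; headers, legend and blank lines are skipped."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def audit_link(row, expected_cluster=None):
    """Return findings for one parsed row; an empty list means nothing to report."""
    findings = [f"flag {f}: {FLAGS[f]}" for f in row["flags"] if f in ALERT_FLAGS]
    findings += [f"flag {f}: not in legend" for f in row["flags"] if f not in FLAGS]
    if row["relation"] == "B":
        findings.append("relation B: Blacklisted-neighbor")
    if row["relation"] in "PC" and "K" not in row["flags"]:
        findings.append("parent/child link without K (Connected)")
    if int(row["a_fail"]) > 0:
        findings.append(f"A-Fail counter is {row['a_fail']}")
    if expected_cluster and row["cluster"] != expected_cluster:
        findings.append("cluster ID differs from expected")
    return findings

# First data row is from this page; the second is constructed for the example.
SAMPLE = """\
38:17:c3:09:92:51  80:8d:b7:10:77:b0  116E  0  1  1.00  C 41m:19s  VLK  35  702/390  4  4  0  VHT-80MHzsgi-2ss  bfb3420907204759d77aa4aa01e848a
02:00:00:00:00:01  02:00:00:00:00:02  116E  3  1  1.00  N 2m:03s   VLF  12  54/54    9  2  7  VHT-80MHzsgi-2ss  00000000000000000000000000000000
"""

if __name__ == "__main__":
    for r in parse_mesh_table(SAMPLE):
        print(r["mac"], audit_link(r, "bfb3420907204759d77aa4aa01e848a") or "ok")
```

Feed it the saved CLI output of each AP; a row that returns an empty list has the K flag set on its parent/child link and no alert flag or A-Fail count.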

What is your main goal to build a mesh? Interconnect networks or connect AP’s with no wired connection?

If you find this post interesting, leave me a comment and share it with your friends. If you don’t like the post, leave me a comment and share it with your enemy. But whatever you do, leave me a comment, now.

14 thoughts on “Aruba InstantAP Mesh – IAP Mesh”

  1. Just to add to this, I once had a customer issue where his points kept losing connection to his portal. His portal kept changing channels due to perceived interference and the points would take a while to figure out what was happening. We measured channel utilization around his APs, selected the channel least used by surrounding APs, locked the IAP cluster to that otherwise least-used channel (believe it’s in Access Point Control in the Radio Settings), and his downtime went from six plus hours per week to less than half an hour per week.

  2. Hello, thank you Florian for this good tutorial. I spent hours searching in the official docs before encountering your blog, and so I could try the solution. I tried but did not succeed. See this:
    After configuring the mesh portal and the mesh point, everything looks fine because the command-line output is OK, but the web GUI shows me my mesh point as a portal too, and when I put the supposed mesh point in another segment (another switch, not wired), the mesh point comes up in the web GUI (after 16 min), but after a few minutes it drops out and then I can’t test the remote connection. Maybe someone has a clue to a solution?
    Note that I tried with 2 AP-105 and 6.2.3-4.1.1.3 software, which is a little old. What was your equipment for this lab?
    Anyway, thank you for sharing, and have a good day.

    • Hi Joik,

      Thanks for your comment. I really appreciate your feedback.

      First of all, I would recommend upgrading to the latest available version for your platform. This is really old software. Do you have “enet-vlan” configured? I found that this, in combination with mesh, leads to some problems.
      I would also recommend contacting TAC, but you should upgrade first 🙂

      Many thanks,
      Florian

  3. Hello,

    Our AP-377s have an SFP port for a 1000BASE-X transceiver, not a copper RJ-45. We can get a copper transceiver, but is there a way to power the eth0 with PoE and data, but the data does not come from the switch the portals are using, but it connects to an end device?

    Thanks,

    L

    • Hi Lawrence,

      Not sure if I understand you correctly. First, the AP-377 is connected via mesh? No wired connection to the network, correct?
      If this is true and you are asking if the IAP can be powered by PoE and still be connected via Mesh, the answer is yes.
      I’m actually not sure, what you mean by “it connects to an end device”?

      BR
      Florian

  4. What a nice post you have right here. Step by step is easy to follow. Thank you for sharing.
    What if our uplink in the middle is lost?
    Normal topology: IAP – Switch A – wired link – Switch B – IAP

    Mesh topology: IAP – Switch A – Mesh Portal AP – mesh link – Mesh Point AP (bridging eth0) – Switch B – IAP
    Can I have the mesh topology above?
    Have you ever tried it?

    • Hi Feri,

      Thanks for the feedback. Really appreciated.

      If the mesh link goes down, it will be like any other link: the connection is lost. But if the reason for the error, like a power outage, is resolved, the link will reestablish.

      You can build the mentioned topology. This is one scenario for mesh links. You can either have all IAPs in one cluster or, which would be my recommendation, run the mesh IAPs in standalone mode and have all the other IAPs in one cluster.
      As this looks like a P-t-P link within one campus, you might look at the 387 IAP. This one is designed for such scenarios.

      Hope this helps and addresses your questions.

      BR
      Florian

  5. Florian your post was very helpful to me. Thanks for posting it. I followed the directions and was able to get a Mesh Portal & Point up and running with no issues. I added four new APs to the same cluster and now the mesh point is unreachable. One of the new APs became the Virtual Controller and upgraded the firmware on all of the units. Would this have caused the Mesh Point to become unreachable, or something else that I’m missing?

    Thanks again,
    Jason

    • Hi Jason,

      What type of IAP is your Mesh Point and what type of IAPs are the others? Normally, a new IAP should not become VC and upgrade the cluster. Normally, the old VC stays VC until it is rebooted.

      BR
      Florian

  6. Thanks!
    Aruba claims it would work by itself. Nonsense. Maybe with APs for USA and Japan but not for the rest of the world.

    Thanks for the detailed instructions. I will come back to this blog.

    • Hi Klausi,

      Thanks for the comment. But be aware, this description is for versions <8.4. With version 8.4, things get easier, and my plan is to show this as well in a future post, but I am still missing the time to prepare.

      Br
      Florian

