During the last month, I had several projects which use Aruba InstantAP Mesh. So I would like to share my experience with Aruba InstantAP Mesh.

IAP Mesh is a technology to either connect remote IAPs to the cluster when no Ethernet connection is available, or to connect different networks with each other when no wired connection is available.

InstantAP Mesh – Basics

IAP mesh is very simple and easy to configure. The setup consists of two components: the Mesh Portal, which has a wired connection and provides the wired connection for all Mesh Points, and the Mesh Points, which are the APs with no wired connection. In the IAP world, you cannot specify a dedicated Mesh Portal. A Mesh Point will always connect to the best Mesh Portal available, measured by signal strength.

To form a Mesh, all IAPs have to be part of the same IAP cluster. This is important, as each cluster has its own VC Key. The IAPs use this VC Key to identify the correct Mesh connection.

The first step is to create a PSK based SSID. I assume you know how to do this. Here is mine, just for testing:

wlan access-rule Aruba
 index 2
 rule any any match any any any permit

wlan ssid-profile Aruba
 enable
 index 0
 type employee
 essid Aruba
 wpa-passphrase 601d3a32a2a881f36c538b377bb4d37a225e65cdc35cf2ea
 opmode wpa2-psk-aes
 max-authentication-failures 0
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

The next step is to disable the extended SSID mode. Go to “System–>General”, enable the advanced mode (click the “Show Advanced Options” link at the bottom of the window) and disable the “Extended SSID” option:

InstantAP Mesh – Disable Extended SSID

You can also use the CLI:

# no extended-ssid 
# exit  
# commit apply 
committing configuration...
configuration committed.
# wr memory 
Save configuration.

You need to reboot all APs in the cluster to disable the Extended SSID mode. Afterward, you can check the state of the extended SSID mode:

# show swarm state 

AP Swarm State           :swarm_config_sync_complete
mesh auto eth0 bridging  :no
Config in flash       :yes
factory SSID in flash :no
extended-ssid configured :no
extended-ssid active     :no
Factory default status   :no
Source of system time    :NTP server
Config load cnt       :1
VC Channel index      :1
IDS Client Gateway Detect :yes
Config Init success cnt for heartbeat   :0
Config Init success cnt for register    :0
Config Init skipping cnt for heartbeat  :0
Config Init skipping cnt for register   :0
Config Init last success reason   :N/A
Config Init last success time     :N/A

The APs are now ready to build a mesh. If one of the APs loses wired connectivity, it switches to mesh. This happens automatically but can take up to 15 minutes. The AP will reboot, and during boot you will see the following messages:

Ethernet uplink not active yet
Ethernet uplink not active yet
No uplink active. Becoming Mesh Point

The first 2 lines will repeat many times. After the last line, the AP will boot normally.

You can now check in the web UI and the CLI whether the Mesh is up and running:

InstantAP Mesh – Running Mesh

As you can see in the screenshot above, one AP is the Portal and one is the Point. You can get even more details from the CLI:

show ap mesh neighbours 

Neighbor list
-------------
MAC                Portal             Channel  Age  Hops  Cost  Relation                 Flags  RSSI  Rate Tx/Rx  A-Req  A-Resp  A-Fail  HT-Details        Cluster ID
---                ------             -------  ---  ----  ----  -----------------        -----  ----  ----------  -----  ------  ------  ----------        ----------
38:17:c3:09:92:51  80:8d:b7:10:77:b0  116E     0    1     1.00  C 41m:15s                VLK    35    650/390     4      4       0       VHT-80MHzsgi-2ss  bfb3420907204759d77aa4aa01e848a

Total count: 1, Children: 1
Relation: P = Parent; C = Child; N = Neighbor; B = Blacklisted-neighbor
Flags: R = Recovery-mode; S = Sub-threshold link; D = Reselection backoff; F = Auth-failure; H = High Throughput; V = Very High Throughput, L = Legacy allowed
        K = Connected; U = Upgrading; G = Descendant-upgrading; Z = Config pending; Y = Assoc-resp/Auth pending
        a = SAE Accepted; b = SAE Blacklisted-neighbour; e = SAE Enabled; u = portal-unreachable; o = opensystem

or this one:

show ap mesh link       

Neighbor list
-------------
MAC                Portal             Channel  Age  Hops  Cost  Relation                 Flags  RSSI  Rate Tx/Rx  A-Req  A-Resp  A-Fail  HT-Details        Cluster ID
---                ------             -------  ---  ----  ----  -----------------        -----  ----  ----------  -----  ------  ------  ----------        ----------
38:17:c3:09:92:51  80:8d:b7:10:77:b0  116E     0    1     1.00  C 41m:19s                VLK    35    702/390     4      4       0       VHT-80MHzsgi-2ss  bfb3420907204759d77aa4aa01e848a

Total count: 1, Children: 1
Relation: P = Parent; C = Child; N = Neighbor; B = Blacklisted-neighbor
Flags: R = Recovery-mode; S = Sub-threshold link; D = Reselection backoff; F = Auth-failure; H = High Throughput; V = Very High Throughput, L = Legacy allowed
        K = Connected; U = Upgrading; G = Descendant-upgrading; Z = Config pending; Y = Assoc-resp/Auth pending
        a = SAE Accepted; b = SAE Blacklisted-neighbour; e = SAE Enabled; u = portal-unreachable; o = opensystem

The AP will now use the Mesh link to connect to the Cluster and to send all the client traffic through this mesh link. In this mode, only wireless traffic is bridged through the Mesh link.

If the wired connection comes back, the AP will reboot again and use the wired link again.

InstantAP Mesh – Bridge Wired Traffic

In this scenario, we use the IAP Mesh to connect two networks with no wired connection between them, e.g. bridge over a street.

The same rules as above apply here as well, so make sure the setup above is working. To enable bridging from the Ethernet port of the AP through the Mesh link, enable “Eth bridging”. Click on the AP which should be the Point AP, click on “Edit” and go to “Uplink”:

InstantAP Mesh – Eth0 Bridging

You also need to make sure that the port of the AP is aware of the different VLANs. To configure the port accordingly, go to “More–>Wired” and create a new wired network:

InstantAP Mesh – Wired Settings

Select “Employee” as “Primary usage” and click “Next”:

InstantAP Mesh – VLAN

Select “Trunk” as “Mode” and define the “Native VLAN” and the “Allowed VLANs”. You can, of course, have more than one allowed VLAN. Afterward, click “Next”:

InstantAP Mesh – Security

As the Mesh link bridges networks from our domain, we can trust all clients.

On the last tab, the “Access” tab, just click “Finish”.

You can now place the AP wherever you need the AP to interconnect two networks.

If the AP is up and running you can check the status in the CLI:

show ap mesh link 

Neighbor list
-------------
MAC                Portal             Channel  Age  Hops  Cost  Relation                 Flags  RSSI  Rate Tx/Rx  A-Req  A-Resp  A-Fail  HT-Details        Cluster ID
---                ------             -------  ---  ----  ----  -----------------        -----  ----  ----------  -----  ------  ------  ----------        ----------
38:17:c3:09:92:51  80:8d:b7:10:77:b0  116E     0    1     1.00  C 17m:50s                VLK    32    325/325     4      4       0       VHT-80MHzsgi-2ss  bfb3420907204759d77aa4aa01e848a

Total count: 1, Children: 1
Relation: P = Parent; C = Child; N = Neighbor; B = Blacklisted-neighbor
Flags: R = Recovery-mode; S = Sub-threshold link; D = Reselection backoff; F = Auth-failure; H = High Throughput; V = Very High Throughput, L = Legacy allowed
        K = Connected; U = Upgrading; G = Descendant-upgrading; Z = Config pending; Y = Assoc-resp/Auth pending
        a = SAE Accepted; b = SAE Blacklisted-neighbour; e = SAE Enabled; u = portal-unreachable; o = opensystem

Clients behind the AP are now bridged through the Mesh link as well.
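
Once wired traffic crosses the mesh, it is worth checking the “show ap mesh link” output for more than "is it up". The following is an added example, not part of the original post: it parses the table and reports rows with a different Cluster ID, authentication failures, an open-system link, no K flag or a weak signal. The second sample row, the RSSI threshold and the assumption that every AP in your cluster shows the same Cluster ID are mine.

```python
import re

# Constructed sample in the format of "show ap mesh link" shown above;
# the second row is invented to exercise the checks.
SAMPLE = """\
MAC                Portal             Channel  Age  Hops  Cost  Relation                 Flags  RSSI  Rate Tx/Rx  A-Req  A-Resp  A-Fail  HT-Details        Cluster ID
---                ------             -------  ---  ----  ----  -----------------        -----  ----  ----------  -----  ------  ------  ----------        ----------
38:17:c3:09:92:51  80:8d:b7:10:77:b0  116E     0    1     1.00  C 41m:19s                VLK    35    702/390     4      4       0       VHT-80MHzsgi-2ss  bfb3420907204759d77aa4aa01e848a
02:00:00:00:00:01  80:8d:b7:10:77:b0  116E     0    1     1.00  N 2m:03s                 VLFo   12    6/6         9      2       7       VHT-80MHzsgi-2ss  0000000000000000000000000000000
"""

MIN_RSSI = 20  # assumed threshold for this example, not an Aruba default


def parse_mesh_table(text):
    """Return one dict per neighbour row, keyed by the header names."""
    lines = [l for l in text.splitlines() if l.strip()]
    start = next(i for i, l in enumerate(lines) if l.lstrip().startswith("MAC"))
    header = re.split(r"\s{2,}", lines[start].strip())
    rows = []
    for line in lines[start + 2:]:          # skip the dashed separator
        cells = re.split(r"\s{2,}", line.strip())
        if len(cells) != len(header):       # footer / legend lines
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def audit(rows, expected_cluster_id):
    """Return {mac: [findings]} for rows that deserve a closer look."""
    findings = {}
    for r in rows:
        issues = []
        flags = r["Flags"]                  # case-sensitive, see legend
        if r["Cluster ID"] != expected_cluster_id:
            issues.append("foreign cluster ID")
        if "F" in flags or int(r["A-Fail"]) > 0:
            issues.append("authentication failures")
        if "o" in flags:
            issues.append("open-system link")
        if "K" not in flags:
            issues.append("not connected")
        if "S" in flags or int(r["RSSI"]) < MIN_RSSI:
            issues.append("weak signal")
        if issues:
            findings[r["MAC"]] = issues
    return findings
```

Paste the complete command output into parse_mesh_table(); the "Neighbor list" heading, the totals and the flag legend are skipped because they do not split into the same number of columns as the header.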

What is your main goal in building a mesh? Interconnecting networks, or connecting APs with no wired connection?
