Archive for July, 2015

Cisco LACP config for Aruba AP

 | 8 Jul 2015 17:30

Aruba LogoDon’t we all love it when we find that a standard requirement states one thing and what to date is implemented elsewhere doesn’t comply? Dual active uplinks for a premium office standard is one of those requirements I found. Now I haven’t seen the standard Cisco wireless deployment for premium sites, but in light of vendor ‘diversity’ Aruba is deployed instead of Cisco.

Motivation aside, the dual uplink raises an interesting question for lightweight access points (LWAPs). Aruba (by default) GRE tunnels all client traffic to the wireless LAN controller (WLC) for processing, filtering and forwarding there, like Cisco and common in corporate environments. The alternatives are split tunneling or no tunneling, which normally comes at the cost of losing corporate controls. The QoS trade-off and headaches of tunneling WLAN traffic to WLCs is food for another post entirely.


Using AP225 APs, I found I had LACP at my disposal. Cheaper models (< AP220) don’t do LACP and only have STP for redundancy. Some of my first concerns:

  • Standard Cisco LACP is mostly configured unconditional, which means the ports don’t come up if LACP isn’t detected on the link. How is an AP meant to get its profile from a WLC if it can’t get there. Remember I don’t want to reconfigure the switch ports after an AP has connected and obtained its profile (configuration) from the WLC.
  • Aruba documentation and forums (Airheads) didn’t list much configuration about Cisco switch port configuration. What I did find was that LACP is supported and needs switch configuration for it to work.
  • A single GRE tunnel using 2 etherchannel members?! LACP uses an IP hash table to select which member link to forward packets on. An AP only has a single IP address and without LACP the WLC also only has a single IP address for termination of LWAP GRE tunnels. Surely all GRE tunnels would only use a single LACP bundle-member, restricting maximum throughput to 1 Gbps. If so, what’s the point?

Reading up I found the following helpful information:

  • Aruba solves the LACP IP hash table problem by using a second WLC IP address to terminate a second GRE tunnel. This second tunnel uses the 2nd member-link. Each GRE tunnel serves a radio, 2.4GHz and 5GHz, this does not enable more than 1 Gbps for 5GHz but at least 2.4GHz traffic won’t eat into the uplink speed available to 5GHz traffic. The Aruba config for LACP centres around “AP LACP GRE striping IP” (see Google for more info).
  • “no port-channel standalone-disable”, this port-channel configuration gem permits link members to come up as individual links. This allows a LWAP to connect to the network, get an IP via DHCP, find the WLC and pull its configuration. Once provisioned by the WLC LACP kicks in.


Beware of the LACP hash algorithm, Cisco switch default is src-mac. In an edge-routed design the source-mac will be the mac of the switch SVI towards the WLC. The Switch terminating the LWAPs is the same as the one terminating the WLC and the WLC also uses LACP to connect to the LAN. For my deployment the solution was src-ip as the GRE sessions towards the LWAPs have a distinct WLC IP address (must be odd/even). Traffic destined for the WLC is also src-ip based, which is good as the load-balancing will then be based on the targets of the clients whether internet or LAN based it works as long as corporate clients don’t all hit the same target at the same time. I think is most situations the resulting total bandwidth restriction of a single LAN source towards wireless clients at 1 Gbps is beneficial to the fair sharing of bandwidth between LAN based services.

The AP225 only pulls PoE over a single link. If the link providing PoE goes down it will reboot and come up one the remaining link.

Though the dual links provide extra bandwidth, if the your NOC doesn’t monitor these links either via WLC management or switch trap/port monitoring, a single link failure won’t be noticed. I think this is no different to the issue of APs losing their physical link and continuing in mesh connectivity, which is great as a last resort but not when the situation isn’t resolved before things get really bad.

Cisco config

This is the LWAP switch port config that worked for me:

WLAN-SW01(config)#int range g1/0/1,g2/0/1
 description WLAN-AP01
 switchport access vlan 4
 switchport mode access
 channel-group 1 mode active
WLAN-SW01(config)#int po1
 description WLAN-AP01
 switchport access vlan 4
 switchport mode access
 no port-channel standalone-disable
WLAN-SW01#sh eth 1 sum
Flags: D - down P - bundled in port-channel
       I - stand-alone s - suspended
       H - Hot-standby (LACP only)
       R - Layer3 S - Layer2
       U - in use f - failed to allocate aggregator

       M - not in use, minimum links not met
       u - unsuitable for bundling
       w - waiting to be aggregated
       d - default port
Group  Port-channel  Protocol    Ports
1      Po1(SU)         LACP      Gi1/0/1(P) Gi2/0/1(P)

When the LWAP hasn’t fetched it’s configuration the Flags show either (D) for down or (I) when the port is up but LACP is inactive. As long as LACP is inactive the APs MAC address will hop between the two ports and a MAC flap warning is reported by the switch.

Jul  8 2015 08:33:59.259 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 94b4.0f50.47f0 in vlan 4 is flapping between port Gi2/0/1 and port Gi1/0/1

Another error I’ve seen is about PoE. What happens is that both member ports offer PoE but the AP only signals acceptance on a single port. The switch doesn’t seem to understand the lack of response, calls the AP rude, turns off PoE on that port and logs the ‘error’.

Jul 8 2015 17:08:39.030 UTC: %ILPOWER-7-DETECT: Interface Gi1/0/2: Power Device detected: IEEE PD
Jul 8 2015 17:08:41.202 UTC: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi2/0/2: PD removed
Jul 8 2015 17:08:41.203 UTC: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface Gi2/0/2: Power given, but Power Controller does not report Power Good
Jul 8 2015 17:08:41.885 UTC: %ILPOWER-7-DETECT: Interface Gi2/0/2: Power Device detected: IEEE PD
Jul 8 2015 17:08:42.995 UTC: %ILPOWER-5-POWER_GRANTED: Interface Gi2/0/2: Power granted
Jul 8 2015 17:08:50.035 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to up
Jul 8 2015 17:08:50.187 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
Jul 8 2015 17:08:55.025 UTC: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi1/0/2: PD removed

WLAN-SW01#sh power inline
Module Available Used Remaining
 (Watts) (Watts) (Watts)
------ --------- -------- ---------
1 1110.0 200.2 909.8
Interface Admin  Oper       Power   Device              Class Max
--------- ------ ---------- ------- ------------------- ----- ----
Gi1/0/1   auto   on         15.4    Ieee PD             4     30.0
Gi2/0/1   auto   off        0.0     n/a                 n/a   30.0

Check LACP from the WLC

Some great LACP related WLC CLI tools I found on Airheads:

Check if GRE striping IP has been set: “show ap system-profile ”

(WLAN-WLC01) #show ap system-profile LACP

AP system profile "LACP"
Parameter Value
--------- -----
RF Band g
RF Band for AM mode scanning all
Backup LMS IP N/A
Backup LMS IPv6 N/A
LMS Preemption Disabled
LMS Hold-down Period 600 sec
LMS ping interval 20
GRE Striping IP

Check the if an APs LACP has come up: “show ap debug lacp ap-name ”

(WLAN-WLC01) #show ap debug lacp ap-name WLAN-AP01

AP LACP Status
Link Status  LACP Rate  Num Ports  Actor Key  Partner Key  Partner MAC
-----------  ---------  ---------  ---------  -----------  -----------
Up           slow       2          17         1            88:90:8d:d9:b8:00
Slave Interface Status
Slave I/f Name  Permanent MAC Addr  Link Status  Member of LAG  Link Fail Count
--------------  ------------------  -----------  -------------  ---------------
eth0            94:b4:0f:c2:83:b2   Up           Yes            0
eth1            94:b4:0f:c2:83:b3   Up           Yes            0

Check if GRE tunnels are being created to both the switch IP address and the GRE stripping IP address configured in the AP system profile: “show datapath session | include ”

(WLAN-WLC01) #show datapath session | include "30.29"
...   17   4500  4500   0/0  0    0   0   pc1         119  70         71872      FC     47   0     0      0/0  0    0   1   pc1         c    0          0          FC           

There you have it, LACP between an Aruba AP and a Cisco switch. Kudos to Abi’s over at Airheads for this article about LACP on the Aruba AP225 and AirOS 6.3. I was working on 6.4, ymmv with different versions.

One year down the road…

 | 14:37

A year post jumping ship

Seems like a good time to look back a little and wonder why it took me so long. June last year my time at Deloitte (London office) came to an end, with the customer transitioning their IT workforce I was the last from nscglobal to leave the account. I had a good time working in a small project team, always on site but then the people and the interesting work made up for the hassle and cost of the daily commute. So Long, and Thanks for All the Fish.

Life without two wheels sucks

But then again, if I’d still had my dear BMW, I would have gone back the O2 account in Slough. Despite the daunting prospect at the time. It was the right time to jump ship and join my wife’s limited company. This is where it pays off to leave a wealth of happy customers and (ex)colleagues, that and God’s provision.  Either way, I’m grateful. May last year I was an employee living in a 2 bedroom ground floor apartment with mould growing in my boys’ bedroom. Now by the grace of friends and benefit of being self-employed; I’m happy with my work, we live in an amazing house and are practically debt free since moving to the UK in 2008. Oh, and I’ve started running again, properly this time…

3.5 hour commute

A what?! Yes, you read that right. I have a 3.5 hour commute, each way. Blessed as I am, I only rarely have to make the trek to Macclesfield. It’s funny for these things work out, but it does work and it works very well. We now have a great accountant, contact me if you need his details (you really should!). He’s just finished our 14/15 numbers and I can’t tell you great it is to get on with the person dealing with our business finances.

I’m eager to find out what the new financial year will bring. First up is another contract extension, it’s great having happy clients, there’s no better advertisement than that. Second, longer bound by the restrictions of an employer on what I blog about. I’m now able to write a lot more about the interesting challenges faced at my customers and the solutions found to them.