AP Provisioning

AP Provisioning is automated with some code written by the NIS dev team. It is triggered two different ways: on demand and scheduled.

Core

Information gathering

The code ingests the MAC address of an AP. It queries the MM to determine the AP's:

  • name
  • group
  • AAC

It then queries the AAC to get the AP's LLDP neighbor information, where it finds:

  • The name of the switch
  • The interface description

NOTE: For the AAC, the MM returns the IP address as used by the AP. This IP address is how the code connects to the AAC.

Generating the name and group

It uses the LLDP information to determine the building abbreviation and the HLINK, if it exists. This is used to determine the expected group and name.

The AP name takes the form BLDG-HLINK, where:

  • BLDG is the uppercase building abbreviation
  • HLINK is the HLINK (or link identifier for older installations)

The AP group takes the form apg-bldg where:

  • apg is a fixed prefix
  • bldg is the lowercase building abbreviation

Edge cases

  • The HLINK may not exist yet (this is particularly common in new installations). In this case, the AP's MAC address is used in place of an HLINK.
  • The AP may already be provisioned in a custom group. If the AP's current group is of the form apg-bldg-foo, where -foo is some suffix beginning with a -, then this is considered a match, and the program will not move the AP to a different group.

Creating a group

When a program provisions an AP, it checks to make sure that the AP group exists. If it does not, it creates a group at the region level (see Configuration Hierarchy) which looks like:

{
  "dot11a_prof": {
    "profile-name": "rpa-default"
  },
  "profile-name": "apg-bldg",
  "reg_domain_prof": {
    "profile-name": "rdp-blacksburg"
  },
  "virtual_ap": [
    {
      "profile-name": "vap-eduroam"
    },
    {
      "profile-name": "vap-vtopenwifi"
    }
  ]
}

Regulatory domain

The regulatory domain is chosen based on the AAC prefix.

  • If the AAC starts with, col, bur, or res then the RDP is set to rdp-blacksburg
  • If the AAC starts with vtc, then the RDP is set to rdp-roanoke.
  • If the AAC starts with nvc, then the RDP is not set.
  • If the AAC starts with anything else, the group is not created.

On Demand

  • AP boots
  • MD sends an SNMP trap to AKiPS
  • Provisioning app periodically (every 2s) pull trap events from AKiPS (specifically, the host akips.nis.vt.edu)
  • waits 5 minutes
  • App looks up the AAC for that MD from the MM
    • probably with the show ap detail wired-mac xx:xx:xx:xx:xx:xx command (via api)

This is how APs are provisioned when they are deployed. This also fixes APs that are moved to a new location.

  • tool checks akips every 2s
  • events are added with a 5 min delay
  • 4 attempts with at a 5 minute interval before giving up

Scheduled

The reconciler runs at 06:00 ET daily. It pulls the AP database from the MM. It builds a list of APs that are incorrectly provisioned and runs the core process on them. This is how we get APs to have the correct name when the HLINK is assigned after the AP is deployed.

This process is limited to 20 APs per day.

Work order process

From earlyb:

The provisioning piece doesn't talk to Atlas at all. There is a WAP inventory job that does talk to Atlas. I don't remember exactly what that job does, but I think it generates a report of mismatches between the network and Atlas.

Limitations

Also from earlyb:

The only thing I can think of is that the provisioner is unable to talk to any controller that only has an IPv6 address. The docker swarm where it's deployed apparently has some problem reaching those addresses. This may be resolved in the future when we shift where it's deployed. Or maybe not.

Logs

  • Currently in the ELK stack
  • log_aaa-* index
  • 1s precision, look at the timestamp in the log
  • instance.name:orca-job-prod_wap-provision-*
  • fields.group: laa.nis.docker