Frequent Contributor I
Posts: 64
Registered: ‎11-10-2009

Pinging remote APs from other subnets?

Hello,

We're running Aruba OS 5.0.x and are unable to ping remote APs from anywhere other than 1. the local subnet (i.e. the same one that the access point is on), and 2. the controller. I think this used to work under version 3.4 because I'm sure I used to do this.

We'd like to be able to ping APs from places other than the local subnet or the controller for diagnostic purposes.

Can this be changed and, if so, can it be changed on a per-group or per-AP basis?

Thanks,

- Bob
Guru Elite
Posts: 20,760
Registered: ‎03-29-2007

Pool

The IP addresses created by the pool for the remote APs are proxied by the controller. So if you create an 8.8.8.x pool for remote APs, the controller will answer for IP addresses in that pool. In order to reach that 8.8.8.x pool from another VLAN, you will have to either (1) create a route in your infrastructure for 8.8.8.x and point it to the controller or (2) make the AP pool range match a routable network on the controller that your infrastructure can reach.

Does that answer your question, at all?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 64
Registered: ‎11-10-2009

Re: Pinging remote APs from other subnets?

I'm not sure.

I'm trying to ping the outside address of the AP (the real address of the AP on the network, not the inside tunnel address). I can ping this from a host on the same subnet but not from somewhere else.

I wouldn't expect these pings to go anywhere near the controller as I'm pinging the AP from a host NOT on the wireless network to the AP outside address.

However, you may have made me think that the APs would normally expect to reach the host that's pinging them by sending a reply back through the L2TP tunnel to the controller, as that's the default route (on the AP)? That won't work because of anti-spoofing rules and things. Although, it probably also won't escape the controller due to filters on the tunnel.
Guru Elite
Posts: 20,760
Registered: ‎03-29-2007

Outside AP address

I understand now.

In the AP system profile, there is a session-acl parameter that is applied to the ethernet interface of each access point to determine what traffic from the outside is allowed in. This is to protect APs that are deployed on the public internet. Change that parameter to a firewall policy that allows ping and you should be able to ping them.


Colin Joseph
Aruba Customer Engineering
