09-16-2016 11:10 AM - edited 09-16-2016 11:14 AM
We're just starting out with Aruba Instant here, and are having troubles with our initial test setup. We are trying to get this working with just 1 IAP to start with.
The switch interface that the IAP is connected to is a trunk and has VLANs 908, 1100, and 2521 (default). The IAP receives its IP from our DHCP server on the 2521 network. We have 2 SSIDs set up on the IAP, external access (908) and internal access (1100). Internal access is fully functional: it can query our DNS and receive responses, and with correct roles from our internal authentication servers, clients may gain external access.
The external access SSID (908), however, is receiving no syn from the DNS servers, but is still receiving an address from DHCP, which is run on the same servers as DNS. Packet captures at the IAP interface show the DNS query, but no responses arrive. Packet captures at the switch's uplink show the queries and their responses arriving. For some reason, the IAP is not receiving DNS queries on the 908, but is on the 1100. There is no firewall set up in between the device and the DNS. The only firewall is for external traffic.
I'm having difficulty figuring out why one SSID is able to hit and receive DNS, DHCP, and authentication servers, but the other SSID is unable to receive DNS. We already have a different WiFi solution using the external VLAN, and we can verify that it's correctly routed.
Any help is appreciated.
09-28-2016 06:24 AM
I'm still trying to resolve this issue, but I have a few updates.
After running many packet captures at different points, and different VLAN configurations, we've found the following:
When the IAP is set to vlan 908, and the switch interface it connects to is vlan 908, we are able to resolve DNS.
When the IAP is set to VLAN 2521, broadcasting SSID 908, and the switch interface is set to native VLAN 2521 (untagged) and 908 tagged, we are not able to resolve DNS. When running packet captures at the access switch's uplink, we are able to see the DNS response packets arrive at the switch, but no discards or errors occur at the IAP interface on the switch. The switch has routing disabled, so it is not making any decisions. If we tag VLAN 1100 on top of this, that SSID is able to receive DNS.
Aruba support has been assisting us for the past 2 weeks on this, and are having great difficulty in figuring out why this is occurring, so I want to reach out to more sources of help with Airheads.
10-03-2016 08:51 AM
I must have overlooked this in earlier captures but it seems obvious now.
The controller is tagging packets from devices on the 908 SSID with the management vlan 2521, instead of the 908 vlan. However on the 1100 SSID, the packets are being correctly tagged on the 1100 vlan.
Now my task is to discover why the IAP is tagging only one SSID on its management VLAN instead of the correct one specified in the SSID VLAN setting.
Again, any help or ideas would be appreciated from the community. Thank you.
10-04-2016 04:20 AM
OvaisAEC - The SSIDs HAVE to be network assigned and set to static to be able to assign them a VLAN. I assumed that seemed clear in any of my posts on this topic.
What is occurring is regardless of being set to Network Assigned, and static VLAN of 908, the AP is tagging that SSID on VLAN 2521 on all traffic instead of 908. For all other SSIDs, the AP will tag the statically assigned VLAN (as expected).
10-04-2016 05:38 AM
HPE MASE Infrastructure / CCIE # 37956 (R&S)
Solutions Architect - HPE Networking | Aruba
Hewlett Packard Enterprise
10-11-2016 06:00 AM
We have a resolution, but it doesn't sit well with us. I will provide details after I've done some investigation, but it appears the Aruba Instant doesn't handle DNS requests normally. I'll be trying to find out how they package their DNS queries and method of delivery.
10-11-2016 08:25 AM - edited 10-11-2016 11:52 AM
The DNS is being packaged normally actually; I was a bit hasty with my last response.
We have DNS working, but the DNS queries are being sent from the IAP on VLAN 2521 (native VLAN) as opposed to VLAN 908 from the same SSID. But the 1100 SSID is still being sent from the IAP on VLAN 1100.
We want the IAP to send the DNS query on VLAN 908, but it is changing to 2521 somehow (no different setup than 1100). We want this to be on 908 so as to set up firewall rules for just it, instead of including 2521 (wireless management).
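The finding in the 10-03 and 10-11 posts above (DNS queries from the 908 SSID leaving the IAP untagged on the native/management VLAN 2521 while the 1100 SSID's queries are tagged 1100) is the kind of thing that is easy to overlook in a capture unless the 802.1Q tag is checked per packet. The script below is an added example, not code from the original thread or from Aruba: it parses raw Ethernet frames, reads the 802.1Q VLAN ID if present, treats untagged frames as the trunk's native VLAN, and flags any DNS query whose source subnet belongs to an SSID but whose observed VLAN does not match that SSID's configured VLAN. The client subnets (10.90.8.0/24 for VLAN 908, 10.110.0.0/24 for VLAN 1100), the DNS server address, MAC addresses, and the sample frames are all constructed for the example and are not from the thread.

```python
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DNS_PORT = 53

# Assumed (hypothetical) mapping of SSID client subnet -> VLAN the SSID is configured for.
SSID_SUBNET_VLANS = {
    ipaddress.ip_network("10.90.8.0/24"): 908,    # "external access" SSID
    ipaddress.ip_network("10.110.0.0/24"): 1100,  # "internal access" SSID
}
NATIVE_VLAN = 2521  # untagged frames on the trunk belong to the native/management VLAN


def build_frame(vlan, src_ip, dst_ip, dst_port, payload=b"\x00" * 12):
    """Construct an Ethernet/IPv4/UDP frame; vlan=None produces an untagged frame,
    otherwise an 802.1Q tag with the given VID is inserted. MACs are made up."""
    eth_dst = bytes.fromhex("000c29aabbcc")
    eth_src = bytes.fromhex("0016b9ddeeff")
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, dst_port, udp_len, 0) + payload  # checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    if vlan is None:
        return eth_dst + eth_src + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp
    tci = vlan & 0x0FFF  # PCP 0, DEI 0, 12-bit VID
    return eth_dst + eth_src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4) + ip + udp


def parse_frame(frame):
    """Return {'vlan', 'src', 'dst', 'sport', 'dport'} for an IPv4/UDP frame
    (vlan is None when untagged), or None for anything else."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != IPPROTO_UDP:
        return None
    src = str(ipaddress.ip_address(frame[off + 12:off + 16]))
    dst = str(ipaddress.ip_address(frame[off + 16:off + 20]))
    sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return {"vlan": vlan, "src": src, "dst": dst, "sport": sport, "dport": dport}


def audit_dns_vlans(frames, native_vlan=NATIVE_VLAN):
    """Return (src_ip, observed_vlan, expected_vlan) for every DNS query whose
    802.1Q tag (or lack of one) does not match the VLAN configured for its SSID."""
    mismatches = []
    for frame in frames:
        p = parse_frame(frame)
        if p is None or p["dport"] != DNS_PORT:
            continue
        src = ipaddress.ip_address(p["src"])
        expected = next((v for net, v in SSID_SUBNET_VLANS.items() if src in net), None)
        if expected is None:
            continue  # not a client of an SSID we care about
        observed = native_vlan if p["vlan"] is None else p["vlan"]
        if observed != expected:
            mismatches.append((p["src"], observed, expected))
    return mismatches


# Constructed sample "capture" from the trunk port, modelled on the symptom in the thread.
DNS_SERVER = "10.25.21.10"
SAMPLE_FRAMES = [
    build_frame(None, "10.90.8.25", DNS_SERVER, DNS_PORT),   # 908 client, but untagged (native 2521)
    build_frame(1100, "10.110.0.40", DNS_SERVER, DNS_PORT),  # 1100 client, correctly tagged
    build_frame(908, "10.90.8.26", DNS_SERVER, DNS_PORT),    # 908 client, correctly tagged
    build_frame(None, "10.90.8.25", DNS_SERVER, 123),        # NTP, not DNS: ignored
]

if __name__ == "__main__":
    for src, observed, expected in audit_dns_vlans(SAMPLE_FRAMES):
        print("DNS query from %s seen on VLAN %d, expected VLAN %d" % (src, observed, expected))
```

To run this against a real capture, feed it the raw frames from a trunk-side capture (for example the link-layer payloads of a pcap read with a library of your choice) rather than SAMPLE_FRAMES; the point of treating untagged frames as the native VLAN is exactly the case in the thread, where the "wrong" traffic does not carry a wrong tag but no tag at all.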