Aruba Instant & Cloud Wi-Fi

Occasional Contributor I
Posts: 6
Registered: ‎07-23-2014

routing problems with magic vlan

I'm having a weird routing problem when trying to use the Virtual Controller to assign IPs using the magic VLAN.

Equipment: 1 IAP 225, 9 IAP 105s

If I connect to the IAP that is the virtual controller (doesn't matter if the controller is a 225 or 105) I can route just fine. No problems with external or internal routing.

However, I cannot route anywhere if I connect to any of the other IAPs that are not running as the controller. I can't even ping the default gateway of the VLAN.

Here are the DHCP settings from that VLAN:

#magic-vlan
{
        vlan-id=3333
        dhcp-range=172.31.98.3,172.31.99.254,255.255.254.0,12h
        dhcp-option=1,255.255.254.0
        dhcp-option=3,172.31.98.1
        dhcp-option=6,10.8.2.18
        dhcp-option=54,172.31.98.1
}


Any thoughts?
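A self-consistency check for the magic-VLAN scope quoted above, added here as an example; it is not code from the thread or from Aruba. It parses the block as posted (the text below is a constructed copy of it) and confirms that the lease range, the option 1 subnet mask and the option 3 gateway all describe the same subnet, so that a client which gets a lease can actually reach its gateway. An inconsistent scope produces exactly the "got an address, can't ping the gateway" symptom, so it is worth ruling out before assuming a routing fault.

```python
"""Sanity-check an Aruba Instant magic-VLAN DHCP scope (added example).

Parses the dnsmasq-style block quoted in the question and checks that
range, mask and gateway describe one consistent subnet.
"""
import ipaddress

# Constructed copy of the block quoted in the question.
MAGIC_VLAN_BLOCK = """#magic-vlan
{
        vlan-id=3333
        dhcp-range=172.31.98.3,172.31.99.254,255.255.254.0,12h
        dhcp-option=1,255.255.254.0
        dhcp-option=3,172.31.98.1
        dhcp-option=6,10.8.2.18
        dhcp-option=54,172.31.98.1
}
"""


def parse_magic_vlan(text):
    """Return {'vlan_id': int, 'range': {...}, 'options': {code: value}}."""
    scope = {"options": {}}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line or line.startswith("#"):
            continue                     # skips the comment, braces and blanks
        key, value = line.split("=", 1)
        if key == "vlan-id":
            scope["vlan_id"] = int(value)
        elif key == "dhcp-range":
            start, end, mask, lease = value.split(",")
            scope["range"] = {"start": start, "end": end, "mask": mask, "lease": lease}
        elif key == "dhcp-option":
            code, opt_value = value.split(",", 1)
            scope["options"][int(code)] = opt_value
    return scope


def check_scope(scope):
    """Return a list of problems; an empty list means the scope is self-consistent."""
    problems = []
    rng, opts = scope["range"], scope["options"]
    # Subnet implied by the range start and the mask on the dhcp-range line.
    network = ipaddress.IPv4Network((rng["start"], rng["mask"]), strict=False)
    start = ipaddress.IPv4Address(rng["start"])
    end = ipaddress.IPv4Address(rng["end"])
    if start > end:
        problems.append("range start is after range end")
    if end not in network:
        problems.append("range end %s is outside %s" % (end, network))
    if start == network.network_address or end == network.broadcast_address:
        problems.append("range includes the network or broadcast address")
    # Option 1 (subnet mask) must agree with the mask on the range line.
    if 1 in opts and opts[1] != rng["mask"]:
        problems.append("option 1 mask %s differs from range mask %s" % (opts[1], rng["mask"]))
    # Option 3 (router) must be inside the subnet, or clients cannot ARP for it,
    # and must not be handed out as a lease.
    if 3 in opts:
        gateway = ipaddress.IPv4Address(opts[3])
        if gateway not in network:
            problems.append("gateway %s is not inside %s" % (gateway, network))
        elif start <= gateway <= end:
            problems.append("gateway %s lies inside the lease range" % gateway)
    else:
        problems.append("no router option (3); clients get no default gateway")
    if 6 not in opts:
        problems.append("no DNS option (6)")
    return problems


if __name__ == "__main__":
    scope = parse_magic_vlan(MAGIC_VLAN_BLOCK)
    print("VLAN %d: %s" % (scope["vlan_id"], check_scope(scope) or "scope is consistent"))
```

Run against the posted block the check comes back clean, which is consistent with the poster's observation that clients on the VC itself route fine; the fault is not in the scope definition.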

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: routing problems with magic vlan

What does the rest of your config look like?  Is your network/SSID set to VC Assigned for IP address assignment?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor I
Posts: 6
Registered: ‎07-23-2014

Re: routing problems with magic vlan

Yes, the goal of this was to segment off the guest network. So I created a Guest SSID to use the virtual controller managed IP assignment. Right now that is the extent of testing. I have not set up any security, and access is currently unrestricted until I resolve this issue with the SSID.

Ian

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: routing problems with magic vlan

Did you configure vlan 3333 on the LAN?  You shouldn't need to do that...

Occasional Contributor I
Posts: 6
Registered: ‎07-23-2014

Re: routing problems with magic vlan

No, I have not. I didn't think I needed to, since when I connect to the controller it works just fine. It's just perplexing that the other IAPs won't work with it.

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: routing problems with magic vlan

Can you post the entire IAP config?

Occasional Contributor I
Posts: 6
Registered: ‎07-23-2014

Re: routing problems with magic vlan

Here it is:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.07.23 10:20:22 =~=~=~=~=~=~=~=~=~=~=~=
sh run
version 6.4.0.0-4.1.0
virtual-controller-country US
virtual-controller-key 3133393336333835353132343a44453a43382062797465737a
name "Instant Virtual Controller"
organization
virtual-controller-ip 10.8.10.54
terminal-access
ntp-server 0.us.pool.ntp.org
clock timezone Pacific-Time -08 00
clock summer-time PDT recurring second sunday march 02:00 first sunday november 02:00
rf-band all
dynamic-radius-proxy
ams-ip 10.8.2.5
ams-key 60fb94dae318cae66224937b82c85dc4b1e0d418b54551d3
ams-identity 25833716fc0233aafbeda2b4a800f9a3

allow-new-aps
allowed-ap 24:de:c6:ce:84:d3
allowed-ap 24:de:c6:ce:84:ed
allowed-ap 24:de:c6:ce:84:d9
allowed-ap 24:de:c6:ce:84:d0
allowed-ap 24:de:c6:ce:84:d8
allowed-ap 24:de:c6:ce:84:2b
allowed-ap 24:de:c6:ce:84:da
allowed-ap 24:de:c6:ce:84:d6
allowed-ap 18:64:72:c6:63:00


arm
 wide-bands all
 80mhz-support
 min-tx-power 18
 max-tx-power 127
 band-steering-mode prefer-5ghz
 air-time-fairness-mode preferred-access
 client-aware
 scanning
 client-match

rf dot11g-radio-profile
 spectrum-monitor
 interference-immunity 3

rf dot11a-radio-profile
 spectrum-monitor

internal-domains
 domain-name
 domain-name

syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless


deny-inter-user-bridging
deny-local-routing



user guest 9fb79ea1a40485f29da7d23c86066964 portal


mgmt-user admin 1ebc3cfd407fcdeade12fb8650a884ec60c46c9e821a07b7

wlan access-rule default_wired_port_profile
 index 0
 rule any any match any any any permit

wlan access-rule "TP 2.4GHZ"
 index 1
 rule any any match any any any permit

wlan access-rule wired-instant
 index 2
 rule masterip 0.0.0.0 match tcp 80 80 permit
 rule masterip 0.0.0.0 match tcp 4343 4343 permit
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit

wlan access-rule "internal"
 index 3
 rule any any match any any any permit

wlan access-rule TP-Guest
 index 4
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit
 rule 10.8.1.4 255.255.255.255 match icmp any any permit
 rule 10.8.0.0 255.255.0.0 match any any any deny
 rule any any match any any any permit

wlan access-rule "TP 5GHZ"
 index 5
 rule any any match any any any permit

wlan access-rule test
 index 6
 rule any any match any any any permit

wlan ssid-profile "TP 2.4GHZ"
 enable
 index 0
 type employee
 essid "TP 2.4GHZ"
 opmode wpa2-aes
 max-authentication-failures 0
 vlan guest
 auth-server vdc1
 auth-survivability
 rf-band 2.4
 captive-portal disable
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64
 okc
 dot11r
 dot11k
 dot11v

wlan ssid-profile "internal"
 enable
 index 1
 termination
 type employee
 essid "internal"
 opmode wpa2-aes
 max-authentication-failures 0
 auth-server vdc1
 rf-band all
 captive-portal disable
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter none
 blacklist
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64
 dot11v

wlan ssid-profile TP-Guest
 enable
 index 2
 type guest
 essid TP-Guest
 wpa-passphrase f5985a98506272e3423f6aeed258d2ebf8c837ddd574653c
 opmode wpa2-psk-aes
 max-authentication-failures 0
 rf-band all
 captive-portal disable
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

wlan ssid-profile "TP 5GHZ"
 enable
 index 3
 type employee
 essid "TP 5GHZ"
 opmode wpa2-aes
 max-authentication-failures 0
 auth-server vdc1
 auth-survivability
 rf-band 5.0
 captive-portal disable
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64
 okc
 dot11r
 dot11k
 dot11v

wlan ssid-profile test
 enable
 index 4
 type guest
 essid test
 wpa-passphrase 8ead216160a9de007a593acae1c51923af87e11d46958d6e
 opmode wpa2-psk-aes
 max-authentication-failures 0
 vlan guest
 rf-band all
 captive-portal disable
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

auth-survivability cache-time-out 24


dpi

wlan auth-server
 ip
 port 1812
 acctport 1813
 key a1c81747945dcec66a03927fcc43f764e495b2fe9fc9ac7e
 nas-ip 10.8.10.54
 rfc3576
 cppm-rfc3576-port 5999

wlan external-captive-portal
 server localhost
 port 80
 url "/"
 auth-text "Authenticated"


blacklist-time 3600
auth-failure-blacklist-time 3600

ids
 wireless-containment none
 infrastructure-detection-level high
 client-detection-level high
 infrastructure-protection-level high
 client-protection-level high


wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
 shutdown
 access-rule-name default_wired_port_profile
 speed auto
 duplex full
 no poe
 type employee
 captive-portal disable
 no dot1x

wired-port-profile wired-instant
 switchport-mode access
 allowed-vlan all
 native-vlan guest
 no shutdown
 access-rule-name wired-instant
 speed auto
 duplex auto
 no poe
 type guest
 captive-portal disable
 no dot1x


enet0-port-profile default_wired_port_profile

uplink
 preemption
 enforce none
 failover-internet-pkt-lost-cnt 10
 failover-internet-pkt-send-freq 30
 failover-vpn-timeout 180


airgroup
 disable

airgroupservice airplay
 disable
 description AirPlay

airgroupservice airprint
 disable
 description AirPrint

attack
 drop-bad-arp-enable
 fix-dhcp-enable
 poison-check-enable

Accounting 225 - p11-35#
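A small review aid for the dump above, added here as an example and not taken from the thread or from Aruba. The poster says access on the new SSID is "currently unrestricted", and the dump shows why: the `test` access-rule is a single `permit any`, while `TP-Guest` denies 10.8.0.0/16 before its final permit. The script parses `wlan access-rule` and `wlan ssid-profile` blocks from a running-config, evaluates each guest SSID's rules first-match from the top, and reports which guest SSIDs would let a client reach an internal host. It assumes, as the dump's naming suggests, that an SSID's access rule carries the SSID's name, and it treats no match as deny (an assumption, stated in the code); the config text is a constructed excerpt of the blocks in the dump.

```python
"""List guest SSIDs whose client ACL reaches an internal host (added example)."""
import ipaddress
import shlex

# Constructed excerpt modelled on the access-rule and ssid-profile blocks in the dump.
CONFIG = """
wlan access-rule TP-Guest
 index 4
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit
 rule 10.8.1.4 255.255.255.255 match icmp any any permit
 rule 10.8.0.0 255.255.0.0 match any any any deny
 rule any any match any any any permit

wlan access-rule test
 index 6
 rule any any match any any any permit

wlan ssid-profile TP-Guest
 enable
 type guest
 essid TP-Guest

wlan ssid-profile test
 enable
 type guest
 essid test
"""


def parse_blocks(text, kind):
    """Return {name: [body lines]} for every top-level 'wlan <kind> <name>' block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            current = None              # a blank line ends the block
            continue
        if not raw.startswith(" "):
            words = shlex.split(raw)    # handles quoted names such as "TP 2.4GHZ"
            current = None
            if words[:2] == ["wlan", kind] and len(words) == 3:
                current = words[2]
                blocks[current] = []
            continue
        if current is not None:
            blocks[current].append(raw.strip())
    return blocks


def rule_matches(words, dst_ip, proto, port):
    """words: ['rule', dst, mask, 'match', proto, start_port, end_port, action]."""
    _, dst, mask, _, r_proto, lo, hi, _ = words
    if dst == "masterip":               # the VC's own address; no probe here targets it
        return False
    if dst != "any" and dst_ip not in ipaddress.IPv4Network((dst, mask), strict=False):
        return False
    if r_proto != "any" and r_proto != proto:
        return False
    if lo != "any" and not int(lo) <= port <= int(hi):
        return False
    return True


def first_action(rules, dst_ip, proto, port):
    """Action of the first matching rule. Assumption: no match means deny."""
    for line in rules:
        words = line.split()
        if words[0] == "rule" and rule_matches(words, dst_ip, proto, port):
            return words[-1]
    return "deny"


def guest_ssids_reaching(text, probe_ip, proto="tcp", port=445):
    """Names of guest SSIDs whose ACL permits a client to reach probe_ip on proto/port.

    Assumes the access-rule for an SSID carries the SSID profile's name.
    """
    ssids = parse_blocks(text, "ssid-profile")
    acls = parse_blocks(text, "access-rule")
    target = ipaddress.IPv4Address(probe_ip)
    return [name for name, body in ssids.items()
            if "type guest" in body
            and first_action(acls.get(name, []), target, proto, port) == "permit"]


if __name__ == "__main__":
    # Constructed probe: an internal file server address and SMB.
    print("guest SSIDs reaching 10.8.5.5:445 ->", guest_ssids_reaching(CONFIG, "10.8.5.5"))
```

Point it at a real `show running-config` capture and probe with an address from the internal range and a port that matters; a guest SSID that comes back in the list has an ACL that, like `test` here, needs the internal deny inserted above the final permit before the SSID goes live.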

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: routing problems with magic vlan

The config for the "test" SSID looks valid.  At this point, I would open up a case.  

MVP
Posts: 703
Registered: ‎12-01-2010

Re: routing problems with magic vlan

I would think that the guest (or is it Test?) VLAN will have to be on the switch fabric, since clients are dropped off directly by the iAP, vs. GRE-tunneled to the controller in a controller-based deployment.

We had to choose between exposing the guest clients' VLAN to the switch fabric and building one tunnel from the VC, or keeping the VLAN off the switch fabric and building a tunnel per AP.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it