ArubaOS and Controllers

Occasional Contributor I
Posts: 8
Registered: ‎01-21-2010

Inter-VLAN Routing not working

So this is supposed to be enabled out of the box according to the 3.3.1 documentation and I'm about to pull what's left of my hair out. I have VLAN 1 on port 0 and VLAN 2 on port 1. Controller is set up as the gateway for both. Both have inter-VLAN routing enabled, however I cannot ping across. No firewall policies have been created or applied. This is a factory default, with the 2 VLANs created and mapped to the above ports. What am I missing here?
Guru Elite
Posts: 20,822
Registered: ‎03-29-2007

Pinging with WHAT?

What are you pinging with? A client? Check the client's default gateway and subnet mask. The default gateway needs to be an IP address of the controller so the client can find the other subnet.

Inter Vlan routing is always on, by default.


Colin Joseph
Aruba Customer Engineering

Occasional Contributor I
Posts: 8
Registered: ‎01-21-2010

Re: Inter-VLAN Routing not working

I have my laptop plugged in to port 1 of the controller trying to ping a Cisco 3560 switch plugged into port 0. I've double checked the default gateways, all are correct. Controller is .1 on both VLANs.
VLAN1 on port 0 is 192.168.1.1
VLAN2 on port 1 is 192.168.2.1
My laptop is 192.168.2.253
Switch is 192.168.1.3.

I can ping 192.168.2.1 and 192.168.1.1
I cannot ping the controller's loopback at 192.168.1.2 or the switch at 192.168.1.3
Occasional Contributor I
Posts: 8
Registered: ‎01-21-2010

Re: Inter-VLAN Routing not working

I have the controller gateway set to its VLAN 1 address of 192.168.1.1. What I'm trying to do is use the controller as our gateway with several VLANs on the inside, but I need to be able to route between these internal networks. If I can't get past this, then no need to go further.
Config below:

(CTRL01-CARY) #show run
Building Configuration...

version 3.3
enable secret "******"
hostname "CTRL01-CARY"
clock timezone PST -8
location "Cary, NC"
mms config 0
controller config 1
ip access-list session validuser
any any any permit
!
vpn-dialer default-dialer
ike authentication PRE-SHARE ******
!
user-role ap-role
!
user-role trusted-ap
!
user-role guest-logon
!
user-role guest
!
user-role stateful-dot1x
!
user-role logon
!
aaa pubcookie-authentication
!

no spanning-tree
interface mgmt
shutdown
!

interface loopback
ip address 192.168.1.2
!

vlan 2


interface gigabitethernet 1/0
description "GE1/0"
trusted
ip access-group validuser session
!

interface gigabitethernet 1/1
description "GE1/1"
trusted
ip access-group validuser session
switchport access vlan 2
!

interface gigabitethernet 1/2
description "GE1/2"
trusted
!

interface gigabitethernet 1/3
description "GE1/3"
trusted
!

interface vlan 1
ip address 192.168.1.1 255.255.255.0
!

interface vlan 2
ip address 192.168.2.1 255.255.255.0
!
ip default-gateway 192.168.1.1

ap mesh-recovery-profile cluster Recovery-Bg-+KJkL2-0Pn78 wpa-hexkey 1813817c958c5da4fa95b43595b5950becc06c456e6fe26c04016f34032f6386e4f74fc74de1db5660bdc74d8ccde26844f576e7f85294db1c4d1263ec8050db683e7297b482402d2e83a9e8f179d888
wms
general poll-interval 60000
general poll-retries 3
general ap-ageout-interval 30
general sta-ageout-interval 30
general learn-ap disable
general persistent-known-interfering enable
general propagate-wired-macs enable
general stat-update enable
general collect-stats disable
!
no crypto-local isakmp permit-invalid-cert
localip 0.0.0.0 ipsec 04646ea39fc42aa76a61fa1fe03aa0c482d973b1010d5f1b
crypto isakmp groupname changeme
crypto-local isakmp dpd idle-timeout 22 retry-timeout 2 retry-attempts 3
crypto-local isakmp xauth

vpdn group l2tp
ppp authentication PAP
!

ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp pool VLAN2_EMP
default-router 192.168.2.1
dns-server 192.168.2.1
lease 1 0 0
network 192.168.2.0 255.255.255.0
authoritative
!
service dhcp

vpdn group pptp
ppp authentication MSCHAPv2
!

mux-address 0.0.0.0

adp discovery enable
adp igmp-join enable
adp igmp-vlan 0



ssh mgmt-auth username/password
mgmt-user admin root 7bf998e4012bc87f9425e8c322a8da769f44f491b6e937bdb3


no database synchronize
database synchronize rf-plan-data

ip mobile domain default
!

ip igmp
!

packet-capture-defaults tcp disable udp disable sysmsg disable other disable
!
ip domain lookup
!
country US
aaa authentication mac "default"
!
aaa authentication dot1x "default"
!
aaa server-group "default"
auth-server Internal
!
aaa profile "default"
!
aaa authentication captive-portal "default"
!
aaa authentication vpn
!
aaa authentication mgmt
!
aaa authentication stateful-dot1x
!
aaa authentication wired
!
web-server
!
ap system-profile "default"
!
ap regulatory-domain-profile "default"
country-code US
valid-11g-channel 1
valid-11g-channel 6
valid-11g-channel 11
valid-11a-channel 36
valid-11a-channel 40
valid-11a-channel 44
valid-11a-channel 48
valid-11a-channel 149
valid-11a-channel 153
valid-11a-channel 157
valid-11a-channel 161
valid-11a-channel 165
valid-11g-40mhz-channel-pair 1+
valid-11g-40mhz-channel-pair 5-
valid-11g-40mhz-channel-pair 7+
valid-11g-40mhz-channel-pair 11-
valid-11a-40mhz-channel-pair 36+
valid-11a-40mhz-channel-pair 40-
valid-11a-40mhz-channel-pair 44+
valid-11a-40mhz-channel-pair 48-
valid-11a-40mhz-channel-pair 149+
valid-11a-40mhz-channel-pair 153-
valid-11a-40mhz-channel-pair 157+
valid-11a-40mhz-channel-pair 161-
!
ap wired-ap-profile "default"
!
ap enet-link-profile "default"
!
ap mesh-radio-profile "default"
!
ap mesh-cluster-profile "default"
!
ap snmp-profile "default"
!
ids general-profile "default"
!
ids rate-thresholds-profile "default"
!
ids signature-profile "default"
!
ids impersonation-profile "default"
!
ids unauthorized-device-profile "default"
!
ids signature-matching-profile "default"
!
ids dos-profile "default"
!
ids profile "default"
!
rf arm-profile "default"
!
rf optimization-profile "default"
!
rf event-thresholds-profile "default"
!
rf dot11a-radio-profile "default"
!
rf dot11g-radio-profile "default"
!
wlan ht-ssid-profile "default"
!
wlan ssid-profile "default"
!
wlan virtual-ap "default"
!
ap-group "default"
virtual-ap "default"
!
end
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Inter-VLAN Routing not working

Do you have the ports set to "trusted"? If they are untrusted, you will be in the wired-profile initial role until you authenticate. The default should be trusted, but you should double check.

While you are pinging, from the CLI, do a "show datapath session | include 192.168.1.3" (assuming you are trying to ping the switch) and see if you see a "D" in the flags column. That means it was denied for some reason. If you don't, make sure you see bidirectional packets (source of 192.168.2.253 as well as destination of the same). They will be on different lines with different ports. The protocol should be "1" for ICMP. Post the results if it still doesn't work.
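
The check described in the post above, as an added example that is not part of the thread and is not Aruba tooling: it scans session-table text for a denied ("D") ICMP entry and for entries in both directions. The column layout, the sample rows and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed rows, NOT captured from a controller. Assumed simplified layout:
# source, destination, protocol, sport, dport, flags. Only the "D" (denied)
# flag comes from the post; the other flag letters are filler.
SAMPLE = """\
Source IP       Destination IP  Prot SPort DPort Flags
--------------  --------------  ---- ----- ----- -----
192.168.2.253   192.168.1.3     1    2048  0     FC
192.168.1.3     192.168.2.253   1    0     2048  F
192.168.2.253   192.168.1.2     1    2049  0     FD
192.168.2.253   192.168.1.4     1    2050  0     FC
192.168.2.253   192.168.2.1     17   68    67
"""

def parse_sessions(text):
    """Return one dict per session row, skipping header and separator lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            src = str(ipaddress.ip_address(parts[0]))
            dst = str(ipaddress.ip_address(parts[1]))
            proto = int(parts[2])
        except ValueError:
            continue  # not a session row
        flags = parts[5] if len(parts) > 5 else ""  # flags column may be empty
        rows.append({"src": src, "dst": dst, "proto": proto, "flags": flags})
    return rows

def check_icmp(rows, client, target):
    """Classify the ICMP (protocol 1) flow between client and target."""
    icmp = [r for r in rows if r["proto"] == 1]
    fwd = [r for r in icmp if (r["src"], r["dst"]) == (client, target)]
    rev = [r for r in icmp if (r["src"], r["dst"]) == (target, client)]
    if not fwd and not rev:
        return "no-session"
    if any("D" in r["flags"] for r in fwd + rev):
        return "denied"
    return "bidirectional" if fwd and rev else "one-way"

if __name__ == "__main__":
    rows = parse_sessions(SAMPLE)
    for target in ("192.168.1.3", "192.168.1.2", "192.168.1.4"):
        print(target, check_icmp(rows, "192.168.2.253", target))
```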
Occasional Contributor I
Posts: 8
Registered: ‎01-21-2010

Re: Inter-VLAN Routing not working

Problem solved... When digging into the CLI, I did a sho IP int and saw that the netmask of the loopback address was 255.255.255.255 (can't specify in the GUI, just is), whereas my VLAN 1 address was 255.255.255.0. Makes sense you can't have 2 different masks on the same VLAN. I removed the loopback address and everything came up. Thanks for the help all!
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Inter-VLAN Routing not working

Glad to hear it's working, but the loopback mask is always 32-bit. We don't use the loopback interface as a separate subnet. The IP address of a loopback MUST be from an existing subnet and will use /32. It's very strange that removing the loopback interface fixed the issue. When you removed the loopback, you were prompted to reboot, correct? If you rebooted, did it start working before or after the reboot?
Occasional Contributor I
Posts: 8
Registered: ‎01-21-2010

Re: Inter-VLAN Routing not working

I was prompted to reboot, it started working as soon as I applied the change. Thanks for the help!