ArubaOS and Controllers

Occasional Contributor I
Posts: 9
Registered: ‎11-12-2009

Inter-VLAN routing

I cannot seem to get inter-VLAN routing working properly at all. MMC OS is 3.4.1.0. I have VLAN 1 which is physically connected to the controller and contains our main subnet. I have VLAN 191 which exists only on the controller and is for dot1x wireless clients. I can ping the gateway of VLAN 191 once connected to the SSID for it, and I can ping the VLAN interface of VLAN 1 and the loopback address of the controller - but have no other connectivity at all to VLAN 1. If I turn on source NATing for VLAN 191 - it then seems to work - and I can access VLAN 1 from 191 - but I don't want it source NATed.

Can anyone please help?
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Inter-VLAN routing

Dan,

What role are the wired clients getting placed into? Connect to the controller, then do a "show user". Note the role for your user, then do a "show rights ". Make sure your role is allowing the traffic you expect. Also, ping something you expect to be able to ping, then do a "show datapath session | include " and make sure you don't see a "D" in the flag column. If you do, the role you are in is denying the traffic at the controller.
Occasional Contributor I
Posts: 9
Registered: ‎11-12-2009

Re: Inter-VLAN routing

Hi Olin.

The wireless clients are placed into a role which has only one rule - to allow all traffic from any to any. I have another VAP which places the clients directly into VLAN 1 using this role & rule with no problems.

Here is the output from the show datapath session:

192.168.1.254 172.16.8.24 1 245 2048 0 0 0 1 tunnel 393 f FCI
192.168.1.254 172.16.8.24 1 244 2048 0 0 0 1 tunnel 393 13 FCI
192.168.1.254 172.16.8.24 1 247 2048 0 0 0 1 tunnel 393 5 FCI
192.168.1.254 172.16.8.24 1 246 2048 0 0 0 1 tunnel 393 a FCI
172.16.8.24 192.168.1.254 1 245 0 0 0 0 1 tunnel 393 f FYI
172.16.8.24 192.168.1.254 1 244 0 0 0 0 1 tunnel 393 13 FYI
172.16.8.24 192.168.1.254 1 247 0 0 0 0 0 tunnel 393 5 FYI
172.16.8.24 192.168.1.254 1 246 0 0 0 0 0 tunnel 393 a FYI

Dan.
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Inter-VLAN routing

From the output you sent, the response to your ICMP requests is getting returned. Was this from a non-working ICMP request?
Occasional Contributor I
Posts: 9
Registered: ‎11-12-2009

Re: Inter-VLAN routing

By non-working, what do you mean? The client making the ping gets no response - that is the issue.

Dan.
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Inter-VLAN routing

Yes, that is what I meant by non-working (the host did not receive the replies). It may be a routing issue in the network. Do you have the subnet for the 191 VLAN in your core router?
Occasional Contributor I
Posts: 9
Registered: ‎11-12-2009

Re: Inter-VLAN routing

No - as it's only used to route externally. Could it be that hosts in VLAN 1 don't know how to route back to VLAN 191 via the Aruba controller? The Aruba controller is not the gateway for VLAN 1, so how is that achieved?

Dan.
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Inter-VLAN routing

Dan,

That is most likely the issue. For a host on VLAN 1 to be able to reply to your host, it would have to either use the controller as its default gateway (which you said it did not) or the router that the VLAN 1 clients use would have to know how to reach the subnet assigned to VLAN 191 on the controller. Typically, the router on VLAN 1 would have a route statement pointing all VLAN 191 subnet traffic to the IP address assigned to VLAN 1 on the controller.

For testing, you could enter a route on the host you are trying to ping that routes all VLAN 191 traffic to the IP address of the controller on VLAN 1. The syntax is "route add 10.0.0.0 mask 255.0.0.0 192.168.0.1", where 10.0.0.0 is the VLAN 191 subnet, 255.0.0.0 is the VLAN 191 mask and 192.168.0.1 is the address assigned to VLAN 1 on the controller. This would only be used for testing, but it would show you that everything works as expected.

If none of those conditions are true, clients in VLAN 1 won't be able to talk to clients in VLAN 191.
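
The return-path reasoning in the reply above, as an added example that is not part of the original thread: it follows an ICMP reply hop by hop with longest-prefix matching, with no VLAN 191 route, with a static route on the core router, with the test route on the host, and with source NAT. The 10.0.0.0/8 subnet and 192.168.0.1 follow the "route add" example above; the host, core router, client and upstream addresses are constructed assumptions.

```python
import ipaddress

# Constructed addresses. 10.0.0.0/8 (VLAN 191) and 192.168.0.1 (controller on VLAN 1)
# follow the thread's "route add" example; everything else is an assumption.
HOST, CORE, CONTROLLER = "192.168.0.50", "192.168.0.254", "192.168.0.1"
CLIENT, UPSTREAM = "10.0.0.20", "203.0.113.1"
VLAN1, VLAN191 = "192.168.0.0/24", "10.0.0.0/8"

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; gateway None means on-link."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return "unreachable"
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return dst if gw is None else gw

def reply_path(tables, dst, start=HOST, max_hops=8):
    """Follow a reply until it reaches dst or leaves the modelled network."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        path.append(hop)
        if hop == dst or hop not in tables:
            break
        node = hop
    return path

def build_tables(core_route=False, host_route=False):
    """Route tables keyed by node address, optionally with a VLAN 191 static route."""
    tables = {
        HOST: [(VLAN1, None), ("0.0.0.0/0", CORE)],
        CORE: [(VLAN1, None), ("0.0.0.0/0", UPSTREAM)],  # core only routes externally
        CONTROLLER: [(VLAN1, None), (VLAN191, None)],
    }
    if core_route:
        tables[CORE].append((VLAN191, CONTROLLER))
    if host_route:
        tables[HOST].append((VLAN191, CONTROLLER))
    return tables

if __name__ == "__main__":
    print("no route:  ", reply_path(build_tables(), CLIENT))
    print("core route:", reply_path(build_tables(core_route=True), CLIENT))
    print("host route:", reply_path(build_tables(host_route=True), CLIENT))
    # With source NAT the VLAN 1 host sees the controller's VLAN 1 address as the sender.
    print("source NAT:", reply_path(build_tables(), CONTROLLER))
```

Without a VLAN 191 route the reply follows the default route out of the network, which matches a session table that shows traffic while the client sees no response; with source NAT the reply is addressed to an on-link address, so no extra route is needed.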
Occasional Contributor I
Posts: 9
Registered: ‎11-12-2009

Re: Inter-VLAN routing

I think you are right. For now, I think we'll have to join wireless clients to VLAN 1 until we have a way of routing them. Many thanks for your help!
Dan.