Controllerless Networks

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP one of two SSID not receiving DNS

  • 1.  IAP one of two SSID not receiving DNS

    Posted Sep 16, 2016 02:11 PM

    We're just starting out with Aruba Instant here, and are having troubles with our initial test setup. We are trying to get this working with just 1 IAP to start with.

     

    The switch interface that the IAP is connected to is a trunk and has VLANs 908, 1100, and 2521 (default). The IAP receives its IP from our DHCP server from the 2521 network. We have 2 SSIDs set up on the IAP, external access (908) and internal access (1100). Internal access is fully functional, it can query our DNS and receive responses. With correct roles from our internal authentication servers, they may gain external access.

     

    The external access SSID (908) however is receiving no syn from the DNS servers, but is still receiving an address from DHCP, which is run on the same servers as DNS. Packet captures at the IAP interface show the DNS query, but no responses arrive. Packet captures at the switch's uplink show the queries and their responses arriving. For some reason, the IAP is not receiving DNS queries on the 908, but is on the 1100. There is no firewall set up in between the device and the DNS. The only firewall is for external traffic.

    I'm having difficulty figuring out why one SSID is able to hit and receive DNS, DHCP and authentication servers, but the other SSID is unable to receive DNS. We already have a different WiFi solution using the external VLAN, and we can verify that it's correctly routed.

    Any help is appreciated.

     

    Type 214

    Version 6.4.2.3-4.1.1.4



  • 2.  RE: IAP one of two SSID not receiving DNS

    Posted Sep 28, 2016 09:25 AM

    I'm still trying to resolve this issue, but I have a few updates.

    After running many packet captures at different points, and different VLAN configurations, we've found the following:

     

    When the IAP is set to vlan 908, and the switch interface it connects to is vlan 908, we are able to resolve DNS.

    When the IAP is set to VLAN 2521, broadcasting SSID 908, and the switch interface is set to native VLAN 2521 (untagged) and 908 tagged, we are not able to resolve DNS. When running packet captures at the access switch's uplink, we are able to see the DNS response packets arrive at the switch, but no discards or errors occur at the IAP interface on the switch. The switch has routing disabled, so it is not making any decisions. If we tag VLAN 1100 on top of this, that SSID is able to receive DNS.


    Aruba support has been assisting us for the past 2 weeks on this, and are having great difficulty in figuring out why this is occurring, so I want to reach out to more sources of help with Airheads.

     



  • 3.  RE: IAP one of two SSID not receiving DNS

    Posted Oct 03, 2016 11:51 AM

    Another update.

     

    I must have overlooked this in earlier captures but it seems obvious now.

     

    The controller is tagging packets from devices on the 908 SSID with the management vlan 2521, instead of the 908 vlan. However on the 1100 SSID, the packets are being correctly tagged on the 1100 vlan. 

     

    Now my task is to discover why the IAP is tagging only one SSID on its management VLAN instead of the correct one specified in the SSID VLAN setting.

     

    Again, any help or ideas would be appreciated from the community. Thank you.



  • 4.  RE: IAP one of two SSID not receiving DNS

    EMPLOYEE
    Posted Oct 04, 2016 02:19 AM

    Please share snapshots for both SSIDs, how you have configured the VLAN settings? It should be network assigned and static assignment of VLAN x.

     

     



  • 5.  RE: IAP one of two SSID not receiving DNS

    Posted Oct 04, 2016 07:21 AM

    OvaisAEC - The SSIDs HAVE to be network assigned and set to static to be able to assign them a VLAN. I assumed that seemed clear in any of my posts on this topic.

     

    What is occurring is regardless of being set to Network Assigned, and static VLAN of 908, the AP is tagging that SSID on VLAN 2521 on all traffic instead of 908. For all other SSIDs, the AP will tag the statically assigned VLAN (as expected).

     

     

     



  • 6.  RE: IAP one of two SSID not receiving DNS

    EMPLOYEE
    Posted Oct 04, 2016 08:39 AM
    Please share the screenshot

    Best Regards
    Ovais Iqbal
    HPE MASE Infrastructure / CCIE # 37956 (R&S)
    Solutions Architect - HPE Networking | Aruba
    Hewlett Packard Enterprise
    M: +92-321-2960496

    hpe.com/networking www.arubanetworks.com


  • 7.  RE: IAP one of two SSID not receiving DNS

    Posted Oct 04, 2016 08:42 AM

    As seen, the VLAN is on 908. However the IAP will tag this SSID on 2521 (why only this one, and not the other SSID on vlan 1100, same setup?).

     

    2016-10-04_08h40_23.png



  • 8.  RE: IAP one of two SSID not receiving DNS

    Posted Oct 04, 2016 08:44 AM

    for the SSID on VLAN 1100

    2016-10-04_08h43_03.png



  • 9.  RE: IAP one of two SSID not receiving DNS

    Posted Oct 11, 2016 09:00 AM

    We have a resolution, but it doesn't sit well with us. I will provide details after I've done some investigation, but it appears the Aruba Instant doesn't handle DNS requests normally. I'll be trying to find out how they package their DNS queries and method of delivery.



  • 10.  RE: IAP one of two SSID not receiving DNS

    Posted Oct 11, 2016 11:26 AM

    The DNS is being packaged normally actually, I was a bit hasty with my last response.

    We have DNS working, but the DNS queries are being sent from the IAP on VLAN 2521 (native VLAN) as opposed to VLAN 908 from the same SSID. But the 1100 SSID is still being sent from the IAP on VLAN 1100. 

     

    We want the IAP to send the DNS query on VLAN 908, but it is changing to 2521 somehow (no different setup than 1100). We want this to be on 908 so as to set up firewall rules for just it, instead of including 2521 (wireless management).



  • 11.  RE: IAP one of two SSID not receiving DNS

    Posted Oct 12, 2016 09:33 AM

    Here is an example of the DNS query from a client connected to the 908 VLAN SSID, who receives a DHCP address for the VLAN (10.98.x.x). This is taken from the IAP interface. Somehow the IAP changes the VLAN on the 908 SSID to VLAN 2521. Aruba engineers are baffled and unsure of how this could happen. Any ideas from the community would be appreciated.

     

     

    Web - 908 to CNN.png
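
The check this thread keeps returning to (which VLAN a 908-SSID client's DNS query actually leaves the IAP on) can be run over raw captured frames. This is an added example, not part of any post and not Aruba code; the /16 mask, the sample addresses and all function names are assumptions, and the frames are constructed rather than taken from the poster's capture.

```python
import ipaddress
import struct

NATIVE_VLAN = 2521  # untagged native VLAN on the trunk, per the thread
# Client subnet -> expected VLAN; the /16 mask is an assumption (thread says 10.98.x.x)
EXPECTED = {ipaddress.ip_network("10.98.0.0/16"): 908}

def dns_query_vlan(frame, native_vlan=NATIVE_VLAN):
    """Return (vlan_id, src_ip) for an IPv4/UDP frame to port 53, else None."""
    if len(frame) < 18:
        return None
    vlan, offset = native_vlan, 14          # untagged frames ride the native VLAN
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100:                 # 802.1Q: low 12 bits of the TCI are the VLAN ID
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    ip = frame[offset:]
    if ethertype != 0x0800 or len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if ihl < 20 or ip[9] != 17 or frag_offset or len(ip) < ihl + 8:
        return None                         # not UDP, or no UDP header in this fragment
    if struct.unpack("!H", ip[ihl + 2:ihl + 4])[0] != 53:
        return None
    return vlan, ipaddress.ip_address(ip[12:16])

def find_mistagged(frames, expected=EXPECTED):
    """List (src_ip, seen_vlan, expected_vlan) for DNS queries on the wrong VLAN."""
    findings = []
    for vlan, src in filter(None, map(dns_query_vlan, frames)):
        findings += [(str(src), vlan, want)
                     for net, want in expected.items() if src in net and vlan != want]
    return findings

def build_frame(src_ip, vlan=None, dport=53):
    """Constructed sample: Ethernet [+ 802.1Q] / IPv4 / UDP header, no payload."""
    macs = bytes.fromhex("020000000001020000000002")
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address("192.0.2.53").packed)  # placeholder DNS server
    return macs + tag + struct.pack("!H", 0x0800) + ip + struct.pack("!HHHH", 40000, dport, 8, 0)

SAMPLE = [build_frame("10.98.4.20", vlan=908),              # tagged as intended
          build_frame("10.98.4.21", vlan=2521),             # tagged on management VLAN
          build_frame("10.98.4.22"),                        # untagged -> native VLAN
          build_frame("10.98.4.23", vlan=2521, dport=443)]  # not DNS, ignored
```

Any entry returned by `find_mistagged` is a guest-subnet query that would be evaluated by firewall rules written for the management VLAN rather than for 908.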



  • 12.  RE: IAP one of two SSID not receiving DNS

    EMPLOYEE
    Posted Oct 12, 2016 09:41 AM

    TAC could not help?  I am assuming they have your tech support.  If you feel like you are not getting anywhere, you should escalate the case. 

     

    Since we do not have your tech support on the forum, we would just be guessing..



  • 13.  RE: IAP one of two SSID not receiving DNS

    Posted Oct 12, 2016 09:46 AM

    We've already escalated with TAC support up to their Senior Engineers, they have been on the case for several weeks now. I'm hoping someone in the community with fresh eyes might have some insight.