Contributor I
Posts: 80
Registered: ‎04-29-2013

unable to ping across vlans without 'ip helper-address' command

This SEEMS the best place to put this, but if necessary, please feel free to move it. 

 

The Setup:

In my environment I have a 3400 controller in production and a ClearPass appliance in production. The 3400 has sub-interfaces in the primary (server/appliance) vlan (7), the management vlan (11), and each separate vlan that SSIDs and the APs (24-29) themselves reside on. The ClearPass appliance resides on a separate vlan (23). The ClearPass appliance is used for RADIUS authentication, and is reachable from a wireless device, or any wired device, other than our guest SSID, which is ACL'ed off.

 

I also have a 7205 controller which is being configured to eventually be the production controller. I have a second ClearPass appliance that is doing RADIUS and 'other NAC stuff' for the 7205 APs. The connections fall into the exact same vlans as the production controller/ClearPass/APs/SSIDs. 

 

The Problem:

Devices connected to the 7205 cannot reach the ClearPass appliance. Example: A laptop is placed on an SSID on the 3400 and receives an IP of a.b.c.6, and can ping ClearPass. The same laptop disconnects, and reconnects to an SSID on the 7205, receiving an IP of a.b.c.10. The device can no longer ping the ClearPass device. I have - I believe - ruled out a role-acl issue by putting an allowall acl on the role on the 7205.

 

I added an ip helper-address on the SSID interface of my core to point to the IP address of the ClearPass appliance, and now pings go through properly. However, it is my understanding that this is effectively allowing broadcasts to go through the layer 3 interface into the helper-address. 

 

The Question:

Why does the 7205 require a helper-address, when the 3400 does not? The only difference I can see is that the 3400 is in bridged mode, and the 7205 (required for captive-portal and posturing I am told) is in tunnel mode.

 

Thanks,

 

Russell
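The worry in the post above is that `ip helper-address` forwards subnet broadcasts (DHCP/BOOTP and the other default UDP ports) to whatever host it names, so pointing it at a RADIUS/NAC appliance as a routing workaround is worth catching. The following is an added example, not code from the thread or from Aruba/Cisco: a small lint over a constructed Cisco-style SVI config that lists each interface's helper-addresses and flags any that are not in an assumed inventory of legitimate DHCP servers.

```python
import ipaddress
import re

# Constructed sample config (not the poster's); all addresses are placeholders.
SAMPLE_CONFIG = """
interface Vlan7
 ip address 10.7.0.1 255.255.255.0
!
interface Vlan23
 ip address 10.23.0.1 255.255.255.0
!
interface Vlan24
 ip address 10.24.0.1 255.255.255.0
 ip helper-address 10.7.0.5
 ip helper-address 10.23.0.20
!
"""

# Assumed inventory: hosts that legitimately serve DHCP, and the RADIUS/NAC appliance.
KNOWN_DHCP_SERVERS = {"10.7.0.5"}
KNOWN_RADIUS_SERVERS = {"10.23.0.20"}


def parse_svis(config: str) -> dict:
    """Return {interface: {"address": "a.b.c.d/prefix" or None, "helpers": [...]}}."""
    svis, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            svis[current] = {"address": None, "helpers": []}
            continue
        if current is None:
            continue
        m = re.match(r"^\s+ip address (\S+) (\S+)", line)
        if m:  # ip_interface accepts a dotted netmask and normalises it to a prefix length
            svis[current]["address"] = str(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
            continue
        m = re.match(r"^\s+ip helper-address (\S+)", line)
        if m:
            svis[current]["helpers"].append(m.group(1))
    return svis


def audit_helpers(svis: dict, dhcp_servers: set, radius_servers: set) -> list:
    """Flag helper-addresses that relay subnet broadcasts to a host that is not a DHCP server."""
    findings = []
    for name, data in svis.items():
        for helper in data["helpers"]:
            if helper in dhcp_servers:
                continue
            kind = "RADIUS/NAC host" if helper in radius_servers else "unknown host"
            findings.append((name, helper, kind))
    return findings


if __name__ == "__main__":
    for iface, helper, kind in audit_helpers(parse_svis(SAMPLE_CONFIG), KNOWN_DHCP_SERVERS, KNOWN_RADIUS_SERVERS):
        print(f"{iface}: ip helper-address {helper} relays broadcasts to a {kind}; fix routing or the role instead")
```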

Guru Elite
Posts: 19,983
Registered: ‎03-29-2007

Re: unable to ping across vlans without 'ip helper-address' command

What is the default gateway of network a.b.c.10? That would be responsible for the routing. That is where you should start.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Contributor I
Posts: 80
Registered: ‎04-29-2013

Re: unable to ping across vlans without 'ip helper-address' command

In both cases, the device gets its DHCP address from the 6509 core, and the default gateway is a.b.c.1

 

Guru Elite
Posts: 19,983
Registered: ‎03-29-2007

Re: unable to ping across vlans without 'ip helper-address' command

But is .1 the 6509?

Colin Joseph
Aruba Customer Engineering

Contributor I
Posts: 80
Registered: ‎04-29-2013

Re: unable to ping across vlans without 'ip helper-address' command

Yes. Please note that anything on vlan 24 that ISN'T coming from a device connected to an AP on the 7205 can access the ClearPass appliance without the ip helper-address statements. Even the 7205 itself, with an extended ping sourced from the vlan 24 subinterface, can ping the ClearPass appliance.

 

Russell

Guru Elite
Posts: 19,983
Registered: ‎03-29-2007

Re: unable to ping across vlans without 'ip helper-address' command

We would have to see your topology as well as a tech support of the controller to understand everything that is going on. Right now, we would be just guessing what is wrong...

Colin Joseph
Aruba Customer Engineering

Contributor I
Posts: 80
Registered: ‎04-29-2013

Re: unable to ping across vlans without 'ip helper-address' command

Attached. Let me know if more clarification is needed.

Guru Elite
Posts: 19,983
Registered: ‎03-29-2007

Re: unable to ping across vlans without 'ip helper-address' command

I don't see any users on the 7205. What VLAN and what role do users get when they connect and see this issue?

 

Colin Joseph
Aruba Customer Engineering

Contributor I
Posts: 80
Registered: ‎04-29-2013

Re: unable to ping across vlans without 'ip helper-address' command

Vlan 24 and a role of authenticated.

 

Russell

Guru Elite
Posts: 19,983
Registered: ‎03-29-2007

Re: unable to ping across vlans without 'ip helper-address' command

It does not make sense that this would be blocked. There is probably something else at play. You should open a TAC case.

Colin Joseph
Aruba Customer Engineering
