Wireless Access

Hi all,

We have AP 105
We have a virtual AP profile setup in bridge mode with settings:-

VLAN:13, Forward mode:bridge

The controller is untagged vlan 1 and tagged vlan 13.

DHCP is on the controller and give address on Vlan 13.

The APs are connected to network switches and those connected ports are with vlan 1 untagged and vlan 13 tagged.

The address ip is well received but I can't access to network vlan 13 (ping gateway give no responses, no internet access etc).

I've checked in AP-Group> AP> System Profile> Native VLAN and is 1 which is configured. So it must taged the packet in vlan 13.

If I plug a cable on the port instead the AP and at the other end a laptop , everithing works fine.

I must have missed something but I can't find what I have missed.

Thanks in advance for any help.

Hi,

Please clarify the following for better understanding your issue.

1. What type of link you have between Switch and the AP ( Access or Trunk ) ?

2. Controller is the gateway ?

Clarify the above and feel free for any help on this.

Hi,

Thanks for you reply.

1. The AP are access in vlan 10 and trunk in vlan 13

2. No, the gateway is our firewall.

Is your AP configured as a campus AP ?

Do you have CPSec enabled ?

Hi,

As per my understanding,

1. APs are connected to a Switch and Aruba controller is reachable from the AP.

2. APs are getting IP address from VLAN 1 subnet

3. There is one SSID on bridge mode and clients connected to this SSID are not getting IP , right ?

Please ensure the following cofig is in place,

1. The switch port where AP is connected should be a trunk link ( coz client traffic will go out of the tunnel) and VLAN 13 should be allowed.

2. As victor said, CPSec should be enabled in order to bring up Bridge mode SSID.

3.DHCP should be reachable from the switch where AP is connected ( Ensure the IP Helper is configured as per the requirement)

If you fulfill all the above, when a client connected to a bridge mode SSID, AP will forward the DHCP traffic of the client over the uplink port ( will not go through the GRE tunnel) hence DHCP traffic will reach the Switch where AP is connected.

Hope you got some clarity on this.

Thanks for you reply

@Victor :

Yes ap are configured as campus AP

And Yes CPSEC is enabled.

@dhanraj : To clarify

1. yes

2. No, from vlan 10 (DHCP is controller)

3. There is another SSID in Tunnel Mode which works fine.

 Clients who connect to ssid in bridge mode get addess ip in the good vlan (13) but cannot communicate with the gateway, controller etc.  and of course don't have internet access

So clients can get an IP address from the switch.

Do clients shows any devices in their arp cache when you try to ping your gateway or the switch?

from CLI on the client try

# arp -a

You Also said:

"If I plug a cable on the port instead the AP and at the other end a laptop , everithing works fine."

Wouldn't this laptop default to the native vlan? Can you try configuring a switch port to access vlan 13 and see if you client gets an IP and network access that way? Unless i just misunderstood and thats what was tried.

Yes clients get an ip address from the switch.

I can't try the command today. I will do this friday. 

For my test I put the VLAN ID 13 in my network card (advanced options) on my laptop and then plug my laptop instead of the AP and everything works fine (access to network, internet etc.)

One other thing to check. What role does the client get? As i understand in Bridge mode the AP still enforcement the roles Firewall policy on the user. If the user is falling in to a logon role or some restricted role they might get DHCP but then no actual network access.

Just another thought

Hi,

So I tried "arp -a" after a ping command and nothing appears, just the brodcast address of the network of the new SSID.

I've also checked the roles and nothing seems to stop the traffic.

Any ideas ?

Thanks,

up !

What was the solution to your problem?  We are experiencing a similar problem on our bridged networks.

That original post was from 4 years ago!   Please open your own thread with your issue.