Wireless Access

Occasional Contributor II
Posts: 13
Registered: ‎08-17-2012

Controller responding to traffic under wrong VLAN

So I'm having sort of a weird problem with my controller (Aruba 6.1.3.4). Here's a breakdown of my network topology:

VLAN 102 Wireless 192.168.102.0/24
VLAN 100 Internal 192.168.100.0/23
VLAN 25 guest 10.10.25.0/24

All of the VLANs are connected via Layer 3 through a Cisco ASA.

The controller IP is configured on VLAN 100, which is also where all of the APs are located.

The Problem:

When someone on a VLAN other than 100 tries to access the controller (using its VLAN 100 IP address), the controller tries to respond using its VLAN 100 IP address, but it tags the traffic for the VLAN of the original request.

Example:

User on the guest VLAN 25 pings the controller IP 192.168.100.xxx
Ping gets sent through the ASA and arrives at the controller on VLAN 100
Controller receives the ping, then responds on VLAN 25, but using IP 192.168.100.xxx
The ASA drops the response, because the connection doesn't exist (wrong interface)

What could possibly be causing this?
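The drop described above is what a stateful firewall does when a reply comes back on an interface other than the one the request left on. The following is an added example (not Aruba or Cisco code, and not from this thread): a toy stateful firewall that keys each connection on its ingress and egress VLAN and only accepts a reply on the egress side. The subnets are the ones listed in the post; the controller address 192.168.100.17 comes from the config posted later in the thread, and the guest host address 10.10.25.50 is constructed.

```python
"""Toy model of the asymmetric-reply failure from the post above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    ingress_vlan: int  # firewall interface (VLAN) the packet arrived on


class StatefulFirewall:
    """Minimal stateful L3 firewall with one routed interface per VLAN."""

    def __init__(self, interfaces: Dict[int, str]):
        self.interfaces = {v: ipaddress.ip_network(n) for v, n in interfaces.items()}
        # (src, dst, proto) -> (ingress_vlan, egress_vlan) of the flow's first packet
        self.conntrack: Dict[Tuple[str, str, str], Tuple[int, int]] = {}

    def vlan_for(self, addr: str) -> Optional[int]:
        """Interface whose subnet contains addr, or None if unroutable."""
        ip = ipaddress.ip_address(addr)
        for vid, net in self.interfaces.items():
            if ip in net:
                return vid
        return None

    def process(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.proto)
        reverse = (pkt.dst, pkt.src, pkt.proto)
        entry = self.conntrack.get(reverse)
        if entry is not None:
            orig_in, orig_out = entry
            # A reply must come back in on the interface the request went out of;
            # on any other interface there is no matching connection, so drop it.
            if pkt.ingress_vlan != orig_out:
                return (f"DROP: no connection for {pkt.src}->{pkt.dst} on "
                        f"VLAN {pkt.ingress_vlan} (expected VLAN {orig_out})")
            return f"FORWARD reply to VLAN {orig_in}"
        egress = self.vlan_for(pkt.dst)
        if egress is None:
            return "DROP: no route"
        self.conntrack[key] = (pkt.ingress_vlan, egress)
        return f"FORWARD new flow to VLAN {egress}"


def simulate_ping(reply_vlan: int) -> Tuple[str, str]:
    """Guest host pings the controller's VLAN 100 address; the controller
    answers from that same address but tagged for reply_vlan."""
    fw = StatefulFirewall({25: "10.10.25.0/24",
                           100: "192.168.100.0/23",
                           102: "192.168.102.0/24"})
    guest, controller = "10.10.25.50", "192.168.100.17"  # guest address is constructed
    request = fw.process(Packet(guest, controller, "icmp", ingress_vlan=25))
    reply = fw.process(Packet(controller, guest, "icmp", ingress_vlan=reply_vlan))
    return request, reply


if __name__ == "__main__":
    for vlan in (25, 100):
        req, rep = simulate_ping(vlan)
        print(f"controller replies on VLAN {vlan}: {req} / {rep}")
```

Running it shows the request forwarded to VLAN 100 in both cases, the reply dropped when the controller answers on VLAN 25, and the reply forwarded back to the guest only when it returns on VLAN 100.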

Guru Elite
Posts: 21,561
Registered: ‎03-29-2007

Re: Controller responding to traffic under wrong VLAN

Do you have "ip nat inside" on any of your VLANs?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 13
Registered: ‎08-17-2012

Re: Controller responding to traffic under wrong VLAN

Doesn't look like it.  Here's the relevant config:

 

ip cp-redirect-address 192.168.100.17
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
permit any
!
ip access-list session validuser
network 169.254.0.0 255.255.0.0 any any deny
any any any permit
ipv6 any any any permit
!
ip access-list session vmware-acl
!
ip access-list session citrix-acl
!
ip access-list session ra-guard
!
ip access-list session captiveportal6
!

 

vlan 25 "Guest"
vlan 100 "Internal"
vlan 102

no spanning-tree

interface gigabitethernet 1/0
description "GE1/0"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 1/1
description "GE1/1"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 1/2
description "GE1/2"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 1/3
description "GE1/3"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 1/4
description "GE1/4"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 1/5
description "GE1/5"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 1/6
description "GE1/6"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 1/7
description "GE1/7"
trusted
trusted vlan 1-4094
!

interface port-channel 0
add gigabitethernet 1/4
add gigabitethernet 1/5
trusted
trusted vlan 1-4094
switchport mode trunk
switchport access vlan 102
!

interface vlan 100
ip address 192.168.100.17 255.255.254.0
no ip routing
!

interface vlan 1
no ip routing
shutdown
!

interface vlan 25
ip address 10.10.25.17 255.255.255.0
no ip routing
ip helper-address 192.168.100.50
!

interface vlan 102
ip address 192.168.102.17 255.255.255.0
no ip routing
ip helper-address 192.168.100.50
!

ip default-gateway 192.168.100.1
no uplink wired vlan 1
uplink disable

MVP
Posts: 3,020
Registered: ‎10-25-2011

Re: Controller responding to traffic under wrong VLAN

Well, that's a weird config.

You should not need the ip helper on your wireless controller if you've got your Cisco ASA doing the routing, that's for sure...

And it looks like it is, as you've got "no ip routing" on your interface VLANs. You should just need the ip helper on the one that is routing, your Cisco ASA.

Besides that, there is something else that got my attention:

interface port-channel 0
add gigabitethernet 1/4
add gigabitethernet 1/5
trusted
trusted vlan 1-4094
switchport mode trunk
switchport access vlan 102

Where are you passing your guest VLAN and your internal VLAN to the device that is routing? I mean tagging them; I don't see that you are tagging them with something like "switchport trunk allowed vlan 102,100,25".

I know I'm not helping you with your question, but I'm really curious about how that is working.

Look, for example, I just logged in to one of the controllers I have configured:

interface port-channel 0
        add gigabitethernet 1/0
        add gigabitethernet 1/1                   
        add gigabitethernet 1/2
        add gigabitethernet 1/3
        trusted
        trusted vlan 1,10,12-13,20-24
        switchport mode trunk
        switchport trunk allowed vlan 1,10-13,20-24

 

interface vlan 1
        ip address 192.168.1.60 255.255.255.0
!

interface vlan 12
        no ip routing
!

interface vlan 13
        no ip routing
!

interface vlan 20
        ip address 192.168.20.1 255.255.255.0
        no ip routing
!

interface vlan 21
        no ip routing
!

interface vlan 22                                 
        no ip routing
!

interface vlan 23
        no ip routing
!

interface vlan 24
        no ip routing
!

Can you explain to me how your guest VLAN on your controller can communicate with, for example, the ASA default gateway of that network without going through layer 2 on tags or without NATting through the controller?

Maybe here is your issue?

Well, I'm looking forward to seeing the resolution! It's a weird case you've got here.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Occasional Contributor II
Posts: 13
Registered: ‎08-17-2012

Re: Controller responding to traffic under wrong VLAN

[ Edited ]

Basically it's set up like this:

Cisco ASA <-- Trunk with all VLANs --> Switch <-- Trunk with all VLANs --> Wireless Controller

Edit: I should clarify that the port-channel interface is the only interface that is actually active. None of the other ports are used.

The ASA is the default gateway for every VLAN, and routing/firewall is all it does. DHCP is handled by a server on the internal VLAN (which is why I needed to configure ip-helper). I guess I could have the ASA or the switch do the DHCP forwarding as well, and actually I'm going to check to make sure it's not set up to do that already (though it shouldn't cause any issues in theory, since they'd both be forwarding to the same server).

I put the "no ip routing" because the controller should not be allowing any traffic to pass between VLANs without going through the ASA. That could potentially be a security issue, and very likely be a network management issue. I couldn't really find any good explanation of this feature, so it's quite possible I've misunderstood what it is actually for.

I've just allowed all VLANs on the controller's trunk port because that was the default configuration. The switch is set to ignore any untagged traffic, and traffic on unused VLANs wouldn't actually go anywhere, so I'm not too concerned about that, unless you think it could be causing issues?

This configuration has actually been working very well for the past few days, with the exception of the problem I opened this thread for. I wouldn't even really care about this, but it's breaking captive portal because users in the guest VLAN can't access the wireless controller to see the login page.

Hope all this is clear, thanks for the input!

Guru Elite
Posts: 21,561
Registered: ‎03-29-2007

Re: Controller responding to traffic under wrong VLAN

The best solution is to use the "ip cp-redirect-address" command to redirect users to the IP address of the controller on the guest VLAN for the captive portal:

config t

ip cp-redirect-address 10.10.25.x

Colin Joseph
Aruba Customer Engineering


MVP
Posts: 3,020
Registered: ‎10-25-2011

Re: Controller responding to traffic under wrong VLAN

Okay, I do understand everything you say and I already know what "no ip routing" does, but anyway, thanks for telling me. The thing is, in what line are you permitting all the VLANs on the controller to be trunked?

That was the part I didn't see and that's why I find it confusing...

As far as I know, trusting all the VLANs does not mean I'm trunking them all... it's just that I'm trusting them but not doing 802.1Q.

Unless on an Aruba controller doing just "switchport mode trunk" will allow all the VLANs?

Okay, that's the confusing part... hehe

In what line does it say you are allowing all the VLANs? I'd like to test, though... :)


----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Occasional Contributor II
Posts: 13
Registered: ‎08-17-2012

Re: Controller responding to traffic under wrong VLAN

Interesting, I guess if you specify "switchport mode trunk" without specifically allowing any VLANs it just adds them all. It's definitely sending regular traffic over all of my VLANs no problem. If I disable captive portal, the guest users' traffic goes through the guest VLAN and the internal users go over the internal VLAN.

As for the "ip cp-redirect-address" suggestion, I did in fact try that first. Unfortunately the controller wouldn't respond to requests from the captive users on that interface. I think this is because I have a basic license on the controller, and the default firewall rule for captive users only allows them to access the alias named "controller" over http/https, which I assume is just the controller's primary IP (in this case, 192.168.100.17 on VLAN 100).

I'll reconfirm this when I get back in the office on Monday, but I'm quite positive that changing the ip cp-redirect-address to anything but the controller's primary IP address didn't work. When I test it on Monday I'll run Wireshark on the captive user computer and see if I can glean any more information about what is happening.

Guru Elite
Posts: 21,561
Registered: ‎03-29-2007

Re: Controller responding to traffic under wrong VLAN


scottraymond wrote:

Interesting, I guess if you specify "switchport mode trunk" without specifically allowing any vlans it just adds them all.  It's definitely sending regular traffic over all of my VLANs no problem.  If I disable captive portal the guest users traffic goes through the guest VLAN and the internal users go over the internal VLAN.

 

As for the "ip cp-redirect-address" suggestion, I did in fact try that first.  Unfortunately the controller wouldn't respond to requests from the captive users on that interface.  I think this is because I have a basic license on the controller, and the default firewall rule for captive users only allows them to access the alias named "controller" over http/https which I assume is just the controller's primary IP (In this case, 192.168.100.17 on VLAN 100).

 

I'll reconfirm this when I get back in the office on Monday, but I'm quite positive that changing the ip cp-redirect address to anything but the controller's primary IP address didn't work.  When I test it on Monday I'll run wireshark on the captive user computer and see if I can glean any more information about what is happening.


If you type "show trunk" it will probably show you that allowed VLANs is all.  Whenever you create a new VLAN, it will add it automatically.  Please change the ip cp-redirect address to the ip address of the VLAN.  Whenever a captive portal user requests the controller's page, it is designed to return the page on that specific ip address and it was made for your particular situation.  Having it as the management ip address is what makes it answer from there.



Colin Joseph
Aruba Customer Engineering

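The check implied by the advice above (the redirect address must be the controller's own address on the VLAN the captive user sits in, and a trunk with no explicit allowed list carries all VLANs) can be run against the controller's text config before touching the box. The script below is an added example, not Aruba code and not from this thread; it parses the relevant lines of the config posted earlier (embedded here as a trimmed, constructed sample) and reports which VLAN interface owns the ip cp-redirect-address, the address it should be for guest VLAN 25, and the trunk's allowed-VLAN list. The "all" default for a trunk without a switchport trunk allowed vlan line is taken from the reply above.

```python
"""Lint an ArubaOS-style config for the captive-portal redirect address (added example)."""
import ipaddress
import re
from typing import Dict, Optional

# Relevant lines from the config posted in this thread (constructed subset).
SAMPLE_CONFIG = """\
ip cp-redirect-address 192.168.100.17
vlan 25 "Guest"
vlan 100 "Internal"
vlan 102
interface port-channel 0
add gigabitethernet 1/4
add gigabitethernet 1/5
trusted
trusted vlan 1-4094
switchport mode trunk
switchport access vlan 102
!
interface vlan 100
ip address 192.168.100.17 255.255.254.0
no ip routing
!
interface vlan 25
ip address 10.10.25.17 255.255.255.0
no ip routing
ip helper-address 192.168.100.50
!
interface vlan 102
ip address 192.168.102.17 255.255.255.0
no ip routing
!
ip default-gateway 192.168.100.1
"""


def parse_vlan_interfaces(config: str) -> Dict[int, ipaddress.IPv4Interface]:
    """Map each 'interface vlan N' stanza to its configured address/mask."""
    vlans: Dict[int, ipaddress.IPv4Interface] = {}
    current: Optional[int] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface vlan (\d+)", line)
        if m:
            current = int(m.group(1))
            continue
        if line.startswith("interface ") or line == "!":
            current = None  # left the VLAN stanza
            continue
        m = re.fullmatch(r"ip address (\S+) (\S+)", line)
        if m and current is not None:
            # ipaddress accepts the dotted-mask form "a.b.c.d/m.m.m.m"
            vlans[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return vlans


def cp_redirect_address(config: str) -> Optional[str]:
    m = re.search(r"^ip cp-redirect-address (\S+)$", config, re.MULTILINE)
    return m.group(1) if m else None


def trunk_allowed_vlans(config: str) -> str:
    """A trunk with no explicit allowed list carries all VLANs (per the reply above)."""
    m = re.search(r"^\s*switchport trunk allowed vlan (\S+)$", config, re.MULTILINE)
    return m.group(1) if m else "all"


def vlan_owning(vlans: Dict[int, ipaddress.IPv4Interface], addr: str) -> Optional[int]:
    """VLAN whose interface subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for vid, iface in vlans.items():
        if ip in iface.network:
            return vid
    return None


def check_cp_redirect(config: str, guest_vlan: int) -> dict:
    """Report whether the captive-portal redirect address lives on guest_vlan."""
    vlans = parse_vlan_interfaces(config)
    addr = cp_redirect_address(config)
    vid = vlan_owning(vlans, addr) if addr else None
    return {
        "redirect": addr,
        "redirect_vlan": vid,
        "ok": vid == guest_vlan,
        "suggested": str(vlans[guest_vlan].ip) if guest_vlan in vlans else None,
        "trunk_allowed": trunk_allowed_vlans(config),
    }


if __name__ == "__main__":
    print(check_cp_redirect(SAMPLE_CONFIG, guest_vlan=25))
    fixed = SAMPLE_CONFIG.replace("ip cp-redirect-address 192.168.100.17",
                                  "ip cp-redirect-address 10.10.25.17")
    print(check_cp_redirect(fixed, guest_vlan=25))
```

On the posted config the report flags the redirect address as living on VLAN 100 and suggests 10.10.25.17; after the substitution it reports ok. The same functions can be pointed at a saved "show running-config" to re-check after any VLAN or address change.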

MVP
Posts: 3,020
Registered: ‎10-25-2011

Re: Controller responding to traffic under wrong VLAN

Interesting, Colin.

Thanks for the information.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp