Wireless Access

setup is 10 IAP-225 with one acting as virtual controller.  all are connected to same switch.

management vlan is 400 with gateway on a firewall also connected to switch.

vlan 400 works fine, and guests use default vlan and default dhcp to connect to the internet.  

 

the problem I am having is vlan 200 is also present on the switch.  the vlan 200 is added to all ports with aruba IAPs.  DHCP and gateway is handled by the firewall.  a user can associate with one AP, but as soon as it transitions to another AP, it can no longer ping gateway and forgets its IP address.

 

if Aruba IAP is acting as layer 2 device, then a user should be able to move to any IAP and ping gateway and internet.  Aruba technical support would like me to route all vlan 200 traffic to the management vlan gateway.  for the life of me I do not understand why?  is it not possible for the IAP to add devices to the vlan 200 at the layer 2?  can someone explain how Aruba processes vlans?  

Is your SSID for vlan 200 configured as network assigned?

yes, network assigned, static vlan.  clients successfully gather an IP address from the first WAP they connect to.  roaming to another AP will immediately break IP connectivity.  Association with other WAPs is successful, just layer 2 and 3 breaks down.

If it is network assigned, the routing infrastructure, and not the way should be providing DHCP.

that is expected and encouraged behavior, the gateway (juniper SRX, on vlan200) processes the DHCP requests and successfully hands an IP address to the end device.  then, when the end device roams to a new WAP, layer 2 breaks.

 

Aruba thinks that DHCP is succeeding because DHCP is broadcast, and they would like me to route vlan200 traffic to the gateway of vlan400.  

 

Im pretty confused on how Aruba defines and uses the vlan 200.  I would like the Arubas to simply extend vlan 200 wireless out to end devices.  

Are you blocking anything in the user role?

I dont believe so.  "allow any to all" is the only rule under that role.

 

 

heres a simple diagram.  this is all I need it to do, extend vlan 200 wirelessly to wireless users. all IAPs are connected to the switch via tagged interface.  a detail not shown is that Aruba technical support advised all IAPs communicate between themselves on the native untagged vlan - this is in effect and in use. a question I have is, when the IAPs have a virtual controller, must all traffic be routed through the management vlan?  currently all guest traffic is sent to the management vlan and apparently the Arubas are natting.  when wireless guest clients connect they get a 172.x.x.x address that is not in use anywhere on this network.  Why would Aruba want me to route all of vlan 200 through the gateway of vlan 400 (mgt)  ?  again, the sympom is a device works fine on the first IAP it connects to, but as soon as it roams to another IAP, layer 2 connectivity breaks.  a test Aruba asked me to perform is to SSH to the IAPs and issue a ping to the gateway of vlan 200 (10.0.0.1)  this of course failed because the Arubas are not currently set up to operate in vlan 200 @ layer3.  I think I am missing a fundamental concept of how Aruba works, does anyone have any technical details I can read?

 

Hi Askala,

I have seen issues like this, they were related to some type of Samsung Mobile phone in combination with 802.11k. When we switched that off it worked fine

Hope this helps

---

@mrtwentytwo wrote:
Hi Askala,

I have seen issues like this, they were related to some type of Samsung Mobile phone in combination with 802.11k. When we switched that off it worked fine

Hope this helps

---

I am not sure what 802.11k has to do with routing.

Hi Colin,

 

The issue was that the clients don't get an IP address when the roam to another AP. Like the issue here. 

In my case TAC investigated and advised to switch off 802.11k and it solved the issue.

 

 

Thanks i have disabled 802.11k and im still having the same issue. Please let me know if you think of anything else to try.

---

@Aksala wrote:

 

 

@heres a simple diagram.  this is all I need it to do, extend vlan 200 wirelessly to wireless users. all IAPs are connected to the switch via tagged interface.  a detail not shown is that Aruba technical support advised all IAPs communicate between themselves on the native untagged vlan - this is in effect and in use. a question I have is, when the IAPs have a virtual controller, must all traffic be routed through the management vlan?  currently all guest traffic is sent to the management vlan and apparently the Arubas are natting.  when wireless guest clients connect they get a 172.x.x.x address that is not in use anywhere on this network.  Why would Aruba want me to route all of vlan 200 through the gateway of vlan 400 (mgt)  ?  again, the sympom is a device works fine on the first IAP it connects to, but as soon as it roams to another IAP, layer 2 connectivity breaks.  a test Aruba asked me to perform is to SSH to the IAPs and issue a ping to the gateway of vlan 200 (10.0.0.1)  this of course failed because the Arubas are not currently set up to operate in vlan 200 @ layer3.  I think I am missing a fundamental concept of how Aruba works, does anyone have any technical details I can read?

 

---

There are two modes of operation for an SSID:

 

"Network Assigned" bridges traffic to the local network and traffic is tagged.  It is the responsibility of the switch connected to each access point to put that traffic on a VLAN (200) that has a default gateway that routes user traffic to where it should go.  Clients should get an ip address on VLAN 200, the default gateway of those clients should be a router, and the router should have routes to every other network, as well as the internet.

 

"Virtual Controller Assigned" tunnels all traffic to the virtual controller, where DHCP is provided and client traffic is natted out of the ip address of the virtual controller.  Trunking that VLAN to all access points is not necessary, because user traffic is forwarded to the VC, DHCP is provided by the VC and traffic is NATTED out of the VC.  The result is that your wired infrastructure is not involved, but user traffic is "hidden" behind the natted ip address of the VC.  This is most appropriate for guest traffic and it is convenient, because you do not have to configure your switched infrastructure for it to happen.

 

I hope that helps.

Yes this does clear a few things up. The guest Network makes much more sense now, and explains why i see customer macs on the native vlan of the switch when i initially expected to see them on the internet vlan. I originally wanted customer guests to use a different vlan 401 for internet but abandoned it on the suggestion of Aruba for vc assigned. It was doing the same thing for guests until i changed to controller assigned option.

So i see that one checkbox changes the operation of the system significantly.

Unfortunately this isn't an option for me for the POS devices i need to join vlan 200, and with "network assigned" it should be capable. And indeed it does work flawlessly... Until a device roams to a different IAP. I do see the mac move from one interface to another so it appears the IAP is broadcasting to the switch.. but i cant tell if the IAP is handling those frames properly.

The switch is a new juniper ex2300 that i am very experienced on, and i am very confident i have the vlan set properly, as I am seeing the mac move between interfaces.

I am not familiar with Juniper.  Make sure that VLAN is trunked to every port the AP is on and make sure that VLAN is extended all the way to the layer 3 switch/router that is doing the routing.  From your comments, it would seem that the VLAN is not properly being extended to the Instant AP ports, but that is all I can think of.

I have checked again that vlan 200 is a member of the trunks on which all Arubas are connected.  Aruba has requested that I SSH to an IAP and issue a ping to the gateway of vlan200.  I am not sure why that would possible as I was under the impression that the Arubas were not participating in layer 3 (network assigned) on vlan 200.  

 

I just tested it, and as I suspected, pings fail to the gateway.  I can ping the devices associated with the IAP, but only from the IAP they are connected to.  traceroute to the device times out.  I can not ping anything else on the subnet

 

 

so in short

gateway can ping ipad

gateway can ping itself

gateway can ping all wired devices

IAP can not ping gateway

IAP can ping ipad

IAP can not ping any other device on the vlan.

 

 

I am so confused.

Hi

Is the iPad in vlan 200 or the vlan 400 where the iap is in?

hello, thanks.

 

the IPAD is in vlan 200.  

 

gateway configured using vlan 200

r.anc> show configuration interfaces ge-0/0/15.200

vlan-id 200;
family inet {
    no-redirects;
    address 10.0.0.1/24;
}

 

verified with ARP (macs resolve to APPLE OUI)

er1@jfw1.freshalepubs.bear.anc> show arp | match 10.0.0
34:7c:25:20:d0:47 10.0.0.137 10.0.0.137 ge-0/0/15.200 permanent
34:7c:25:1f:e8:8c 10.0.0.150 10.0.0.150 ge-0/0/15.200 permanent

 

 

verified in ethernet mac table in the switch:

 

r.anc> show ethernet-switching table vlan-id 200

MICROS 34:7c:25:1c:3c:c8 D - ge-1/0/14.0 0 0
MICROS 34:7c:25:1f:e8:8c D - ge-1/0/14.0 0 0
MICROS 34:7c:25:20:d0:47 D - ge-1/0/14.0 0 0
MICROS 5c:f7:e6:8a:d4:54 D - ge-2/0/30.0 0 0

still banging my head on this one.  at this point im just morbidly fascinated with what is going on.  

 

so this is a snapshot of the failing scenario.  one of the three devices is transported to a different location.  the mac moves to the new interface.  arp entry is still present.  dhcp binding still present.  pings to it fail. 

 

IPAD can not browse.  ssh into the IAP and it can no longer ping the IPAD.  eventually the IPAD will forget its DHCP and not reacquire one.  

 

one thing that im not understanding is that I am picking up the Aruba MACS along with the device macs as they move from interface to interface.  I was not expecting this, I was expecting it to pass only the device mac through.  

 

I am assuming that all of the IAPs get an ip address on VLAN400?  Is it safe to say that the Juniper is the default gateway for both VLAN 200 and VLAN 400?  If yes, it is the router, right?

Yes vlan 400 is management to the IAPs. Also, the gateway of vlan 400 is the destination for all of the guest users to access the internet (192.168.10.1/24). All of the rest of the clients on default vlan are browsing and using internet just fine.

Yes, the gateway is in fact on a juniper srx300 for both vlan 200 (10.0.0.1) as well as 400.

"IAP can not ping gateway

IAP can ping ipad

IAP can not ping any other device on the vlan."

 

Does the IAP have static ip addresses or DHCP addresses?  It almost seems that the IAP has the wrong subnet mask, or wrong default gateway.  

IAP gets its addresses via DHCP on vlan 400. Except for the vc, which I have static assigned.

In response to the portion you bolded, it is with respect to vlan 200 that it can not ping anything. Vlan 400 works fine.

---

@Aksala wrote:
IAP gets its addresses via DHCP on vlan 400. Except for the vc, which I have static assigned.

In response to the portion you bolded, it is with respect to vlan 200 that it can not ping anything. Vlan 400 works fine.

---

Here is how a vanilla configuration should work:

 

All 10 IAPs should have DHCP addresses.  They should all be plugged into ports where VLAN 400 is untagged and VLAN 200 is tagged.  There is part of the configuration called the virtual controller address, where you would set an 11th ip address on VLAN 400 as the virtual controller address.  That is the management address on VLAN 400  that the currently assigned Virtual Controller would answer, regardless of which access point is the Virtual Controller.  The access points are never assigned any ip addresses on VLAN 200; they would just bridge user traffic to that VLAN.  If you were to ping any VLAN 200 ip addresses from any access point, it should first go to its default gateway on VLAN 400 and then reach VLAN 200 addresses from there.

 

When you create an SSID on VLAN 200 that is network assigned, all of the access points should just bridge any user traffic to that VLAN.  Those users should get the juniper's address on VLAN 200 as their default gateway.  The question is, does your internet router have a leg on VLAN 200, or does the juniper simply have the router's subnet as a default route, so that VLAN 200 users can get to the internet? 

interesting....

 

apparently I have it cluged together then.  here is a diagram with 3 IAPs showing how its set up now.

 

vlan 1 is untagged only to the IAPs.  this was necessary to make the guest network function.

vlan 400 (mgt) is tagged to IAPs and the firewall

vlan 200 (user) is tagged to IAPs and the firewall

 

there is a directly connected default route out to the internet from the firewall (Juniper SRX).  im going to attempt to untag native vlan 400 to the IAPS and remove vlan 1 from the IAP ports during a maint window and see if it helps.  

 

the Arubas must be arping back to the VC on vlan 1 and then natting and browsing to the internet, which is why im seeing MACS on that vlan 1 between IAPS.  

Hi,

 

From your information i guess that you should change the following.

 

If the IAP have an IP address in vlan 400 for management then that vlan 400 should be untagged on all ports to the IAP. Vlan 1 can be removed. Also check if you didn't setup up vlan 400 on the IAP eth0, so the below screenshot and leave 'uplink management vlan' at 0. Yes this way the IAP doesn't know about vlan 400, as it's doing untagged vlan 1, but this is how it works.

 

ok, I am going to try this change tonight.  

 

some questions. 

 

- when I change the uplink management vlan, is it correct to do it once from the IAP that is currently master? at this screen

- will it then push down the changes to the other IAPs?

- I would like to keep the virtual controller as a specific IP address.  It seems like I should allow the IAPs all to get IP via DHCP.  so at this screen I allow the IAP to be DHCP?

 

 

-Then under system I assign the VC to have the static IP address I would like.  

 

 

is this all correct?

Hi,

 

 

You should change all IAP for the management vlan, it is a per AP setting, just like the IP address assignment.

 

For the VC IP address I normally take an address NOT assigned to any IAP. Then the VC IP address can hop to another IAP if the master failed.

 

 

 

alright, thanks.  I am preparing for this change. I tested untagged vlan 400 to a little-used IAP, and after the reboot it rejoined the IAP list and two users associated with the IAP.  I can not tell if they were able to browse (I am not at the location) but everything looked well from a remote standpoint.

 

I am concerned about losing management to the VC and would like to get a good order of changes that I should make.

 

I intend to leave the master IAP for last.  I have one particular IAP that I would like to remain VC whenever possible and I have selected the option to force it to be VC.

 

I believe the order of changes after all other non-master IAPs are configured should be:

1) set master IAP addressing to DHCP provided

2) change virtual controller IP from 0.0.0.0 to 192.168.10.2

3) change uplink management to vlan 0

4) reboot master virtual controller for changes to take effect.

 

does this seem proper if my intentions are to allow the IAP to get an address via DHCP and still be able to access the virtual controller at 192.168.10.2? 

 

my  concern is that the virtual controller will elect to a different IAP at a different ip address and I will lose connectivity with no way to determine what the new VC address is.

 

I suppose in worst case scenario I can remotely shut down all IAP ports in the switch which will allow only the master IAP to come online, then reactivate all the other ports after that master IAP has rebooted and I have regained connectivity.

 

please let me know what you think.

Hi,

 

I have to build it to 100% test it.

 

I would go for the scenario where you shutdown the other IAP's. That case you are in 100% control.

 

Hope this helps

 

 

that seems to have mostly resolved the issues.  The Arubas seem to need untagged managment to talk among themselves and facilitate romaing.  Thanks for everyones help.