Wireless Access

Hoping someone gives me the obvious headslap answer to this because I've been going around in circles. I have a 650 upgraded to the newest firmware that I can only make work if I have only one IP\VLAN active on the controller at a time. I have two IP's set on two separate VLANs and ports set to these different VLANs but if I plug into a port on the VLAN that is not the management VLAN (to activate the second IP) I then lose contact with the controller on either IP (and so do the AP's) until I yank the cable out of that secondary VLAN.

It is very odd as I have another 650 still on older firmware that is setup the exact same way and it works flawlessly (plus I have a 3400 on the newsert firmware doing the same thing just fine also). I'm not trying to do anything tricky. I'm not having the controller do any ACL anything, as I have all inter-VLAN routing off. I just want to have two VLAN's pushed out as separated SSID's that will automatically route through the controller onto the wired network on the expected, matching VLAN. Super simple. I've checked and double the subnet masks and IP ranges and everything. This is what I have

 

IP 192.168.208.2     255.255.252.0     VLAN 101     Management      ports 0-4 (access)

IP 192.168.200.11   255.255.254.0     VLAN 100                                port 5

VLAN 1 is disabled

I have the AP's up and running fine on VLAN 101 and all is great but I'd like to add the second VLAN (100) to an additional SSID so I can have some wirelss units put directly on that VLAN with our main wired network.

Anyway, any thoughts (should I use more disparate IP ranges, should I put the non-management VLAN on DHCP, is there a better way to do this?) would be appreciated as I know the controller 650 can do this, I have proof (albeit with older firmware)

thanks

Steve

#3400

can you run a few commands:

 

show ip interface brief

show ip route

show vlan

show trunk

show port status

show interface gigabitethernet 1/5 switchport

show spanning-tree

show ip interface brief

Interface                   IP Address / IP Netmask        Admin   Protocol
vlan 101                 192.168.208.2 / 255.255.252.0     up      up
vlan 1                    172.16.0.254 / 255.255.255.0     down    down
vlan 100                     10.10.8.2 / 255.255.255.0     up      down
loopback                    unassigned / unassigned        up      up
mgmt                        unassigned / unassigned        down    down

 

show ip route

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
Gateway of last resort is 192.168.208.1 to network 0.0.0.0 at cost 1
S*    0.0.0.0/0  [1/0] via 192.168.208.1*
C    192.168.208.0/22 is directly connected, VLAN101

 

show vlan

 

VLAN   Description   Ports   AAA    Profile

1           Default           GE1/7 Pc0-7   N/A

100       VLAN100       GE1/5-6           N/A

101       VLAN101       GE1/0-4           N/A

 

show trunk

 

Trunk Port Table
-----------------
Port  Vlans Allowed  Vlans Active  Native Vlan
----  -------------  ------------  -----------

 

show port status

 

Port Status
-----------
Slot-Port  PortType  adminstate  operstate  poe      Trusted  SpanningTree  PortMode
---------  --------  ----------  ---------  ---      -------  ------------  --------
1/0        GE        Enabled     Down       Enabled  Yes      Disabled      Access
1/1        GE        Enabled     Down       Enabled  Yes      Disabled      Access
1/2        GE        Enabled     Down       Enabled  Yes      Disabled      Access
1/3        GE        Enabled     Down       Enabled  Yes      Disabled      Access
1/4        GE        Enabled     Up         N/A      Yes      Forwarding    Access
1/5        GE        Enabled     Down       N/A      Yes      Disabled      Access
1/6        GE        Enabled     Down       N/A      Yes      Disabled      Access
1/7        GE        Enabled     Down       N/A      Yes      Disabled      Access

show interface gigabitethernet 1/5 switchport

 

Name:  GE1/5
Switchport:  Enabled
Administrative mode:  static access
Operational mode:  static access
Administrative Trunking Encapsulation:  dot1q
Operational Trunking Encapsulation:  dot1q
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (Default)
Trunking Vlans Enabled: NONE
Trunking Vlans Active: NONE

 

show spanning-tree

 

Spanning Tree is executing the IEEE compatible Rapid Spanning Tree protocol
Bridge Identifier has priority 32768, address 00:1a:1e:21:be:c0
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32000, address 00:07:50:0c:44:00
Topology change flag is not set , detected flag not set , changes 393
Times: hold 1, topology change 35 hello 2, max age 20, forward delay 15
Timers: hello 0, notification 0
Last topology change: 0 days, 0 hours, 38 mins, 10 secs

 

 

 

Hope that helps and thanks in advance for any clues\

Steve

Steve, of the results you showed the only thing I initially question is spanning-tree enabled.  Is this necessary in your environment?   can you try and shut it off and try again:

 

no spanning-tree

 

also, are the ports trusted?

all the ports are trusted. I will try turning off STP and see what happens and report back

thanks

Steve

it looks like spanning-tree indeed was the culprit. I'm surprised it would matter with different VLAN's but it did. I've switched to a trunked port as recommended due to that so that should be even better. Thanks both for all your help Steve

Of course, it would matter if you don't run PVST (or Rapid PVST). Aruba new OS supports both of them. Regards,

Amin

 

 

 

Can you please run the following ?

 

show  controller-ip

show ip route

 

A couple more questions :

- Both ports going to the same UPLINK  Switch ? If this is the case then I recommed creating a trunk and add those VLANs ..

- Once you bring the VLAN 100 up are the APs able to reach the controller or just you cant reach it through SSH and HTTPS?

- When you loose connectiviy are you wired or wireless ?

- Any reason you have STP turned on , on the Aruba side of things? Do you STP on , on the UPLINK SWITCH ?

 

 

 

 

show  controller-ip

 

Switch IP Address: 192.168.208.2

Switch IP is configured to be Vlan Interface: 101

Switch IPv6 address is not configured.

show ip route

 

see previous reply

 

 

- Both ports going to the same UPLINK  Switch ?

yes but each port has a different VLAN. I do this with my other controllers all to one Edge switch just fine. Not sure the difference of trunking versus just splitting it out to multiple switch ports. The switches know how to handle it in my experience

- Once you bring the VLAN 100 up are the APs able to reach the controller or just you cant reach it through SSH and HTTPS?

all connectivity is lost (the AP's lose it too

- When you loose connectiviy are you wired or wireless ?
wired

- Any reason you have STP turned on , on the Aruba side of things? Do you STP on , on the UPLINK SWITCH ?

  no although that has never been a problem for me in the past. I will try turning it off and see what happens.

 

 

thanks for your response and help, it is much appreciated. I'll let you know what I find out with STP