Wireless Access

We are running a 3600 controller (AOS 6.3.1.13) to terminate our RAPs.  On the initial deployment we had a single VLAN 196, which all RAPs used for access to the internal LAN.  Now we want to segregate the RAPs into 2 separate VLANs based on their use – VLAN 82 for our partners, VLAN 83 for employees.  The new VLANs have been created, IP addresses assigned, and the uplink port to the LAN has been changed to trunk mode.

The upstream device is a PA5020, which is our L3 device and where the default gateway for each VLAN resides.  The PA port has VLAN 196 as the primary VLAN, with VLANs 82 & 83 configured as sub interfaces with their respective gateway IP addresses.

When we try to ping the controller IP addresses for either VLAN 82 or 83, the PA sends the traffic out the correct path to the 3600, but the controller always sends the return traffic on the VLAN of the default gateway, in this case VLAN 196, which the PA drops.  We’ve tried adding static routes, multiple default gateways, and various other ideas, but to no avail.  This seems like a simple thing to do - what are we missing here?

interface gigabitethernet 1/0
description "Uplink to LAN"
trusted
trusted vlan 1-4094
switchport mode trunk

interface vlan 196
ip address 10.0.199.34 255.255.252.0
no ip routing
!

interface vlan 82
ip address 10.0.82.7 255.255.255.0
no ip routing
ip helper-address 10.0.2.67
ip helper-address 10.0.2.68
!

interface vlan 83
ip address 10.0.83.7 255.255.255.0
no ip routing
ip helper-address 10.0.2.67
ip helper-address 10.0.2.68
!

ip default-gateway 10.0.196.1

What's the native VLAN on the PA device trunk port?

Looks like you need to add a couple of things.

(Aruba7010) (config-if)#switchport trunk allowed vlan 82,83,196

(Aruba7010) (config-if)#switchport trunk native vlan <native VLAN ID>

OK, here are the revised port settings:

interface gigabitethernet 1/0
description "Uplink to LAN"
trusted
trusted vlan 1-4094
switchport mode trunk
switchport trunk native vlan 196
switchport trunk allowed vlan 82-83,196

I've attached a screenshot of the PA port configuration

Still unable to ping the IP addresses of VLANs 82 or 83.

Ok, the controller port config looks good.

I notice you have an additional VLAN on the PA-5020. Is the controller patched directly into ethernet1/8 on the PA-5020?

There are a pair of PA-5020’s in an active/standby configuration, so we have a pair of Cisco 3560G switches in between to support uplinks to both firewalls.  The controller switchport config is:

interface GigabitEthernet0/22

 description AMC4

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 196

 switchport trunk allowed vlan 80,82,83,196

 switchport mode trunk

end

The PA-5020 switchport config is:

interface GigabitEthernet0/20

 description CORE-FW2 E1/8

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 196

 switchport trunk allowed vlan 80,82,83,196

 switchport mode trunk

end

The additional VLAN 80 is for guest traffic from our campus 3600 controllers and isn’t used with the RAPs.

Regards,

Duane

So, you're trunking VLAN 80 on the Cisco side but not on the Aruba? I'd recommend to either remove VLAN 80 from the Cisco port configuration or add it to the Aruba port configuration as an allowed VLAN.

Run 'show vlan status' on your controller and confirm that your VLANs are enabled. Also check the IP/netmask, operstate, what ports they are assigned to and verify there is no AAA profile assigned.

Is there an IP address on VLAN interface 82 or 83 on the Cisco switch?Can you ping these IP addresses from your controller? If there isn't an IP address on these VLANs on the Cisco switch, can you add one and attempt to ping them from the controller?

Can you ping VLAN 82 or 83 IP address on PS-5020 from the Cisco switch?

I added VLAN 80 on the controller, although it shouldn't have any impact on this issue.  All VLANs are up:

Vlan Status
-----------
VlanId IPAddress Adminstate Operstate PortCount Nat Inside Mode Ports AAA Profile
------ --------- ---------- --------- --------- ---------- ---- ----- -----------
1 172.16.0.254/255.255.255.0 Enabled Up 7 Disabled Regular GE1/1-7 Pc0-7 N/A
80 10.0.80.7/255.255.254.0 Enabled Up 1 Disabled Regular GE1/0 N/A
82 10.0.82.7/255.255.255.0 Enabled Up 1 Disabled Regular GE1/0 N/A
83 10.0.83.7/255.255.255.0 Enabled Up 1 Disabled Regular GE1/0 N/A
196 10.0.199.34/255.255.252.0 Enabled Up 1 Disabled Regular GE1/0 N/A

The Cisco switch has no IP addresses and I can't add any, but I can ping the PA addresses from the controller:

(RCH_AMC4) #ping 10.0.82.1
Press 'q' to abort.
Sending 5, 92-byte ICMP Echos to 10.0.82.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.746/2.7964/10.07 ms

(RCH_AMC4) #ping 10.0.80.1
Press 'q' to abort.
Sending 5, 92-byte ICMP Echos to 10.0.80.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.914/2.8956/10.682 ms

(RCH_AMC4) #ping 10.0.83.1
Press 'q' to abort.
Sending 5, 92-byte ICMP Echos to 10.0.83.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.846/1.9918/6.351 ms

(RCH_AMC4) #ping 10.0.196.1
Press 'q' to abort.
Sending 5, 92-byte ICMP Echos to 10.0.196.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.929/1.8868/5.587 ms

I can also ping them from the Cisco switch.  I'm thinking it's an issue on the PA - found this post on a similar issue when connected to an ASA firewall:  

http://community.arubanetworks.com/t5/Wireless-Access/Controller-responding-to-traffic-under-wrong-VLAN/td-p/42228

Ah ok. 

Maybe try pinging the controller from the PA and check the datapath session on the controller to help to see what's happenning.

#show datapath session table <PA IP Address>

..where the PA IP address is the source IP address you're pinging from.

In relation to that ASA post, are you doing any NATing between the VLANs on the trunk?