Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Need help with VLAN configuration on the 3600 controller

  • 1.  Need help with VLAN configuration on the 3600 controller

    Posted Jul 30, 2015 01:05 AM

    This is related to my previous question, but since it goes deeper into the VLAN, I thought it better to create a new question.

     

    Previously, the controller was connected directly to an "ISP" or service provider.

    The way they set up the controller is as follows:

    VLAN 1: 10.0.0.1/21, Port 1/1,1/3,Pc0-7 --> AP LAN and MGMT LAN.

    VLAN 2: 32.145.145.32/24, Port 1/0-1 --> WAN IP address

    VLAN 3: 10.3.0.1/24, Port 1/1 --> WLAN for SSID A

    VLAN 4: 10.4.0.1/24, Port 1/1 --> WLAN for SSID B

    VLAN 5: 10.5.0.1/21, Port 1/1 --> WLAN for SSID C

     

    Now that we have moved the controller to our LAN, my plan is to replace VLAN 1 and split it into two parts:

    1. VLAN 100 for MGMT and Private SSID WLAN

    2. VLAN 80 for all APs LAN.

     

    And then replace VLAN 5 with VLAN 50 and delete the other unused VLANs.

     

    So in my head, the VLAN configuration should look like this:

    VLAN 2: 192.168.100.2/24, Port 1/0-1 --> WAN IP address

    VLAN 50: 192.50.0.1/21, Port 1/1 --> WLAN for SSID C

    VLAN 80: 192.80.0.1/24, Port 1/1 --> WLAN for APs

    VLAN 100: (I didn't assign IP because it's the native VLAN in our environment) Port 1/1 --> WLAN for Private SSID and MGMT

     

    At the moment, only VLAN 1 and 2 are in operation state UP, but I don't use VLAN 1.

    I can get to the controller through VLAN 2 but the others are DOWN.

    I'm clueless at the moment because I have set TRUNK mode on the switch and it is able to communicate with the other switches through VLAN 2, 50, 80, 100 with no issue.

    Is the controller not tagging the VLANs on Port 1/1, or do I need to manually enable those VLANs first?

    I rebooted the controller and the PoE switch that the APs are connected to, but it's still not working.

    I'm also unable to ping the controller's VLAN 50 and 80 IP addresses from the switch that's connected directly to Port 1/1. It seems like it's in shutdown mode.

    Currently Port 1/0 is set to Access mode and Port 1/1 is set to Trunk mode in the controller.

     

    Where should I start to troubleshoot this?

    Help please? :)

     



  • 2.  RE: Need help with VLAN configuration on the 3600 controller

    Posted Jul 30, 2015 05:19 AM

    Hi,

     

    A couple of questions to understand the issue:

    1. What is your controller IP? (Use the "show controller-ip" command to find out.)

    2. Are all VLAN interfaces UP? (Use "show ip interface brief".)

    3. Is Master-Master or Master-Local configured, or configured and removed?

    4. Check the routing table to verify that the VLAN subnets are populated and that there are no IPSec routes available.

     

    Please clarify the above. We can easily fix the issue.



  • 3.  RE: Need help with VLAN configuration on the 3600 controller

    Posted Jul 30, 2015 11:59 AM

    dhanraj_puduchery@yahoo.com wrote:

    Hi,

     

    Couple of questions to understand the issue,

    1. What is your controller IP ? ( Use "show controller-ip" command to know)

    2. All VLAN interfaces are UP ? ( Use "Show ip interface Brief")

    3. Is Master-Master or Master-Local configured or configured and removed ?

    4. Check the routing table to verify VLAN subnets are populated and there are no IPSec routes available .

     

    Please clarify the above. we can easily fix the issue.


    Thank you kindly for the response.

     

    1. What is your controller IP ? ( Use "show controller-ip" command to know)

    It's the VLAN-2 IP address.

    Switch IP Address: 192.168.100.219

    Switch IP is configured to be Vlan Interface: 2

     

    2. All VLAN interfaces are UP ? ( Use "Show ip interface Brief")

    No. That's the problem, and I don't get why.

     

    vlan 2                 192.168.100.2 / 255.255.255.0     up      up
    vlan 1                        10.0.0.1 / 255.255.248.0     up      down
    vlan 5                        10.5.0.1 / 255.255.248.0     up      down
    vlan 4                        10.4.0.1 / 255.255.255.0     up      down
    vlan 3                        10.3.0.1 / 255.255.255.0     up      down
    vlan 50                     192.50.0.1 / 255.255.248.0     up      down
    vlan 80                     192.80.0.1 / 255.255.255.0     up      down
    vlan 100                    unassigned / unassigned        up      down
    loopback                    unassigned / unassigned        up      up
    mgmt                        unassigned / unassigned        down    down

     

    3. Is Master-Master or Master-Local configured or configured and removed ?

    I don't know what that means but I'll google it.

     

    4. Check the routing table to verify VLAN subnets are populated and there are no IPSec routes available .

     

    (Aruba3600-US-Highline) #show ip route

    Codes: C - connected, O - OSPF, R - RIP, S - static
           M - mgmt, U - route usable, * - candidate default

    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    Gateway of last resort is 192.168.100.1 to network 0.0.0.0 at cost 1
    S*    0.0.0.0/0  [1/0] via 192.168.100.1*
    C    192.168.100.0 is directly connected, VLAN2

     

    Do I need to add a route for each VLAN? I'm using the controller as the gateway for all the WiFi VLANs.

    How do I check the IPSec routes? I'll google it also.

     

    Thank you

     



  • 4.  RE: Need help with VLAN configuration on the 3600 controller

    Posted Jul 30, 2015 12:15 PM

    Hi,

     

    The solution is very simple.

    You need to use the following commands to get it done.

    "interface VLAN 1"

    "operstate up"

     

    If there are no active interfaces mapped to a VLAN, that VLAN interface protocol will be down, so in Aruba we have to use "operstate UP" to bring up a VLAN interface unconditionally.

     

     



  • 5.  RE: Need help with VLAN configuration on the 3600 controller

    Posted Jul 30, 2015 12:55 PM

    Thank you for the reply.

     

    But I'm not going to use VLAN 1. Our native VLAN is 100.

    Do I still have to use VLAN 1 for the AP to communicate or is that just an example command that I need to do on VLAN 100?

    I apologize for the basic question since I'm new to this. 

     



  • 6.  RE: Need help with VLAN configuration on the 3600 controller

    Posted Jul 30, 2015 01:01 PM

    Hi,

    That was an example. Whichever VLAN interface you want to enable (bring up), you need to apply "operstate up" to it.

     

    Coming to the AP VLAN, it can be any VLAN, but you need to ensure that the AP subnet is reachable from the controller IP (in your case VLAN 2), meaning the AP and the controller should have reachability.

     

    Please feel free to ask for any further clarity on this.



  • 7.  RE: Need help with VLAN configuration on the 3600 controller

    Posted Jul 30, 2015 01:30 PM

    Thank you.

     

    I did what you told me to and now the VLANs are in oper UP.

    But I'm still not able to ping that VLAN IP address on the controller.

     

    This is the network layout. 

     

    Controller --> Force10 Switch --> Gateway

     

    From Force10 Switch, I can ping the gateway IP on VLAN 50, 80 and 100.

    From Force10 Switch and Gateway, I'm not able to ping the Controller IP on VLAN 50 and 80 and vice versa. 

     

    It seems like the controller is not tagging the packets even though port 1/1 is already set as a trunk and allows VLAN 50 and 80 traffic.

     

    Any other suggestions?

     

     

     



  • 8.  RE: Need help with VLAN configuration on the 3600 controller

    Posted Jul 30, 2015 01:49 PM

    Hi,

     

    What link do you have between the controller and the Force switch? What is the gateway for the Force switch? If the link between the controller and the switch is a trunk, what is the native VLAN configured on the Force switch?

     

    Can you share the output of "show port status", "show trunk" and "show ip route" on the controller?

     

    It is a routing issue; we can fix it by understanding the datapath.



  • 9.  RE: Need help with VLAN configuration on the 3600 controller

    Posted Jul 30, 2015 03:25 PM

    Please ignore the other VLANs because I was testing with them.

    The VLANs that we need to worry about are 50, 80 and 100.

     

    Port Status
    -----------
    Slot-Port  PortType  adminstate  operstate  poe      Trusted  SpanningTree  PortMode
    ---------  --------  ----------  ---------  ---      -------  ------------  --------
    1/0        GE        Enabled     Up         Enabled  Yes      Forwarding    Access
    1/1        GE        Enabled     Up         Enabled  Yes      Blocking      Trunk
    1/2        GE        Enabled     Up         Enabled  Yes      Forwarding    Access
    1/3        GE        Enabled     Up         Enabled  Yes      Blocking      Access

     

    Trunk Port Table
    -----------------
    Port   Vlans Allowed            Vlans Active             Native Vlan
    ----   -------------            ------------             -----------
    GE1/1  2,30,50,80,100,146,1401  2,30,50,80,100,146,1401  100

     

    Codes: C - connected, O - OSPF, R - RIP, S - static
           M - mgmt, U - route usable, * - candidate default

    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    Gateway of last resort is 192.168.30.1 to network 0.0.0.0 at cost 3
    Gateway of last resort is 192.168.100.1 to network 0.0.0.0 at cost 1
    S*    0.0.0.0/0  [1/0] via 192.168.100.1*
    C    192.168.100.0 is directly connected, VLAN2
    C    192.168.30.0 is directly connected, VLAN30
    C    192.50.0.0 is directly connected, VLAN50
    C    192.80.0.0 is directly connected, VLAN80

     

     

     



  • 10.  RE: Need help with VLAN configuration on the 3600 controller
    Best Answer

    Posted Jul 31, 2015 02:01 AM

    Hi,

     

    The issue is identified. Look at your trunk port (1/1        GE        Enabled     Up         Enabled  Yes      Blocking      Trunk). STP is blocking that port for some VLANs.

     

    1. Do you have multiple links between the controller and the Force switch which are causing a loop? If not, disable spanning tree on the Aruba controller with "no spanning tree", globally and on the interface.

    2. If you have multiple links, configure PVSTP properly so that the trunk links on the controller are forwarding all VLAN traffic.

     

    Please feel free to ask if you need any further help on this.
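
An added example, not part of the original thread: a small Python check that finds the condition identified in this answer, a link-up port that spanning tree is Blocking, and lists the trunk VLANs it carries. The input is the output posted earlier in the thread; the function names are hypothetical, and the column layout is assumed to match what was pasted.

```python
# Output copied from the "show port status" and "show trunk" replies in this thread.
PORT_STATUS = """\
Slot-Port  PortType  adminstate  operstate  poe      Trusted  SpanningTree  PortMode
---------  --------  ----------  ---------  ---      -------  ------------  --------
1/0        GE        Enabled     Up         Enabled  Yes      Forwarding    Access
1/1        GE        Enabled     Up         Enabled  Yes      Blocking      Trunk
1/2        GE        Enabled     Up         Enabled  Yes      Forwarding    Access
1/3        GE        Enabled     Up         Enabled  Yes      Blocking      Access
"""

TRUNKS = """\
Port   Vlans Allowed            Vlans Active             Native Vlan
----   -------------            ------------             -----------
GE1/1  2,30,50,80,100,146,1401  2,30,50,80,100,146,1401  100
"""


def parse_port_status(text):
    """Return {slot/port: row} for data rows (8 columns, first is e.g. '1/1')."""
    ports = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and "/" in f[0] and f[0][0].isdigit():
            ports[f[0]] = {"oper": f[3], "stp": f[6], "mode": f[7]}
    return ports


def parse_trunks(text):
    """Return {slot/port: {'active': [vlan ids], 'native': vlan id}}."""
    trunks = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0].startswith("GE"):
            active = [int(v) for v in f[2].split(",")]
            trunks[f[0][2:]] = {"active": active, "native": int(f[3])}
    return trunks


def blocked_ports(port_text, trunk_text):
    """List (port, mode, vlans) for ports whose link is Up but STP is Blocking."""
    trunks = parse_trunks(trunk_text)
    findings = []
    for port, row in parse_port_status(port_text).items():
        if row["oper"] == "Up" and row["stp"] == "Blocking":
            findings.append((port, row["mode"], trunks.get(port, {}).get("active", [])))
    return findings


if __name__ == "__main__":
    print(blocked_ports(PORT_STATUS, TRUNKS))
```

On the thread's data this reports port 1/1, the trunk carrying VLANs 50, 80 and 100, and access port 1/3.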



  • 11.  RE: Need help with VLAN configuration on the 3600 controller

    Posted Aug 01, 2015 02:06 PM

    I apologize for the delay.

     

    That was exactly it. I had another set of eyes look over my configuration and we found out that the spanning tree was causing the issue, so we created port channeling, or we could do what you just suggested by disabling the spanning tree on the controller or the switch.

     

    Now that it's working and the AP is seeing the controller and provisioning, I have another issue with the WiFi clients: they keep getting an IP address from VLAN 1 instead of 50, even though I have set on the Virtual AP that they need to use VLAN 50 instead of 1. DHCP and everything has been set up correctly on VLAN 50.

    I'm going to open another thread since it's a different issue. That way people who have the same issue as me, trying to connect all 4 ports to a switch, know what to do to fix it based on this thread.



  • 12.  RE: Need help with VLAN configuration on the 3600 controller

    Posted Aug 03, 2015 01:27 AM

    Hi,

     

    The user VLAN does not depend only on the VAP VLAN, which has the least precedence. Check whether any SDR is configured or any VLAN is mapped to the authenticated user role.

     

    Use the following commands for diagnosing the issue:

    1. show ap essid --> to know which VLAN is mapped

    2. show user --> to know which role is mapped to the user

    3. show rights <role name> --> to know which VLAN is mapped to the user role

    4. show log security <count> (show log security 50) --> to know how the user VLAN is being derived

     

    Please feel free to ask for any further help on this.



  • 13.  RE: Need help with VLAN configuration on the 3600 controller

    Posted Aug 03, 2015 02:27 AM

    Hi,

     

    Thanks for the tips.

    "show ap essid" showed the VAP was using VLAN 50, 1.

    How do I get rid of vlan 1?

     



  • 14.  RE: Need help with VLAN configuration on the 3600 controller

    Posted Aug 03, 2015 02:49 AM

    Hi,

     

    Aruba supports VLAN pooling, which means we can map multiple VLANs to a single VAP. Check whether you have mapped both the VLANs.

    Use "show wlan virtual-ap <profile name>"; if you find two VLANs mapped, use "wlan virtual-ap <profile name> vlan 50".

     

    Also check whether the uplink device port is a trunk link; if it is, make it an access link.

     

    Please feel free to ask for any further help on this.