Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

  • 1.  Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 08, 2012 11:00 AM

    Hello all! This is my first post here, so hello everyone! Also, I apologize if I have this in the wrong place, but I thought this looked like the most appropriate place for my question.

    I have an interesting problem, and I'm not sure where the exact problem lies or even how to ask the right question to get a solution. So, I think I'm just going to explain my situation and what I'm trying to accomplish, so I apologize again for this being so long!

    I have an existing Aruba network at my High School with around 20 AP-105s. My controller lives in the Middle School where my main server closet is, and it is an Aruba 3600 controller. The two locations are tied together with dedicated fiber, and it's working splendid.

    I have purchased around 50 more APs to set up in our Middle School/Elementary school building (the same building where the controller lives). My plan is to set them up exactly like I have at the HS using the same controller.

    After getting my new licenses and everything activated and installed on my controller, I decided to see if I could remember how to provision a new AP. I pull out one of the new HP 24 port POE switches that I bought and set it up in my office and plugged it in to the network, and then plugged one of my new AP-105s into it. It booted up, got a DHCP address, and I was able to provision it on my controller. Good so far!

    Now it was time to set up that same new HP POE switch as I plan to have it installed in the closet. This is where things started to get a bit hairy.

    I have an HP ProCurve switch on my network that I call my "core" switch. It does all the routing and everything for the VLANS on my network. My Aruba 3600 controller connects directly to this switch. A number of ports on this switch are configured as trunk ports and uplink to other switches on my network. One of these ports was already configured this way and not used any more, so I decided to use that to uplink to my new HP POE switch that my new APs will connect to.

    After doing some research as to how to configure my new POE switch, I got the trunk connection working. I configured port 1 on the new switch as the trunked uplink to my core switch. I set the IP address of the switch to be in VLAN1, and I was able to configure a different port on the switch to be in a different VLAN, and when I connected a laptop to that port it worked exactly as expected. It got a DHCP address in the correct VLAN, and I was able to access different computers in different VLANS, and I was able to access THAT computer from other machines as well.

    So, my final step was to plug in one of my new APs to this port configured for a different VLAN, and this is where things went wrong. The AP would not "check-in" with the controller. It was getting a DHCP address from my DHCP server, as I could see it getting a new lease, but I could not ping the AP nor would it ever show up on the Aruba controller where I could provision it.

    If I use the same switch, but uplink it without using trunks (as I did when I first took it out of the box), everything works fine, no matter what VLAN it's plugged into. However, this isn't really the configuration I want.

    So, I guess my question is, how do I make this work? What am I missing here? It doesn't appear to be my switch, because I can plug in a laptop to that port and it works exactly as it should. So, is there something I need to adjust on my Aruba Controller? If so, I have no idea where to even begin looking. What I'm trying to do is already being done with my existing APs at the High School. All traffic from the HS connects to this core switch over a trunk line, so I'm not sure what could be different.

    Thank you all for reading, and if you have any ideas or need any other information from me, please don't hesitate to let me know!


    #3600


  • 2.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 08, 2012 11:45 AM

    This isn't a Procurve forum, but we're all here to help!!!

     

    Are your switches Procurve E series? I know a bit about these. Are you comfortable posting your core and edge switch (in this test) configurations? Please do so if you are. Also tell us what your NORMAL VLAN is (i.e. the one where the controller IPs live), and any "other" VLAN where you plugged an AP and it didn't work.

     

    In the first instance, I thought maybe you had a DNS/DHCP discovery problem for the AP. i.e. whenever your controller IPs are in a different VLAN/subnet to the AP in question, you've got to give the AP a way to "find" its controller. Either by DNS lookup of "aruba-master", or DHCP options 43/60. I'm going to assume this isn't your issue, because I think you're saying if you make your edge switch ingress into a core switch port on a different VLAN directly (like a Cisco access port, without an 802.1q tagged config), the AP works ok?

     

    This makes me think it's a problem with your tagged/trunk uplink config on the switches. But then, I can't understand why a PC would work and route ok if so?!?!

     

    Just leave your edge switch connected as you'd like, and post your core switch, edge switch and controller config (just the VLAN, port and IP bits). Then tell us from which VLAN the AP works, and does not.

     

    Cheers.



  • 3.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 08, 2012 11:49 AM

    Oh, forgot to say, make sure you're not falling into the Cisco/Procurve terminology trap...

     

    Cisco...

     

    1. A port-channel is an 802.3ad style aggregate connection.

    2. A trunk is an 802.1q tagged (multiple VLAN) link.

     

    Procurve...

     

    1. A trunk is an 802.3ad style aggregate connection.

    2. A VLAN tagged link is an 802.1q tagged (multiple VLAN) link. You have to tag it on each VLAN you want it to run.

     

    i.e. Cisco and Procurve = A "Trunk" is not the same thing!!!

     

    Cheers.



  • 4.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 08, 2012 02:01 PM

    Thank you for your response! I posted here because I'm still not sure if it's a controller problem or a switch problem, but I appreciate your willingness to help regardless!

     

    I'll get my configs downloaded and posted here ASAP.



  • 5.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 08, 2012 02:35 PM

    OK, here are my configs. First, here is the "core" switch. This is an HP ProCurve 4204vl:

     

    ; J8770A Configuration Editor; Created on release #L.11.20
    
    hostname "ShenandoahCore4204" 
    module 1 type J8768A 
    module 2 type J9033A 
    interface B15 
       lacp Active 
    exit
    interface B16 
       lacp Active 
    exit
    interface B19 
       lacp Active 
    exit
    ip routing 
    snmp-server community "public" Operator Unrestricted 
    vlan 1 
       name "DEFAULT_VLAN" 
       untagged A1-A3,A7-A12,A14-A24,B2-B4,B6-B16,B18-B24 
       ip address 192.168.0.1 255.255.255.0 
       tagged A4 
       no untagged A5-A6,A13,B1,B5,B17 
       exit 
    vlan 2 
       name "K8Network" 
       untagged A13,B1,B17 
       ip address 192.168.2.1 255.255.255.0 
       ip helper-address 192.168.0.10 
       tagged B12-B14,B16,B18-B24 
       exit 
    vlan 3 
       name "HSNetwork" 
       untagged B5 
       ip address 192.168.3.1 255.255.255.0 
       ip helper-address 192.168.0.10 
       tagged B12-B14,B16-B20,B22-B24 
       exit 
    vlan 4 
       name "WrlsStaff" 
       ip address 192.168.4.1 255.255.255.0 
       ip helper-address 192.168.0.10 
       tagged B12-B14,B16-B20,B22-B24 
       exit 
    vlan 5 
       name "WrlsStdnt" 
       untagged A6 
       ip address 192.168.5.1 255.255.248.0 
       ip helper-address 192.168.0.10 
       tagged B12-B14,B16-B20,B22-B24 
       exit 
    vlan 6 
       name "GuestWrls" 
       ip address 192.168.6.1 255.255.255.0 
       ip helper-address 192.168.0.10 
       tagged B12-B14,B16-B20,B22-B24 
       exit 
    vlan 9 
       name "StdntWrls" 
       untagged A5 
       ip address 192.168.9.1 255.255.252.0 
       ip helper-address 192.168.0.10 
       tagged B12-B14,B16-B20,B22-B24 
       exit 
    ip route 0.0.0.0 0.0.0.0 192.168.0.47 
    interface B14
       dhcp-snooping trust
       exit
    interface B24
       dhcp-snooping trust
       exit
    spanning-tree
    spanning-tree priority 0
    password manager

     

    Here is the config for my new edge POE switch. It is an HP V1910-24G-PoE:

     

    #
     version 5.20 Release 1108P01
    #
     sysname MS-POESWITCH-01
    #
     domain default enable system 
    #
     ip ttl-expires enable
    #
    vlan 1
     description DEFAULT_VLAN
    #
    vlan 2
     description K8Network
    #
    vlan 3
     description HSNetwork
    #
    vlan 4
     description WrlsStaff
    #
    vlan 5
     description ESNetwork
    #
    vlan 6
     description GuestWrls
    #
    vlan 9
     description StdntWrls
    #
    domain system 
     access-limit disable 
     state active 
     idle-cut disable 
     self-service-url disable 
    #
    user-group system
    #
    local-user admin
     authorization-attribute level 3
     service-type ssh telnet terminal
    #
     stp mode rstp
     stp enable
    #
    interface NULL0
    #
    interface Vlan-interface1
     ip address 192.168.0.170 255.255.255.0 
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk permit vlan 1 to 6 9
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/2
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/3
     port link-type hybrid
     port hybrid vlan 2 tagged
     port hybrid vlan 1 untagged
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/4
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/5
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/6
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/7
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/8
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/9
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/10
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/11
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/12
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/13
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/14
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/15
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/16
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/17
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/18
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/19
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/20
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/21
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/22
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/23
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/24
     poe enable
     stp edged-port enable
    #
    interface GigabitEthernet1/0/25
     stp edged-port enable
    #
    interface GigabitEthernet1/0/26
     stp edged-port enable
    #
    interface GigabitEthernet1/0/27
     stp edged-port enable
    #
    interface GigabitEthernet1/0/28
     stp edged-port enable
    #
     ip route-static 0.0.0.0 0.0.0.0 192.168.0.1 
    #
     load xml-configuration 
    #
    user-interface aux 0
     authentication-mode scheme
    user-interface vty 0 15
     authentication-mode scheme
    #
    return

     ...and finally, here is the config for my Aruba Controller:

     

    version 3.3
    country US
    ap regulatory-domain-profile default
      country-code US
      valid-11g-channel 1
      valid-11g-channel 6
      valid-11g-channel 11
      valid-11a-channel 36
      valid-11a-channel 40
      valid-11a-channel 44
      valid-11a-channel 48
      valid-11a-channel 149
      valid-11a-channel 153
      valid-11a-channel 157
      valid-11a-channel 161
      valid-11a-channel 165
      valid-11g-40mhz-channel-pair 1-5
      valid-11g-40mhz-channel-pair 7-11
      valid-11a-40mhz-channel-pair 36-40
      valid-11a-40mhz-channel-pair 44-48
      valid-11a-40mhz-channel-pair 149-153
      valid-11a-40mhz-channel-pair 157-161
    
    !
    
    
    
    logging level warnings stm
    
    wms
     general poll-interval 60000
     general poll-retries 3
     general stat-update enable
     general ap-ageout-interval 30
     general sta-ageout-interval 30
     general learn-ap disable
     general persistent-known-interfering enable
    !
    
    adp discovery enable
    adp igmp-join enable
    adp igmp-vlan 0
    
    netservice svc-icmp 1 
    netservice svc-esp 50
    netservice svc-gre 47
    netservice svc-svp 119
    netservice svc-ftp tcp 21
    netservice svc-ssh tcp 22
    netservice svc-smtp tcp 25
    netservice svc-telnet tcp 23
    netservice svc-dns udp 53
    netservice svc-dhcp udp 67 68
    netservice svc-bootp udp 67 69
    netservice svc-tftp udp 69
    netservice svc-http tcp 80
    netservice svc-kerberos udp 88
    netservice svc-pop3 tcp 110
    netservice svc-ntp udp 123
    netservice svc-msrpc-udp udp 135 139
    netservice svc-msrpc-tcp tcp 135 139
    netservice svc-snmp udp 161
    netservice svc-snmp-trap udp 162
    netservice svc-smb-udp udp 445
    netservice svc-smb-tcp tcp 445
    netservice svc-https tcp 443
    netservice svc-ike udp 500
    netservice svc-rtsp tcp 554
    netservice svc-nterm tcp 1026 1028
    netservice svc-l2tp udp 1701
    netservice svc-pptp tcp 1723
    netservice svc-sccp tcp 2000
    netservice svc-natt udp 4500
    netservice svc-vocera udp 5002
    netservice svc-sip-udp udp 5060
    netservice svc-sip-tcp tcp 5060
    netservice svc-sips tcp 5061
    netservice svc-adp udp 8200
    netservice svc-papi udp 8211
    netservice svc-cfgm-tcp tcp 8211
    netservice svc-syslog udp 514
    netservice svc-noe udp 32512
    netservice svc-noe-oxo udp 5000 alg noe
    netservice svc-http-proxy1 tcp 3128
    netservice svc-http-proxy2 tcp 8080
    netservice svc-http-proxy3 tcp 8888
    netservice svc-h323-tcp tcp 1720
    netservice svc-h323-udp udp 1718 1719
    netservice svc-v6-icmp 58
    netservice svc-v6-dhcp udp 546 547
    
    ip access-list session control
     user any udp 68 deny
     any any svc-icmp permit
     any any svc-dns permit
     any any svc-papi permit
     any any svc-cfgm-tcp permit
     any any svc-adp permit
     any any svc-tftp permit
     any any svc-dhcp permit
     any any svc-natt permit
    !
    
    ip access-list session logon-control
     user any udp 68 deny
     any any svc-icmp permit
     any any svc-dns permit
     any any svc-dhcp permit
     any any svc-natt permit
    !
    
    ip access-list session ap-acl
     any any udp 5000
     any any udp 5555
     any any svc-gre permit
     any any svc-syslog permit
     any user svc-snmp permit
     user any svc-snmp-trap permit
     user any svc-ntp permit
    !
    
    ip access-list session allowall
     any any any permit
    !
    
    ip access-list session captiveportal
     user alias controller svc-https dst-nat 8081
     user any svc-http dst-nat 8080
     user any svc-https dst-nat 8081
     user any svc-http-proxy1 dst-nat 8088
     user any svc-http-proxy2 dst-nat 8088
     user any svc-http-proxy3 dst-nat 8088
    !
    
    ip access-list session cplogout
     user alias controller svc-https dst-nat 8081
    !
    
    ip access-list session vpnlogon
     user any svc-ike permit
     user any svc-esp permit
     any any svc-l2tp permit
     any any svc-pptp permit
     any any svc-gre permit
    !
    
    ip access-list session srcnat
     user any any src-nat
    !
    
    ip access-list session sip-acl
     any any svc-sip-udp permit queue high
     any any svc-sip-tcp permit queue high
    !
    
    ip access-list session svp-acl
     any any svc-svp permit queue high
     user host 224.0.1.116 any permit
    !
    
    ip access-list session vocera-acl
     any any svc-vocera permit queue high
    !
    
    ip access-list session noe-acl
     any any svc-noe permit queue high
    !
    
    ip access-list session skinny-acl
     any any svc-sccp permit queue high
    !
    
    ip access-list session h323-acl
     any any svc-h323-tcp permit queue high
     any any svc-h323-udp permit queue high
    !
    
    ip access-list session dhcp-acl          
     any any svc-dhcp permit
    !
    
    ip access-list session icmp-acl          
     any any svc-icmp permit
    !
    
    ip access-list session tftp-acl
     any any svc-tftp permit
    !
    
    ip access-list session dns-acl
     any any svc-dns permit
    !
    
    ip access-list session http-acl
     any any svc-http permit
    !
    
    ip access-list session https-acl
     any any svc-https permit
    !
    
    ipv6 access-list session v6-logon-control
     user any udp 68 deny
     any any svc-v6-icmp permit
     any any svc-v6-dhcp permit
     any any svc-dns permit
    !
    
    ipv6 access-list session v6-dhcp-acl
     any any svc-v6-dhcp permit
    !
    
    ipv6 access-list session v6-icmp-acl
     any any svc-v6-icmp permit
    !
    
    ipv6 access-list session v6-dns-acl
     any any svc-dns permit
    !
    
    ipv6 access-list session v6-http-acl
     any any svc-http permit
    !
    
    ipv6 access-list session v6-https-acl
     any any svc-https permit
    !
    
    ipv6 access-list session v6-allowall
     any any any permit
    !
    
    user-role authenticated
     session-acl allowall
     ipv6 session-acl v6-allowall
    !
    
    user-role default-vpn-role
     session-acl allowall
     ipv6 session-acl v6-allowall
    !
    
    user-role logon
     session-acl logon-control
     session-acl captiveportal
     session-acl vpnlogon
     ipv6 session-acl v6-logon-control
    !
    
    user-role guest-logon
     session-acl logon-control
     session-acl captiveportal
     captive-portal default
    !
    
    user-role ap-role
     session-acl control
     session-acl ap-acl
    !
    
    user-role voice
     session-acl sip-acl
     session-acl noe-acl
     session-acl svp-acl
     session-acl vocera-acl
     session-acl skinny-acl
     session-acl h323-acl
     session-acl dhcp-acl
     session-acl tftp-acl
     session-acl dns-acl
     session-acl icmp-acl
    !
    
    user-role guest
     session-acl http-acl
     session-acl https-acl
     session-acl dhcp-acl
     session-acl icmp-acl
     session-acl dns-acl
     ipv6 session-acl v6-http-acl
     ipv6 session-acl v6-https-acl
     ipv6 session-acl v6-dhcp-acl
     ipv6 session-acl v6-icmp-acl
     ipv6 session-acl v6-dns-acl
    !
    
    aaa server-group default
     auth-server Internal
     set role condition role value-of
    !
    aaa authentication vpn default-role default-vpn-role
    
    mgmt-role read-only
     description "This is the Default View Only Role"
     permit view-only
    !
    
    crypto isakmp policy 20
      encryption aes256
    !
    crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
    crypto dynamic-map default-dynamicmap 10000
      set transform-set default-transform default-aes
    !
    wms
     valid-11b-channel 1 mode enable
     valid-11b-channel 6 mode enable
     valid-11b-channel 11 mode enable
     
     valid-11a-channel 36 mode enable
     valid-11a-channel 40 mode enable
     valid-11a-channel 44 mode enable
     valid-11a-channel 48 mode enable
     valid-11a-channel 149 mode enable
     valid-11a-channel 153 mode enable
     valid-11a-channel 157 mode enable
     valid-11a-channel 161 mode enable
     valid-11a-channel 165 mode enable
    !
    
    hostname Aruba3600
    
    interface vlan 1
      ip address 192.168.0.20 255.255.0.0
    !
    
    ip default-gateway 192.168.0.47
    
    localip 0.0.0.0 ipsec xxx
    
    clock timezone CST -6 0
    
    mgmt-user admin root xxx
    
    enable secret "xxx"
    
    trusted all

     The IP address for my controller is 192.168.0.20, and I have a DNS entry for "aruba-master" pointing to that. The port on the core switch I'm uploading to is B19. The uplink port on the edge POE switch is port GigabitEthernet1/0/1. The port I'm setting up for the AP is GigabitEthernet1/0/3. Right now I have a laptop plugged into that port, and it's working perfectly. I get a DHCP address for VLAN2, and I can ping servers in VLAN1 and get to the internet.

     

    Please let me know if there is any other info from me that may help! Thank you!




  • 6.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 08, 2012 07:37 PM

    Does your DHCP server have a domain name for the IP Scope where you want to configure the new AP?  Usually if you're using DNS for the APs to find the controller the DHCP scope needs the domain name so it can resolve "aruba-master.<your_domain>".

     

    It sounds like you have the network piece configured correctly.  I would assume that if you plug in a laptop on the new switch, get an IP address, you can ping/access the controller.  If this is the case, then I would venture to say your network piece is configured to allow L3 connectivity between the sites.

     

    -Mike



  • 7.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 08, 2012 11:46 PM

    Yes, I do have the domain name in my DHCP server. In fact, one of the first things I checked when I plugged my laptop into that port was a ping to "aruba-master", and it appended the ".domain.name" to the end of it and resolved to the correct address.

     

    So, if my network is configured properly, then does that mean my problem is somewhere in the configuration of my Aruba controller? I hooked up a cable to the console port of the AP I was working with to see if there were any errors, I can try to hook that up again and let you know what happens, if that would help.



  • 8.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    EMPLOYEE
    Posted May 08, 2012 11:51 PM

    Mister Vertigo,

     

    If it is a domain laptop, it might automatically append <domain name>, even though it is not configured in your DHCP server.  If you can, please plug in a non-domain device and see if the domain is being received through DHCP.



  • 9.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 08, 2012 11:57 PM

    Good point. I'll try this when I get back to the office in the morning.



  • 10.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 03:59 AM

    Yeah, I'd agree with the other guys. The switches look ok on the face of it at a glance.

     

    What you can do (if your AP has a console port (125 and 105 do for example)), is plug the console into the AP during boot. Look at the outputs. It's pretty obvious what's going on in terms of controller discovery.

     

    Cheers.



  • 11.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 09:45 AM

    It looks like the domain (option 015) is set properly in DHCP, so I don't think that is the issue.

     

    Here is the output when I plug in to the console on the AP-105 during boot:

     

    APBoot 1.2.4.4 (build 26618)
    Built: 2011-01-07 at 13:42:04
    
    Model: AP-10x
    CPU:   AR7161 revision: A2
    Clock: 680 MHz, DDR clock: 340 MHz, Bus clock: 170 MHz
    DRAM:  128 MB
    POST1: passed
    Copy:  done
    Flash: 16 MB
    PCI:   scanning bus 0 ...
           dev fn venID devID class  rev    MBAR0    MBAR1    MBAR2    MBAR3
           00  00  168c  0029 00002   01 10000000 00000000 00000000 00000000
           01  00  168c  0029 00002   01 10010000 00000000 00000000 00000000
    Net:   eth0
    Radio: ar922x#0, ar922x#1
    
    Hit <Enter> to stop autoboot:  0
    Checking image @ 0xbf100000
    Invalid image format version: 0xffffffff
    Checking image @ 0xbf800000
    Invalid image format version: 0xffffffff
    eth0 up: 1 Gb/s full duplex
    DHCP broadcast 1
    DHCP broadcast 2
    DHCP broadcast 3
    DHCP broadcast 4
    DHCP broadcast 5
    
    Retry count exceeded; starting again
    eth0 up: 1 Gb/s full duplex
    DHCP broadcast 1
    DHCP broadcast 2
    DHCP broadcast 3
    DHCP broadcast 4
    DHCP broadcast 5

     The DHCP retry repeats over and over again for a while, until the device finally reboots and tries again. However, on my DHCP server, I can see where this device did in fact get a DHCP lease. I'm pretty sure my DHCP is set up OK because my existing APs in the other building have been working fine, and one of the new ones was working OK before I configured the trunk ports on the switch.

     

    Hopefully this output from the AP helps. Thank you all for your help!



  • 12.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    EMPLOYEE
    Posted May 09, 2012 09:47 AM
    Delete the lease and see if it gets one again. That might have been historical...


  • 13.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 09:48 AM

    I actually did just that before I even booted it up this morning.



  • 14.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 09:55 AM

    So the AP doesn't seem to be getting the DHCP.

     

    I think you said you confirmed that a laptop connecting to the same port as the WAP is getting a DHCP address.  Is this correct?  If not, can you verify that a laptop connecting to the port where the WAP is does indeed get an IP and has L3 connectivity to the controller?

     

    A few other things:

    - It seems all your ports on the POE Switch are set up for edge mode.  Do verify this is true on the port where the WAP is.

    - Which VLAN should the WAP be in on the POE switch?

    - Which port do you have the WAP connected to on the POE switch?

    - Is the power for the WAP in the correct VLAN?

     

    -Mike



  • 15.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 10:15 AM

    Yes, the laptop plugged into the exact same port where the AP is plugged into works just fine. It gets a DHCP lease, gets the address, and can access everything on my network. I can ping aruba-master, and can get out to the internet.

     

     - Ports as edge mode: I'll be honest, I don't even know what that means. But, looking at the config I posted above I see "stp edged-port enable" listed under every port on the switch

     - Which VLAN: Ultimately, I'll probably put the APs in VLAN1, but right now I'm trying to get it to work on ANY VLAN and not having any luck. I still want to trunk the uplink though because I may have other devices on this switch that I will want in other VLANS at some point.

     - The WAP is on port 3

     - Power for the WAP in the correct VLAN: I have no idea how to set this, or that it was even an option. How do I check this?



  • 16.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 10:22 AM

    I meant port instead of power in my last question. :)

     

    So one difference I see on port g1/0/3 is that it's a hybrid link.  Not sure what that means in HP's terms but it seems it can support both tagged and untagged VLAN.

     

    #
    interface GigabitEthernet1/0/3
     port link-type hybrid
     port hybrid vlan 2 tagged
     port hybrid vlan 1 untagged
     poe enable
     stp edged-port enable
    #

     

    Based on the above config and if I am reading the configuration correctly, your WAP and laptop should get an IP in the VLAN1. Is this true?

     

    What I would do is move the WAP to port g1/0/4, which should be in VLAN1 by default.  You should be able to determine the VLAN by issuing "show vlan" (assuming this is the command to do that).  Try on port g1/0/4 and see if the WAP works.  Not sure if you tried this already or not.


    Since the DHCP server and the WAP would be in VLAN1, you do not need the IP-HELPER address on the core end for VLAN1.

     

    -Mike



  • 17.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 10:44 AM

    Ah, ok, that makes sense!

     

    With the config you quoted, the laptop plugged in to that port gets an IP address from DHCP on VLAN2.

     

    I did find one thing in my current config that was not in the one I posted. Here is the part for that port:

     

    #
    interface GigabitEthernet1/0/3
     port link-type hybrid
     port hybrid vlan 2 tagged
     port hybrid vlan 1 untagged
     port hybrid pvid vlan 2
     poe enable
     stp edged-port enable

     The "port hybrid pvid vlan 2" is in there as well, and I have to have that in there for the port to work on that VLAN. I get the same results on my WAP with this in there.

     

    Also, I tried plugging the WAP into port 4 which has no VLAN configuration on it at all, so it should default to VLAN1, and I get the same results as above too. I see the device getting a lease on my DHCP server, but the WAP never boots.



  • 18.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 11:04 AM

    Well, when you plug the laptop on port g1/0/3 you get an IP in VLAN2.  When you plug the laptop on port g1/0/4, which VLAN do you get an IP in, assuming the laptop is working?

     

    As Colin suggested, you may need to get a packet capture of the traffic on the DHCP server.


    One other thing to try, is to assign a static IP on the WAP from the console and see if it's able to connect.  Search the forum or the KB to do this.  If you don't find it, let me know and I'll get it for you.  This would take the DHCP variable and at least you can verify your network connectivity specific for the WAP.

     

    Are the ports where the WAP is working in the other building configured similar to port g1/0/3?

     

    -Mike



  • 19.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 11:28 AM

    OK, I statically set the IP address for the WAP. From the command line of the WAP I can ping the IP address of the controller, as well as other devices in different VLANs, including the internet. When I try to boot it though, it still tries to connect to DHCP and I don't know how to keep it from doing that.



  • 20.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 11:34 AM

    Ah, OK, I got the AP to boot by typing tftpboot. It came up and showed up on my controller where I could provision it.

     

    So, does that mean I have a DHCP problem?



  • 21.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 11:51 AM

    Seems like it.  It's strange you get an IP on the laptop but not the WAP.  Without having a capture can't help you much more with the DHCP problem.

     

    I would definitely review your DHCP configuration and try to get a capture of the DHCP traffic to/from the WAP.

     

    -Mike



  • 22.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 11:55 AM

    OK, when it worked I had the WAP plugged in to port 6 on the switch, which was not configured for any VLAN, so the static IP I gave it was in VLAN1, the default, and the same VLAN as the controller.

     

    I tried it again by putting the WAP on port 3 again, which is set up for VLAN2. When I change the IP address and gateway on the WAP for that VLAN, it cannot communicate with the controller, or even the VLAN's gateway IP.



  • 23.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 12:01 PM

    VLAN2 is configured as a TAG VLAN, meaning the WAP would need to be TAG as well and it's not.  The WAP required an UNTAG port/VLAN.  I imagine the ports that do not have a VLAN entry defaults to VLAN1.  You should be able to view this by issuing "show vlan" from the CLI on the network switch.

     

    I'm not familiar with HP switches to say that your configuration on port g1/0/3 is correct.  I'm not sure why you have a TAG VLAN and an UNTAG VLAN on the same port.  That was why I recommended you use a port that doesn't have the added configuration.  At least if you try with VLAN1, it should all work and then maybe you can determine if you have a switch port configuration issue.

     

    For the WAPs that you have in another building, how are the switch ports configured?  Can you post a snapshot of one of the port configuration where you have an existing WAP in another building?  Also, it would be helpful if you can identify which VLAN a WAP that is working in another building with DHCP is on.

     

     

    -Mike



  • 24.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 12:23 PM

    OK, I figured it out. Your line of questioning got me to my answer!

     

    You asked how my ports were configured on the other switch where they are working, and I discovered that those ports are UNTAGGED, not tagged. So, on my new switch I changed it from being tagged in VLAN3 to untagged, and it booted up perfectly with DHCP and everything.

     

    Thank you all SO MUCH for your patience and your help. You guys didn't have to help me, as it ended up not being a real Aruba issue, but you did anyway, and you got me going! Thank you!
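
Added example (not part of any post in this thread, and not HP or Aruba code): a small Python audit of Comware-style interface stanzas like the ones posted above. For each port it reports the VLAN that untagged ingress frames are placed in (the PVID) and whether that same VLAN leaves the port untagged, which is the condition the fix in this post restored. The sample config is constructed from the port 3 stanza quoted in the thread plus a hypothetical corrected port 5; the default hybrid/trunk membership of VLAN 1 is an assumption noted in the comments.

```python
import re

# Constructed sample: port 3 as quoted in the thread (including the pvid line),
# port 4 left at defaults, port 5 a hypothetical corrected AP port.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid vlan 2 tagged
 port hybrid vlan 1 untagged
 port hybrid pvid vlan 2
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/4
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/5
 port link-type hybrid
 port hybrid vlan 2 untagged
 port hybrid pvid vlan 2
 poe enable
#
"""


def expand_vlans(tokens):
    """Expand a VLAN list such as ['1', 'to', '6', '9'] into a set of ints."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_ports(config):
    """Return {interface: state} from 'interface ...' stanzas ended by '#'."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            # Assumed defaults: access port, untagged member of VLAN 1, PVID 1.
            cur = {"link_type": "access", "pvid": 1,
                   "tagged": set(), "untagged": {1}, "permit": {1}}
            ports[m.group(1)] = cur
            continue
        if line == "#":
            cur = None
        if cur is None:
            continue
        w = line.split()
        if w[:2] == ["port", "link-type"]:
            cur["link_type"] = w[2]
        elif w[:3] == ["port", "access", "vlan"]:
            cur["pvid"] = int(w[3])
            cur["untagged"] = {cur["pvid"]}
        elif w[:4] in (["port", "hybrid", "pvid", "vlan"],
                       ["port", "trunk", "pvid", "vlan"]):
            cur["pvid"] = int(w[4])
        elif w[:3] == ["port", "hybrid", "vlan"] and w[-1] in ("tagged", "untagged"):
            vlans = expand_vlans(w[3:-1])
            other = "untagged" if w[-1] == "tagged" else "tagged"
            cur[w[-1]] |= vlans
            cur[other] -= vlans
        elif w[:4] == ["port", "trunk", "permit", "vlan"]:
            if w[4] == "all":
                cur["permit"] = set(range(1, 4095))
            else:
                cur["permit"] |= expand_vlans(w[4:])
    return ports


def egress_mode(port, vlan):
    """How frames of `vlan` leave this port: untagged, tagged or not-member."""
    if port["link_type"] == "trunk":
        if vlan not in port["permit"]:
            return "not-member"
        return "untagged" if vlan == port["pvid"] else "tagged"
    if vlan in port["untagged"]:
        return "untagged"
    if vlan in port["tagged"]:
        return "tagged"
    return "not-member"


def audit_untagged_device(config):
    """Map each port to (pvid, egress mode of the PVID VLAN, ok_for_untagged_device)."""
    report = {}
    for name, port in parse_ports(config).items():
        mode = egress_mode(port, port["pvid"])
        report[name] = (port["pvid"], mode, mode == "untagged")
    return report


if __name__ == "__main__":
    for name, (pvid, mode, ok) in audit_untagged_device(SAMPLE_CONFIG).items():
        print(f"{name}: ingress VLAN {pvid}, egress {mode}, "
              f"{'OK' if ok else 'MISMATCH'} for a device that does not tag")
```

A port flagged as a mismatch accepts the device's untagged frames into the PVID VLAN but sends that VLAN's traffic back with an 802.1Q tag, so a device that only handles untagged frames never sees the replies.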



  • 25.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    Posted May 09, 2012 12:37 PM

    Glad you found your problem. :-)

     

    -Mike



  • 26.  RE: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

    EMPLOYEE
    Posted May 09, 2012 09:49 AM
    You might need to do a packet capture at the dhcp server to find out what is happening.