05-08-2012 07:59 AM
Hello all! This is my first post here, so hello everyone! Also, I apologize if I have this in the wrong place, but I thought this looked like the most appropriate place for my question.
I have an interesting problem, and I'm not sure where the exact problem lies or even how to ask the right question to get a solution. So, I think I'm just going to explain my situation and what I'm trying to accomplish, so I apologize again for this being so long!
I have an existing Aruba network at my High School with around 20 AP-105s. My controller lives in the Middle School where my main server closet is, and it is an Aruba 3600 controller. The two locations are tied together with dedicated fiber, and it's working splendidly.
I have purchased around 50 more APs to set up in our Middle School/Elementary school building (the same building where the controller lives). My plan is to set them up exactly like I have at the HS using the same controller.
After getting my new licenses and everything activated and installed on my controller, I decided to see if I could remember how to provision a new AP. I pulled out one of the new HP 24 port POE switches that I bought, set it up in my office and plugged it in to the network, and then plugged one of my new AP-105s into it. It booted up, got a DHCP address, and I was able to provision it on my controller. Good so far!
Now it was time to set up that same new HP POE switch as I plan to have it installed in the closet. This is where things started to get a bit hairy.
I have an HP ProCurve switch on my network that I call my "core" switch. It does all the routing and everything for the VLANS on my network. My Aruba 3600 controller connects directly to this switch. A number of ports on this switch are configured as trunk ports and uplink to other switches on my network. One of these ports was already configured this way and not used any more, so I decided to use that to uplink to my new HP POE switch that my new APs will connect to.
After doing some research as to how to configure my new POE switch, I got the trunk connection working. I configured port 1 on the new switch as the trunked uplink to my core switch. I set the IP address of the switch to be in VLAN1, and I was able to configure a different port on the switch to be in a different VLAN, and when I connected a laptop to that port it worked exactly as expected. It got a DHCP address in the correct VLAN, and I was able to access different computers in different VLANS, and I was able to access THAT computer from other machines as well.
So, my final step was to plug in one of my new APs to this port configured for a different VLAN, and this is where things went wrong. The AP would not "check-in" with the controller. It was getting a DHCP address from my DHCP server, as I could see it getting a new lease, but I could not ping the AP nor would it ever show up on the Aruba controller where I could provision it.
If I use the same switch, but uplink it without using trunks (as I did when I first took it out of the box), everything works fine, no matter what VLAN it's plugged into. However, this isn't really the configuration I want.
So, I guess my question is, how do I make this work? What am I missing here? It doesn't appear to be my switch, because I can plug in a laptop to that port and it works exactly as it should. So, is there something I need to adjust on my Aruba Controller? If so, I have no idea where to even begin looking. What I'm trying to do is already being done with my existing APs at the High School. All traffic from the HS connects to this core switch over a trunk line, so I'm not sure what could be different.
Thank you all for reading, and if you have any ideas or need any other information from me, please don't hesitate to let me know!
05-08-2012 08:45 AM
This isn't a Procurve forum, but we're all here to help!!!
Are your switches Procurve E series? I know a bit about these. Are you comfortable posting your core and edge switch (in this test) configurations? Please do so if you are. Also tell us what your NORMAL VLAN is (i.e. the one where the controller IPs live), and any "other" VLAN where you plugged an AP and it didn't work.
In the first instance, I thought maybe you had a DNS/DHCP discovery problem for the AP. i.e. whenever your controller IPs are in a different VLAN/subnet to the AP in question, you've got to give the AP a way to "find" its controller. Either by DNS lookup of "aruba-master", or DHCP options 43/60. I'm going to assume this isn't your issue, because I think you're saying if you make your edge switch ingress into a core switch port on a different VLAN directly (like a Cisco access port, without a 802.1q tagged config), the AP works OK?
This makes me think it's a problem with your tagged/trunk uplink config on the switches. But then, I can't understand why a PC would work and route ok if so?!?!
Just leave your edge switch connected as you'd like, and post your core switch, edge switch and controller config (just the VLAN, port and IP bits). Then tell us from which VLAN the AP works, and does not.
05-08-2012 08:48 AM
Oh, forgot to say, make sure you're not falling into the Cisco/Procurve terminology trap...
Cisco:
1. A port-channel is an 802.3ad style aggregate connection.
2. A trunk is an 802.1q tagged (multiple VLAN) link.
Procurve:
1. A trunk is an 802.3ad style aggregate connection.
2. A VLAN tagged link is an 802.1q tagged (multiple VLAN) link. You have to tag it on each VLAN you want it to run.
i.e. Cisco and Procurve = A "Trunk" is not the same thing!!!
05-08-2012 11:00 AM
Thank you for your response! I posted here because I'm still not sure if it's a controller problem or a switch problem, but I appreciate your willingness to help regardless!
I'll get my configs downloaded and posted here ASAP.
05-08-2012 11:35 AM
OK, here are my configs. First, here is the "core" switch. This is an HP ProCurve 4204vl:
; J8770A Configuration Editor; Created on release #L.11.20
hostname "ShenandoahCore4204"
module 1 type J8768A
module 2 type J9033A
interface B15
   lacp Active
exit
interface B16
   lacp Active
exit
interface B19
   lacp Active
exit
ip routing
snmp-server community "public" Operator Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A3,A7-A12,A14-A24,B2-B4,B6-B16,B18-B24
   ip address 192.168.0.1 255.255.255.0
   tagged A4
   no untagged A5-A6,A13,B1,B5,B17
exit
vlan 2
   name "K8Network"
   untagged A13,B1,B17
   ip address 192.168.2.1 255.255.255.0
   ip helper-address 192.168.0.10
   tagged B12-B14,B16,B18-B24
exit
vlan 3
   name "HSNetwork"
   untagged B5
   ip address 192.168.3.1 255.255.255.0
   ip helper-address 192.168.0.10
   tagged B12-B14,B16-B20,B22-B24
exit
vlan 4
   name "WrlsStaff"
   ip address 192.168.4.1 255.255.255.0
   ip helper-address 192.168.0.10
   tagged B12-B14,B16-B20,B22-B24
exit
vlan 5
   name "WrlsStdnt"
   untagged A6
   ip address 192.168.5.1 255.255.248.0
   ip helper-address 192.168.0.10
   tagged B12-B14,B16-B20,B22-B24
exit
vlan 6
   name "GuestWrls"
   ip address 192.168.6.1 255.255.255.0
   ip helper-address 192.168.0.10
   tagged B12-B14,B16-B20,B22-B24
exit
vlan 9
   name "StdntWrls"
   untagged A5
   ip address 192.168.9.1 255.255.252.0
   ip helper-address 192.168.0.10
   tagged B12-B14,B16-B20,B22-B24
exit
ip route 0.0.0.0 0.0.0.0 192.168.0.47
interface B14
   dhcp-snooping trust
exit
interface B24
   dhcp-snooping trust
exit
spanning-tree
spanning-tree priority 0
password manager
Here is the config for my new edge POE switch. It is an HP V1910-24G-PoE:
#
 version 5.20 Release 1108P01
#
 sysname MS-POESWITCH-01
#
 domain default enable system
#
 ip ttl-expires enable
#
vlan 1
 description DEFAULT_VLAN
#
vlan 2
 description K8Network
#
vlan 3
 description HSNetwork
#
vlan 4
 description WrlsStaff
#
vlan 5
 description ESNetwork
#
vlan 6
 description GuestWrls
#
vlan 9
 description StdntWrls
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system
#
local-user admin
 authorization-attribute level 3
 service-type ssh telnet terminal
#
 stp mode rstp
 stp enable
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.170 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1 to 6 9
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/2
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid vlan 2 tagged
 port hybrid vlan 1 untagged
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/4
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/5
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/6
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/7
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/8
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/9
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/10
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/11
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/12
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/13
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/14
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/15
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/16
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/17
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/18
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/19
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/20
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/21
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/22
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/23
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/24
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/25
 stp edged-port enable
#
interface GigabitEthernet1/0/26
 stp edged-port enable
#
interface GigabitEthernet1/0/27
 stp edged-port enable
#
interface GigabitEthernet1/0/28
 stp edged-port enable
#
 ip route-static 0.0.0.0 0.0.0.0 192.168.0.1
#
 load xml-configuration
#
user-interface aux 0
 authentication-mode scheme
user-interface vty 0 15
 authentication-mode scheme
#
return
...and finally, here is the config for my Aruba Controller:
version 3.3
country US
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
!
logging level warnings stm
wms
   general poll-interval 60000
   general poll-retries 3
   general stat-update enable
   general ap-ageout-interval 30
   general sta-ageout-interval 30
   general learn-ap disable
   general persistent-known-interfering enable
!
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
netservice svc-icmp 1
netservice svc-esp 50
netservice svc-gre 47
netservice svc-svp 119
netservice svc-ftp tcp 21
netservice svc-ssh tcp 22
netservice svc-smtp tcp 25
netservice svc-telnet tcp 23
netservice svc-dns udp 53
netservice svc-dhcp udp 67 68
netservice svc-bootp udp 67 69
netservice svc-tftp udp 69
netservice svc-http tcp 80
netservice svc-kerberos udp 88
netservice svc-pop3 tcp 110
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-msrpc-tcp tcp 135 139
netservice svc-snmp udp 161
netservice svc-snmp-trap udp 162
netservice svc-smb-udp udp 445
netservice svc-smb-tcp tcp 445
netservice svc-https tcp 443
netservice svc-ike udp 500
netservice svc-rtsp tcp 554
netservice svc-nterm tcp 1026 1028
netservice svc-l2tp udp 1701
netservice svc-pptp tcp 1723
netservice svc-sccp tcp 2000
netservice svc-natt udp 4500
netservice svc-vocera udp 5002
netservice svc-sip-udp udp 5060
netservice svc-sip-tcp tcp 5060
netservice svc-sips tcp 5061
netservice svc-adp udp 8200
netservice svc-papi udp 8211
netservice svc-cfgm-tcp tcp 8211
netservice svc-syslog udp 514
netservice svc-noe udp 32512
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-http-proxy1 tcp 3128
netservice svc-http-proxy2 tcp 8080
netservice svc-http-proxy3 tcp 8888
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-v6-icmp 58
netservice svc-v6-dhcp udp 546 547
ip access-list session control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-papi permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
!
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
!
ip access-list session ap-acl
  any any udp 5000
  any any udp 5555
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
!
ip access-list session allowall
  any any any permit
!
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
!
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
!
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
!
ip access-list session srcnat
  user any any src-nat
!
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
!
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 18.104.22.168 any permit
!
ip access-list session vocera-acl
  any any svc-vocera permit queue high
!
ip access-list session noe-acl
  any any svc-noe permit queue high
!
ip access-list session skinny-acl
  any any svc-sccp permit queue high
!
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
!
ip access-list session dhcp-acl
  any any svc-dhcp permit
!
ip access-list session icmp-acl
  any any svc-icmp permit
!
ip access-list session tftp-acl
  any any svc-tftp permit
!
ip access-list session dns-acl
  any any svc-dns permit
!
ip access-list session http-acl
  any any svc-http permit
!
ip access-list session https-acl
  any any svc-https permit
!
ipv6 access-list session v6-logon-control
  user any udp 68 deny
  any any svc-v6-icmp permit
  any any svc-v6-dhcp permit
  any any svc-dns permit
!
ipv6 access-list session v6-dhcp-acl
  any any svc-v6-dhcp permit
!
ipv6 access-list session v6-icmp-acl
  any any svc-v6-icmp permit
!
ipv6 access-list session v6-dns-acl
  any any svc-dns permit
!
ipv6 access-list session v6-http-acl
  any any svc-http permit
!
ipv6 access-list session v6-https-acl
  any any svc-https permit
!
ipv6 access-list session v6-allowall
  any any any permit
!
user-role authenticated
  session-acl allowall
  ipv6 session-acl v6-allowall
!
user-role default-vpn-role
  session-acl allowall
  ipv6 session-acl v6-allowall
!
user-role logon
  session-acl logon-control
  session-acl captiveportal
  session-acl vpnlogon
  ipv6 session-acl v6-logon-control
!
user-role guest-logon
  session-acl logon-control
  session-acl captiveportal
  captive-portal default
!
user-role ap-role
  session-acl control
  session-acl ap-acl
!
user-role voice
  session-acl sip-acl
  session-acl noe-acl
  session-acl svp-acl
  session-acl vocera-acl
  session-acl skinny-acl
  session-acl h323-acl
  session-acl dhcp-acl
  session-acl tftp-acl
  session-acl dns-acl
  session-acl icmp-acl
!
user-role guest
  session-acl http-acl
  session-acl https-acl
  session-acl dhcp-acl
  session-acl icmp-acl
  session-acl dns-acl
  ipv6 session-acl v6-http-acl
  ipv6 session-acl v6-https-acl
  ipv6 session-acl v6-dhcp-acl
  ipv6 session-acl v6-icmp-acl
  ipv6 session-acl v6-dns-acl
!
aaa server-group default
  auth-server Internal
  set role condition role value-of
!
aaa authentication vpn
  default-role default-vpn-role
mgmt-role read-only
  description "This is the Default View Only Role"
  permit view-only
!
crypto isakmp policy 20
  encryption aes256
!
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes
!
wms
  valid-11b-channel 1 mode enable
  valid-11b-channel 6 mode enable
  valid-11b-channel 11 mode enable
  valid-11a-channel 36 mode enable
  valid-11a-channel 40 mode enable
  valid-11a-channel 44 mode enable
  valid-11a-channel 48 mode enable
  valid-11a-channel 149 mode enable
  valid-11a-channel 153 mode enable
  valid-11a-channel 157 mode enable
  valid-11a-channel 161 mode enable
  valid-11a-channel 165 mode enable
!
hostname Aruba3600
interface vlan 1
  ip address 192.168.0.20 255.255.0.0
!
ip default-gateway 192.168.0.47
localip 0.0.0.0 ipsec xxx
clock timezone CST -6 0
mgmt-user admin root xxx
enable secret "xxx"
trusted all
The IP address for my controller is 192.168.0.20, and I have a DNS entry for "aruba-master" pointing to that. The port on the core switch I'm uplinking to is B19. The uplink port on the edge POE switch is port GigabitEthernet1/0/1. The port I'm setting up for the AP is GigabitEthernet1/0/3. Right now I have a laptop plugged into that port, and it's working perfectly. I get a DHCP address for VLAN2, and I can ping servers in VLAN1 and get to the internet.
Please let me know if there is any other info from me that may help! Thank you!
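As an added example (not code from the thread, HP or Aruba), a small Python checker for the configs posted above: it parses the ProCurve tagged/untagged lines and the Comware trunk/hybrid lines and reports how a VLAN is carried on core port B19, on the edge uplink GigabitEthernet1/0/1 and on the AP port GigabitEthernet1/0/3. The config strings are constructed excerpts of the posted configs, and it assumes the Comware PVID is left at its default of 1.

```python
# Added example, not from the thread: parse the VLAN membership lines of the posted
# core (ProCurve) and edge (Comware V1910) configs and compare both ends of the uplink.
CORE_CFG = """vlan 1
   untagged A1-A3,A7-A12,A14-A24,B2-B4,B6-B16,B18-B24
vlan 2
   untagged A13,B1,B17
   tagged B12-B14,B16,B18-B24"""  # constructed: excerpt of the 4204vl config posted above
EDGE_CFG = """interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1 to 6 9
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid vlan 2 tagged
 port hybrid vlan 1 untagged
#"""  # constructed: excerpt of the V1910 config posted above

def ports(spec):  # ProCurve 'B12-B14,B16' -> {'B12', 'B13', 'B14', 'B16'}
    out = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        out.update(lo[0] + str(n) for n in range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return out
def vids(toks):  # Comware ['1', 'to', '6', '9'] -> {1, 2, 3, 4, 5, 6, 9}
    out = set()
    for item in " ".join(toks).replace(" to ", "-").split():
        lo, _, hi = item.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out
def procurve_port(cfg, port):  # -> ({tagged VLAN ids}, untagged VLAN id) of one core port
    tagged, untagged, vlan = set(), None, None
    for line in cfg.splitlines():
        w = line.split()
        if w[:1] == ["vlan"]:
            vlan = int(w[1])
        elif w[:1] == ["tagged"] and port in ports(w[1]):
            tagged.add(vlan)
        elif w[:1] == ["untagged"] and port in ports(w[1]):
            untagged = vlan
    return tagged, untagged
def comware_port(cfg, port):  # same for one edge port; assumes the PVID is the default 1
    tagged, untagged, inside = set(), 1, False
    for line in cfg.splitlines():
        w = line.split()
        if w[:1] == ["interface"]:
            inside = w[1] == port
        elif inside and w[:4] == ["port", "trunk", "permit", "vlan"]:
            tagged |= vids(w[4:])
        elif inside and w[:3] == ["port", "hybrid", "vlan"] and w[-1] == "tagged":
            tagged |= vids(w[3:-1])
        elif inside and w[:3] == ["port", "hybrid", "vlan"]:
            untagged = min(vids(w[3:-1]))  # first untagged VLAN taken as the PVID
    tagged.discard(untagged)  # the PVID leaves the port untagged, never tagged
    return tagged, untagged
def uplink_carries(vid, core_port="B19", edge_port="GigabitEthernet1/0/1"):
    ct, cu = procurve_port(CORE_CFG, core_port)  # core end of the uplink
    et, eu = comware_port(EDGE_CFG, edge_port)   # edge end of the uplink
    return (vid in ct and vid in et) or (vid == cu == eu)  # both ends must agree
```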
05-08-2012 04:37 PM
Does your DHCP server have a domain name for the IP scope where you want to configure the new AP? Usually if you're using DNS for the APs to find the controller the DHCP scope needs the domain name so it can resolve "aruba-master.<your_domain>".
It sounds like you have the network piece configured correctly. I would assume that if you plug in a laptop on the new switch, get an IP address, you can ping/access the controller. If this is the case, then I would venture to say your network piece is configured to allow L3 connectivity between the sites.
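As an added example (not from the thread), a check on the L3 side using the values posted above: it parses the controller's interface address and mask and the core switch's VLAN addresses, then lists the VLAN subnets that fall inside the prefix the controller's mask makes directly attached. The config strings are constructed excerpts of the posted controller and core configs.

```python
# Added example, not from the thread: compare the prefix the controller treats as
# directly attached with the routed VLAN subnets on the core, from the posted values.
import ipaddress

# Constructed excerpts of the posted controller and core switch configs.
CONTROLLER_CFG = """interface vlan 1
   ip address 192.168.0.20 255.255.0.0
!
ip default-gateway 192.168.0.47"""
CORE_CFG = """vlan 1
   ip address 192.168.0.1 255.255.255.0
vlan 2
   ip address 192.168.2.1 255.255.255.0
vlan 3
   ip address 192.168.3.1 255.255.255.0
vlan 4
   ip address 192.168.4.1 255.255.255.0"""

def ip_addresses(cfg):
    """Yield (section, IPv4Interface) for each 'ip address A M' line; the section is
    the nearest preceding unindented line ('vlan 2', 'interface vlan 1', ...)."""
    section = None
    for line in cfg.splitlines():
        if line and not line[0].isspace():
            section = line.strip()
        w = line.split()
        if w[:2] == ["ip", "address"]:
            yield section, ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")

def onlink_prefix(controller_cfg):
    """The prefix the controller's own interface mask makes directly attached."""
    return next(iface for _, iface in ip_addresses(controller_cfg)).network

def vlans_inside_onlink_prefix(controller_cfg, core_cfg, controller_vlan="vlan 1"):
    """Core VLAN subnets, other than the controller's own VLAN, that fall inside the
    controller's on-link prefix: for hosts there the controller ARPs on its own VLAN
    instead of sending the packet to its ip default-gateway."""
    prefix = onlink_prefix(controller_cfg)
    return [(section, str(iface.network)) for section, iface in ip_addresses(core_cfg)
            if section != controller_vlan and iface.network.subnet_of(prefix)]
```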
05-08-2012 08:45 PM
Yes, I do have the domain name in my DHCP server. In fact, one of the first things I checked when I plugged my laptop into that port was a ping to "aruba-master", and it appended the ".domain.name" to the end of it and resolved to the correct address.
So, if my network is configured properly, then does that mean my problem is somewhere in the configuration of my Aruba controller? I hooked up a cable to the console port of the AP I was working with to see if there were any errors, I can try to hook that up again and let you know what happens, if that would help.
05-08-2012 08:51 PM
If it is a domain laptop, it might automatically append <domain name>, even though it is not configured in your DHCP server. If you can, please plug in a non-domain device and see if the domain is being received through DHCP.
Aruba Customer Engineering
05-09-2012 12:59 AM
Yeah, I'd agree with the other guys. The switches look ok on the face of it at a glance.
What you can do (if your AP has a console port (125 and 105 do for example)), is plug the console into the AP during boot. Look at the outputs. It's pretty obvious what's going on in terms of controller discovery.