Wireless Access

Occasional Contributor II
Posts: 13
Registered: ‎02-15-2011

Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

Hello all! This is my first post here, so hello everyone! Also, I apologize if I have this in the wrong place, but I thought this looked like the most appropriate place for my question.

I have an interesting problem, and I'm not sure where the exact problem lies or even how to ask the right question to get a solution. So, I think I'm just going to explain my situation and what I'm trying to accomplish, so I apologize again for this being so long!

I have an existing Aruba network at my High School with around 20 AP-105s. My controller lives in the Middle School where my main server closet is, and it is an Aruba 3600 controller. The two locations are tied together with dedicated fiber, and it's working splendidly.

I have purchased around 50 more APs to set up in our Middle School/Elementary school building (the same building where the controller lives). My plan is to set them up exactly like I have at the HS using the same controller.

After getting my new licenses and everything activated and installed on my controller, I decided to see if I could remember how to provision a new AP. I pulled out one of the new HP 24 port POE switches that I bought and set it up in my office and plugged it into the network, and then plugged one of my new AP-105s into it. It booted up, got a DHCP address, and I was able to provision it on my controller. Good so far!

Now it was time to set up that same new HP POE switch as I plan to have it installed in the closet. This is where things started to get a bit hairy.

I have an HP ProCurve switch on my network that I call my "core" switch. It does all the routing and everything for the VLANS on my network. My Aruba 3600 controller connects directly to this switch. A number of ports on this switch are configured as trunk ports and uplink to other switches on my network. One of these ports was already configured this way and not used any more, so I decided to use that to uplink to my new HP POE switch that my new APs will connect to.

After doing some research as to how to configure my new POE switch, I got the trunk connection working. I configured port 1 on the new switch as the trunked uplink to my core switch. I set the IP address of the switch to be in VLAN1, and I was able to configure a different port on the switch to be in a different VLAN, and when I connected a laptop to that port it worked exactly as expected. It got a DHCP address in the correct VLAN, and I was able to access different computers in different VLANS, and I was able to access THAT computer from other machines as well.

So, my final step was to plug in one of my new APs to this port configured for a different VLAN, and this is where things went wrong. The AP would not "check-in" with the controller. It was getting a DHCP address from my DHCP server, as I could see it getting a new lease, but I could not ping the AP nor would it ever show up on the Aruba controller where I could provision it.

If I use the same switch, but uplink it without using trunks (as I did when I first took it out of the box), everything works fine, no matter what VLAN it's plugged into. However, this isn't really the configuration I want.

So, I guess my question is, how do I make this work? What am I missing here? It doesn't appear to be my switch, because I can plug in a laptop to that port and it works exactly as it should. So, is there something I need to adjust on my Aruba Controller? If so, I have no idea where to even begin looking. What I'm trying to do is already being done with my existing APs at the High School. All traffic from the HS connects to this core switch over a trunk line, so I'm not sure what could be different.

Thank you all for reading, and if you have any ideas or need any other information from me, please don't hesitate to let me know!

MVP
Posts: 562
Registered: ‎11-28-2011

Re: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

This isn't a Procurve forum, but we're all here to help!!!

Are your switches Procurve E series? I know a bit about these. Are you comfortable posting your core and edge switch (in this test) configurations? Please do so if you are. Also tell us what your NORMAL VLAN is (i.e. the one where the controller IPs live), and any "other" VLAN where you plugged an AP and it didn't work.

In the first instance, I thought maybe you had a DNS/DHCP discovery problem for the AP, i.e. whenever your controller IPs are in a different VLAN/subnet to the AP in question, you've got to give the AP a way to "find" its controller, either by DNS lookup of "aruba-master" or by DHCP options 43/60. I'm going to assume this isn't your issue, because I think you're saying if you make your edge switch ingress into a core switch port on a different VLAN directly (like a Cisco access port, without an 802.1q tagged config), the AP works OK?

This makes me think it's a problem with your tagged/trunk uplink config on the switches. But then, I can't understand why a PC would work and route OK if so?!?!

Just leave your edge switch connected as you'd like, and post your core switch, edge switch and controller config (just the VLAN, port and IP bits). Then tell us from which VLAN the AP works, and does not.

Cheers.

Kudos appreciated, but I'm not hunting! (ACMX 104)
MVP
Posts: 562
Registered: ‎11-28-2011

Re: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

Oh, forgot to say, make sure you're not falling into the Cisco/Procurve terminology trap...

Cisco...

1. A port-channel is an 802.3ad style aggregate connection.

2. A trunk is an 802.1q tagged (multiple VLAN) link.

Procurve...

1. A trunk is an 802.3ad style aggregate connection.

2. A VLAN tagged link is an 802.1q tagged (multiple VLAN) link. You have to tag it on each VLAN you want it to run.

i.e. Cisco and Procurve = A "Trunk" is not the same thing!!!

Cheers.

Kudos appreciated, but I'm not hunting! (ACMX 104)
Occasional Contributor II
Posts: 13
Registered: ‎02-15-2011

Re: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

Thank you for your response! I posted here because I'm still not sure if it's a controller problem or a switch problem, but I appreciate your willingness to help regardless!

I'll get my configs downloaded and posted here ASAP.

Occasional Contributor II
Posts: 13
Registered: ‎02-15-2011

Re: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

OK, here are my configs. First, here is the "core" switch. This is an HP ProCurve 4204vl:

; J8770A Configuration Editor; Created on release #L.11.20

hostname "ShenandoahCore4204" 
module 1 type J8768A 
module 2 type J9033A 
interface B15 
   lacp Active 
exit
interface B16 
   lacp Active 
exit
interface B19 
   lacp Active 
exit
ip routing 
snmp-server community "public" Operator Unrestricted 
vlan 1 
   name "DEFAULT_VLAN" 
   untagged A1-A3,A7-A12,A14-A24,B2-B4,B6-B16,B18-B24 
   ip address 192.168.0.1 255.255.255.0 
   tagged A4 
   no untagged A5-A6,A13,B1,B5,B17 
   exit 
vlan 2 
   name "K8Network" 
   untagged A13,B1,B17 
   ip address 192.168.2.1 255.255.255.0 
   ip helper-address 192.168.0.10 
   tagged B12-B14,B16,B18-B24 
   exit 
vlan 3 
   name "HSNetwork" 
   untagged B5 
   ip address 192.168.3.1 255.255.255.0 
   ip helper-address 192.168.0.10 
   tagged B12-B14,B16-B20,B22-B24 
   exit 
vlan 4 
   name "WrlsStaff" 
   ip address 192.168.4.1 255.255.255.0 
   ip helper-address 192.168.0.10 
   tagged B12-B14,B16-B20,B22-B24 
   exit 
vlan 5 
   name "WrlsStdnt" 
   untagged A6 
   ip address 192.168.5.1 255.255.248.0 
   ip helper-address 192.168.0.10 
   tagged B12-B14,B16-B20,B22-B24 
   exit 
vlan 6 
   name "GuestWrls" 
   ip address 192.168.6.1 255.255.255.0 
   ip helper-address 192.168.0.10 
   tagged B12-B14,B16-B20,B22-B24 
   exit 
vlan 9 
   name "StdntWrls" 
   untagged A5 
   ip address 192.168.9.1 255.255.252.0 
   ip helper-address 192.168.0.10 
   tagged B12-B14,B16-B20,B22-B24 
   exit 
ip route 0.0.0.0 0.0.0.0 192.168.0.47 
interface B14
   dhcp-snooping trust
   exit
interface B24
   dhcp-snooping trust
   exit
spanning-tree
spanning-tree priority 0
password manager

 

Here is the config for my new edge POE switch. It is an HP V1910-24G-PoE:

#
 version 5.20 Release 1108P01
#
 sysname MS-POESWITCH-01
#
 domain default enable system 
#
 ip ttl-expires enable
#
vlan 1
 description DEFAULT_VLAN
#
vlan 2
 description K8Network
#
vlan 3
 description HSNetwork
#
vlan 4
 description WrlsStaff
#
vlan 5
 description ESNetwork
#
vlan 6
 description GuestWrls
#
vlan 9
 description StdntWrls
#
domain system 
 access-limit disable 
 state active 
 idle-cut disable 
 self-service-url disable 
#
user-group system
#
local-user admin
 authorization-attribute level 3
 service-type ssh telnet terminal
#
 stp mode rstp
 stp enable
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.170 255.255.255.0 
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1 to 6 9
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/2
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid vlan 2 tagged
 port hybrid vlan 1 untagged
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/4
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/5
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/6
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/7
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/8
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/9
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/10
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/11
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/12
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/13
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/14
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/15
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/16
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/17
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/18
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/19
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/20
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/21
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/22
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/23
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/24
 poe enable
 stp edged-port enable
#
interface GigabitEthernet1/0/25
 stp edged-port enable
#
interface GigabitEthernet1/0/26
 stp edged-port enable
#
interface GigabitEthernet1/0/27
 stp edged-port enable
#
interface GigabitEthernet1/0/28
 stp edged-port enable
#
 ip route-static 0.0.0.0 0.0.0.0 192.168.0.1 
#
 load xml-configuration 
#
user-interface aux 0
 authentication-mode scheme
user-interface vty 0 15
 authentication-mode scheme
#
return

...and finally, here is the config for my Aruba controller:

version 3.3
country US
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161

!



logging level warnings stm

wms
 general poll-interval 60000
 general poll-retries 3
 general stat-update enable
 general ap-ageout-interval 30
 general sta-ageout-interval 30
 general learn-ap disable
 general persistent-known-interfering enable
!

adp discovery enable
adp igmp-join enable
adp igmp-vlan 0

netservice svc-icmp 1 
netservice svc-esp 50
netservice svc-gre 47
netservice svc-svp 119
netservice svc-ftp tcp 21
netservice svc-ssh tcp 22
netservice svc-smtp tcp 25
netservice svc-telnet tcp 23
netservice svc-dns udp 53
netservice svc-dhcp udp 67 68
netservice svc-bootp udp 67 69
netservice svc-tftp udp 69
netservice svc-http tcp 80
netservice svc-kerberos udp 88
netservice svc-pop3 tcp 110
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-msrpc-tcp tcp 135 139
netservice svc-snmp udp 161
netservice svc-snmp-trap udp 162
netservice svc-smb-udp udp 445
netservice svc-smb-tcp tcp 445
netservice svc-https tcp 443
netservice svc-ike udp 500
netservice svc-rtsp tcp 554
netservice svc-nterm tcp 1026 1028
netservice svc-l2tp udp 1701
netservice svc-pptp tcp 1723
netservice svc-sccp tcp 2000
netservice svc-natt udp 4500
netservice svc-vocera udp 5002
netservice svc-sip-udp udp 5060
netservice svc-sip-tcp tcp 5060
netservice svc-sips tcp 5061
netservice svc-adp udp 8200
netservice svc-papi udp 8211
netservice svc-cfgm-tcp tcp 8211
netservice svc-syslog udp 514
netservice svc-noe udp 32512
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-http-proxy1 tcp 3128
netservice svc-http-proxy2 tcp 8080
netservice svc-http-proxy3 tcp 8888
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-v6-icmp 58
netservice svc-v6-dhcp udp 546 547

ip access-list session control
 user any udp 68 deny
 any any svc-icmp permit
 any any svc-dns permit
 any any svc-papi permit
 any any svc-cfgm-tcp permit
 any any svc-adp permit
 any any svc-tftp permit
 any any svc-dhcp permit
 any any svc-natt permit
!

ip access-list session logon-control
 user any udp 68 deny
 any any svc-icmp permit
 any any svc-dns permit
 any any svc-dhcp permit
 any any svc-natt permit
!

ip access-list session ap-acl
 any any udp 5000
 any any udp 5555
 any any svc-gre permit
 any any svc-syslog permit
 any user svc-snmp permit
 user any svc-snmp-trap permit
 user any svc-ntp permit
!

ip access-list session allowall
 any any any permit
!

ip access-list session captiveportal
 user alias controller svc-https dst-nat 8081
 user any svc-http dst-nat 8080
 user any svc-https dst-nat 8081
 user any svc-http-proxy1 dst-nat 8088
 user any svc-http-proxy2 dst-nat 8088
 user any svc-http-proxy3 dst-nat 8088
!

ip access-list session cplogout
 user alias controller svc-https dst-nat 8081
!

ip access-list session vpnlogon
 user any svc-ike permit
 user any svc-esp permit
 any any svc-l2tp permit
 any any svc-pptp permit
 any any svc-gre permit
!

ip access-list session srcnat
 user any any src-nat
!

ip access-list session sip-acl
 any any svc-sip-udp permit queue high
 any any svc-sip-tcp permit queue high
!

ip access-list session svp-acl
 any any svc-svp permit queue high
 user host 224.0.1.116 any permit
!

ip access-list session vocera-acl
 any any svc-vocera permit queue high
!

ip access-list session noe-acl
 any any svc-noe permit queue high
!

ip access-list session skinny-acl
 any any svc-sccp permit queue high
!

ip access-list session h323-acl
 any any svc-h323-tcp permit queue high
 any any svc-h323-udp permit queue high
!

ip access-list session dhcp-acl          
 any any svc-dhcp permit
!

ip access-list session icmp-acl          
 any any svc-icmp permit
!

ip access-list session tftp-acl
 any any svc-tftp permit
!

ip access-list session dns-acl
 any any svc-dns permit
!

ip access-list session http-acl
 any any svc-http permit
!

ip access-list session https-acl
 any any svc-https permit
!

ipv6 access-list session v6-logon-control
 user any udp 68 deny
 any any svc-v6-icmp permit
 any any svc-v6-dhcp permit
 any any svc-dns permit
!

ipv6 access-list session v6-dhcp-acl
 any any svc-v6-dhcp permit
!

ipv6 access-list session v6-icmp-acl
 any any svc-v6-icmp permit
!

ipv6 access-list session v6-dns-acl
 any any svc-dns permit
!

ipv6 access-list session v6-http-acl
 any any svc-http permit
!

ipv6 access-list session v6-https-acl
 any any svc-https permit
!

ipv6 access-list session v6-allowall
 any any any permit
!

user-role authenticated
 session-acl allowall
 ipv6 session-acl v6-allowall
!

user-role default-vpn-role
 session-acl allowall
 ipv6 session-acl v6-allowall
!

user-role logon
 session-acl logon-control
 session-acl captiveportal
 session-acl vpnlogon
 ipv6 session-acl v6-logon-control
!

user-role guest-logon
 session-acl logon-control
 session-acl captiveportal
 captive-portal default
!

user-role ap-role
 session-acl control
 session-acl ap-acl
!

user-role voice
 session-acl sip-acl
 session-acl noe-acl
 session-acl svp-acl
 session-acl vocera-acl
 session-acl skinny-acl
 session-acl h323-acl
 session-acl dhcp-acl
 session-acl tftp-acl
 session-acl dns-acl
 session-acl icmp-acl
!

user-role guest
 session-acl http-acl
 session-acl https-acl
 session-acl dhcp-acl
 session-acl icmp-acl
 session-acl dns-acl
 ipv6 session-acl v6-http-acl
 ipv6 session-acl v6-https-acl
 ipv6 session-acl v6-dhcp-acl
 ipv6 session-acl v6-icmp-acl
 ipv6 session-acl v6-dns-acl
!

aaa server-group default
 auth-server Internal
 set role condition role value-of
!
aaa authentication vpn default-role default-vpn-role

mgmt-role read-only
 description "This is the Default View Only Role"
 permit view-only
!

crypto isakmp policy 20
  encryption aes256
!
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes
!
wms
 valid-11b-channel 1 mode enable
 valid-11b-channel 6 mode enable
 valid-11b-channel 11 mode enable
 
 valid-11a-channel 36 mode enable
 valid-11a-channel 40 mode enable
 valid-11a-channel 44 mode enable
 valid-11a-channel 48 mode enable
 valid-11a-channel 149 mode enable
 valid-11a-channel 153 mode enable
 valid-11a-channel 157 mode enable
 valid-11a-channel 161 mode enable
 valid-11a-channel 165 mode enable
!

hostname Aruba3600

interface vlan 1
  ip address 192.168.0.20 255.255.0.0
!

ip default-gateway 192.168.0.47

localip 0.0.0.0 ipsec xxx

clock timezone CST -6 0

mgmt-user admin root xxx

enable secret "xxx"

trusted all

The IP address for my controller is 192.168.0.20, and I have a DNS entry for "aruba-master" pointing to that. The port on the core switch I'm uplinking to is B19. The uplink port on the edge POE switch is port GigabitEthernet1/0/1. The port I'm setting up for the AP is GigabitEthernet1/0/3. Right now I have a laptop plugged into that port, and it's working perfectly. I get a DHCP address for VLAN 2, and I can ping servers in VLAN 1 and get to the internet.

Please let me know if there is any other info from me that may help! Thank you!
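
The terminology point made earlier in the thread (on a ProCurve a "trunk" is LACP and 802.1Q membership is declared per VLAN with tagged/untagged, while the V1910's Comware CLI declares it per port with link-type trunk/hybrid) makes it easy to misread which VLANs actually ride an uplink. The following is an added example, not code from the thread or from HP: it parses trimmed copies of the two configs posted above into one per-port tagged/untagged vocabulary and diffs the two ends of the uplink (core B19 to edge GigabitEthernet1/0/1). It assumes the Comware defaults of PVID 1 on every port, an access port carrying only its PVID untagged, and a trunk carrying the PVID untagged with the other permitted VLANs tagged; the helper names are this example's own.

```python
"""Per-port VLAN view for a ProCurve core and a Comware (V1910) edge switch.
Added example, not code from the thread or from HP; the config snippets are
trimmed from the thread's posted configs, the helper names are this example's.
"""
import re

# Trimmed from the posted ProCurve 4204vl "core" config (VLAN blocks only).
CORE_CONFIG = """
vlan 1
   untagged A1-A3,A7-A12,A14-A24,B2-B4,B6-B16,B18-B24
   tagged A4
   no untagged A5-A6,A13,B1,B5,B17
vlan 2
   untagged A13,B1,B17
   tagged B12-B14,B16,B18-B24
vlan 3
   untagged B5
   tagged B12-B14,B16-B20,B22-B24
vlan 4
   tagged B12-B14,B16-B20,B22-B24
vlan 5
   untagged A6
   tagged B12-B14,B16-B20,B22-B24
vlan 6
   tagged B12-B14,B16-B20,B22-B24
vlan 9
   untagged A5
   tagged B12-B14,B16-B20,B22-B24
"""

# Trimmed from the posted HP V1910 (Comware) edge config (three ports).
EDGE_CONFIG = """
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1 to 6 9
interface GigabitEthernet1/0/2
 poe enable
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid vlan 2 tagged
 port hybrid vlan 1 untagged
"""


def expand_ports(spec):
    """ProCurve port list 'A1-A3,B12' -> {'A1', 'A2', 'A3', 'B12'}."""
    ports = set()
    for item in spec.split(","):
        m = re.fullmatch(r"([A-Z]?)(\d+)(?:-[A-Z]?(\d+))?", item.strip())
        if not m:
            raise ValueError("bad port spec: " + item)
        prefix, lo, hi = m.groups()
        ports.update(f"{prefix}{n}" for n in range(int(lo), int(hi or lo) + 1))
    return ports


def parse_procurve(text):
    """'vlan N' blocks -> {port: {'tagged': set, 'untagged': set}}."""
    members, vlan = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m.group(1))
        elif (m := re.fullmatch(r"(no )?(tagged|untagged) (\S+)", line)) and vlan:
            negate, mode, spec = m.groups()
            for port in expand_ports(spec):
                entry = members.setdefault(port, {"tagged": set(), "untagged": set()})
                (entry[mode].discard if negate else entry[mode].add)(vlan)
    return members


def expand_vlans(spec):
    """Comware VLAN list '1 to 6 9' -> {1, 2, 3, 4, 5, 6, 9}."""
    toks, vlans = spec.split(), set()
    while toks:
        if len(toks) > 2 and toks[1] == "to":
            vlans.update(range(int(toks[0]), int(toks[2]) + 1))
            del toks[:3]
        else:
            vlans.add(int(toks.pop(0)))
    return vlans


def parse_comware(text, pvid=1):
    """Interface blocks -> the same per-port structure as parse_procurve().

    Assumed Comware defaults: every port has PVID 1; an access port carries
    only its PVID untagged; a trunk carries the PVID untagged (if permitted)
    and every other permitted VLAN tagged; hybrid lines override per VLAN.
    """
    members, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = members[m.group(1)] = {"tagged": set(), "untagged": {pvid}}
        elif cur is None:
            continue
        elif m := re.fullmatch(r"port trunk permit vlan (.+)", line):
            allowed = expand_vlans(m.group(1))
            cur["tagged"], cur["untagged"] = allowed - {pvid}, allowed & {pvid}
        elif m := re.fullmatch(r"port hybrid vlan (.+) (tagged|untagged)", line):
            vlans, mode = expand_vlans(m.group(1)), m.group(2)
            cur[mode] |= vlans
            cur["untagged" if mode == "tagged" else "tagged"] -= vlans
    return members


def uplink_mismatch(core, core_port, edge, edge_port):
    """(mode, vlan) pairs configured on only one end of the 802.1Q link."""
    a, b = core[core_port], edge[edge_port]
    return {(mode, v) for mode in ("tagged", "untagged") for v in a[mode] ^ b[mode]}


if __name__ == "__main__":
    core, edge = parse_procurve(CORE_CONFIG), parse_comware(EDGE_CONFIG)
    for name, view in (("core B19", core["B19"]), ("edge 1/0/1", edge["GigabitEthernet1/0/1"]),
                       ("edge 1/0/3", edge["GigabitEthernet1/0/3"])):
        print(name, "untagged", sorted(view["untagged"]), "tagged", sorted(view["tagged"]))
    print("uplink mismatch:", uplink_mismatch(core, "B19", edge, "GigabitEthernet1/0/1") or "none")
```

Run against the posted snippets, B19 and GigabitEthernet1/0/1 agree (VLAN 1 untagged, VLANs 2 to 6 and 9 tagged), so the 802.1Q uplink itself is consistent end to end. The same view for GigabitEthernet1/0/3 under the assumed default PVID is VLAN 1 untagged and VLAN 2 tagged, which is the port-level fact to confirm on the switch itself (`display current-configuration interface GigabitEthernet1/0/3` shows any non-default PVID) before looking at the controller.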


Aruba Employee
Posts: 135
Registered: ‎06-18-2007

Re: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

Does your DHCP server have a domain name for the IP scope where you want to configure the new AP? Usually if you're using DNS for the APs to find the controller, the DHCP scope needs the domain name so it can resolve "aruba-master.<your_domain>".

It sounds like you have the network piece configured correctly. I would assume that if you plug in a laptop on the new switch and get an IP address, you can ping/access the controller. If this is the case, then I would venture to say your network piece is configured to allow L3 connectivity between the sites.

-Mike

Occasional Contributor II
Posts: 13
Registered: ‎02-15-2011

Re: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

Yes, I do have the domain name in my DHCP server. In fact, one of the first things I checked when I plugged my laptop into that port was a ping to "aruba-master", and it appended the ".domain.name" to the end of it and resolved to the correct address.

So, if my network is configured properly, then does that mean my problem is somewhere in the configuration of my Aruba controller? I hooked up a cable to the console port of the AP I was working with to see if there were any errors. I can try to hook that up again and let you know what happens, if that would help.

Guru Elite
Posts: 21,487
Registered: ‎03-29-2007

Re: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

Mister Vertigo,

If it is a domain laptop, it might automatically append <domain name>, even though it is not configured in your DHCP server. If you can, please plug in a non-domain device and see if the domain is being received through DHCP.

Colin Joseph
Aruba Customer Engineering

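Three replies above point at the same prerequisite: for DNS-based discovery the AP must receive a domain name (DHCP option 15) so that "aruba-master" becomes a resolvable FQDN, the alternative being DHCP options 43/60. The following is an added example, not code from the thread or from Aruba: it builds a constructed DHCP OFFER, walks its option list, and reports which discovery targets that lease actually hands an AP. The option 43 layout (controller IP as plain ASCII, returned to clients whose option 60 vendor class is "ArubaAP") is the documented ArubaOS convention and is assumed here rather than shown in the thread; "school.example", the sample addresses in VLAN 2 and the helper names are this example's own, while 192.168.0.20 is the controller address given in the thread.

```python
"""What an AP learns from a DHCP OFFER about where its controller is.
Added example, not code from the thread or from Aruba. The packets are
constructed here; 192.168.0.20 is the controller address given in the thread.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that starts the options field


def build_offer(yiaddr, options):
    """Minimal DHCPOFFER: RFC 2131 fixed fields, cookie, (code, value) options, END."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                 # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0x8000,      # xid, secs, flags (broadcast bit set)
        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
        b"\0" * 16, b"\0" * 64, b"\0" * 128,   # chaddr, sname, file
    )
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"


def parse_options(packet):
    """Walk the TLV option list -> {code: bytes}; repeated codes are concatenated."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:               # PAD: single byte, no length
            i += 1
            continue
        if code == 255:             # END
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def discovery_candidates(opts):
    """(method, target) pairs in the order this example assumes an AP tries them.

    Assumption (documented ArubaOS convention, not shown in the thread): the AP
    sends option 60 "ArubaAP" and the server answers that class with option 43
    holding the controller IP as plain ASCII. Without option 15 the DNS name
    stays the bare "aruba-master", which is all a non-domain host would query.
    """
    found = []
    if 43 in opts:
        raw = opts[43].rstrip(b"\0").decode("ascii", "replace")
        try:                        # validate before trusting it as a controller address
            found.append(("dhcp-option-43", str(ipaddress.IPv4Address(raw))))
        except ValueError:
            found.append(("dhcp-option-43-unparsed", raw))
    domain = opts.get(15, b"").rstrip(b"\0").decode("ascii", "replace")
    found.append(("dns", "aruba-master" + ("." + domain if domain else "")))
    return found


def ip_opt(code, addr):
    """Helper for the address-valued options (subnet mask, router, DNS server)."""
    return (code, ipaddress.IPv4Address(addr).packed)


# Constructed: a VLAN 2 lease whose scope carries a domain name and option 43.
SAMPLE_OFFER = build_offer("192.168.2.50", [
    (53, b"\x02"), ip_opt(1, "255.255.255.0"), ip_opt(3, "192.168.2.1"),
    ip_opt(6, "192.168.0.10"), (15, b"school.example"), (43, b"192.168.0.20"),
])
# Constructed: the same scope handing out neither option 15 nor option 43.
SAMPLE_OFFER_BARE = build_offer("192.168.2.51", [(53, b"\x02"), ip_opt(3, "192.168.2.1")])

if __name__ == "__main__":
    for pkt in (SAMPLE_OFFER, SAMPLE_OFFER_BARE):
        print(discovery_candidates(parse_options(pkt)))
```

With the bare sample the only candidate left is the unqualified "aruba-master", which a domain-joined laptop silently completes with its own suffix and an AP does not; that is the difference a non-domain test device is meant to expose. A capture of the real OFFER on the AP port, passed to parse_options(), answers the same question for the production scope without guessing from a laptop's ping.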

Occasional Contributor II
Posts: 13
Registered: ‎02-15-2011

Re: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

Good point. I'll try this when I get back to the office in the morning.

MVP
Posts: 562
Registered: ‎11-28-2011

Re: Setting up APs in New Building - VLANs, Trunks, DHCP, oh my!

Yeah, I'd agree with the other guys. The switches look OK on the face of it at a glance.

What you can do (if your AP has a console port; the 125 and 105 do, for example) is plug the console into the AP during boot. Look at the outputs. It's pretty obvious what's going on in terms of controller discovery.

Cheers.

Kudos appreciated, but I'm not hunting! (ACMX 104)