Wireless Access

Hello,

 

i've a strange problem about VLAN configuration that occured after a reboot of the controller (3600 OS 6.1.2.3).

In my network i have a VLAN (31) associated with the Corporate wifi network (used by most users), this VLAN is configurated on the GE1/1 in Access Mode (follow some pics):

 

 

 

 

 

My Corporate VAP is associated to this VLAN in tunnel mode (i do not have NGPEF licences intalled)

 

 

The problem is that the traffic that exit from port 1/1 has not VLAN ID set on the ethernet packet, so the firewall on the other end of the wire could not manage this traffic. Everything worked fine until i've restored an old configuration, but doublechecking i thinks that this configuration should be ok.

 

 

any help is appreciated.

 

Thanks,

Davide

#3600

Make sure your infrastructure can ping the ip address of that interface on your network.  Also make sure you do not have "ip nat inside" or source nat configured for that VLAN interface.

 

Hello,

 

Thanks for the rapid answer. 

No, i can not ping the interface on the VLAN 31.

 

My phisic infrastructure is very simple:

3600 GE1/1 ------- wire ------- Firewall 

(there is nothing in the middle)

 

On GE1/1 is configurated the VLAN 31, same thing on the interface of the Firewall (eth7=physic interface; eth7.31=VLAN31)

The strange thing is that my packets arive on the physic interface eth7 and not on the eth7.31

 

ex:

 

tcpdump -n -i eth7
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth7, link-type EN10MB (Ethernet), capture size 96 bytes
16:43:24.898633 arp who-has 10.31.0.240 tell 10.31.0.213
16:43:24.928618 arp who-has 10.31.0.240 tell 10.31.0.229
16:43:25.618190 arp who-has 10.31.0.240 tell 10.31.0.229

 

Using wireshark i also checked that the VLAN ID is missing, so the problem should be on the controller.

 

 

 

 

So if you have a subinterface, that means you are doing 802.1q encapsulation, and the controller port needs to be on a trunk?  In that case, change that management port to a trunk.  Make sure that VLAN 31 is allowed, but make the default or management VLAN anything but 31.

 

Hello, 

Thanks again, i've changed the configuration on the port 1, but still i receive packets (arp requests asking for the GW) on the physic port insteed the virtual one. :smileysad:

 

Should i reboot the controller after change this settings?

 

You should not need to reboot. Try to ping the controller from the firewall.

What is the native vlan on that port?

the ping do not works in both direction 10.31.0.193 (Controller) <--> 10.31.0.240 (Firewall)
I've set the native VLAN 31 on port 1/1. however i'm not very skilled on aruba so please can you tell me how check it ? (maybe using cli). I will not reply until next day because i'm leaving now, thanks very much for your help.

 

Davide

Okay.  Let's check to make sure the port is a trunk by typing "show trunk".  If it is NOT a trunk, change it to a trunk by typing:

 

config t

interface gigabitethernet 1/1

switchport mode trunk

switchport trunk allowed vlan all

switchport trunk native vlan 1

 

show trunk

 

You should see the trunk, your VLANs allowed and your native VLAN.

 

As Colin suggested, if you are looking for 802.1q encapsulation, then the port must be trunked.   However, your native VLAN is not tagged.  Thus in your screenshot, you have VLAN 31 as your native VLAN, this will not get tagged; add VLAN 1 to the allowed VLANs and make that your native VLAN.

 

Also, on Colin's commands to create your trunk port, one minor correction:

 

config t

interface gigabitethernet 1/1

switchport mode trunk

switchport trunk allowed vlan all

switchport trunk native vlan 1

 

show trunk

---

@clembo wrote:

As Colin suggested, if you are looking for 802.1q encapsulation, then the port must be trunked.   However, your native VLAN is not tagged.  Thus in your screenshot, you have VLAN 31 as your native VLAN, this will not get tagged; add VLAN 1 to the allowed VLANs and make that your native VLAN.

 

Also, on Colin's commands to create your trunk port, one minor correction:

 

config t

interface gigabitethernet 1/1

switchport mode trunk

switchport trunk allowed vlan all

switchport trunk native vlan 1

 

show trunk

---

 

clembo,

 

Thank you.  I corrected the original post, just like your example.

 

Do you see arp on both sides?

 

on controller you can run "show arp" to verify?

 

Thanks,

Pradeep

Ok thanks you guys, your instructions work like a charm, now everythings is ok (including arp).

This forum is certainly better than the support I have from my direct supplier !!

 

#show trunk

Trunk Port Table
-----------------
Port Vlans Allowed Vlans Active Native Vlan
---- ------------- ------------ -----------
GE1/1 31 31 31

 

#configure t
Enter Configuration commands, one per line. End with CNTL/Z

(3600-) (config) #interface gigabitethernet 1/1
(3600-) (config-if)#switchport mode trunk
(3600-) (config-if)#switchport trunk allowed vlan all
(3600-) (config-if)#switchport trunk native vlan 1
(3600-) (config-if)#show trunk

Trunk Port Table
-----------------
Port Vlans Allowed Vlans Active Native Vlan
---- ------------- ------------ -----------
GE1/1 ALL 1,31,77,192 1

You could also narrow down the list of allowed VLANs to what you need, rather than All (not sure if you need 77 or 192 on the trunk) while leaving your other settings.

 

switchport trunk allowed vlan 1,31

 

Yes, Thanks clembo i did this bu my own ... 

Now i have the vlan 1 and 31, and the 1 is native. everythings fine ... thank you very much