Occasional Contributor II

Why won't my bridged SSID come up?

Trying to create a bridged SSID where the carrier equipment is already providing DHCP.  LAN devices are getting 192.168.0.x addresses and working fine.  I put the controller on the subnet, and added the configuration, but the SSID is not broadcasting.

 

Default ap-group, SSID is BNET

 

version 6.2
enable secret "******"
hostname "Aruba650"
clock timezone EST -5
location "Building1.floor1"
controller config 3
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
  permit any
!
netservice svc-pcoip2-tcp tcp 4172
netservice svc-netbios-dgm udp 138
netservice svc-snmp-trap udp 162
netservice svc-citrix tcp 2598
netservice svc-syslog udp 514
netservice svc-l2tp udp 1701
netservice svc-ike udp 500
netservice svc-https tcp 443
netservice svc-smb-tcp tcp 445
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-sccp tcp 2000 alg sccp
netservice svc-telnet tcp 23
netservice svc-sec-papi udp 8209 alg sec-papi
netservice svc-lpd tcp 515
netservice svc-netbios-ssn tcp 139
netservice svc-sip-tcp tcp 5060
netservice svc-kerberos udp 88
netservice svc-tftp udp 69 alg tftp
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-http-proxy3 tcp 8888
netservice svc-noe udp 32512 alg noe
netservice svc-cfgm-tcp tcp 8211
netservice svc-adp udp 8200
netservice svc-pop3 tcp 110
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-msrpc-tcp tcp 135 139
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-h323-udp udp 1718 1719
netservice svc-h323-tcp tcp 1720
netservice svc-vocera udp 5002 alg vocera
netservice svc-http tcp 80
netservice svc-http-proxy2 tcp 8080
netservice svc-sip-udp udp 5060
netservice svc-nterm tcp 1026 1028
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211 alg papi
netservice svc-natt udp 4500
netservice svc-ftp tcp 21 alg ftp
netservice svc-microsoft-ds tcp 445
netservice svc-svp 119 alg svp
netservice svc-smtp tcp 25
netservice svc-gre 47
netservice web tcp list "80 443"
netservice svc-netbios-ns udp 137
netservice svc-sips tcp 5061 alg sips
netservice svc-smb-udp udp 445
netservice svc-ipp-tcp tcp 631
netservice svc-esp 50
netservice svc-pcoip2-udp udp 4172
netservice svc-v6-dhcp udp 546 547
netservice svc-snmp udp 161
netservice svc-bootp udp 67 69
netservice svc-msrpc-udp udp 135 139
netservice svc-ntp udp 123
netservice svc-icmp 1
netservice svc-ipp-udp udp 631
netservice svc-ssh tcp 22
netservice svc-v6-icmp 58
netservice svc-http-proxy1 tcp 3128
netservice svc-vmware-rdp tcp 3389
netexthdr default
!
time-range night-hours periodic
 weekday 18:01 to  23:59
 weekday 00:00 to  07:59
!
time-range weekend periodic
 weekend 00:00 to  23:59
!
time-range working-hours periodic
 weekday 08:00 to  18:00
!
ip access-list session v6-icmp-acl
  ipv6  any any svc-v6-icmp  permit
!
ip access-list session control
  user any udp 68  deny
  any any svc-icmp  permit
  any any svc-dns  permit
  any any svc-papi  permit
  any any svc-sec-papi  permit
  any any svc-cfgm-tcp  permit
  any any svc-adp  permit
  any any svc-tftp  permit
  any any svc-dhcp  permit
  any any svc-natt  permit
!
ip access-list session allow-diskservices
  any any svc-netbios-dgm  permit
  any any svc-netbios-ssn  permit
  any any svc-microsoft-ds  permit
  any any svc-netbios-ns  permit
!
ip access-list session validuser
  network 169.254.0.0 255.255.0.0 any any  deny
  any any any  permit
  ipv6  any any any  permit
!
ip access-list session v6-https-acl
  ipv6  any any svc-https  permit
!
ip access-list session vocera-acl
  any any svc-vocera  permit queue high
!
ip access-list session vmware-acl
  any any svc-vmware-rdp  permit tos 46 dot1p-priority 6
  any any svc-pcoip-tcp  permit tos 46 dot1p-priority 6
  any any svc-pcoip-udp  permit tos 46 dot1p-priority 6
  any any svc-pcoip2-tcp  permit tos 46 dot1p-priority 6
  any any svc-pcoip2-udp  permit tos 46 dot1p-priority 6
!
ip access-list session icmp-acl
  any any svc-icmp  permit
!
ip access-list session v6-control
  ipv6  user any udp 547  deny
  ipv6  any any svc-v6-icmp  permit
  ipv6  any any svc-dns  permit
  ipv6  any any svc-papi  permit
  ipv6  any any svc-sec-papi  permit
  ipv6  any any svc-cfgm-tcp  permit
  ipv6  any any svc-adp  permit
  ipv6  any any svc-tftp  permit
  ipv6  any any svc-dhcp  permit
  ipv6  any any svc-natt  permit
!
ip access-list session v6-dhcp-acl
  ipv6  any any svc-v6-dhcp  permit
!
ip access-list session captiveportal
  user   alias controller svc-https  dst-nat 8081
  user any svc-http  dst-nat 8080
  user any svc-https  dst-nat 8081
  user any svc-http-proxy1  dst-nat 8088
  user any svc-http-proxy2  dst-nat 8088
  user any svc-http-proxy3  dst-nat 8088
!
ip access-list session v6-dns-acl
  ipv6  any any svc-dns  permit
!
ip access-list session allowall
  any any any  permit
  ipv6  any any any  permit
!
ip access-list session https-acl
  any any svc-https  permit
!
ip access-list session sip-acl
  any any svc-sip-udp  permit queue high
  any any svc-sip-tcp  permit queue high
!
ip access-list session citrix-acl
  any any svc-citrix  permit tos 46 dot1p-priority 6
  any any svc-ica  permit tos 46 dot1p-priority 6
!
ip access-list session ra-guard
  ipv6  user any icmpv6 rtr-adv  deny
!
ip access-list session dns-acl
  any any svc-dns  permit
!
ip access-list session v6-allowall
  ipv6  any any any  permit
!
ip access-list session tftp-acl
  any any svc-tftp  permit
!
ip access-list session skinny-acl
  any any svc-sccp  permit queue high
!
ip access-list session srcnat
  user any any  src-nat
!
ip access-list session vpnlogon
  user any svc-ike  permit
  user any svc-esp  permit
  any any svc-l2tp  permit
  any any svc-pptp  permit
  any any svc-gre  permit
!
ip access-list session logon-control
  user any udp 68  deny
  any any svc-icmp  permit
  any any svc-dns  permit
  any any svc-dhcp  permit
  any any svc-natt  permit
!
ip access-list session allow-printservices
  any any svc-lpd  permit
  any any svc-ipp-tcp  permit
  any any svc-ipp-udp  permit
!
ip access-list session cplogout
  user   alias controller svc-https  dst-nat 8081
!
ip access-list session v6-http-acl
  ipv6  any any svc-http  permit
!
ip access-list session http-acl
  any any svc-http  permit
!
ip access-list session dhcp-acl
  any any svc-dhcp  permit
!
ip access-list session captiveportal6
  ipv6  user   alias controller6 svc-https  captive
  ipv6  user any svc-http  captive
  ipv6  user any svc-https  captive
  ipv6  user any svc-http-proxy1  captive
  ipv6  user any svc-http-proxy2  captive
  ipv6  user any svc-http-proxy3  captive
!
ip access-list session ap-uplink-acl
  any any udp 68  permit
  any any svc-icmp  permit
  any host 224.0.0.251 udp 5353  permit
!
ip access-list session noe-acl
  any any svc-noe  permit queue high
!
ip access-list session svp-acl
  any any svc-svp  permit queue high
  user host 224.0.1.116 any  permit
!
ip access-list session ap-acl
  any any svc-gre  permit
  any any svc-syslog  permit
  any user svc-snmp  permit
  user any svc-snmp-trap  permit
  user any svc-ntp  permit
  user any svc-ftp  permit
!
ip access-list session v6-ap-acl
  ipv6  any any svc-gre  permit
  ipv6  any any svc-syslog  permit
  ipv6  any user svc-snmp  permit
  ipv6  user any svc-snmp-trap  permit
  ipv6  user any svc-ntp  permit
  ipv6  user any svc-ftp  permit
!
ip access-list session v6-logon-control
  ipv6  user any udp 68  deny
  ipv6  any any svc-v6-icmp  permit
  ipv6  any any svc-v6-dhcp  permit
  ipv6  any any svc-dns  permit
!
ip access-list session h323-acl
  any any svc-h323-tcp  permit queue high
  any any svc-h323-udp  permit queue high
!
vpn-dialer default-dialer
  ike authentication PRE-SHARE ******
!
user-role ap-role
 access-list session control
 access-list session ap-acl
 access-list session v6-control
 access-list session v6-ap-acl
!
user-role default-vpn-role
 access-list session allowall
 access-list session v6-allowall
!
user-role voice
 access-list session sip-acl
 access-list session noe-acl
 access-list session svp-acl
 access-list session vocera-acl
 access-list session skinny-acl
 access-list session h323-acl
 access-list session dhcp-acl
 access-list session tftp-acl
 access-list session dns-acl
 access-list session icmp-acl
!
user-role default-via-role
 access-list session allowall
!
user-role guest-logon
 captive-portal "default"
 access-list session logon-control
 access-list session captiveportal
 access-list session v6-logon-control
 access-list session captiveportal6
!
user-role guest
 access-list session http-acl
 access-list session https-acl
 access-list session dhcp-acl
 access-list session icmp-acl
 access-list session dns-acl
 access-list session v6-http-acl
 access-list session v6-https-acl
 access-list session v6-dhcp-acl
 access-list session v6-icmp-acl
 access-list session v6-dns-acl
!
user-role stateful-dot1x
!
user-role authenticated
 access-list session allowall
 access-list session v6-allowall
!
user-role logon
 access-list session logon-control
 access-list session captiveportal
 access-list session vpnlogon
 access-list session v6-logon-control
 access-list session captiveportal6
!
!

interface mgmt
 shutdown
!

dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT#777
!

dialer group gsm_us
  init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
  dial-string ATD*99#
!

dialer group gsm_asia
  init-string AT+CGDCONT=1,"IP","internet"
  dial-string ATD*99***1#
!

dialer group vivo_br
  init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
  dial-string ATD*99#
!

 

 

interface gigabitethernet 1/0
 description "GE1/0"
 trusted
 trusted vlan 1-4094
!

interface gigabitethernet 1/1
 description "GE1/1"
 trusted
 trusted vlan 1-4094
!

interface gigabitethernet 1/2
 description "GE1/2"
 trusted
 trusted vlan 1-4094
!

interface gigabitethernet 1/3
 description "GE1/3"
 trusted
 trusted vlan 1-4094
!

interface gigabitethernet 1/4
 description "GE1/4"
 trusted
 trusted vlan 1-4094
!

interface gigabitethernet 1/5
 description "GE1/5"
 trusted
 trusted vlan 1-4094
!

interface gigabitethernet 1/6
 description "GE1/6"
 trusted
 trusted vlan 1-4094
!

interface gigabitethernet 1/7
 description "GE1/7"
 trusted
 trusted vlan 1-4094
!

interface vlan 1
 ip address 192.168.0.100 255.255.255.0
!

ip default-gateway 192.168.0.1
no uplink wired vlan 1
uplink disable

ap mesh-recovery-profile cluster Recovery/4E1vbkU1Ckuby+u wpa-hexkey c7d83ed505661272bb4347e1190114baa09ecb159e1ca51090ceb5628e168ecea3b522a04b590c15498d3f775f25afc07f13b9f122d1c28446b8fa469fff5143e8b84a58a3f24b27a6da87db14437cb9
crypto isakmp policy 20
  encryption aes256
!

crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
  set transform-set "default-transform" "default-aes"
!

crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2

vpdn group l2tp
!

 
 

!

vpdn group pptp
!

tunneled-node-address 0.0.0.0

adp discovery enable
adp igmp-join enable
adp igmp-vlan 0

voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600


mgmt-user admin root ff6ff7560194a45f1d91de5713e5a57ca7a63a5b91a99be94f

 


no database synchronize
database synchronize rf-plan-data

ip mobile domain default
!

ip igmp
!

ipv6 mld
!

no firewall attack-rate cp 1024
ipv6 firewall ext-hdr-parse-len  100

!

!
firewall cp
packet-capture-defaults tcp disable udp disable interprocess disable sysmsg disable other disable
!
ip domain lookup
!
country US
aaa authentication mac "default"
!
aaa authentication dot1x "default"
!
aaa authentication dot1x "dot1x_prof-dvw49"
!
aaa server-group "default"
 auth-server Internal
 set role condition role value-of
!
aaa profile "BNET-aaa_prof"
   initial-role "authenticated"
   authentication-dot1x "dot1x_prof-dvw49"
!
aaa profile "default"
!
aaa authentication captive-portal "default"
!
aaa authentication wispr "default"
!
aaa authentication vpn "default"
!
aaa authentication vpn "default-rap"
!
aaa authentication mgmt
!
aaa authentication stateful-ntlm "default"
!
aaa authentication stateful-kerberos "default"
!
aaa authentication stateful-dot1x
!
aaa authentication wired
!
web-server
!
guest-access-email
!
voice logging
!
voice dialplan-profile "default"
!
voice real-time-config
!
voice sip
!
aaa password-policy mgmt
!
control-plane-security
   no cpsec-enable
!
ids management-profile
!
ids wms-general-profile
   poll-retries 3
!
ids wms-local-system-profile
!
ids ap-rule-matching
!
valid-network-oui-profile
!
qos-profile "default"
!
policer-profile "default"
!
ap system-profile "default"
!
ap regulatory-domain-profile "default"
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
!
ap wired-ap-profile "default"
!
ap enet-link-profile "default"
!
ap mesh-ht-ssid-profile "default"
!
ap lldp med-network-policy-profile "default"
!
ap mesh-cluster-profile "default"
!
ap lldp profile "default"
!
ap mesh-radio-profile "default"
!
ap wired-port-profile "default"
!
ids general-profile "default"
!
ids rate-thresholds-profile "default"
!
ids signature-profile "default"
!
ids impersonation-profile "default"
!
ids unauthorized-device-profile "default"
!
ids signature-matching-profile "default"
   signature "Deauth-Broadcast"
   signature "Disassoc-Broadcast"
!
ids dos-profile "default"
!
ids profile "default"
!
rf arm-profile "arm-maintain"
   assignment maintain
   no scanning
!
rf arm-profile "arm-scan"
!
rf arm-profile "default"
!
rf optimization-profile "default"
!
rf event-thresholds-profile "default"
!
rf am-scan-profile "default"
!
rf dot11a-radio-profile "default"
!
rf dot11a-radio-profile "rp-maintain-a"
   arm-profile "arm-maintain"
!
rf dot11a-radio-profile "rp-monitor-a"
   mode am-mode
!
rf dot11a-radio-profile "rp-scan-a"
   arm-profile "arm-scan"
!
rf dot11g-radio-profile "default"
!
rf dot11g-radio-profile "rp-maintain-g"
   arm-profile "arm-maintain"
!
rf dot11g-radio-profile "rp-monitor-g"
   mode am-mode
!
rf dot11g-radio-profile "rp-scan-g"
   arm-profile "arm-scan"
!
wlan handover-trigger-profile "default"
!
wlan rrm-ie-profile "default"
!
wlan bcn-rpt-req-profile "default"
!
wlan tsm-req-profile "default"
!
wlan voip-cac-profile "default"
!
wlan ht-ssid-profile "BNET-htssid_prof"
!
wlan ht-ssid-profile "default"
!
wlan edca-parameters-profile station "default"
!
wlan edca-parameters-profile ap "default"
!
wlan dot11k-profile "default"
!
wlan ssid-profile "BNET-ssid_prof"
   essid "BNET"
   opmode wpa2-psk-aes
   wpa-passphrase 88cec7360fa18436b2664e6141717de82b71ab1166b6f01e
   ht-ssid-profile "BNET-htssid_prof"
!
wlan ssid-profile "default"
!
wlan virtual-ap "BNET-vap_prof"
   aaa-profile "BNET-aaa_prof"
   ssid-profile "BNET-ssid_prof"
   vlan 1
   forward-mode bridge
!
wlan virtual-ap "default"
!
ap provisioning-profile "default"
!
rf arm-rf-domain-profile
   arm-rf-domain-key "429ef06559c5a89d110d9c215861c1c3"
!
ap spectrum local-override
!
ap-group "default"
   virtual-ap "BNET-vap_prof"
!
logging level warnings security subcat ids
logging level warnings security subcat ids-ap

snmp-server enable trap

process monitor log
end

Guru Elite

Re: Why won't my bridged SSID come up?

control-plane-security
   no cpsec-enable

You need to enable control plane security for bridging to work:

CAUTION: This will cause an 8 to 10 minute outage minimum as control plane security is enabled on all of your access points.



Colin Joseph
Aruba Customer Engineering


Re: Why won't my bridged SSID come up?

Are your APs on vlan 1 also? 

 

You don't have cpsec enabled either.  Are they campus APs? You must have cpsec enabled for bridge mode campus APs or provision them as RAPs.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
Occasional Contributor II

Re: Why won't my bridged SSID come up?

Worked great.  I forgot I was running my APs in bridged campus mode which requires cpsec.

 

Thanks.
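The check the replies describe, written as an added example that is not part of the original thread or Aruba's own tooling: it scans a saved controller config for ap-groups that reference a virtual AP in `forward-mode bridge` while `no cpsec-enable` is set. The function names are hypothetical, the sample is cut down from the config posted above, and the script cannot tell campus APs from RAPs, so a finding is a prompt to review rather than proof of a fault.

```python
# Constructed sample: the stanzas of the posted config that matter for this check.
SAMPLE_CONFIG = '''\
control-plane-security
   no cpsec-enable
!
wlan virtual-ap "BNET-vap_prof"
   ssid-profile "BNET-ssid_prof"
   vlan 1
   forward-mode bridge
!
wlan virtual-ap "default"
!
ap-group "default"
   virtual-ap "BNET-vap_prof"
!
'''

def parse_stanzas(text):
    """Map each unindented header line to its list of indented body lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if raw.strip() in ("", "!"):      # blank line or "!" closes the stanza
            current = None
        elif raw[0].isspace():            # indented line belongs to the open stanza
            if current is not None:
                stanzas[current].append(raw.strip())
        else:                             # unindented line opens a new stanza
            current = raw.strip()
            stanzas.setdefault(current, [])
    return stanzas

def _name(line, prefix):
    """Strip the keyword prefix and optional quotes from a profile name."""
    return line[len(prefix):].strip().strip('"')

def bridge_without_cpsec(text):
    """Return (ap_group, virtual_ap) pairs that bridge while cpsec is disabled."""
    stanzas = parse_stanzas(text)
    # Assumption: cpsec counts as disabled only when "no cpsec-enable" is present.
    if "no cpsec-enable" not in stanzas.get("control-plane-security", []):
        return []
    bridged = {_name(h, "wlan virtual-ap") for h, b in stanzas.items()
               if h.startswith("wlan virtual-ap ") and "forward-mode bridge" in b}
    findings = []
    for header, body in stanzas.items():
        if header.startswith("ap-group "):
            for line in body:
                if line.startswith("virtual-ap ") and _name(line, "virtual-ap") in bridged:
                    findings.append((_name(header, "ap-group"), _name(line, "virtual-ap")))
    return findings

print(bridge_without_cpsec(SAMPLE_CONFIG))
```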
