Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

unable to access to the internet from my VLANs

  • 1.  unable to access to the internet from my VLANs

    Posted Sep 04, 2017 09:31 AM

    Hello everyone

     

    I'm doing a test on my new controller.

     

    I am trying to configure VLAN 10 on 10.1.2.0/24 for users in the VLAN 10 to get access to the internet.

     

    According to the network diagram below, I can access the internet on VLAN 8 which is connected to ISP Router. The ISP modem has DHCP server installed on it on 192.168.10.0/24 subnet.

     

    How can I configure VLAN 10 to allow users on that VLAN to access the internet through VLAN 8?

     

    I’ve enabled “IP NAT INSIDE” on VLAN 10 and added a default route pointing to the ISP Router.

     

    Some test results:

    The clients are able to ping the interface VLAN8 On Aruba : 192.168.10.2

    The clients are able to ping the interface VLAN10 On Aruba 10.1.2.1

    The clients are not able to ping the interface of the ISP router: 192.168.10.1

     

     

     

    Network Diagram :

    [ISP Modem 192.168.10.1]< -------192.168.10.0------->(192.168.10.2) - [Aruba Controller] - (10.1.2.1)< -------10.1.2.0------->[10.1.2.1 - VLAN10]

     

    Below are some extracts of my settings:

     

    interface vlan 8

            ip address 192.168.10.2 255.255.255.0

     

    interface vlan 10

            ip address 10.1.2.1 255.255.255.0

            ip nat inside

            operstate up

     

     

    show ip route

     

    Codes: C - connected, O - OSPF, R - RIP, S - static

           M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

     

    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10

    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10

    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10

    Gateway of last resort is 192.168.10.1 to network 0.0.0.0 at cost 1

    S*    0.0.0.0/0  [1/0] via 192.168.10.1*

    S    172.18.30.0/24 [1/0] ipsec map VPN

    C    192.168.10.0/24 is directly connected, VLAN8

    C    10.2.0.0/24 is directly connected, VLAN12

    C    10.3.0.0/24 is directly connected, VLAN13

    C    10.4.0.0/24 is directly connected, VLAN14

    C    10.5.0.0/24 is directly connected, VLAN15

    C    10.1.2.0/24 is directly connected, VLAN10

    C    10.1.0.0/24 is directly connected, VLAN11

    C    172.18.10.0/24 is an ipsec map VPN

     

    It seems to be a NAT issue on the VLAN interfaces, but I couldn't understand what's wrong.

    Any help will be welcome.

     

     

    Thanks.

     



  • 2.  RE: unable to access to the internet from my VLANs

    EMPLOYEE
    Posted Sep 04, 2017 10:39 AM

    Setup looks to be fine.  How are you testing, wired or wireless client?



  • 3.  RE: unable to access to the internet from my VLANs

    Posted Sep 04, 2017 10:48 AM

    I test with a wireless client and I cannot access the internet. And if I ping 8.8.8.8 with the VLAN 10 interface, the ping does not succeed.

    Thanks



  • 4.  RE: unable to access to the internet from my VLANs

    EMPLOYEE
    Posted Sep 04, 2017 10:54 AM

    The default gateway of your clients should be 10.1.2.1



  • 5.  RE: unable to access to the internet from my VLANs

    Posted Sep 04, 2017 01:32 PM

    Thank you Joseph for your reply.

    I configured the DHCP server for user access like this:

    ip dhcp pool do-AP01-users
    network 10.1.2.0 255.255.255.0
    default-router 10.1.2.1
    dns-server 10.1.2.1
    ip dhcp excluded-address 10.1.0.1 10.1.0.100

     

    I enabled the DHCP server for users on the controller.

     



  • 6.  RE: unable to access to the internet from my VLANs

    EMPLOYEE
    Posted Sep 04, 2017 03:21 PM

    @Nickoo wrote:

    I test with a wireless client and I cannot access the internet. And if I ping 8.8.8.8 with the VLAN 10 interface, the ping does not succeed.

    Thanks


    If your controller cannot get to the internet, the clients that are source-NATed through the controller also cannot get to the internet.  You need to figure out why the IP address of the controller is not allowed to reach the internet.



  • 7.  RE: unable to access to the internet from my VLANs

    Posted Sep 04, 2017 04:15 PM

    Thanks Joseph for your reply.

     

    The controller interface which is on VLAN 8 (192.168.10.0 subnet) can get internet from the ISP Modem. But not the controller interface on VLAN 10 (10.1.2.0 subnet).



  • 8.  RE: unable to access to the internet from my VLANs

    EMPLOYEE
    Posted Sep 04, 2017 06:37 PM

    Can the controller ping addresses beyond the default gateway?

     

    You should honestly only need to do an ip nat inside on the interface with your clients, and all the traffic should be natted out of the ip address of the controller.



  • 9.  RE: unable to access to the internet from my VLANs

    Posted Sep 05, 2017 04:01 AM

    Hello Joseph.

    Thanks again for your help.

    Test ping succeeded on VLAN 8 but not on VLAN 10.

     

    (Aruba) #ping 8.8.8.8 source 8

    Press 'q' to abort.

    Sending 5, 92-byte ICMP Echos to 8.8.8.8 from 192.168.10.2, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 4.709/4.8162/5.046 ms

     

    (Aruba) #ping 8.8.8.8 source 10

    Press 'q' to abort.

    Sending 5, 92-byte ICMP Echos to 8.8.8.8 from 10.1.2.1, timeout is 2 seconds:

    .....

    Success rate is 0 percent (0/5)

     

    I am sending you some output from my configuration.

     

     

    (aruba) #show ip interface brief

     

    Interface                   IP Address / IP Netmask        Admin   Protocol   VRRP-IP         (VRRP-Id)

    vlan 8                    192.168.10.2 / 255.255.255.0     up      up         none            (none)

    vlan 1                    172.16.0.254 / 255.255.255.0     down    down       none            (none)

    vlan 10                       10.1.2.1 / 255.255.255.0     up      up         none            (none)

    loopback                  192.168.10.4 / 255.255.255.255   up      up

     

    (aruba) #show ip dhcp database

     

    DHCP enabled

     

    # users01-pool

    subnet 10.1.2.0 netmask 255.255.255.0 {

            option vendor-class-identifier  "ArubaAP";

            option vendor-encapsulated-options  "192.168.10.2";

            option routers 10.1.2.1;

            range 10.1.2.101 10.1.2.254;

            authoritative;

    }

     

    (aruba) #show interface vlan 10

     

    VLAN10 is up line protocol is up

    Hardware is CPU Interface, Interface address is 20:4C:03:0A:91:E0 (bia 20:4C:03:0A:91:E0)

    Description: 802.1Q VLAN

    Internet address is 10.1.2.1  255.255.255.0

    IPv6 Router Advertisements are disabled

    Routing interface is enable, Forwarding mode is enable

    Directed broadcast is disabled, BCMC Optimization disabled ProxyARP disabled Suppress ARP enable

    Encapsulation 802, loopback not set

    MTU 1500 bytes

    IP NAT Inside is enabled on this interface

    Last clearing of "show interface" counters 0 day 0 hr 57 min 11 sec

    link status last changed 0 day 0 hr 53 min 28 sec

    Proxy Arp is disabled for the Interface

    Auto Operstate up is enabled for this Interface

     

    (aruba) #show interface vlan 8

     

    VLAN8 is up line protocol is up

    Hardware is CPU Interface, Interface address is 20:4C:03:0A:91:E0 (bia 20:4C:03:0A:91:E0)

    Description: 802.1Q VLAN

    Internet address is 192.168.10.2  255.255.255.0

    IPv6 Router Advertisements are disabled

    Routing interface is enable, Forwarding mode is enable

    Directed broadcast is disabled, BCMC Optimization disabled ProxyARP disabled Suppress ARP enable

    Encapsulation 802, loopback not set

    MTU 1500 bytes

    Last clearing of "show interface" counters 0 day 1 hr 2 min 59 sec

    link status last changed 0 day 0 hr 59 min 16 sec

    Proxy Arp is disabled for the Interface

     

     

    (aruba) #show datapath session | include 10.1.2.1

    10.1.2.105      192.168.10.2    17   8211  8419   1/0     0    0   0   0/0/2       2    0          0          FYCI

    192.168.10.2    10.1.2.104      47   0     0      0/0     0    0   0   0/0/0       7e8  1973       222794     F

    10.1.2.104      192.168.10.2    17   8211  8222   0/0     0    0   1   0/0/0       12   0          0          FYCI

    192.168.10.2    10.1.2.104      17   8222  8211   0/0     0    0   1   0/0/0       12   0          0          FYI

    192.168.10.2    10.1.2.105      17   8419  8211   0/0     0    0   0   0/0/2       2    0          0          FYI

    10.1.2.103      192.168.10.2    17   8211  8419   0/0     0    0   0   0/0/4       8    0          0          FYCI

    10.1.2.102      192.168.10.2    17   8211  8222   0/0     0    0   1   0/0/6       11   0          0          FYCI

    192.168.10.2    10.1.2.103      17   8211  8211   0/0     0    0   9   0/0/4       94   0          0          FYI

    10.1.2.1        10.1.2.104      17   8222  8211   0/0     0    0   1   local       f    2          208        FCI

     

    (aruba) #

    (aruba) #show datapath session | include 192.168.10.2

    10.1.2.105      192.168.10.2    17   8211  8419   0/0     0    0   1   0/0/2       15   0          0          FYCI

    192.168.10.2    10.1.2.104      47   0     0      0/0     0    0   0   0/0/0       839  2053       231324     F

    192.168.10.2    10.1.2.105      17   8419  8211   0/0     0    0   1   0/0/2       15   0          0          FYI

    192.168.10.2    10.1.2.103      17   8211  8211   0/0     0    0   3   0/0/4       37   0          0          FYI

    192.168.10.2    10.1.2.105      47   0     0      0/0     0    0   0   0/0/2       837  2051       180488     F

    192.168.10.2    10.1.2.102      17   8211  8211   0/0     0    0   2   0/0/6       25   0          0          FYI

    10.1.2.104      192.168.10.2    47   0     0      0/0     0    40  0   0/0/0       839  2087       234316     FC

    10.1.2.104      192.168.10.2    17   8211  8494   0/0     0    0   1   0/0/0       5    0          0          FYCI

    192.168.10.2    10.1.2.103      17   8494  8211   0/0     0    0   1   0/0/4       5    0          0          FYI

    192.168.10.2    192.168.10.24   17   8419  8211   0/0     0    0   1   0/0/1       d    0          0          FYI

    10.1.2.102      192.168.10.2    17   8211  8494   0/0     0    0   1   0/0/6       4    0          0          FYCI

    10.1.2.102      192.168.10.2    47   0     0      0/0     0    40  0   0/0/6       82d  2076       233348     FC

    192.168.10.2    192.168.10.24   47   0     0      0/0     0    0   0   0/0/1       833  2047       230796     F

    10.1.2.103      192.168.10.2    17   8211  8211   0/0     0    0   1   0/0/4       37   22         13348      FCI

    192.168.10.2    192.168.10.24   17   8224  8211   0/0     0    0   1   local       4    2          746        FCI

    192.168.10.2    10.1.2.102      17   8494  8211   0/0     0    0   1   0/0/6       4    0          0          FYI

    192.168.10.24   192.168.10.2    47   0     0      0/0     0    40  0   0/0/1       833  2081       233788     FC

    192.168.10.2    10.1.2.102      17   8421  8211   0/0     0    0   1   0/0/6       c    0          0          FYI

    192.168.10.24   192.168.10.2    17   8211  8224   0/0     0    0   1   local       4    0          0          FYI

    192.168.10.2    10.1.2.104      17   8211  8211   0/0     0    0   3   0/0/0       25   0          0          FYI

    192.168.10.24   192.168.10.2    17   8211  8419   0/0     0    0   1   0/0/1       d    0          0          FYCI

    192.168.10.2    10.1.2.103      47   0     0      0/0     0    0   1   0/0/4       831  2045       230620     F

    192.168.10.2    192.168.10.24   17   8421  8211   0/0     0    0   0   0/0/1       4    0          0          FYI

    8.8.8.8         192.168.10.2    1    32    0      1/4108  0    0   1   local       14   1          120        FI
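
An added example, not part of any post in this thread: a Python check over "show datapath session" output of the kind pasted above. It lists sessions from VLAN 10 clients to destinations outside the connected subnets and reports whether each one carries the source-NAT flag, which is what "ip nat inside" on the client VLAN should produce. The column layout is inferred from the pasted lines, the meaning of the "S" flag (src NAT) is an assumption taken from the ArubaOS flag legend, which the page does not show, and the last two sample lines are constructed.

```python
import ipaddress

# Column names inferred from the 14-field lines pasted in the thread.
FIELDS = ["src", "dst", "proto", "sport", "dport", "cntr", "prio", "tos",
          "age", "dest", "tage", "packets", "bytes", "flags"]

# From the thread: client VLAN 10 and the two subnets relevant to this test.
INSIDE = ipaddress.ip_network("10.1.2.0/24")
CONNECTED = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "10.1.2.0/24")]

# First two session lines are copied from the post; the last two are constructed.
SAMPLE = """\
(aruba) #show datapath session | include 10.1.2.1
10.1.2.105      192.168.10.2    17   8211  8419   1/0     0    0   0   0/0/2       2    0          0          FYCI
10.1.2.1        10.1.2.104      17   8222  8211   0/0     0    0   1   local       f    2          208        FCI
10.1.2.104      8.8.8.8         1    32    2048   0/0     0    0   1   0/0/0       3    4          240        FSCI
10.1.2.103      8.8.4.4         17   51000 53     0/0     0    0   1   0/0/4       2    1          70         FCI
"""

def parse_sessions(text):
    """Yield one dict per well-formed session line; skip prompts and blanks."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        try:
            ipaddress.ip_address(parts[0])
            ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield dict(zip(FIELDS, parts))

def outbound_nat_report(text):
    """Return (src, dst, natted) for inside-client sessions leaving connected subnets."""
    report = []
    for s in parse_sessions(text):
        src = ipaddress.ip_address(s["src"])
        dst = ipaddress.ip_address(s["dst"])
        if src not in INSIDE or any(dst in n for n in CONNECTED):
            continue  # controller-local or AP control traffic, not internet-bound
        # Assumption: "S" in the flags column marks a source-NATed session.
        report.append((s["src"], s["dst"], "S" in s["flags"]))
    return report

if __name__ == "__main__":
    for src, dst, natted in outbound_nat_report(SAMPLE):
        print(f"{src} -> {dst}: {'source-NATed' if natted else 'NOT source-NATed'}")
```

A client session to an outside address without the flag would leave the controller with its 10.1.2.x source address unchanged.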



  • 10.  RE: unable to access to the internet from my VLANs

    EMPLOYEE
    Posted Sep 05, 2017 04:08 AM

    Did you try to ping from a user on that VLAN, instead of the source interface?



  • 11.  RE: unable to access to the internet from my VLANs

    EMPLOYEE
    Posted Sep 05, 2017 04:19 AM

    I just did this:

     

    created a vlan 10

    setup a dhcp scope of 2.2.2.0 255.255.255.0 dns 8.8.8.8 default gateway 2.2.2.1

    made the controller interface on vlan 10 2.2.2.1

    set interface vlan 10 to "ip nat inside"

    Created a WLAN tied to vlan 10 with the wizard.

    My user with ip address 2.2.2.2 just created this post.

     

    I cannot ping to 8.8.8.8 from source interface 10, however..



  • 12.  RE: unable to access to the internet from my VLANs

    Posted Sep 05, 2017 04:51 AM

    Hi Joseph,

     

    I will ping from a user on that VLAN tomorrow.

    I'm only on that site tomorrow morning. I will send you my feedback.

    Thanks for all.