Frequent Contributor II

wireless to wired broadcast

Hey All,

 

I have an IAP-225 running as a RAP.  I have a wired port configured on it and have a switch hanging off that.  We have these wired credit card readers from Shopkeep (iPP320 Credit Card Reader); they are connected to the switch that is connected to the wired port.  That port is in access mode/tunnel.  The readers get IP's of the same /23 as the wireless clients (whom are .1x auth'ed and split tunneled).  The iPads on the wireless network are running the Shopkeep app that is supposed to be able to "detect" the wired card readers.  That is not happening.  Before I start to yell and scream at Shopkeep I want to be sure I am not missing anything on the AP/controller side.

I do not know what the Shopkeep app is doing to "detect" the wired readers but I assume it is some kind of broad/multicast...

 

Thanks,

 

rif

 

Guru Elite

Re: wireless to wired broadcast

Make sure you don't have "Broadcast Multicast Optimization" enabled on that VLAN.

Also make sure you don't have "Drop Broadcast and Multicast" enabled on the Virtual AP that the wireless clients are connected to.

Is that ethernet port untrusted?

 

Find out what the IP address of the credit card reader is.  When it is trying to find the devices, type "show datapath session table <ip address of credit card reader>" on the controller multiple times, so you can see what traffic they are trying to send.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II

Re: wireless to wired broadcast

Hi Colin,

 

Thanks for the input.  "Broadcast Multicast Optimization" is not enabled on the IP interface for that VLAN.  "Drop Broadcast and Multicast" is not enabled on the VAP to which the wireless clients are connected (although "Convert Broadcast ARP requests to unicast" is enabled).  The wired ethernet port is Trusted.  I am presently trying to get the guy out there to start the "finding" process again so I can see the output of the "show datapath session table" command....

 

Thanks!

 

rif

Frequent Contributor II

Re: wireless to wired broadcast

Hi Colin,

 

So when tracking the reader's IP I get:

 

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- --------- --------- -----
10.1.30.243 10.1.30.1 1 4 0 0/0 0 0 1 pc1 16 0 0 FI
10.1.30.243 10.1.30.1 1 2 0 0/0 0 0 1 pc1 16 0 0 FI
10.1.30.243 10.1.30.1 1 3 0 0/0 0 0 1 pc1 16 0 0 FI
10.1.30.243 10.1.30.1 1 0 0 0/0 0 0 1 pc1 16 0 0 FI
10.1.30.243 10.1.30.1 1 1 0 0/0 0 0 1 pc1 16 0 0 FI
10.1.30.1 10.1.30.243 1 2 2048 0/0 0 0 1 pc1 16 0 0 FCI
10.1.30.1 10.1.30.243 1 3 2048 0/0 0 0 1 pc1 16 0 0 FCI
10.1.30.1 10.1.30.243 1 0 2048 0/0 0 0 1 pc1 16 0 0 FCI
10.1.30.1 10.1.30.243 1 1 2048 0/0 0 0 1 pc1 16 0 0 FCI
10.1.30.1 10.1.30.243 1 4 2048 0/0 0 0 1 pc1 16 0 0 FCI

 

which is the reader sending traffic to the default gateway, and then the default gateway sending traffic back to the reader's IP.  I don't know what traffic it's sending.

 

Then, I tracked the iPad's IP address (where the Shopkeep app is running) and found this:

 

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- --------- --------- -----
10.1.30.90 10.1.31.255 17 51970 22222 0/0 0 24 1 tunnel 109 10 0 0 FC
10.1.30.90 10.1.31.255 17 50765 22222 0/0 0 24 0 tunnel 109 4 1 56 FC
10.1.30.90 10.1.31.255 17 49569 22222 0/0 0 24 1 tunnel 109 16 0 0 FC
10.1.30.90 10.1.31.255 17 55781 22222 0/0 0 24 1 tunnel 109 a 0 0 FC
10.1.31.255 10.1.30.90 17 22222 55781 0/0 0 0 0 tunnel 109 a 0 0 FY
10.1.31.255 10.1.30.90 17 22222 51970 0/0 0 0 1 tunnel 109 10 0 0 FY
10.1.31.255 10.1.30.90 17 22222 49569 0/0 0 0 1 tunnel 109 16 0 0 FY
10.1.31.255 10.1.30.90 17 22222 50765 0/0 0 0 0 tunnel 109 4 0 0 FY

 

So the iPad seems to be doing what one would think it should be doing, broadcasting for the reader but the reader seems to be misbehaving by sending traffic to the default gateway for a destination of the same subnet/vlan...

 

rif

 

 

Guru Elite

Re: wireless to wired broadcast

The first device just sent 5 pings to the default gateway.

 

The second device sent broadcast packets to 10.1.231.255 on port 22222

 

We need better information somewhere about what is required for this application.

 

You could open a TAC case to make sure that nothing you are doing is blocking the broadcast traffic, however.  I only gave two guesses.



Colin Joseph
Aruba Customer Engineering
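
Added example (not part of any post in this thread, and not Aruba tooling): a short Python script that reads rows in the format of the "show datapath session table" output posted above and labels each one by IP protocol number and by whether it involves the broadcast address of the 10.1.30.0/23 client subnet. The function names and label strings are assumptions made for illustration; the sample rows are copied from the outputs in the thread.

```python
import ipaddress
from collections import Counter

# Client subnet from the thread: readers and iPads share 10.1.30.0/23.
SUBNET = ipaddress.ip_network("10.1.30.0/23")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers

# Rows copied from the two outputs posted in the thread (a subset).
SAMPLE = """\
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination
10.1.30.243 10.1.30.1 1 4 0 0/0 0 0 1 pc1 16 0 0 FI
10.1.30.1 10.1.30.243 1 2 2048 0/0 0 0 1 pc1 16 0 0 FCI
10.1.30.90 10.1.31.255 17 51970 22222 0/0 0 24 1 tunnel 109 10 0 0 FC
10.1.30.90 10.1.31.255 17 50765 22222 0/0 0 24 0 tunnel 109 4 1 56 FC
10.1.31.255 10.1.30.90 17 22222 55781 0/0 0 0 0 tunnel 109 a 0 0 FY
"""

def parse_rows(text):
    """Yield (src, dst, proto, sport, dport) for each data row.

    Only the first five columns are read: the Destination column can
    contain a space ("tunnel 109"), which shifts every later field.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            proto, sport, dport = (int(p) for p in parts[2:5])
        except ValueError:
            continue  # header, separator or other non-data line
        yield src, dst, proto, sport, dport

def classify(src, dst, proto, dport, subnet=SUBNET):
    """Return a hypothetical human-readable label for one row."""
    name = PROTO_NAMES.get(proto, f"proto-{proto}")
    bcast = subnet.broadcast_address  # 10.1.31.255 for 10.1.30.0/23
    if dst == bcast:
        return f"{name} subnet broadcast to port {dport}"
    if src == bcast:
        # A broadcast address is not a valid host source address; this
        # label only flags the row and does not say where it came from.
        return f"{name} entry with broadcast address as source"
    if src in subnet and dst in subnet:
        return f"{name} unicast inside {subnet}"
    return f"{name} unicast leaving {subnet}"

def summarize(text):
    """Count rows per label."""
    return Counter(classify(s, d, p, dp) for s, d, p, _sp, dp in parse_rows(text))
```

Calling summarize() on a pasted capture gives a per-label row count, which makes it quick to see whether any traffic other than the UDP 22222 broadcast and the ICMP exchange with the gateway appears while the app is searching.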


Frequent Contributor II

Re: wireless to wired broadcast

Hi Colin,

 

I did open a TAC case for just that purpose.  However, we purchased these POS devices through Shopkeep and we can't seem to get anyone on the horn that knows about what the app is doing under the hood (protocol wise).  Very frustrating!

 

Thanks for your time,

 

rif

Guru Elite

Re: wireless to wired broadcast

Hold on:

" The readers get IP's of the same /23 as the wireless clients (whom are .1x auth'ed and split tunneled)"

 

What is the role of these split tunneled devices and what are the ACLs attached?

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II

Re: wireless to wired broadcast

The role of the split tunnel devices is POP-RAP-Role and the ACL's are:

 

POP-RAP-USR

 

IP Version  Source       Destination  Service   Action         Log  Mirror  Queue  Time Range  Pause ARM Scanning  BlackList  Classify Media  TOS  802.1p Priority
IPv4        any          any          svc-dhcp  permit                      Low
IPv4        any          any          svc-dns   permit                      Low
IPv4        user         DestCorpNet  any       permit                      Low
IPv4        DestCorpNet  user         any       permit                      Low
IPv4        any          any          any       route src-nat

 

and the DestCorpNet "destination" are our various corporate LANs

 

 

Guru Elite

Re: wireless to wired broadcast

Fully tunneled devices might not be able to send broadcasts to split-tunneled devices.  Change one or the other to match and test again.

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II

Re: wireless to wired broadcast

Colin,

 

I can surely try that.  Right now the (wireless) iPads hosting the Shopkeep (broadcasting) app are in split-tunnel mode.  They get a 10.1.30.0/23 address.  The wired readers are in tunnel mode and also get a 10.1.30.0/23 address.   When tracing the iPad's broadcast we saw:

 

10.1.30.90      10.1.31.255

10.1.31.255    10.1.30.90

 

That looks like a normal broadcast, but I do not know how to read the reply... how can a broadcast address 10.1.31.255 send a reply (pardon my ignorance)?  Can we assume that 10.1.31.255 is actually the default gateway replying?  If so that would indicate the traffic is getting down the tunnel right, and in fact we did see 10.1.30.243 10.1.30.1 at one point in response to the broadcast.

I guess my question is which one does it make the most sense to change?  I think it sounds like I should change the tunneled wired to split-tunnel?

 

Thanks,

 

rif
