Environment: This article applies to Aruba Instant Access Points.
VC Assigned IP addressing applies in the following cases:
- Where the switch that the Instant AP connects to is an unmanaged L2 switch on which VLANs cannot be defined.
- Where you do not want to configure an additional VLAN for guest traffic across all switches.
How it behaves:
- The Virtual Controller (VC) always hands out the DHCP IP address and is also the gateway (default router) for the clients.
- Broadcast and multicast packets from wireless clients are not allowed to pass through the IAP's Ethernet port.
- A unicast packet from a client goes to the VC first; the VC then source-NATs ("src-nat") it towards the internal or external network.
A screenshot of the feature, taken while creating a new WLAN, is shown below:
Question: How can I check the subnet of the Virtual Controller assigned IP address, i.e. the DHCP pool of the Magic VLAN?
Environment: If a client has been assigned an IP address through the Virtual Controller, the address comes from the Magic VLAN pool on the Virtual Controller.
The Magic VLAN DHCP pool on the controller, from which clients are assigned IP addresses, can be verified with the following command:
9/23/2013 21:53:00 PM Target: Abilash-lab Command: show dhcp-allocation
946754172 3c:a9:f4:1d:ac:a4 172.31.99.123 3333 BLR-ASOUNDARARAJAN-T430s 01:3c:a9:f4:1d:ac:a4
This gives detailed information about the DHCP pool range, the VLAN ID and the current DHCP leases. The default lease period is 12 hours.
Introduction- As we already know, the web pages we access every day are reached by domain name, and the DNS server is what converts those names to IP addresses and gives users a seamless browsing experience. But what if only one DNS server is configured and it becomes unreachable?
The end user's perception is that the PC is no longer online, even though it has a valid IP address and a route that would provide Internet access.
Feature Notes- By design, only two DNS server IP addresses can be configured on an Instant Access Point from the GUI. There are situations where a corporate design requires allocating multiple DNS addresses to users. Corporates do this for many reasons; a couple of them are:
- To provide redundant DNS server availability to users.
- To load-balance the large volume of DNS queries that come in from user subnets.
Environment- This article applies to all versions of Aruba InstantOS.
Network Topology- The Instant architecture works on a flat topology so that access points can form a cluster.
Configuration Steps- Configuration on the IAP side is almost nil, as the IP addresses of the multiple DNS servers need to be received from the DHCP server on the access points' VLAN.
This is how it works:
1. The IAP gets an IP address from the DHCP server in the network on the management VLAN.
2. The offer that the IAP receives from the DHCP server must also include all the DNS server IP addresses.
3. Once the IAP receives these IP addresses in the offer, it assigns the same addresses to the VC-assigned subnet internally.
Therefore, any wireless client connected to a VC-assigned SSID also receives all the DNS server IP addresses as part of the DNS server configuration within its DHCP offer.
Verification- The "show dhcp-allocation" command on the IAP verifies whether the VC subnet has DNS addresses configured, so that multiple addresses are offered to clients:
IAP# show dhcp-allocation
43460 00:10:18:a9:7e:27 172.31.99.226 3333 KK-Desk-PC2 01:00:10:18:a9:7e:27 ---->>>>> Client obtained IP address
Below is a sample DHCP pool from an Aruba controller:
ip dhcp pool vlan200
dns-server 10.1.1.50 10.1.1.51 10.1.1.52 10.1.1.53 10.1.1.54 10.1.1.55 10.1.1.56 10.1.1.57
network 172.16.200.0 255.255.255.0
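The mechanism in the steps above is the DHCP "Domain Name Server" option (option 6, RFC 2132), which carries any number of IPv4 addresses as a 4-byte-per-address list; the pool above simply fills that option with eight entries. The following is an added example, not code from the article or from Aruba, that builds the options field of a DHCPOFFER carrying the eight dns-server entries of the sample pool (and 172.16.200.1 as an assumed router address) and parses it back the way a client or the IAP would, rejecting a truncated option rather than silently reading past it.

```python
import ipaddress

# RFC 2132 option codes used below
OPT_PAD = 0
OPT_ROUTER = 3
OPT_DNS_SERVER = 6
OPT_MSG_TYPE = 53
OPT_END = 255
MAGIC_COOKIE = bytes([99, 130, 83, 99])

# Constructed from the sample "ip dhcp pool vlan200" on the page: eight dns-server entries
SAMPLE_DNS_SERVERS = [
    "10.1.1.50", "10.1.1.51", "10.1.1.52", "10.1.1.53",
    "10.1.1.54", "10.1.1.55", "10.1.1.56", "10.1.1.57",
]


def encode_address_list_option(code, addresses):
    """Encode a DHCP option carrying IPv4 addresses: code, one-byte length, 4 bytes per address."""
    if not addresses:
        raise ValueError("option %d must carry at least one address" % code)
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    if len(payload) > 255:
        raise ValueError("option %d payload exceeds the one-byte length field" % code)
    return bytes([code, len(payload)]) + payload


def build_offer_options(dns_servers, router):
    """Options field of a DHCPOFFER: cookie, message type 2 (OFFER), router, DNS list, END."""
    return (MAGIC_COOKIE
            + bytes([OPT_MSG_TYPE, 1, 2])
            + encode_address_list_option(OPT_ROUTER, [router])
            + encode_address_list_option(OPT_DNS_SERVER, dns_servers)
            + bytes([OPT_END]))


def parse_options(blob):
    """Parse an options field into {code: value bytes}. Rejects a bad cookie or a truncated option."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    raise ValueError("options field has no END marker")


def addresses_from_option(opts, code):
    """Decode an address-list option (e.g. option 6) back into dotted-quad strings."""
    raw = opts.get(code, b"")
    if len(raw) % 4:
        raise ValueError("option %d length %d is not a multiple of 4" % (code, len(raw)))
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def dns_servers_in_offer(blob):
    """The DNS server list a client (or the IAP) extracts from an offer's options field."""
    return addresses_from_option(parse_options(blob), OPT_DNS_SERVER)


if __name__ == "__main__":
    offer = build_offer_options(SAMPLE_DNS_SERVERS, "172.16.200.1")
    print(dns_servers_in_offer(offer))
```

With eight servers the option is 2 + 32 = 34 bytes; the one-byte length field caps a single option 6 at 63 addresses, which is why the encoder checks the payload size instead of letting the length wrap.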
Does the routing profile apply to an SSID configured for VC Assigned IP addressing?
The routing profile configured on IAPs does not apply to an SSID configured for VC-assigned IP addressing.
The client traffic is NATed with the IP address of the IAP and sent out locally.
If we enable a debug packet dump on the IAP and try to reach a destination across the VPN tunnel, we get the following messages:
#icmp: type echo-request(8) code 0 id 1 seq 29724
[asap_firewall_forward(7435):route section] len 74, vlan 1, egress CP, ingress bond0:
[asap_firewall_forward(7485):cp route section] len 74, vlan 1, egress CP, ingress bond0:
[asap_firewall_forward(7552):fastpath route returned 2 opcode 202/202] len 74, vlan 0, egress vlan 15, ingress bond0:
[asap_firewall_forward(7656):skip tunnel routing for this source IP] len 74, vlan 0, egress vlan 15, ingress bond0:
[asap_firewall_forward(7670):slowpath route returned 0 opcode 5, sbr 0, notunnel 1] len 74, vlan 1, egress bond0, ingress bond0:
How many IP addresses are allowed on a vlan interface?
How many IP addresses are allowed on a loopback interface?
How can I verify if multiple IP addresses have been configured on a vlan interface?
Environment: This article applies to all Aruba mobility switches and code versions.
ArubaOS supports any number of secondary IP addresses on a VLAN or a loopback interface. Note the following:
1. There can be only one primary IP address.
2. OSPF will NOT form an adjacency over a secondary IP address.
3. Secondary IP addresses can also be assigned to loopback interfaces.
4. Two IP addresses from the same VLAN cannot be assigned.
(ArubaS2500-24P) (vlan "1") #interface vlan 1
(ArubaS2500-24P) (vlan "1") #ip address 10.1.1.1 255.255.255.0
(ArubaS2500-24P) (vlan "1") #ip address 10.1.2.1 255.255.255.0 secondary
(ArubaS2500-24P) (vlan "1") #ip address 10.1.3.1 255.255.255.0 secondary
(ArubaS2500-24P) (vlan "1") #exit
(ArubaS2500-24P) (config) #show interface vlan 1
VLAN1 is administratively Up, Line protocol is Up
Hardware is CPU Interface, Address is 00:1a:1e:09:19:40
Description: 802.1Q VLAN
Internet address is 10.1.1.1, Netmask is 255.255.255.0
Internet address is 10.1.2.1, Netmask is 255.255.255.0 secondary
Internet address is 10.1.3.1, Netmask is 255.255.255.0 secondary
IPV6 link-local address is fe80::1a:1e00:109:1940
Global Unicast address(es):
Routing interface is enabled, Forwarding mode is enabled
Directed broadcast is disabled, BCMC Optimization disabled
Encapsulation 802, Loopback not set
Interface index: 50331649
MTU 1500 bytes
Please note that the command "show ip interface vlan 1" will NOT show the secondary addresses:
(ArubaS2500-24P) (config) #show ip interface vlan 1
vlan 1 is Up, protocol is Up
Internet address is 10.1.1.1/255.255.255.0
Address is statically configured
MTU is 1500
However, the "show ip interface brief" command shows all the IP addresses:
(ArubaS2500-24P) (config) #show ip interface brief
Flags: S - Secondary IP address
Interface   IP Address / IP Netmask          Admin   Protocol   Flags
vlan 1      10.1.1.1 / 255.255.255.0         Up      Up
vlan 1      10.1.2.1 / 255.255.255.0         Up      Up         S
vlan 1      10.1.3.1 / 255.255.255.0         Up      Up         S
mgmt        unassigned / unassigned          Up      Down
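Because "show ip interface vlan N" hides the secondaries, "show ip interface brief" is the output to audit when checking the rules above. The following is an added example, not code from the article or from ArubaOS, that parses that output (a constructed sample in the same layout, plus a constructed one that breaks the rules) and reports one primary per interface and, reading rule 4 as "two addresses in the same subnet" (an assumption; the article's own example puts three subnets on one VLAN), any two addresses on one interface that share a subnet.

```python
import ipaddress
import re

# Constructed sample in the layout of the "show ip interface brief" output on the page
SAMPLE_BRIEF = """\
Flags: S - Secondary IP address
Interface IP Address / IP Netmask Admin Protocol Flags
vlan 1 10.1.1.1 / 255.255.255.0 Up Up
vlan 1 10.1.2.1 / 255.255.255.0 Up Up S
vlan 1 10.1.3.1 / 255.255.255.0 Up Up S
mgmt unassigned / unassigned Up Down
"""

# Constructed: a secondary inside the primary's subnet, and an interface with two primaries
BAD_BRIEF = """\
Flags: S - Secondary IP address
Interface IP Address / IP Netmask Admin Protocol Flags
vlan 1 10.1.1.1 / 255.255.255.0 Up Up
vlan 1 10.1.1.2 / 255.255.255.0 Up Up S
vlan 2 10.1.5.1 / 255.255.255.0 Up Up
vlan 2 10.1.6.1 / 255.255.255.0 Up Up
"""

# One data row: "<iface> <ip> / <mask> <admin> <proto> [flags]"; the header line does not match
ROW_RE = re.compile(
    r"^(?P<iface>\S+(?: \d+)?)\s+(?P<ip>\S+) / (?P<mask>\S+)\s+"
    r"(?P<admin>\S+)\s+(?P<proto>\S+)(?:\s+(?P<flags>\S+))?\s*$"
)


def parse_brief(text):
    """Return {interface: [(IPv4Interface, is_secondary), ...]}, skipping header and unassigned rows."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group("ip") == "unassigned":
            continue
        addr = ipaddress.IPv4Interface("%s/%s" % (m.group("ip"), m.group("mask")))
        secondary = "S" in (m.group("flags") or "")
        table.setdefault(m.group("iface"), []).append((addr, secondary))
    return table


def validate(table):
    """Apply the article's rules: exactly one primary per interface, and no two addresses
    on one interface in the same subnet (assumed reading of rule 4)."""
    issues = []
    for iface, addrs in table.items():
        primaries = [a for a, sec in addrs if not sec]
        if len(primaries) != 1:
            issues.append("%s: %d primary addresses, expected exactly 1" % (iface, len(primaries)))
        seen = {}
        for a, _ in addrs:
            net = a.network
            if net in seen:
                issues.append("%s: %s and %s are in the same subnet %s" % (iface, seen[net], a.ip, net))
            else:
                seen[net] = a.ip
    return issues


def secondary_addresses(table, iface):
    """The secondary addresses of one interface, i.e. what 'show ip interface vlan N' omits."""
    return [str(a.ip) for a, sec in table.get(iface, []) if sec]


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_BRIEF), ("bad", BAD_BRIEF)):
        print(name, validate(parse_brief(text)) or "ok")
```

Feed it the real command output captured from the switch; the regex only relies on the column order shown above, so a changed header width does not break it, but a different ArubaOS layout would need the pattern adjusted.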
How is Local DHCP scope different from Virtual Controller assigned scope?
Virtual Controller(VC) Assigned Scope:
VC Assigned Scope is a private VLAN on the IAP that acts as a DHCP server for the wireless clients; it is also called the Magic VLAN. When the "Virtual Controller Assigned" option is selected, the client obtains its IP address from the Virtual Controller, i.e. from the master IAP. Any DHCP request from a slave IAP is relayed/forwarded without a VLAN tag, so the DHCP packet from the slave IAP is forwarded to the master IAP via the uplink's native VLAN.
Executing "show dhcp-allocation" would show the Magic VLAN and associated parameters.
Local DHCP Scope:
Local DHCP scope is also an in-built DHCP server; it allows the wireless administrator to create multiple DHCP scopes, each with a unique subnet and a defined VLAN ID. In this case, any DHCP request forwarded by a slave IAP is tagged with the defined VLAN ID, so that VLAN ID must be allowed on the uplink switch; otherwise the DHCP request from the slave will not reach the master IAP, because the uplink switch drops it.
Executing "show dhcp-allocation" would show the Magic VLAN and associated parameters.
I have a need to be able to place arbitrary devices such as wireless enabled printers on an arbitrary VLAN. The most secure wireless auth method that many of these devices support seems to be WPA-PSK. Having authentication of a device rely strictly on a PSK is less than desirable. Also I'd like to avoid having a per-device SSID to place them on the appropriate VLANs.
In my mind I should be able to have a common SSID with a shared PSK and assign the devices to the appropriate VLAN based on the device's MAC address. In order to have this be scriptable and long-term maintainable I'd like to have the VLAN mapping done via RADIUS. Is there any way to configure the controller to validate the PSK then send a RADIUS login request consisting of the MAC address and have RADIUS instruct the controller what policy or VLAN to place them in?
All I'm finding so far is information on Windows Machine based authentication and there would be no Windows involved on either end of this. Any ideas on how to implement such a thing would be appreciated, Thanks!
You can enable MAC authentication for the SSID by enabling it under the AAA profile in use. Under Configuration > Authentication > L2 Authentication, you can set up a MAC authentication profile that controls how the MAC addresses are checked (delimiter and upper/lower case). Once you create it the way you like it, go into Configuration > Authentication > AAA Profiles and create a new profile. Under MAC authentication profile, select the profile you just created. Under MAC authentication server group, select the group that contains your RADIUS server. Enter the MAC address of your clients as the RADIUS username and password AND set a VSA (you may have to load the Aruba RADIUS dictionary file from the support site) of Aruba-User-VLAN. In the Aruba-User-VLAN attribute, pass back the VLAN number.
Now, when someone connects to the SSID, the controller will validate the PSK and the RADIUS server will validate the MAC address and return the VLAN the device should be placed into.
The built-in server group default will authenticate mac addresses to the internal database; radius is an option. If you configure a MAC authentication profile and authenticate to the server-group default, you can just add the mac addresses to the local database of the controller (username AND password is the mac address). The server-group default also has a rule "set role condition role value-of", which means that if you add the mac addresses to the local database with a particular role, it will override the default mac authentication role that users will get if they pass mac authentication. This means you can have a default role that users would normally get for passing mac authentication if their mac address does not have a role specified in the internal database. You can also add mac addresses with a defined role that will override the default for special devices like a printer, that you specified.
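The answers above hinge on one detail that breaks MAC-based VLAN assignment silently: the username and password the controller sends are the MAC rendered with the delimiter and case chosen in the MAC authentication profile, and the RADIUS entry must match that rendering exactly. The following is an added example, not code from the thread or from Aruba, that normalizes MACs from any notation, generates the matching entries for a FreeRADIUS "users" file (an assumed target RADIUS server; the reply attribute name is taken from the answer above and requires the Aruba dictionary to be loaded), and looks a device up the way the server would. The inventory is constructed.

```python
import re

# Constructed inventory for illustration: MAC address -> VLAN the device belongs on
DEVICES = {
    "00:11:22:33:44:55": 30,   # wireless printer
    "aa-bb-cc-dd-ee-ff": 40,   # label printer, recorded with dashes
    "0011.2233.4466": 30,      # another printer, recorded in Cisco-style notation
}


def normalize_mac(mac, delimiter="", upper=False):
    """Render a MAC the way the MAC authentication profile will send it: the profile
    fixes the delimiter ('', ':' or '-') and the case, and the RADIUS username and
    password must match that rendering byte for byte."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    if delimiter not in ("", ":", "-"):
        raise ValueError("unsupported delimiter %r" % delimiter)
    digits = digits.upper() if upper else digits.lower()
    if delimiter:
        return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits


def users_file_entries(devices, delimiter="", upper=False, vsa="Aruba-User-VLAN"):
    """Emit FreeRADIUS 'users' entries: username and Cleartext-Password are both the
    normalized MAC, and the reply carries the VLAN number in the Aruba VSA."""
    lines = []
    for mac, vlan in sorted(devices.items(), key=lambda kv: normalize_mac(kv[0])):
        user = normalize_mac(mac, delimiter, upper)
        lines.append('%s\tCleartext-Password := "%s"' % (user, user))
        lines.append("\t%s = %d" % (vsa, vlan))
        lines.append("")
    return "\n".join(lines)


def vlan_for(devices, mac):
    """Look a device up by normalized MAC, independent of the notation it was recorded in."""
    wanted = normalize_mac(mac)
    for known, vlan in devices.items():
        if normalize_mac(known) == wanted:
            return vlan
    return None


if __name__ == "__main__":
    # Example: profile configured for lower case with no delimiter (the defaults assumed here)
    print(users_file_entries(DEVICES))
```

Keep the delimiter and case arguments in step with the MAC authentication profile on the controller; a mismatch shows up on the RADIUS side as an Access-Reject for a device that is clearly in the list.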
Environment: This article applies to all controller models and OS versions.
No, IP addresses cannot be reserved for specific machines on the controller's internal DHCP server. The Aruba controller's primary job is to host access points and serve wireless clients; alongside that it provides several other functions, including basic DHCP capability.
If IP address reservation is required, a dedicated external DHCP server must be used.
Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
Clients in the captive portal VLAN must be able to reach the controller's switch IP address or the configured IP cp-redirect address, as described here.
VLAN 1: This VLAN contains the controller's switch IP address.
VLAN 3: This VLAN is configured for guest access. This unsecure VLAN connects to the inside of an Internet firewall that runs DHCP and default gateway services for this subnet. The firewall assigns clients IPs from the 192.168.1.0/24 range of IP addresses. The Aruba controller is assigned 192.168.1.200 on VLAN interface 3.
On VLAN 3 guests are able to connect and receive an IP address from the firewall. The problem is that when captive portal is enabled, it is using an address from secure VLAN 1 (https://10.1.1.20) rather than the address from the guest VLAN 3 (192.168.1.200). The IP address from VLAN 1 is not accessible to the hosts on VLAN 3 (by design). Therefore captive portal authentication is failing.
The interface used by captive portal can be configured from CLI as in the following example:
(Aruba6000-wifi) #config t
(Aruba6000-wifi) (config) #ip cp-redirect-address 192.168.1.200
The IP cp-redirect address is the IP address on which the controller responds to captive portal requests in order to bring up the login page. Every VLAN on which you want to do captive portal must be able to route to that address.
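The failure in the article is a reachability problem: the redirect target lived on VLAN 1, which the guest VLAN cannot route to by design. The following is an added example, not code from the article or from ArubaOS, that models the controller's VLAN interfaces as given above (10.1.1.20/24 on VLAN 1 and 192.168.1.200/24 on VLAN 3, with the /24 on VLAN 1 assumed) and checks, for each captive-portal VLAN, whether a candidate cp-redirect address is on-link for its clients; VLANs whose firewall is known to route to the address can be passed in as an exception. It also picks an address that all listed captive-portal VLANs can reach without routing, if one exists.

```python
import ipaddress

# Constructed model of the topology in the article: controller interface address per VLAN
# (the /24 on VLAN 1 is an assumption; the page gives only the address 10.1.1.20)
CONTROLLER_VLANS = {
    1: "10.1.1.20/24",       # secure VLAN holding the switch IP
    3: "192.168.1.200/24",   # guest VLAN, addressed by the firewall
}


def on_link(vlan_id, address, vlans=CONTROLLER_VLANS):
    """True when address lies inside the controller's subnet on vlan_id, so a client
    on that VLAN reaches it directly, without any inter-VLAN routing."""
    iface = ipaddress.IPv4Interface(vlans[vlan_id])
    return ipaddress.IPv4Address(address) in iface.network


def check_cp_redirect(cp_redirect, captive_vlans, vlans=CONTROLLER_VLANS, routed=frozenset()):
    """Map each captive-portal VLAN to whether cp_redirect is reachable from it.
    'routed' lists VLANs whose firewall is known to route to the redirect address."""
    return {vid: on_link(vid, cp_redirect, vlans) or vid in routed for vid in captive_vlans}


def suggest_cp_redirect(captive_vlans, vlans=CONTROLLER_VLANS):
    """Pick one ip cp-redirect-address that every captive-portal VLAN reaches on-link,
    or None when no single interface address satisfies all of them (routing needed)."""
    for candidate in (str(ipaddress.IPv4Interface(vlans[v]).ip) for v in captive_vlans):
        if all(on_link(v, candidate, vlans) for v in captive_vlans):
            return candidate
    return None


if __name__ == "__main__":
    # The article's situation: redirect to the VLAN 1 address fails for guests on VLAN 3
    print(check_cp_redirect("10.1.1.20", [3]))
    print("use: ip cp-redirect-address", suggest_cp_redirect([3]))
```

When several captive-portal VLANs are in play, suggest_cp_redirect returning None is the signal that one address must be made routable from all of them, which is the requirement the last sentence above states.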