Wireless Access

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Why won't my bridged SSID come up?

  • 1.  Why won't my bridged SSID come up?

    Posted Jul 06, 2014 06:28 PM

    Trying to create a bridged SSID where the carrier equipment is already providing DHCP.  LAN devices are getting 192.168.0.x addresses and working fine.  I put the controller on the subnet, and added the configuration, but the SSID is not broadcasting.

     

    Default ap-group, SSID is BNET

     

    version 6.2
    enable secret "******"
    hostname "Aruba650"
    clock timezone EST -5
    location "Building1.floor1"
    controller config 3
    ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
    ip access-list eth validuserethacl
      permit any
    !
    netservice svc-pcoip2-tcp tcp 4172
    netservice svc-netbios-dgm udp 138
    netservice svc-snmp-trap udp 162
    netservice svc-citrix tcp 2598
    netservice svc-syslog udp 514
    netservice svc-l2tp udp 1701
    netservice svc-ike udp 500
    netservice svc-https tcp 443
    netservice svc-smb-tcp tcp 445
    netservice svc-dhcp udp 67 68 alg dhcp
    netservice svc-ica tcp 1494
    netservice svc-pptp tcp 1723
    netservice svc-sccp tcp 2000 alg sccp
    netservice svc-telnet tcp 23
    netservice svc-sec-papi udp 8209 alg sec-papi
    netservice svc-lpd tcp 515
    netservice svc-netbios-ssn tcp 139
    netservice svc-sip-tcp tcp 5060
    netservice svc-kerberos udp 88
    netservice svc-tftp udp 69 alg tftp
    netservice svc-pcoip-udp udp 50002
    netservice svc-pcoip-tcp tcp 50002
    netservice svc-http-proxy3 tcp 8888
    netservice svc-noe udp 32512 alg noe
    netservice svc-cfgm-tcp tcp 8211
    netservice svc-adp udp 8200
    netservice svc-pop3 tcp 110
    netservice svc-rtsp tcp 554 alg rtsp
    netservice svc-msrpc-tcp tcp 135 139
    netservice svc-dns udp 53 alg dns
    netservice vnc tcp 5900 5905
    netservice svc-h323-udp udp 1718 1719
    netservice svc-h323-tcp tcp 1720
    netservice svc-vocera udp 5002 alg vocera
    netservice svc-http tcp 80
    netservice svc-http-proxy2 tcp 8080
    netservice svc-sip-udp udp 5060
    netservice svc-nterm tcp 1026 1028
    netservice svc-noe-oxo udp 5000 alg noe
    netservice svc-papi udp 8211 alg papi
    netservice svc-natt udp 4500
    netservice svc-ftp tcp 21 alg ftp
    netservice svc-microsoft-ds tcp 445
    netservice svc-svp 119 alg svp
    netservice svc-smtp tcp 25
    netservice svc-gre 47
    netservice web tcp list "80 443"
    netservice svc-netbios-ns udp 137
    netservice svc-sips tcp 5061 alg sips
    netservice svc-smb-udp udp 445
    netservice svc-ipp-tcp tcp 631
    netservice svc-esp 50
    netservice svc-pcoip2-udp udp 4172
    netservice svc-v6-dhcp udp 546 547
    netservice svc-snmp udp 161
    netservice svc-bootp udp 67 69
    netservice svc-msrpc-udp udp 135 139
    netservice svc-ntp udp 123
    netservice svc-icmp 1
    netservice svc-ipp-udp udp 631
    netservice svc-ssh tcp 22
    netservice svc-v6-icmp 58
    netservice svc-http-proxy1 tcp 3128
    netservice svc-vmware-rdp tcp 3389
    netexthdr default
    !
    time-range night-hours periodic
     weekday 18:01 to  23:59
     weekday 00:00 to  07:59
    !
    time-range weekend periodic
     weekend 00:00 to  23:59
    !
    time-range working-hours periodic
     weekday 08:00 to  18:00
    !
    ip access-list session v6-icmp-acl
      ipv6  any any svc-v6-icmp  permit
    !
    ip access-list session control
      user any udp 68  deny
      any any svc-icmp  permit
      any any svc-dns  permit
      any any svc-papi  permit
      any any svc-sec-papi  permit
      any any svc-cfgm-tcp  permit
      any any svc-adp  permit
      any any svc-tftp  permit
      any any svc-dhcp  permit
      any any svc-natt  permit
    !
    ip access-list session allow-diskservices
      any any svc-netbios-dgm  permit
      any any svc-netbios-ssn  permit
      any any svc-microsoft-ds  permit
      any any svc-netbios-ns  permit
    !
    ip access-list session validuser
      network 169.254.0.0 255.255.0.0 any any  deny
      any any any  permit
      ipv6  any any any  permit
    !
    ip access-list session v6-https-acl
      ipv6  any any svc-https  permit
    !
    ip access-list session vocera-acl
      any any svc-vocera  permit queue high
    !
    ip access-list session vmware-acl
      any any svc-vmware-rdp  permit tos 46 dot1p-priority 6
      any any svc-pcoip-tcp  permit tos 46 dot1p-priority 6
      any any svc-pcoip-udp  permit tos 46 dot1p-priority 6
      any any svc-pcoip2-tcp  permit tos 46 dot1p-priority 6
      any any svc-pcoip2-udp  permit tos 46 dot1p-priority 6
    !
    ip access-list session icmp-acl
      any any svc-icmp  permit
    !
    ip access-list session v6-control
      ipv6  user any udp 547  deny
      ipv6  any any svc-v6-icmp  permit
      ipv6  any any svc-dns  permit
      ipv6  any any svc-papi  permit
      ipv6  any any svc-sec-papi  permit
      ipv6  any any svc-cfgm-tcp  permit
      ipv6  any any svc-adp  permit
      ipv6  any any svc-tftp  permit
      ipv6  any any svc-dhcp  permit
      ipv6  any any svc-natt  permit
    !
    ip access-list session v6-dhcp-acl
      ipv6  any any svc-v6-dhcp  permit
    !
    ip access-list session captiveportal
      user   alias controller svc-https  dst-nat 8081
      user any svc-http  dst-nat 8080
      user any svc-https  dst-nat 8081
      user any svc-http-proxy1  dst-nat 8088
      user any svc-http-proxy2  dst-nat 8088
      user any svc-http-proxy3  dst-nat 8088
    !
    ip access-list session v6-dns-acl
      ipv6  any any svc-dns  permit
    !
    ip access-list session allowall
      any any any  permit
      ipv6  any any any  permit
    !
    ip access-list session https-acl
      any any svc-https  permit
    !
    ip access-list session sip-acl
      any any svc-sip-udp  permit queue high
      any any svc-sip-tcp  permit queue high
    !
    ip access-list session citrix-acl
      any any svc-citrix  permit tos 46 dot1p-priority 6
      any any svc-ica  permit tos 46 dot1p-priority 6
    !
    ip access-list session ra-guard
      ipv6  user any icmpv6 rtr-adv  deny
    !
    ip access-list session dns-acl
      any any svc-dns  permit
    !
    ip access-list session v6-allowall
      ipv6  any any any  permit
    !
    ip access-list session tftp-acl
      any any svc-tftp  permit
    !
    ip access-list session skinny-acl
      any any svc-sccp  permit queue high
    !
    ip access-list session srcnat
      user any any  src-nat
    !
    ip access-list session vpnlogon
      user any svc-ike  permit
      user any svc-esp  permit
      any any svc-l2tp  permit
      any any svc-pptp  permit
      any any svc-gre  permit
    !
    ip access-list session logon-control
      user any udp 68  deny
      any any svc-icmp  permit
      any any svc-dns  permit
      any any svc-dhcp  permit
      any any svc-natt  permit
    !
    ip access-list session allow-printservices
      any any svc-lpd  permit
      any any svc-ipp-tcp  permit
      any any svc-ipp-udp  permit
    !
    ip access-list session cplogout
      user   alias controller svc-https  dst-nat 8081
    !
    ip access-list session v6-http-acl
      ipv6  any any svc-http  permit
    !
    ip access-list session http-acl
      any any svc-http  permit
    !
    ip access-list session dhcp-acl
      any any svc-dhcp  permit
    !
    ip access-list session captiveportal6
      ipv6  user   alias controller6 svc-https  captive
      ipv6  user any svc-http  captive
      ipv6  user any svc-https  captive
      ipv6  user any svc-http-proxy1  captive
      ipv6  user any svc-http-proxy2  captive
      ipv6  user any svc-http-proxy3  captive
    !
    ip access-list session ap-uplink-acl
      any any udp 68  permit
      any any svc-icmp  permit
      any host 224.0.0.251 udp 5353  permit
    !
    ip access-list session noe-acl
      any any svc-noe  permit queue high
    !
    ip access-list session svp-acl
      any any svc-svp  permit queue high
      user host 224.0.1.116 any  permit
    !
    ip access-list session ap-acl
      any any svc-gre  permit
      any any svc-syslog  permit
      any user svc-snmp  permit
      user any svc-snmp-trap  permit
      user any svc-ntp  permit
      user any svc-ftp  permit
    !
    ip access-list session v6-ap-acl
      ipv6  any any svc-gre  permit
      ipv6  any any svc-syslog  permit
      ipv6  any user svc-snmp  permit
      ipv6  user any svc-snmp-trap  permit
      ipv6  user any svc-ntp  permit
      ipv6  user any svc-ftp  permit
    !
    ip access-list session v6-logon-control
      ipv6  user any udp 68  deny
      ipv6  any any svc-v6-icmp  permit
      ipv6  any any svc-v6-dhcp  permit
      ipv6  any any svc-dns  permit
    !
    ip access-list session h323-acl
      any any svc-h323-tcp  permit queue high
      any any svc-h323-udp  permit queue high
    !
    vpn-dialer default-dialer
      ike authentication PRE-SHARE ******
    !
    user-role ap-role
     access-list session control
     access-list session ap-acl
     access-list session v6-control
     access-list session v6-ap-acl
    !
    user-role default-vpn-role
     access-list session allowall
     access-list session v6-allowall
    !
    user-role voice
     access-list session sip-acl
     access-list session noe-acl
     access-list session svp-acl
     access-list session vocera-acl
     access-list session skinny-acl
     access-list session h323-acl
     access-list session dhcp-acl
     access-list session tftp-acl
     access-list session dns-acl
     access-list session icmp-acl
    !
    user-role default-via-role
     access-list session allowall
    !
    user-role guest-logon
     captive-portal "default"
     access-list session logon-control
     access-list session captiveportal
     access-list session v6-logon-control
     access-list session captiveportal6
    !
    user-role guest
     access-list session http-acl
     access-list session https-acl
     access-list session dhcp-acl
     access-list session icmp-acl
     access-list session dns-acl
     access-list session v6-http-acl
     access-list session v6-https-acl
     access-list session v6-dhcp-acl
     access-list session v6-icmp-acl
     access-list session v6-dns-acl
    !
    user-role stateful-dot1x
    !
    user-role authenticated
     access-list session allowall
     access-list session v6-allowall
    !
    user-role logon
     access-list session logon-control
     access-list session captiveportal
     access-list session vpnlogon
     access-list session v6-logon-control
     access-list session captiveportal6
    !
    !

    interface mgmt
     shutdown
    !

    dialer group evdo_us
      init-string ATQ0V1E0
      dial-string ATDT#777
    !

    dialer group gsm_us
      init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
      dial-string ATD*99#
    !

    dialer group gsm_asia
      init-string AT+CGDCONT=1,"IP","internet"
      dial-string ATD*99***1#
    !

    dialer group vivo_br
      init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
      dial-string ATD*99#
    !

     

     

    interface gigabitethernet 1/0
     description "GE1/0"
     trusted
     trusted vlan 1-4094
    !

    interface gigabitethernet 1/1
     description "GE1/1"
     trusted
     trusted vlan 1-4094
    !

    interface gigabitethernet 1/2
     description "GE1/2"
     trusted
     trusted vlan 1-4094
    !

    interface gigabitethernet 1/3
     description "GE1/3"
     trusted
     trusted vlan 1-4094
    !

    interface gigabitethernet 1/4
     description "GE1/4"
     trusted
     trusted vlan 1-4094
    !

    interface gigabitethernet 1/5
     description "GE1/5"
     trusted
     trusted vlan 1-4094
    !

    interface gigabitethernet 1/6
     description "GE1/6"
     trusted
     trusted vlan 1-4094
    !

    interface gigabitethernet 1/7
     description "GE1/7"
     trusted
     trusted vlan 1-4094
    !

    interface vlan 1
     ip address 192.168.0.100 255.255.255.0
    !

    ip default-gateway 192.168.0.1
    no uplink wired vlan 1
    uplink disable

    ap mesh-recovery-profile cluster Recovery/4E1vbkU1Ckuby+u wpa-hexkey c7d83ed505661272bb4347e1190114baa09ecb159e1ca51090ceb5628e168ecea3b522a04b590c15498d3f775f25afc07f13b9f122d1c28446b8fa469fff5143e8b84a58a3f24b27a6da87db14437cb9
    crypto isakmp policy 20
      encryption aes256
    !

    crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
    crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
    crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
    crypto dynamic-map default-dynamicmap 10000
      set transform-set "default-transform" "default-aes"
    !

    crypto isakmp eap-passthrough eap-tls
    crypto isakmp eap-passthrough eap-peap
    crypto isakmp eap-passthrough eap-mschapv2

    vpdn group l2tp
    !

     
     

    !

    vpdn group pptp
    !

    tunneled-node-address 0.0.0.0

    adp discovery enable
    adp igmp-join enable
    adp igmp-vlan 0

    voice rtcp-inactivity disable
    voice alg-based-cac enable
    voice sip-midcall-req-timeout disable
    ap ap-blacklist-time 3600


    mgmt-user admin root ff6ff7560194a45f1d91de5713e5a57ca7a63a5b91a99be94f

     


    no database synchronize
    database synchronize rf-plan-data

    ip mobile domain default
    !

    ip igmp
    !

    ipv6 mld
    !

    no firewall attack-rate cp 1024
    ipv6 firewall ext-hdr-parse-len  100

    !

    !
    firewall cp
    packet-capture-defaults tcp disable udp disable interprocess disable sysmsg disable other disable
    !
    ip domain lookup
    !
    country US
    aaa authentication mac "default"
    !
    aaa authentication dot1x "default"
    !
    aaa authentication dot1x "dot1x_prof-dvw49"
    !
    aaa server-group "default"
     auth-server Internal
     set role condition role value-of
    !
    aaa profile "BNET-aaa_prof"
       initial-role "authenticated"
       authentication-dot1x "dot1x_prof-dvw49"
    !
    aaa profile "default"
    !
    aaa authentication captive-portal "default"
    !
    aaa authentication wispr "default"
    !
    aaa authentication vpn "default"
    !
    aaa authentication vpn "default-rap"
    !
    aaa authentication mgmt
    !
    aaa authentication stateful-ntlm "default"
    !
    aaa authentication stateful-kerberos "default"
    !
    aaa authentication stateful-dot1x
    !
    aaa authentication wired
    !
    web-server
    !
    guest-access-email
    !
    voice logging
    !
    voice dialplan-profile "default"
    !
    voice real-time-config
    !
    voice sip
    !
    aaa password-policy mgmt
    !
    control-plane-security
       no cpsec-enable
    !
    ids management-profile
    !
    ids wms-general-profile
       poll-retries 3
    !
    ids wms-local-system-profile
    !
    ids ap-rule-matching
    !
    valid-network-oui-profile
    !
    qos-profile "default"
    !
    policer-profile "default"
    !
    ap system-profile "default"
    !
    ap regulatory-domain-profile "default"
       country-code US
       valid-11g-channel 1
       valid-11g-channel 6
       valid-11g-channel 11
       valid-11a-channel 36
       valid-11a-channel 40
       valid-11a-channel 44
       valid-11a-channel 48
       valid-11a-channel 149
       valid-11a-channel 153
       valid-11a-channel 157
       valid-11a-channel 161
       valid-11a-channel 165
       valid-11g-40mhz-channel-pair 1-5
       valid-11g-40mhz-channel-pair 7-11
       valid-11a-40mhz-channel-pair 36-40
       valid-11a-40mhz-channel-pair 44-48
       valid-11a-40mhz-channel-pair 149-153
       valid-11a-40mhz-channel-pair 157-161
    !
    ap wired-ap-profile "default"
    !
    ap enet-link-profile "default"
    !
    ap mesh-ht-ssid-profile "default"
    !
    ap lldp med-network-policy-profile "default"
    !
    ap mesh-cluster-profile "default"
    !
    ap lldp profile "default"
    !
    ap mesh-radio-profile "default"
    !
    ap wired-port-profile "default"
    !
    ids general-profile "default"
    !
    ids rate-thresholds-profile "default"
    !
    ids signature-profile "default"
    !
    ids impersonation-profile "default"
    !
    ids unauthorized-device-profile "default"
    !
    ids signature-matching-profile "default"
       signature "Deauth-Broadcast"
       signature "Disassoc-Broadcast"
    !
    ids dos-profile "default"
    !
    ids profile "default"
    !
    rf arm-profile "arm-maintain"
       assignment maintain
       no scanning
    !
    rf arm-profile "arm-scan"
    !
    rf arm-profile "default"
    !
    rf optimization-profile "default"
    !
    rf event-thresholds-profile "default"
    !
    rf am-scan-profile "default"
    !
    rf dot11a-radio-profile "default"
    !
    rf dot11a-radio-profile "rp-maintain-a"
       arm-profile "arm-maintain"
    !
    rf dot11a-radio-profile "rp-monitor-a"
       mode am-mode
    !
    rf dot11a-radio-profile "rp-scan-a"
       arm-profile "arm-scan"
    !
    rf dot11g-radio-profile "default"
    !
    rf dot11g-radio-profile "rp-maintain-g"
       arm-profile "arm-maintain"
    !
    rf dot11g-radio-profile "rp-monitor-g"
       mode am-mode
    !
    rf dot11g-radio-profile "rp-scan-g"
       arm-profile "arm-scan"
    !
    wlan handover-trigger-profile "default"
    !
    wlan rrm-ie-profile "default"
    !
    wlan bcn-rpt-req-profile "default"
    !
    wlan tsm-req-profile "default"
    !
    wlan voip-cac-profile "default"
    !
    wlan ht-ssid-profile "BNET-htssid_prof"
    !
    wlan ht-ssid-profile "default"
    !
    wlan edca-parameters-profile station "default"
    !
    wlan edca-parameters-profile ap "default"
    !
    wlan dot11k-profile "default"
    !
    wlan ssid-profile "BNET-ssid_prof"
       essid "BNET"
       opmode wpa2-psk-aes
       wpa-passphrase 88cec7360fa18436b2664e6141717de82b71ab1166b6f01e
       ht-ssid-profile "BNET-htssid_prof"
    !
    wlan ssid-profile "default"
    !
    wlan virtual-ap "BNET-vap_prof"
       aaa-profile "BNET-aaa_prof"
       ssid-profile "BNET-ssid_prof"
       vlan 1
       forward-mode bridge
    !
    wlan virtual-ap "default"
    !
    ap provisioning-profile "default"
    !
    rf arm-rf-domain-profile
       arm-rf-domain-key "429ef06559c5a89d110d9c215861c1c3"
    !
    ap spectrum local-override
    !
    ap-group "default"
       virtual-ap "BNET-vap_prof"
    !
    logging level warnings security subcat ids
    logging level warnings security subcat ids-ap

    snmp-server enable trap

    process monitor log
    end


    #3600


  • 2.  RE: Why won't my bridged SSID come up?
    Best Answer

    Posted Jul 06, 2014 06:33 PM
    control-plane-security
       no cpsec-enable

     You need to enable control plane security for bridging to work:

     

    CAUTION: This will cause an 8 to 10 minute outage minimum as control plane security is enabled on all of your access points.



  • 3.  RE: Why won't my bridged SSID come up?

    Posted Jul 06, 2014 06:40 PM

    Are your APs on VLAN 1 also?

     

    You don't have cpsec enabled either.  Are they campus APs? You must have cpsec enabled for bridge mode campus APs or provision them as RAPs.



  • 4.  RE: Why won't my bridged SSID come up?

    Posted Jul 07, 2014 09:03 AM

    Worked great.  I forgot I was running my APs in bridged campus mode which requires cpsec.

     

    Thanks.
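
A lint for the condition the replies identify, as an added example that is not part of any post in this thread: it flags bridge-mode virtual APs assigned to an ap-group while the configuration carries `no cpsec-enable`. The function names and the trimmed sample are constructed here; the check cannot tell campus APs from RAPs, so a finding only matters where the APs are campus APs.

```python
import re

# Constructed sample: the relevant stanzas of the configuration posted in this thread.
SAMPLE_CONFIG = """\
control-plane-security
   no cpsec-enable
!
wlan virtual-ap "BNET-vap_prof"
   aaa-profile "BNET-aaa_prof"
   ssid-profile "BNET-ssid_prof"
   vlan 1
   forward-mode bridge
!
ap-group "default"
   virtual-ap "BNET-vap_prof"
!
"""


def parse_stanzas(text):
    """Split the config into (header, [child lines]); '!' or a blank line ends a stanza."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None
        elif line[0].isspace():
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line, [])
            stanzas.append(current)
    return stanzas


def bridge_without_cpsec(text):
    """Return (ap-group, virtual-ap) pairs that deploy a bridge-mode VAP while cpsec is off."""
    stanzas = parse_stanzas(text)
    # Assumption: cpsec counts as disabled only when "no cpsec-enable" is explicit.
    cpsec_off = any(h == "control-plane-security" and "no cpsec-enable" in kids
                    for h, kids in stanzas)
    if not cpsec_off:
        return []
    bridged = set()
    for header, kids in stanzas:
        m = re.fullmatch(r'wlan virtual-ap "(.+)"', header)
        if m and "forward-mode bridge" in kids:
            bridged.add(m.group(1))
    findings = []
    for header, kids in stanzas:
        group = re.fullmatch(r'ap-group "(.+)"', header)
        if not group:
            continue
        for kid in kids:
            vap = re.fullmatch(r'virtual-ap "(.+)"', kid)
            if vap and vap.group(1) in bridged:
                findings.append((group.group(1), vap.group(1)))
    return findings
```

The parser expects top-level commands at column 0, so strip the forum's leading indentation before feeding it a pasted configuration.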