Controllerless Networks

last person joined: yesterday 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

routing problems with magic vlan

  • 1.  routing problems with magic vlan

    Posted Jul 23, 2014 11:29 AM

    I'm having a weird routing problem when trying to use the Virtual Controller to assign ip's using the magic vlan.

     

    Equipment:  1 IAP 225, 9 IAP 105's

     

    If I connect to the IAP that is the virtual controller (doens't matter if the controller is a 225 or 105) I can route just fine.  No problems with external or internal routing.

     

    However, I cannot route anywhere if I connect to any of the other IAP's that are not running as the controller.  I can't even ping the default gateway of the vlan.

     

    Here is the dhcp settings from that vlan:

     

    #magic-vlan
    {
            vlan-id=3333
            dhcp-range=172.31.98.3,172.31.99.254,255.255.254.0,12h
            dhcp-option=1,255.255.254.0
            dhcp-option=3,172.31.98.1
            dhcp-option=6,10.8.2.18
            dhcp-option=54,172.31.98.1
    }

     

    Any thoughts?


    #AP225


  • 2.  RE: routing problems with magic vlan

    Posted Jul 23, 2014 12:04 PM

    What does the rest of your config look like?  Is your network/SSID set to VC Assigned for IP address assignment?



  • 3.  RE: routing problems with magic vlan

    Posted Jul 23, 2014 12:42 PM

    Yes,

     

    the goal of this was to segment off the guest network.  So I created a Guest SSID to use the virtual controller managed ip assignment.  Right now that is the extent of testing.  I have not setup any security and access is currently unrestricted until I resolve this issue with the SSID.

     

    Ian



  • 4.  RE: routing problems with magic vlan

    Posted Jul 23, 2014 12:43 PM

    Did you configure vlan 3333 on the LAN?  You shouldn't need to do that...



  • 5.  RE: routing problems with magic vlan

    Posted Jul 23, 2014 01:12 PM

    No I have not.  I didnt' think I needed to since when I connect to the controller it works just fine.  Its just perplexing that the other iaps won't work with it.

     

     



  • 6.  RE: routing problems with magic vlan

    Posted Jul 23, 2014 01:14 PM

    Can you post the entire IAP config?



  • 7.  RE: routing problems with magic vlan

    Posted Jul 23, 2014 01:24 PM

    Here is it:

     

    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.07.23 10:20:22 =~=~=~=~=~=~=~=~=~=~=~=
    sh run
    version 6.4.0.0-4.1.0
    virtual-controller-country US
    virtual-controller-key 3133393336333835353132343a44453a43382062797465737a
    name "Instant Virtual Controller"
    organization
    virtual-controller-ip 10.8.10.54
    terminal-access
    ntp-server 0.us.pool.ntp.org
    clock timezone Pacific-Time -08 00
    clock summer-time PDT recurring second sunday march 02:00 first sunday november 02:00
    rf-band all
    dynamic-radius-proxy
    ams-ip 10.8.2.5
    ams-key 60fb94dae318cae66224937b82c85dc4b1e0d418b54551d3
    ams-identity 25833716fc0233aafbeda2b4a800f9a3

    allow-new-aps
    allowed-ap 24:de:c6:ce:84:d3
    allowed-ap 24:de:c6:ce:84:ed
    allowed-ap 24:de:c6:ce:84:d9
    allowed-ap 24:de:c6:ce:84:d0
    allowed-ap 24:de:c6:ce:84:d8
    allowed-ap 24:de:c6:ce:84:2b
    allowed-ap 24:de:c6:ce:84:da
    allowed-ap 24:de:c6:ce:84:d6
    allowed-ap 18:64:72:c6:63:00

     

    arm
     wide-bands all
     80mhz-support
     min-tx-power 18
     max-tx-power 127
     band-steering-mode prefer-5ghz
     air-time-fairness-mode preferred-access
     client-aware
     scanning
     client-match

    rf dot11g-radio-profile
     spectrum-monitor
     interference-immunity 3

    rf dot11a-radio-profile
     spectrum-monitor

    internal-domains
     domain-name
     domain-name

    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless


    deny-inter-user-bridging
    deny-local-routing

     


    user guest 9fb79ea1a40485f29da7d23c86066964 portal


    mgmt-user admin 1ebc3cfd407fcdeade12fb8650a884ec60c46c9e821a07b7

    wlan access-rule default_wired_port_profile
     index 0
     rule any any match any any any permit

    wlan access-rule "TP 2.4GHZ"
     index 1
     rule any any match any any any permit

    wlan access-rule wired-instant
     index 2
     rule masterip 0.0.0.0 match tcp 80 80 permit
     rule masterip 0.0.0.0 match tcp 4343 4343 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit

    wlan access-rule "internal"
     index 3
     rule any any match any any any permit

    wlan access-rule TP-Guest
     index 4
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
     rule 10.8.1.4 255.255.255.255 match icmp any any permit
     rule 10.8.0.0 255.255.0.0 match any any any deny
     rule any any match any any any permit

    wlan access-rule "TP 5GHZ"
     index 5
     rule any any match any any any permit

    wlan access-rule test
     index 6
     rule any any match any any any permit

    wlan ssid-profile "TP 2.4GHZ"
     enable
     index 0
     type employee
     essid "TP 2.4GHZ"
     opmode wpa2-aes
     max-authentication-failures 0
     vlan guest
     auth-server vdc1
     auth-survivability
     rf-band 2.4
     captive-portal disable
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter arp
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
     okc
     dot11r
     dot11k
     dot11v

    wlan ssid-profile "internal"
     enable
     index 1
     termination
     type employee
     essid "internal"
     opmode wpa2-aes
     max-authentication-failures 0
     auth-server vdc1
     rf-band all
     captive-portal disable
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter none
     blacklist
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
     dot11v

    wlan ssid-profile TP-Guest
     enable
     index 2
     type guest
     essid TP-Guest
     wpa-passphrase f5985a98506272e3423f6aeed258d2ebf8c837ddd574653c
     opmode wpa2-psk-aes
     max-authentication-failures 0
     rf-band all
     captive-portal disable
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter arp
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64

    wlan ssid-profile "TP 5GHZ"
     enable
     index 3
     type employee
     essid "TP 5GHZ"
     opmode wpa2-aes
     max-authentication-failures 0
     auth-server vdc1
     auth-survivability
     rf-band 5.0
     captive-portal disable
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter arp
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
     okc
     dot11r
     dot11k
     dot11v

    wlan ssid-profile test
     enable
     index 4
     type guest
     essid test
     wpa-passphrase 8ead216160a9de007a593acae1c51923af87e11d46958d6e
     opmode wpa2-psk-aes
     max-authentication-failures 0
     vlan guest
     rf-band all
     captive-portal disable
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter arp
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64

    auth-survivability cache-time-out 24

     

    dpi

    wlan auth-server
     ip
     port 1812
     acctport 1813
     key a1c81747945dcec66a03927fcc43f764e495b2fe9fc9ac7e
     nas-ip 10.8.10.54
     rfc3576
     cppm-rfc3576-port 5999

    wlan external-captive-portal
     server localhost
     port 80
     url "/"
     auth-text "Authenticated"


    blacklist-time 3600
    auth-failure-blacklist-time 3600

    ids
     wireless-containment none
     infrastructure-detection-level high
     client-detection-level high
     infrastructure-protection-level high
     client-protection-level high


    wired-port-profile default_wired_port_profile
     switchport-mode trunk
     allowed-vlan all
     native-vlan 1
     shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex full
     no poe
     type employee
     captive-portal disable
     no dot1x

    wired-port-profile wired-instant
     switchport-mode access
     allowed-vlan all
     native-vlan guest
     no shutdown
     access-rule-name wired-instant
     speed auto
     duplex auto
     no poe
     type guest
     captive-portal disable
     no dot1x


    enet0-port-profile default_wired_port_profile

    uplink
     preemption
     enforce none
     failover-internet-pkt-lost-cnt 10
     failover-internet-pkt-send-freq 30
     failover-vpn-timeout 180


    airgroup
     disable

    airgroupservice airplay
     disable
     description AirPlay

    airgroupservice airprint
     disable
     description AirPrint

    attack
     drop-bad-arp-enable
     fix-dhcp-enable
     poison-check-enable

     

     

    Accounting 225 - p11-35#



  • 8.  RE: routing problems with magic vlan

    Posted Jul 23, 2014 01:37 PM

    The config for the "test" SSID looks valid.  At this point, I would open up a case.  



  • 9.  RE: routing problems with magic vlan

    Posted Jul 23, 2014 02:40 PM

    I would think that the guest (or is is Test?) VLAN will have to be on the switch-fabric, since clients are dropped off directly by the iAP - vs GRE tunneled to the controller in a controller-based deployment.

     

    We had to choose between exposing the guest clients' VLAN to the switch fabric and building one tunnel from the VC, or keeping the VLAN off the switch-fabric and building a tunnel per AP.



  • 10.  RE: routing problems with magic vlan

    Posted Oct 04, 2019 10:03 AM
    Did you find the solution for this issue? Thanks!!