We set up Aruba 7210 controllers in master/standby (without Mobility Master).
In the WLAN config, we want to broadcast an 802.1X network in bridge mode so that clients can make DHCP requests and get an IP from an external DHCP server.
Now the WLAN is configured and we can see the client MAC address on the AP's switch port (i.e. the port to which the AP is connected), but no ARP requests.
It seems the VLAN used for the WLAN config doesn't let ARP requests pass.
What could be wrong?
We found https://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-configure-External-DHCP-server-for-a-Network-in-Instant/ta-p/187466 but cannot find such config on our 8.3 system.
You have to trunk that client VLAN to each access point.
Do you mean in the controller config? If so, what should be the process?
On the core switch side, this VLAN already works with the "old" 3600 controllers in the same way. I "just" cannot make it work again with the 7210/8.3...
After Wireshark analysis, no ARP request comes out of the physical port of the AP (i.e. on the switch that connects the AP).
Sounds like ARP requests cannot "cross" the WLAN.
WLAN is in bridge mode. WLAN's VLAN is basic (no ip address).
What is the configuration for the Virtual AP? Is the VLAN 1? If it is not, it will tag with that VLAN number. If it is one, it is bridging with no tag. You also need to have Control Plane Security Enabled for it to work. You should set the Virtual AP VLAN number to something to make it predictable.
For the virtual-ap:
wlan virtual-ap "WIFI-ACAD-2"
  aaa-profile "WIFI-ACAD-2"
  vlan 151
  forward-mode bridge
  ssid-profile "WIFI-ACAD-2"
!
CPSec is already enabled (see capture).
It tags with VLAN 151, and I can see the client MAC address on the core switch (where the AP is connected). But no ARP request.
Well, the client has to obtain an IP address before it ARPs for a default gateway. Also, make sure that the Initial Role in the AAA profile points to a role that has the "allowall" ACL to allow all traffic to go through.
Here is (capture) the roles sequence.
login is the default one.
If you are not using 802.1x authentication on that SSID, the initial role should be something like authenticated to allow all traffic to pass.
We use 802.1X for auth.
EAP-TTLS+PAP with radius.
Auth works. Then the client searches for an IP address. But no IP is found, and no ARP request reaches the external DHCP server.
When mirroring the AP port on the core switch, we cannot find any ARP request for the client MAC address.
By contrast, the same method with our 3600 works.
Note: both WLANs (3600 and 7210 infrastructure) have the same VLAN ID, but the APs and controllers are on different subnets.
Is there any way to enable debug on the AP side to verify whether it can see ARP requests and what it does with them?
Here is what wireshark can capture on the mirrored port of the AP.
When using the old infrastructure that works, the same capture shows ARP request and co.
It may show that something "drops" the ARP requests before the physical port of the AP (?)
I noticed another thing: as you can see in the screen capture, there are many dropped frames for the two clients that tried to connect (?)
The AP is within 5 m of the clients.
Here is the output from the command. I showed the client that I use for testing.
Here is the output (internal IPs are masked).
Is that the mac address of the client? You would have to run that command multiple times in a row, to possibly see what is happening.
Yes, it is the MAC address of the client.
I've just tried again, running the command throughout the connection attempt.
For the whole minute the client tries to get an address, Wireshark shows only 3 gratuitous ARP lines and the debug command only the same line:
34:F3:9A:BE:0A:23 1 0 0 0 0 dev14 3e00 -- -- F F 0
Only the TAge changed.
I'm a little bit lost... I thought about a core switch misconfig, but no ARP request is detected on the port (by mirroring).
Okay. To be clear, the Virtual AP Vlan is set and the switch is tagged with that VLAN?
If you are talking about the core switch where the AP is connected, yes.
The AP management address is on the native VLAN 200 and the core switch port config is:
interface FastEthernet1/0/47
 switchport trunk native vlan 200
 switchport trunk allowed vlan 200,151,152
 switchport mode trunk
end
The Virtual-AP VLAN is 151.
When trying to connect, I can see on the core switch:
sh mac address-table | i 151
151 d85b.2a1d.8a67 DYNAMIC Fa1/0/47
Okay. Is there a DHCP server on VLAN 151? I hate to ask that.
Yes, there is an ip helper on this VLAN, which relays requests to the DHCP server.
This VLAN and ip helper are already used by the "old" infrastructure based on the 3600 on the same core switch.
I finally found what was wrong: actually, auth wasn't done. The client said it was searching for an IP whereas it was not.
After solving this auth step, all is going well.
Sorry for disturbing.
Try "show datapath session ap-name <name of ap> table" to possibly see the traffic going through that AP during or after authentication. It may show the ARPs getting blocked (the source ip would be the mac of your client).
EDIT: look for protocol 806:
You can try "show datapath bridge ap-name <name of ap> ?" to see some commands that would give you visibility.
Not many people use bridged SSIDs, unfortunately.
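To do the mirror-port check from this thread mechanically rather than by eye, here is an added example (not from the thread, not Aruba code): a small parser that walks raw Ethernet frames, keeps only those sent by the client MAC on the Virtual-AP VLAN (802.1Q tag), and counts DHCP, ARP requests, gratuitous ARPs (sender IP equals target IP, which is how Wireshark labels them) and the ARP ethertype 0x0806 the datapath output refers to. The frames are constructed inline, the MACs are the ones quoted in the thread, and the verdict rule is a heuristic of my own; on a real capture you would feed audit() the raw frames read from a pcap.

```python
"""Audit a mirror-port capture for one wireless client on one VLAN.
Added example; frames below are constructed, not a real capture."""
import struct
from collections import Counter

ETH_P_8021Q = 0x8100   # 802.1Q tag
ETH_P_ARP = 0x0806     # the "protocol 806" in the datapath output
ETH_P_IP = 0x0800
IPPROTO_UDP = 17


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw):
    """Split an Ethernet frame into addresses, optional VLAN id, ethertype and payload."""
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    off, vlan = 14, None
    if etype == ETH_P_8021Q:
        tci, etype = struct.unpack("!HH", raw[14:18])
        vlan, off = tci & 0x0FFF, 18  # low 12 bits of the TCI are the VLAN id
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
            "ethertype": etype, "payload": raw[off:]}


def classify(frame):
    """Label a frame the way you would eyeball it in Wireshark."""
    p = frame["payload"]
    if frame["ethertype"] == ETH_P_ARP and len(p) >= 28:
        opcode = struct.unpack("!H", p[6:8])[0]
        sender_ip, target_ip = p[14:18], p[24:28]
        if opcode == 1:
            return "arp-gratuitous" if sender_ip == target_ip else "arp-request"
        return "arp-reply"
    if frame["ethertype"] == ETH_P_IP and len(p) >= 28:
        ihl = (p[0] & 0x0F) * 4
        if p[9] == IPPROTO_UDP:
            sport, dport = struct.unpack("!HH", p[ihl:ihl + 4])
            if {sport, dport} & {67, 68}:
                return "dhcp"
        return "ip-other"
    return "other"


def audit(frames, client_mac, vlan):
    """Count what one client sends on one VLAN and give a heuristic verdict."""
    counts = Counter()
    for raw in frames:
        f = parse_frame(raw)
        if f["src"] != client_mac.lower() or f["vlan"] != vlan:
            continue  # other stations, or the wrong (e.g. management) VLAN
        counts[classify(f)] += 1
    if counts["dhcp"]:
        verdict = "client is sending DHCP on the VLAN; look at the relay/DHCP server side"
    elif counts["arp-request"]:
        verdict = "client ARPs without DHCP; check for a static or stale address"
    else:
        verdict = ("no DHCP and no ARP request from the client on this VLAN; it never "
                   "reached the IP stage, so check the 802.1X result and the role/ACL first")
    return counts, verdict


# --- constructed sample frames (not a real capture) ---
def build_frame(dst, src, vlan, etype, payload):
    hdr = mac_bytes(dst) + mac_bytes(src)
    hdr += struct.pack("!HHH", ETH_P_8021Q, vlan, etype) if vlan is not None else struct.pack("!H", etype)
    return hdr + payload


def build_arp(sender_mac, sender_ip, target_ip, opcode=1):
    return (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, opcode) + mac_bytes(sender_mac)
            + bytes(sender_ip) + b"\x00" * 6 + bytes(target_ip))


def build_dhcp_discover():
    body = b"\x01\x01\x06\x00" + b"\x00" * 236  # BOOTREQUEST stub; enough for the port check
    udp = struct.pack("!HHHH", 68, 67, 8 + len(body), 0) + body
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                       IPPROTO_UDP, 0, b"\x00" * 4, b"\xff" * 4) + udp


CLIENT = "34:f3:9a:be:0a:23"   # client MAC quoted in the thread
OTHER = "d8:5b:2a:1d:8a:67"    # other MAC quoted in the thread, used as a second station
BCAST = "ff:ff:ff:ff:ff:ff"

# What the thread describes: only gratuitous ARPs (self-assigned 169.254.x.x) from the client
CAPTURE_STUCK = [build_frame(BCAST, CLIENT, 151, ETH_P_ARP,
                             build_arp(CLIENT, (169, 254, 10, 20), (169, 254, 10, 20)))] * 3 + [
    build_frame(BCAST, OTHER, 151, ETH_P_ARP, build_arp(OTHER, (10, 1, 151, 20), (10, 1, 151, 1)))]

# A healthy client: DHCP Discover, then ARP for the gateway; the VLAN 200 frame is ignored
CAPTURE_OK = [
    build_frame(BCAST, CLIENT, 151, ETH_P_IP, build_dhcp_discover()),
    build_frame(BCAST, CLIENT, 151, ETH_P_ARP, build_arp(CLIENT, (10, 1, 151, 30), (10, 1, 151, 1))),
    build_frame(BCAST, CLIENT, 200, ETH_P_ARP, build_arp(CLIENT, (10, 1, 200, 30), (10, 1, 200, 1))),
]

if __name__ == "__main__":
    for name, cap in (("stuck", CAPTURE_STUCK), ("ok", CAPTURE_OK)):
        counts, verdict = audit(cap, CLIENT, 151)
        print(name, dict(counts), "->", verdict)
```

Run as-is it prints the two verdicts; the "stuck" capture reproduces the thread's symptom (three gratuitous ARPs, no DHCP), which is why the verdict points at authentication and the role rather than at the trunk.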
Rules seem OK (?)
At minimum, those rules should allow you to get an ip address.
The last thing that I would check is that in your ap-group, the AP system profile has the ap-uplink-acl:
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.