Wireless Access

last person joined: 20 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

DHCP / VLAN

Jump to Best Answer
  • 1.  DHCP / VLAN

    Posted Apr 02, 2019 12:53 PM

    Hi,

     

    We set up Aruba 7210 controlers on master/stanby (without mobility master).

    On WLAN config, we want to broadcast a 802.1X network with bridge to let clients make dhcp request and get an IP from externa DHCP server

     

    Now WLAN is configured and we can see client mac address on AP switch port (ie the port on which AP is connected) but no ARP request.

     

    Seems like VLAN used for WLAN config does'nt let ARP request pass.

     

    What could be wrong ?

     

    We found https://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-configure-External-DHCP-server-for-a-Network-in-Instant/ta-p/187466 but cannot find such config on our 8.3 system.

     

    Regards,



  • 2.  RE: DHCP / VLAN

    Posted Apr 02, 2019 05:26 PM

    You have to trunk that client VLAN to each access point.



  • 3.  RE: DHCP / VLAN

    Posted Apr 03, 2019 03:06 AM

    Hi,

     

    Do you mean on controller config ? If so, what should be the process ?

    On core switch side, this VLAN is already working with "old" 3600 controllers in the same way. I "just" cannot make it agin with the 7210/8.3...



  • 4.  RE: DHCP / VLAN

    Posted Apr 03, 2019 10:52 AM

    Hi,

     

    After wireshark config analysis, no arp request comes out from physical port of the AP (ie on switch that connects AP).

     

    Souns like ARP request cannot "cross" WLAN.

     

    WLAN is in bridge mode. WLAN's VLAN is basic (no ip address).



  • 5.  RE: DHCP / VLAN

    Posted Apr 03, 2019 11:04 AM

    What is the configuration for the Virtual AP?  Is the VLAN 1?  If it is not, it will tag with that VLAN number.  If it is one, it is bridging with no tag.  You also need to have Control Plane Security Enabled for it to work.  You should set the Virtual AP VLAN number to something to make it predictable.



  • 6.  RE: DHCP / VLAN

    Posted Apr 03, 2019 11:18 AM
      |   view attached

    For virtual-ap :

     

    wlan virtual-ap "WIFI-ACAD-2"
    aaa-profile "WIFI-ACAD-2"
    vlan 151
    forward-mode bridge
    ssid-profile "WIFI-ACAD-2"
    !

     

    CPSec is already enabled (see capture)

     

    It tags with VLAN 151, and i can see client mac address on core switch (where AP is connected). But no arp request.



  • 7.  RE: DHCP / VLAN

    Posted Apr 03, 2019 11:22 AM

    Well, the client has to obtain an ip address before it ARPs for a default gateway.  Also, make sure that the Initial Role in the AAA profile points to a role that has the "allowall"ACL to allow all traffic to go through.



  • 8.  RE: DHCP / VLAN

    Posted Apr 03, 2019 12:43 PM
      |   view attached

    Here is (capture) the roles sequence.

     

    login is the default one.



  • 9.  RE: DHCP / VLAN

    Posted Apr 03, 2019 12:44 PM

    If you are not using 802.1x authentication on that SSID, the initial role should be something like authenticated to allow all traffic to pass.



  • 10.  RE: DHCP / VLAN

    Posted Apr 03, 2019 12:57 PM

    We use 802.1X for auth.

     

    EAP-TTLS+PAP with radius.

     

    Auth works. Then client search for IP address. But no IP found, no ARP request one externa DHCP.

    When mirroring AP port on core switch, we cannot find any arp request for the client mac address.

     

    On the opposite, the same method with our 3600 works.

    Note : Both WLAN (3600 and 7210 infrastructure have the same VLAN ID, but AP and controllers are on different subnet.

     



  • 11.  RE: DHCP / VLAN

    Posted Apr 03, 2019 12:58 PM

    Is there any way to enable debug on AP site to verifiy if it can see ARP requests and what it can do with it ?



  • 12.  RE: DHCP / VLAN

    Posted Apr 03, 2019 01:05 PM
      |   view attached

    It has.



  • 13.  RE: DHCP / VLAN

    Posted Apr 03, 2019 01:09 PM
      |   view attached

    Here is what wireshark can capture on the mirrored port of the AP.

    When using the old infrastructure that works, the same capture shows ARP request and co.

     

    It may show that something "drop" ARP request before the physical port of the AP (?)



  • 14.  RE: DHCP / VLAN

    Posted Apr 03, 2019 01:11 PM
      |   view attached

    I noticed another thing : as you can see in screen capture, there are many drop frames for the two client that tried to connect (?)

    AP is up to 5m of clients.



  • 15.  RE: DHCP / VLAN

    Posted Apr 03, 2019 01:15 PM
      |   view attached

    Here is output from command. I showed the client theat i use for test.



  • 16.  RE: DHCP / VLAN

    Posted Apr 03, 2019 01:22 PM
      |   view attached

    Here is output (is masked internal IPs)



  • 17.  RE: DHCP / VLAN

    Posted Apr 03, 2019 01:32 PM

    Is that the mac address of the client?  You would have to run that command multiple times in a row, to possibly see what is happening.



  • 18.  RE: DHCP / VLAN

    Posted Apr 03, 2019 01:39 PM

    Yes it is the mac adress of the client.

     

    I've just tried again, running the command all the time of the connexion try.

     

    For all the 1mn the client try to get an adress, wireshark shows only 3 gratuitous arp lines and debug command only the same line

     

    34:F3:9A:BE:0A:23 1 0 0 0 0 dev14 3e00 -- -- F F 0

    only the TAge changed.

     

    I'm a little bit lost... I thought about a core switch misconfig, but no arp request is detected on port (by mirroring).



  • 19.  RE: DHCP / VLAN

    Posted Apr 03, 2019 01:43 PM

    Okay.  To be clear, the Virtual AP Vlan is set and the switch is tagged with that VLAN?



  • 20.  RE: DHCP / VLAN

    Posted Apr 03, 2019 01:48 PM

    If you are talking about the core switch where the AP is connected, yes.

     

    AP mgmt adress is on a native VLAN 200 and core switch conf port is

     

    interface FastEthernet1/0/47
    switchport trunk native vlan 200
    switchport trunk allowed vlan 200,151,152
    switchport mode trunk
    end

     

    Virtual-AP VLAN is 151

     

    wlan virtual-ap "WIFI-ACAD-2"
    aaa-profile "WIFI-ACAD-2"
    vlan 151
    forward-mode bridge
    ssid-profile "WIFI-ACAD-2"
    !

     

    when trying to connect, is can see on core switch

     

    sh mac address-table | i 151

     

    151 d85b.2a1d.8a67 DYNAMIC Fa1/0/47



  • 21.  RE: DHCP / VLAN

    Posted Apr 03, 2019 01:49 PM

    Okay.  Is there a DHCP server on VLAN 151?  I hate to ask that.



  • 22.  RE: DHCP / VLAN

    Posted Apr 03, 2019 01:51 PM

    Yes, ther eis an ip helper on this vlan, which relays arp request on DHCP server.

    This VLAN and ip helper are already used by the "old infrastructure based on 3600" on the same core switch.



  • 23.  RE: DHCP / VLAN
    Best Answer

    Posted Apr 04, 2019 07:31 AM

    Hi,

     

    I finally found what was wrong : actually auth wasn't done. Client said it was searching for IP whereas it was not.

     

    After solving this auth step, all is going well.

     

    Sorry for disturbing.

     

    Regards,



  • 24.  RE: DHCP / VLAN

    Posted Apr 03, 2019 01:13 PM

    Try "show datapath session ap-name <name of ap> table" to possibly see the traffic going through that AP during or after authentication.  It may show the ARPs getting blocked (the source ip would be the mac of your client).

     

    EDIT:  look for protocol 806:

     

     



  • 25.  RE: DHCP / VLAN

    Posted Apr 03, 2019 01:06 PM

    You can try "show datapath bridge ap-name <name of ap> ?" to see some commands that would give you visibility.

     

    Not many people use bridged SSIDs, unfortunately.



  • 26.  RE: DHCP / VLAN

    Posted Apr 03, 2019 12:44 PM
      |   view attached

    Rules eem ok (?)

    See capture.



  • 27.  RE: DHCP / VLAN

    Posted Apr 03, 2019 12:54 PM

    At minimum, those rules should allow you to get  an ip address.  



  • 28.  RE: DHCP / VLAN

    Posted Apr 03, 2019 12:57 PM

    The last thing that I would check is that in your ap-group, the AP system profile has the ap-uplink-acl:

    Screenshot 2019-04-03 at 11.56.23.png