I am not sure what to make of this, the situation is as follows. I have two AP 105's in two different subnets, one is for employees (vlan1) and the other for guests (vlan2). I was told that I can't put the second AP on the same trunk as the first AP, since the native vlan must match the port vlan it is assigned. So, since I have two different vlans I can't match the native vlan to both vlan1 and vlan2. What I did was I have 3 cisco 2960 gigabit switches connected to an ISA570 and these switches are trunking vlans 1 & 12, so I just put the first AP in a vlan 1 port. For the second AP I went ahead and added two access ports in vlan2 on switch 3 where one port goes to the AP and the other to the ISA570 firewall. The issue I am having is some machines can't switch between the two AP's sometimes, it seems to connect, but I do not get an ip address or it will keep the ip address assigned from the first network. I have my ISA570 handing out dhcp BTW. I wish there was a way I could put my second AP trunked with the rest of my vlans, is this definitely not possible?
Oh and also, I have the second AP set to 'default vlan', if I change the SSID to static vlan2, I don't get an ip address on my clients for this AP. Doesn't make any sense to me at all since the port is in vlan2 for this AP.
What are you trying to accomplish?
Not sure if this is what you are trying to achieve? :
Very simple situation. We have two Aruba 105's. One is for employees (192.168.1.0/24) and one for guests (192.168.25.0/24). We don't want to be roaming, we have these AP's in standalone mode and are completely separate from one another. I need best practices here on how to setup two of them, as I have been told and it seemed to give me issues, is that you cannot have two AP's on one trunk, because the native vlan will be a mismatch on one of the AP's. So, I have setup one that trunks through my switches with the rest of my vlans and the other AP that has two access ports setup where one goes to my AP and one goes to a separate port on my firewall, which in turn bypasses the two AP's on one trunk port issue I was having. However, in this scenario it seems that there may be an issue with this setup, I am not sure. I was doing testing connecting machines to one AP and then connecting to the other just to make sure both AP's were working and dhcp from my firewall is okay. Some machines are fine most of the time, some machines can't switch between the two without having an issue where they either don't get an ip address when they go to connect to the second AP or it still shows the ip from the first network the first AP is connected to. Really just trying to find the best way to set these up.
Where are you defining the DHCP pools for these ?
Does VLAN 2 exist on those switches ?
The native VLAN shouldn't matter if you are not trunking to the IAPs.
Do you have a trunk setup between the switches and the Firewall?
So here is the setup, did a little diagram. So vlan 2 for guest AP is only on switch 3. Yes the switches are trunking to the ISA and the ISA port is set to trunk for vlan 1, which the first AP is connected. The dhcp pools are being defined on the ISA, there are vlans setup and there are dhcp pools for each vlan.
Anybody out there setup two AP's on different vlans?
Why don't you just trunk VLAN 2 back to the firewall / Switch 3 and setup a Native VLAN2 for that trunk ?
What is your expectation when a user connecting to AP/VLAN1 disconnects and then associates to AP/VLAN2 ?
Is your problem that they can't get an IP at all when they do that ?
Having two APs with SSIDs in different segment shouldn't be an issue.
How have you configured the Guest SSID? Network assigned or VC assigned?
I will try it again, but believe that gave me issues because the native vlan on the switch port was different for the second AP. If native vlan doesn't matter and the second AP data can be tagged, then I guess the info I got was wrong. Both vlans are network assigned.
If you configure the APs to be connected to an access port it shouldn't matter .
How have you configured the wired settings on the IAP?
Your question above, I can't change the native vlan to vlan 2, because my data traffic is on vlan 1 (I don't want data network tagged) AND my first AP is on vlan 1 already.
Not sure what you mean about the wired settings, they have static ip's outside of the dhcp pool.
How do I configure the SSID's when it asks what the client vlan assignment should be? Do I put static vlan 1 for first AP's SSID and static vlan 2 for the second AP's SSID? Or, set them both to default?
SSID Settings :
Wired settings :
That second screenshot, how do I get there, I don't see a tab with 'wired'.
My first AP just had an issue, he connected to the first AP in vlan 1 and it didn't issue dhcp, I checked and it looks like
the ip address that was showing was the ip his home router assigned him, because he had connected to his home network
for his last connection. So, it is like it doesn't want to update the ip, but it is hit or miss, sometimes it works on some machines.
Here is my issue, obviously others were or are having the same issue, but there was no answer on it:
UPDATE: I checked under more-->wired and found that the mode was set to 'trunk' I changed it to 'access' and to vlan 2 on the second AP, but it did nothing. I did the same to the other AP in vlan 1 and that did nothing.
At this point I am not even worried about the second access point, because the first one isn't functioning correctly it looks like and that one is setup the way it should be if you check the diagram I posted on the first page. I can't believe how frustrating this is. Time to buy some cisco AP's I think :p
Let's start fresh :
- Can you get an IP through DHCP if you connect your laptop directly to a port on a switch with VLAN 1 or VLAN 2 ?
- Can you please share a screenshot of how you have the SSIDs configured on each IAP
- Instead, configure each port on the switch as a trunk and change the wired settings to trunk on the IAPs: on IAP 1 set up the native VLAN as 1 and on IAP 2 set the native VLAN as 2
- Make sure that the SSID settings are set to network assigned
- And also that you assign the right wired profile to e0
Both have the correct profile attached to eth0/0. Yes, I can get a dhcp address on both vlans by hooking a computer to them.
Yep, all three switches, see attached. I just went ahead and trunked the second AP through with the rest of the vlans and that didn't do anything.
I can't even access the gui now for the guest AP that I trunked it through with the other vlans.
You can't access the gui because the Native VLAN on that trunk is set to 1
So you can't get an IP on any of the IAPs ?
So I can connect to Aventis, but not the Aventisguest. I can't get to the gui on the second AP, do I need to change the native vlan to vlan 1 to be able to access the gui on the aventisguest?
Are you referring to the trunk that links my switches? I am assuming you are because both AP's are on access ports. I can't change the native vlan on the trunk, because then I wouldn't be able to access the other AP that has a native vlan of 1. Plus, I don't want my vlan 1 to be tagged because it has all my other computers in the network sitting in this vlan.
That IAP serves no users in vlan 1. It is a standalone IAP just for guests. The other IAP is in vlan 1 and is for employees.
I think we are getting confused here, can you see the diagram of how I had it configured, it shows the whole shebang. I need vlan 1 to be native because my computers on my lan are in vlan 1. I don't want my regular data getting tagged, no real reason for it, probably more overhead. Instead, from what I gather the rule of thumb is to tag everything else, correct?
vlan 1 is our data network (all computers)
So, the first AP is in vlan 1 (192.168.1.0/24)
Second AP is in vlan 2 (192.168.25.0/24)
vlan 12 is for IP Phones
All switches are trunk together and the native vlan for each is vlan 1. So, the way I see it, I should be putting both access points on access ports, which they are. I have no idea what it means to set the AP's themselves to access/trunk as they are connected to access ports on the switches.
Please follow these steps , this should get you going :
IAPs side of things
Guest IAP
Assign a STATIC IP on 192.168.1.0/24 so you can reach it through VLAN 1 and make sure you exclude the IP in the firewall so it doesn't conflict with another device
Configure Guest IAP wired settings
Employee IAP
Configure it to be network assigned and leave it as default
Configure the wired settings for the employee IAP this way
Cisco side of things
interface GigabitEthernet0/2
 description EMPLOYEE_IAP
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport mode trunk
interface GigabitEthernet0/4
 description GUEST_IAP
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
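Added example, not part of the original thread: an IOS trunk with no `switchport trunk allowed vlan` statement carries every VLAN, so the AP-facing trunks configured above would also hand the guest AP's port the employee VLAN 1 and the phone VLAN 12. The Python check below flags trunk ports that carry VLANs beyond what they need; the sample config is constructed and modelled on the post, and the `GigabitEthernet0/5` port and the `POLICY` mapping are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the two AP-facing ports in the post above, plus
# a hypothetical restricted variant of the guest port (Gi0/5) for comparison.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 description EMPLOYEE_IAP
 switchport trunk native vlan 1
 switchport mode trunk
interface GigabitEthernet0/4
 description GUEST_IAP
 switchport trunk native vlan 2
 switchport mode trunk
interface GigabitEthernet0/5
 description GUEST_IAP_RESTRICTED
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2
 switchport mode trunk
"""
# Assumed policy: the VLANs each AP port should carry, taken from the thread's VLAN plan.
POLICY = {"GigabitEthernet0/2": {1}, "GigabitEthernet0/4": {2}, "GigabitEthernet0/5": {2}}
ALL_VLANS = set(range(1, 4095))  # IOS default when no allowed-VLAN list is set

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,12,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(config):
    """Return {interface: set of VLANs carried} for ports in trunk mode."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ports.setdefault(line.split()[1], {"trunk": False, "allowed": ALL_VLANS})
        elif cur is not None and line == "switchport mode trunk":
            cur["trunk"] = True
        elif cur is not None and (m := re.fullmatch(r"switchport trunk allowed vlan ([\d,\- ]+)", line)):
            cur["allowed"] = expand_vlans(m.group(1))
    return {name: p["allowed"] for name, p in ports.items() if p["trunk"]}

def audit(config, policy):
    """Return {interface: VLANs carried beyond policy}; unlisted ports may carry none."""
    return {name: carried - policy.get(name, set())
            for name, carried in parse_trunks(config).items()
            if carried - policy.get(name, set())}
```

Calling `audit(SAMPLE_CONFIG, POLICY)` reports the two unrestricted trunks and omits the restricted one.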
Appreciate the post, so my trunk right now is native vlan 1 all through my switches, if i put another trunk port on let's say switch 3 for the GUEST AP , do I have to make another trunk link back up my switches to my firewall since it will be on native vlan 2 and my trunk right now is native vlan 1?
The native VLAN is per trunk, not per switch, so it shouldn't impact whatever you set up going back to your IAP. The trunk config I shared was for the ports going to your IAPs, not back to your firewall.
No, I get that. But, if I set two more trunks on say switch 3 to both IAP's as you mentioned, will that data from those trunks pass along the main trunk I have connecting my switches and gateway? I have to get back to my gateway for these new trunks I will setup for the IAP's.
It should work.
Will I also be able to access my guest AP's GUI interface if native vlan is vlan 2? I had issues yesterday with that because my computer is in vlan 1.
Great, I will try this.
I haven't made any changes yet.
My first AP is not acting right again, the client isn't updating the ip when connecting to the employee ap on vlan 1. I have the wired settings set to Access mode, not trunking and native mode is set to native vlan 1. This should work and now it isn't. I have been reading many other people having issues with Arubas and they enable ip helper, but that shouldn't be needed because it is a layer 2 switch. Once I issue an ipconfig /release and ipconfig /renew all is well and it gets an ip address. It is like it is timing out from the AP on the initial connect.
So after working with Aruba Tech, it looks like they think it is an issue with the clients not sending a dhcp discover. However, I have two identical machines, one has the issue and one doesn't. So, I have a hard time believing it is a client issue. If anybody else is having issues with these AP105's and dhcp let me know. Anytime I do an ipconfig release/renew on the machines after connecting to either of our AP's, it then gets a dhcp address. I don't want to have my users type in ipconfig /release/renew when they want to connect to our network.
Let me know if anyone else has any ideas. I thought maybe the intel card was an issue, tried new drivers, rolled back drivers, nothing works. At a loss.
Well, I did get a hold of Tac and we did run a packet capture on the ISA and on the client. It looks like the client is not sending a dhcp discovery for whatever reason on the initial connect when the machine has been connected to a wireless network previously. If the machine is rebooted I can connect to either AP, but once I go to the other AP it has issues and doesn't send the dhcp discovery. I tested this at home to see if I would have the same issue and it did. This points to a client issue from the sound of it, however, I can't explain the issue with the identical machines where one is okay and the other is not.