Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Wired MDNS traffic

  • 1.  Wired MDNS traffic

    Posted Sep 19, 2021 05:14 PM
    Hello everyone,

    We upgraded from ArubaOS 6.5 (Master-local) to ArubaOS 8.7.1.4 (MM-MD01-MD02) a month ago. Ever since then, wireless users cannot see wired MDNS/AirGroup servers. All of our VLANs exist on the controllers. We ported over the settings from the old config, including BCMC opt ON for all VLANs. I know this setting being on can affect wired MDNS traffic, but it was on before and it worked.

    TAC has no idea after multiple calls. Can anyone point us in the right direction?

    ------------------------------
    Nathan Kuhl
    ------------------------------


  • 2.  RE: Wired MDNS traffic

    Posted 30 days ago
    The way Airgroup works changed significantly between AOS6 and AOS8. Did you read the AirGroup Deployment Guide?
    Also, the documentation on AirGroup in the ArubaOS documentation is pretty good.

    If that is TAC's response, ask them to escalate your case to another engineer that does have an idea.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Wired MDNS traffic

    Posted 30 days ago

    A few questions about your setup:

    Are you running in distributed or Centralized mode?

    How are wired users getting to the MDs? Untrusted VLAN on a port, or are the APs doing Multicast aggregation?

    I assume wireless to wireless airgroup is working as expected?



    ------------------------------
    Chris Wickline | ACCA |
    ------------------------------



  • 4.  RE: Wired MDNS traffic

    Posted 26 days ago
    Just an update on this. TAC escalated me to the next tier. This tech support agent deals mostly with AirGroup. He's unable to determine why we're not seeing any mDNS traffic from wired clients. He said that trusted ports should still be forwarding traffic from wired clients and that making it untrusted is not necessary. We never had untrusted ports before on our controllers running AOS 6.5 in the past so that would seem to be true.

    We're currently running AOS 8.7.1.4. He believes that there could be a bug in this version and advised us to upgrade to 8.7.1.5. I'll update this thread with the results when we can do this.

    BTW, we're only on 8.7 because we plan on installing an AP-575 outdoors shortly. Otherwise, we'd be on the most stable version of 8.6.

    ------------------------------
    Nathan Kuhl
    ------------------------------



  • 5.  RE: Wired MDNS traffic

    Posted 9 days ago
    Just an update on this. Updating to AOS 8.7.1.5 resolved the issue.

    ------------------------------
    Nathan Kuhl
    ------------------------------



  • 6.  RE: Wired MDNS traffic

    Posted 30 days ago
    Hi Chris,
    We're in Centralized mode. 
    No, the MDs are not seeing any wired traffic even though we have the VLANs entered in on each MD. The VLANs are also tagged on the uplink port on the core.
    We're only using one port on each MD, a 10Gig SFP uplink that is trusted. We are not using multicast agg.  TAC told us that the only way this works is if the AP and the client are on the same VLAN.
    Wireless AirGroup is working perfectly.
    Thanks for the assistance.





  • 7.  RE: Wired MDNS traffic

    Posted 30 days ago

    So, if you are tagging the wired VLANs, the VLANs will need to be untrusted, so that way those users enter the user table.

    The other option is to use AP Multicast aggregation, which (I think?) is the recommended option. Essentially, you have APs sit in the same subnet as the wired users, and they forward the mDNS traffic to the controllers over a GRE tunnel. That way you don't need all your wired/wireless VLANs on the controllers, just the wireless ones.

    Multicast aggregation is what we use (2 7240 ~6K Wireless users, ~1K wired users) and it works really well. 

    This is something TAC should definitely be aware of and able to help with. I'd either ask for another engineer or for escalation. 



    ------------------------------
    Chris Wickline | ACCA |
    ------------------------------



  • 8.  RE: Wired MDNS traffic

    Posted 30 days ago
    I don't think we can use AP multicast agg. because our APs are on a different VLAN than our wired users.

    Dumb question but how can we include the VLANs on each controller but make them untrusted? Right now, we have a single 10gig uplink back to our core for each MD.

    ------------------------------
    Nathan Kuhl
    ------------------------------



  • 9.  RE: Wired MDNS traffic

    Posted 30 days ago

    You can also trunk the VLANs to the AP(s), and do it that way. The first link talks about doing that; the second link shows making trusted and untrusted.

    mDNS AP VLAN Aggregation

    Configuring Trusted/Untrusted Ports and VLANs

    (As a side note, I would highly recommend using an unused port when running the untrusted/trusted commands, just to make sure it is doing what you want it to do. We originally did our wired airgroup this way, and it caused us issues, which is why we went with the Aggregation route. YMMV)



    ------------------------------
    Chris Wickline | ACCA |
    ------------------------------



  • 10.  RE: Wired MDNS traffic

    Posted 30 days ago
    Thanks. I'll look into both scenarios.

    Is the untrusted VLAN scenario new as of OS8? We didn't have to do this in OS6.

    ------------------------------
    Nathan Kuhl
    ------------------------------



  • 11.  RE: Wired MDNS traffic

    Posted 26 days ago

    I must have imagined the untrusted VLAN. Not sure where I got that.

    That being said, I trunked a trusted VLAN to test and devices in that VLAN started showing up in our list of Airgroup servers, so what you are trying to do should work. We are on 8.7.1.4 as well.

    Just for sanity, do you have the VLANs enabled in the openflow profile? (MD: show openflow-profile)
    The trunked VLANs need to be added to that profile on the MDs for the MM to process them, since you are running in centralized mode.

    If not, I can share a sanitized version of our config and maybe that'll point something out that maybe you are missing.



    ------------------------------
    Chris Wickline | ACCA |
    ------------------------------



  • 12.  RE: Wired MDNS traffic

    Posted 26 days ago
    Openflow was something that TAC was looking at and felt like something was off here. If I run that command on the MM, I get this:

    (ArubaMM) [mynode] #show openflow-profile
    show openflow-profile is not supported on this model!


    (SEM-MD02) #show openflow-profile
    Openflow-profile "default"
    --------------------------
    Parameter                        Value
    ---------                        -----
    controller-ip                    masterip:6633
    State                            Enabled
    Openflow mode                    passive
    Openflow version                 v1.3
    Auxiliary State                  Disabled
    Auxiliary Channel Port           6633
    VLAN ID or range(s) of VLAN IDs  1-4094
    custom-cert-file                 none
    custom-key-file                  none
    ca-certificate-file              none
    openflow tls                     Disabled
    custom cert                      Disabled
    (SEM-MD02) #

    ------------------------------
    Nathan Kuhl
    ------------------------------



  • 13.  RE: Wired MDNS traffic

    Posted 26 days ago
    Does OpenFlow need to be enabled on our HP core or edge switches? Never heard of it until Aruba OS8.

    ------------------------------
    Nathan Kuhl
    ------------------------------



  • 14.  RE: Wired MDNS traffic

    Posted 26 days ago

    If you run these commands on the MM,

    show openflow-controller
    show openflow-controller switches
    show openflow-controller flow-table app-name AirGroup (AirGroup is case sensitive)

    The first one should show ofc enabled.

    The second one should show all your MDs as up, with 4 capabilities (Flow, Table, Port and Queue).

    The third one, at least for me, shows multiple sessions within.


    Just a forewarning, I'm just comparing what I have in these settings and what works for my environment. I'm not saying these are best practice/how it should be.



    ------------------------------
    Chris Wickline | ACCA |
    ------------------------------



  • 15.  RE: Wired MDNS traffic

    Posted 26 days ago
    Thanks. It looks like it all checks out on my end. We have a cluster but only one MD is up at the moment due to another issue:

    (ArubaMM) [mynode] #configure t
    Enter Configuration commands, one per line. End with CNTL/Z

    (ArubaMM) [mynode] (config) #show openflow-controller

    Openflow-controller
    -------------------
    Parameter                   Value
    ---------                   -----
    ofc state                   Enabled
    ofc host-ageout-time        3600 sec
    ofc mode                    passive
    ofc certificate-file        none
    ofc key-file                none
    ofc ca-certificate-file     none
    ofc tls                     Disabled
    ofc port                    6633
    ofc topology-discovery      Disabled
    ofc auxiliary-channel-port  6633
    (ArubaMM) [mynode] (config) #show openflow-controller switches

    Switches
    --------
    Dpid                     IP                Version  Status  Auxiliary-Status/Id  Capabilities                                      Description
    ----                     --                -------  ------  -------------------  ------------                                      -----------
    00:00:00:1a:1e:07:6a:d0  10.0.0.111:44435  v1.3     Up      Down/0               Flow stats, Table stats, Port stats, Queue Stats  Aruba Networks, Inc. Aruba7210 ArubaOS, 8.7.1.4 SEM-MD02 TV0002322
    Total number of switches: 1

    (ArubaMM) [mynode] (config) #show openflow-controller flow-table app-name AirGroup

    Flow-table
    ----------
    Dpid                     In Port  Src Mac  Dst Mac  Ether   Src IP      Dst IP           Proto  Src Port  Dst Port  App Name  Actions
    ----                     -------  -------  -------  -----   ------      ------           -----  --------  --------  --------  -------
    00:00:00:1a:1e:07:6a:d0  *        *        *        0x86dd  *           *                17     *         1900      AirGroup  output=
    00:00:00:1a:1e:07:6a:d0  *        *        *        0x800   *           *                17     *         5353      AirGroup  output=controller
    00:00:00:1a:1e:07:6a:d0  *        *        *        0x86dd  *           *                17     *         5353      AirGroup  output=
    00:00:00:1a:1e:07:6a:d0  *        *        *        0x800   10.0.0.111  222.173.190.239  17     60001     60001     AirGroup  output=controller
    00:00:00:1a:1e:07:6a:d0  *        *        *        0x800   *           *                17     *         1900      AirGroup  output=controller
    Total number of flows: 5
    (ArubaMM) [mynode] (config) #

    ------------------------------
    Nathan Kuhl
    ------------------------------
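
The three checks from post 14, run against text captured from the MM, as an added example that is not part of the thread or of Aruba's tooling. The sample output is constructed in the layout shown in post 15, and treating the IPv4 udp/5353 flow with `output=controller` as the entry to look for is an assumption of this example.

```python
import re

DPID = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
CAPS = ("Flow stats", "Table stats", "Port stats", "Queue Stats")

# Constructed sample in the layout of the MM output in this thread (not real data).
SAMPLE = """\
ofc state                Enabled
Switches
00:00:00:00:5e:00:53:01  192.0.2.11:44435  v1.3  Up    Down/0  Flow stats, Table stats, Port stats, Queue Stats  MD-A
00:00:00:00:5e:00:53:02  192.0.2.12:40112  v1.3  Down  Down/0  Flow stats, Table stats  MD-B
Flow-table
00:00:00:00:5e:00:53:01  *  *  *  0x800   *  *  17  *  5353  AirGroup  output=controller
00:00:00:00:5e:00:53:01  *  *  *  0x86dd  *  *  17  *  5353  AirGroup  output=
00:00:00:00:5e:00:53:02  *  *  *  0x800   *  *  17  *  1900  AirGroup  output=controller
"""

def ofc_enabled(text):
    m = re.search(r"^\s*ofc state\s+(\S+)", text, re.M)
    return bool(m) and m.group(1) == "Enabled"

def switches(text):
    """Map dpid -> (status, capabilities missing from the four expected)."""
    row = re.compile(rf"\s*({DPID})\s+\S+:\d+\s+v[\d.]+\s+(\S+)\s+\S+\s+(.*)")
    hits = (row.match(line) for line in text.splitlines())
    return {m[1]: (m[2], [c for c in CAPS if c not in m[3]]) for m in hits if m}

def punted_flows(text):
    """Map dpid -> {(ethertype, dst_port)} for AirGroup flows with output=controller."""
    flows = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 12 and re.fullmatch(DPID, f[0]) and f[10:] == ["AirGroup", "output=controller"]:
            flows.setdefault(f[0], set()).add((f[4], f[9]))
    return flows

def findings(text):
    """Return the list of checks that fail; an empty list means all of them pass."""
    problems = [] if ofc_enabled(text) else ["ofc state is not Enabled"]
    flows = punted_flows(text)
    for dpid, (status, missing) in switches(text).items():
        if status != "Up":
            problems.append(f"{dpid}: switch status {status}")
        if missing:
            problems.append(f"{dpid}: missing capabilities {', '.join(missing)}")
        # Assumption of this example: IPv4 (0x800) udp/5353 is the mDNS entry to look for.
        if ("0x800", "5353") not in flows.get(dpid, set()):
            problems.append(f"{dpid}: no IPv4 udp/5353 AirGroup flow to controller")
    return problems
```

In the thread these checks all passed while wired mDNS was still missing, so an empty result from `findings()` only rules out the OpenFlow channel between the MM and the MDs.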



  • 16.  RE: Wired MDNS traffic

    Posted 8 days ago
    We have the same problem since upgrading to 8.7 (from 8.5, for 503H hardware support). It works OK for a little while after an upgrade/reboot (I don't know if it's the MCR or MD reboot that fixes it) then the Airgroup servers gradually start disappearing after a few days.

    I tried debugging it with TAC and we turned on AP multicast aggregation and promptly broke the network with a flood of traffic, I had to unplug both MDs then revert the config on the MCR and plug them back in, so take care before you enable it.

    I haven't had time to open a new case after my old one (just looked, it was in June!) was closed since TAC wanted a packet capture mirror of the MD port and I couldn't get one for some reason.

    ------------------------------
    James Andrewartha
    ------------------------------



  • 17.  RE: Wired MDNS traffic

    Posted 8 days ago
    Ugh, not what I wanted to hear. We're only on 8.7 because of ONE AP-577 that hasn't even been installed yet. If this continues to be a problem, then I might just roll back to 8.6 at the expense of the AP-577 until they can fix this.

    The concerning thing is that I told TAC the upgrade to 8.7.1.5 appears to fix the issue but they don't seem to be concerned as to why wired MDNS traffic is showing up again. Is it a bug? No one knows and TAC doesn't seem to want to find out.

    ------------------------------
    Nathan K
    ------------------------------



  • 18.  RE: Wired MDNS traffic

    Posted 8 days ago
    I'd roll back to 8.6 if I were you. Last year I ordered an AP-375 so I could stay on 8.5 which was rock solid, but I couldn't justify buying 11ac hospitality APs this year. Also if you have AP-515s, roll back since I still see several crashes a day.

    ------------------------------
    James Andrewartha
    ------------------------------



  • 19.  RE: Wired MDNS traffic

    Posted 8 days ago
    Agreed. That'll have to be something done over Thanksgiving break.

    We're still rocking AP-315s in classrooms and AP-303Hs in dorm rooms and they're all fine.

    ------------------------------
    Nathan Kuhl
    ------------------------------



  • 20.  RE: Wired MDNS traffic

    Posted 7 days ago
    A used AP-375 or AP-377 can be had on ebay for ~$500. It seems like a pretty cheap insurance policy to allow you to stay on 8.6 until there is an 8.7 conservative release. When the time comes that you can run the 57x on a CR, the 37x can retire to serve as a spare.

    ------------------------------
    Cathy Fasano
    ------------------------------



  • 21.  RE: Wired MDNS traffic

    Posted 6 days ago
    Sure enough, after a few days, all wired MDNS dropped off. TAC suggested a roll back to 8.6 instead of trying to find the bug, which I find odd. I'll be doing this the next chance I get.

    ------------------------------
    Nathan Kuhl
    ------------------------------