Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Bridge Mode SSID AOS8

  • 1.  Bridge Mode SSID AOS8

    Posted Jan 25, 2023 04:18 AM

    Hi All,

     

    Does anyone have instructions on how to create an SSID in bridge mode on AOS8 please?

    This is a Mobility master managing two controllers in a cluster.

     

    Thanks,



  • 2.  RE: Bridge Mode SSID AOS8

    Posted Jan 25, 2023 04:56 AM
    In the "Forwarding mode" field, you must enter Bridge. The VLAN must be tagged on the switch port where the AP is connected.


    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Bridge Mode SSID AOS8

    Posted Jan 25, 2023 05:29 AM
    Is that all that is required? Do we need to do anything on the roles?
    How does the AP know where to send authentication traffic and when to bridge local traffic?


  • 4.  RE: Bridge Mode SSID AOS8

    EMPLOYEE
    Posted Jan 25, 2023 08:33 AM
    Changing the forwarding mode lets the AP know when to bridge traffic.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 5.  RE: Bridge Mode SSID AOS8

    Posted Jan 25, 2023 11:16 AM
    Hi, 

    It is still not clear, this is what I have done:

    The SSID in question is a PSK. 

    Set the VAP to bridge mode. 
    Tag client VLANs to the AP. Question: does the AP MGMT VLAN need to be untagged and the client VLANs tagged?

    When deploying the SSID in bridge mode rather than tunnel, why do users get a message that they are using weak security on their device? Is this expected?

    Do we need to make any changes on the roles or the AAA profile for this bridged SSID?

    Thanks,


  • 6.  RE: Bridge Mode SSID AOS8

    Posted Jan 25, 2023 11:34 AM
    What message do the users get? Can you post it?

    In bridge mode WPA3 is not supported, is that what the message is about?

    In the AAA profile nothing has to be modified for the bridged SSID.

    The AP mgmt VLAN remains untagged, the user VLAN must be tagged.

    ------------------------------
    Regards,

    Waldemar
    ------------------------------



  • 7.  RE: Bridge Mode SSID AOS8

    Posted Feb 01, 2023 06:02 AM

    Hi, 

    I have configured this as the following:

    WPA2-PSK 
    VAP profile: VLAN 100
    VAP is in bridge mode. 

    Initial role on the controller is allow all. 
    VLAN 100 is not created on the controller, just added in the VAP. 

    APs have VLAN 150 as untagged and VLAN 100 as tagged. 

    We tested this last week and it was working fine. Today, at some sites where this is being used, users are reporting they are unable to get an IP address. The DHCP server is located centrally at the main site. IP helper for VLAN 150 is on a firewall at each site. 

    Any ideas what this could be?




  • 8.  RE: Bridge Mode SSID AOS8

    EMPLOYEE
    Posted Feb 01, 2023 02:37 PM
    Type "show station-table" to see if the device is associated.




  • 9.  RE: Bridge Mode SSID AOS8

    Posted Feb 01, 2023 04:25 PM
    Create the vlan 100 on the controller, but do not tag it on any controller port.

    Check if the client is associated with correct ESSID and is in vlan 100. Use the following command on the mobility controller: show ap remote debug association ap-name <your AP name>.

    In VLAN 100 you need an IP helper because the DHCP server is in the main site.

    ------------------------------
    Regards,

    Waldemar
    ------------------------------
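
The settings discussed across this thread, collected as an added configuration example that is not part of any post and not taken from HPE Aruba documentation. The profile names, AP group name and passphrase are placeholders, the AAA profile is assumed to exist already, and on a Mobility Master the commands are assumed to be entered at the configuration node that owns the AP group.

```text
! Constructed example. Names in quotes and <passphrase> are placeholders.
!
! VLAN 100 is created on the controller but not tagged on any
! controller port (post 9). The AP bridges client traffic locally.
vlan 100
!
! PSK SSID using WPA2, as described in post 7.
wlan ssid-profile "branch-psk-ssid"
    essid "Branch-PSK"
    opmode wpa2-psk-aes
    wpa-passphrase <passphrase>
!
! Virtual AP: client VLAN 100, forwarding mode set to bridge (post 2).
! "branch-psk-aaa" is an assumed, already existing AAA profile.
wlan virtual-ap "branch-psk-bridge"
    ssid-profile "branch-psk-ssid"
    aaa-profile "branch-psk-aaa"
    vlan 100
    forward-mode bridge
!
! Attach the virtual AP to the AP group used at the branch sites.
ap-group "branch-aps"
    virtual-ap "branch-psk-bridge"
!
! Switch side (vendor specific, not shown): AP management VLAN 150
! untagged and client VLAN 100 tagged on the AP's switch port, with
! an IP helper on the VLAN 100 gateway because the DHCP server is at
! the main site (posts 6 and 9).
!
! Checks named in posts 8 and 9, run on the mobility controller:
!   show station-table
!   show ap remote debug association ap-name <your AP name>
```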