Controllerless Networks

Hi all,

I have created one SSID with "Client IP Assignment = Virtual Controller assigned" and "Client VLAN Configuration = Custom"; I have assigned the DHCP LOCAL Pool 101 dedicated on VLAN 101 (92.168.101/24).

If a client connect to this SSID it doesn't obtain an IP address; it only works fine if I create the VLAN 101 on the switch and tag it on the interface where my IAP is connected.

 

I would know if this is the normal behaviour or if normally the VLAN doesn't have to propagate on the LAN.

 

The firmware version on my IAP is 6.4.2.3-4.1.1.2_48114

 

Thanks,

Massimo

 

Try using network assign and use a static VLAN assignment of VLAN 101 and see if that works

I have just tried your suggestion, but if i make this change and then watch again the configuration of my SSID, it is not changed: Client IP Assignment = Virtual Controller assigned" and "Client VLAN Configuration = Custom (POOL 101)".

It seems like the IAP doesn't see any difference between the two configurations.

It will do that after you apply the change.

I tried it in my lab and it worked.

Are you allowing DHCP in the access rules ?

EDIT: You already stated the version of IAP

 

I am using the same version

 

 

 

Thanks Victor! Yes, this is my same configuration...... but my clients obtain a correct IP address only if I tag the VLAN101 on the switch interface. I tried this many times.

My IAP is 103.

 

My access rule is PERMIT ALL

Interesting.

You shouldn't have to add that VLAN to your wired profile since this VLAN will be handled internally by the IAP VC

You may need to open a TAC case.

Hello,

I have same issue like Massimo.

Local dhcp and virtual controller  managed IP assigment works after tagging wired port on switch. If you try to connect to access point that is not VC and you don't tag APs wired port it dosn't work.

Without tagging port on switch if client connect to AP that is not VC can't find DHCP server in VLAN 101. Is it correct behaviour?? 

 

Rafal

Same thing here. Just starting to try and start up a group of Instant AP's (ideally want to use zones and VLANs etc) and unless I'm connecting to the AP that is elected as the VC the local DHCP doesn't work (can't obtain an IP). Do I really need to use an outside DHCP for this somehow. I want the SSID's to be on NAT'ed local VLAN's (actually I wish I could do VLAN pools like with the classic controller model) but apparently this doesn't work with Instant even though it sure seems like it is designed that way. I mean, if you are going to setup all that DHCP functionality shouldn't it work on any AP? So, what are we missing? Steve

I spoke with one of colegue and he adviced to use "bulti in" dhcp settings that use magic vlan 3333

 

With that configuration everyhing works fine without tagging port on switch. 

Only limitation of that is that you can't use multiple scope for different SSID and different vlans.

Rafal

thanks although I was hoping to use multiple VLANs since the broadcast domain will get too big (I guess I'll rely on the broadcast mitigation stuff and see how it goes).

Seems like a clear bug to me

Steve

i just did this with a local scope and it worked fine without tagging it on the switch side.

 

if people have this issue, which instant OS version? which AP type?

I'm using 205H AP's in Instant mode with version 6.4.3.0-4.2.0.0_49453 I've tried ever which way to get this to work and no matter what it only works from whichever AP has been elected the Virtual Controller. If I'm connected to any other AP in the group it doesn't work. Are you using just one AP to test (which would make it the VC automatically) or do you happen to be connected to the VC? Steve

interesting, just one AP where i tried this and then it is of course the VC.

I can't tell if I have the same issue but I have three IAPs, the VC is a 215 and the other two are 205s. I can only get IP addresses from the VC, and it times out on all others. I've tried from multiple devices.

 

In order to test I forced each WLAN into Zones to specific IAPs. I can only get connected to the VC (the IAP-215).

 

I'm running 6.4.2.6-4.1.1.8_50989 on all three IAPs, and each WLAN has it's own VLAN assigned as well.

 

Yep, sounds like exactly the same bug to me.
Steve

If anyone has a last-known-good firmware that seems to work that would be great, I'm going into production very soon and this is obviously a blocker if confirmed.

What exactly are you trying to get to work?

 

Do you want the IAP to provide dhcp and the IAP to nat the traffic so that no trunking is done?

Is this a guest network or an internal network?

 

yes, ideally (although I could live without NAT if necessary). I want the IAP's to provide DHCP (all the options are there to do just that and connect them to VLANs and zones etc so you would think ....) but I can set them up many different ways (mostly with no ACL's of any kind to start) and as long as I'm directly connected to the IAP that is the VC at that time all works beautifully. If I move to an IAP that isn't the VC then nothing (no DHCP traffic at all and if I give a static IP in the range still nothing routes anywhere). If I turn off the original VC so that the IAP I'm on becomes the VC (assuming just two IAP's) then voila, all starts to work (so it clearly has nothing to do with the VLAN's or zones or IP ranges or DHCP but is purely about VC or not VC). Steve

Same here. My non-VC IAPs aren't giving out any DHCP addresses. Only the VC is. I would expect all the IAPs to work in harmony by default, especially when they are all setup similarly. The only difference I did was to force my beefiest IAP as the VC in the network. Below are my DHCP scope settings.

 

Only a single ap (the vc) will give out iPhone addresses at a time.

Thanks! So shouldn't the non-VC IAPs ping the VC for the DHCP then? Does that need to be configured, and not automatic?

 

Thank you!

Upgraded all three IAPs to 6.4.2.6-4.1.1.9_51442 and now I can't connect to any of the WLANs. I got lucky and connected once to a network on the VC but that was it. No DHCP from any of them now.

Here's the best I can do so far:

• Downgraded all three IAPs to 6.4.2.3-4.1.1.5_49609
• Had to remove all custom local DHCP scopes by VLAN, managed by the VC
• All three networks are now using the default VC-managed DHCP scope, no VLANs

I'm not thrilled about allowing all three WLANs on the same subnet with no VLANs, but I can't get anything connected beyond this. Bah. I give up. I want my 620 back.

 

Having same issue with a simple 2AP network, an IAP-205 and an IAP-215.  Both running 6.4.2.6-4.1.1.11_52666. I really want to like you, Aruba, but you make it so hard. 

Have you tried using the latest 6.4.4.x-4.2.2.x ?

Sent from Outlook for iPhone

Thanks for the reply.  No, not yet.  On the phone with support now.  They claim that  the switches the APs are connected to have to be configured to pass the VLANs, otherwise only the "master" IAP will hand-out IP addresses.

Correct.  All of the VLANs must be trunked to each AP, unless the VLAN configuration in the SSID is "Virtual Controller Assigned".  Network assigned means traffic is sent right onto the network tagged with the VLAN.

That's correct

Sent from Outlook for iPhone

Oy.  This makes engineering AP deployment to several floors of a building with tagging ports on dozens of switches a nightmare.  Does a central controller eliminate this need and maybe provide some sort of "tunnel" between the APs so they can have standalone DHCP scopes?  Maybe the controller could act as a router? 

With the centralized controller you have the option of tunneling it back and trunking it to the controller, or sending it directly out of the AP's interface.

How many local scopes are you using ?

We'd like to have one for each wireless network. The guest network, for example, should be on an "island" with its own scope and only have internet access and a public DNS server (8.8.8.8, for example). Instead if we have to use the default controller scope, it will have to use an internal DNS server which we don't want guests having any access to.

jkettler,

 

Architecturally you can put guest users on a VLAN that does exist in your environment, but in the controller or IAP assign a role that drops all traffic that would be destined to your internal network and allows all other traffic.  You could also supply an external DNS server via a DHCP option.

That may end up being our approach - using roles/access rules.  Not crazy about that, but it looks like controllers are pretty pricey.

I guess expense is relative.  We are here to make you get the most out of whatever you get.

It's appreciated! I think I can make it work, just not quite the way I envisioned. Will experiment with it a bit and see what I find.

Hi,

 

Regarding the IAP DHCP Local Scope not offering VLANs IP address properly.

We are facing the same issue in version 6.4.2.6-4.1.3.1

 

In which version this issue was solved?

Or how did you managed to segment VLANS in IAP (NAT)?

 

Thanks in advance

I configure trunk port (tagged) on to APs even if it was only Local Scope. (if we talk about that same issue that only clients connected through VC has assigned IP addresess).

 

Rafal

Thanks Rafal.

By any chance do you know the IAP firmware version that worked for you?

Despite configuring LocalScope and enabling ports as trunk & tagged in switches, slaves IAP dont offer IPs. Only master IAP (VC) is working as intended...

 

So... Any suggestion?

Carlos

So in my case it was like that:

When I set up Local scope "built-in" - DHCP was working on every APs

When I set up local scope for some differnet VLAN - I have to tag wired port and make sure that APs can see each other through that VLAN.

 

Firmware I think it was 6.4.2.6-4.1    

 

Rafal

Hello ,

 

Thanks for your advices! It's helpful.

 

My IAPs are two 305 and one 315 with firmware 8.6.0.5_75979 released in Y2020.

 

It's still the same situation after three years. Guest wifi network with "Virtual Controller managed" Client IP assignment, and "Custom" Client VLAN assignment with my customized local DHCP scope.

Wifi clients won't get DHCP ip successfully if they connect to non-VirtualController AP. Only AP plays as VC role could assign ip.

If I take your workaround to turn Client VLAN assignment from "custom" to "Default" with settings for "Virtual Controller Assigned Networks - Default DHCP Scope". Then wifi clients can connect to guest Wifi successfully after an IP is assigned.

For Aruba , please take into account this important DHCP feature (or bug). It has been for several but no improvement yet.