Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Multiple Instants within a cluster don't seem to be talking

  • 1.  Multiple Instants within a cluster don't seem to be talking

    Posted Sep 25, 2013 11:07 AM

    We're replacing Aruba model 61 APs managed by a physical controller with IAP105's.  We have two SSIDs, one is an employee wifi that is network assigned, and the second is a guest network that is virtual controller assigned.  We tagged the switch ports with the correct vlan for the employee wifi.  We can connect to both the employee and guest, pull the correct DHCP and surf no problem.  The problem we're having is after the master/virtual controller is up, any add'l IAPs I bring up are not joining.  Each IAP has the same config file uploaded.  Prior to installing the IAPs, I used a PoE switch to configure the master IAP, left it connected and connected the rest one by one to the same switch and there was no problem joining, they all showed up on the virtual controller.

     

    The add'l IAPs after the master/virtual controller is connected are coming up with the same virtual controller IP of course, but don't join and see themselves as the master.  That tells me that they're not communicating with each other.  They are all on the same subnet, the IAPs config have the allow-new-aps command.... Any ideas?  Seems to me it has to be a config/problem on the switch.  Also tried resetting one of the IAPs and connected, just came up as an instant, doesn't get the config.  The switch is an extreme alpine 3808.

     

    I can provide any add'l info to help troubleshoot, thanks.



  • 2.  RE: Multiple Instants within a cluster don't seem to be talking

    EMPLOYEE
    Posted Sep 25, 2013 11:12 AM

    There should be only 1 master AP.  On the UI, in the top middle box...do you see all the APs?



  • 3.  RE: Multiple Instants within a cluster don't seem to be talking

    Posted Sep 25, 2013 11:16 AM

    No, the IAPs are not showing up in the UI for the first IAP connected.  I was able to pull up the gui for each add'l IAP by figuring out which IP they were assigned, they are making themselves the master.



  • 4.  RE: Multiple Instants within a cluster don't seem to be talking

    EMPLOYEE
    Posted Sep 25, 2013 11:19 AM

    OK...is the native VLAN working?  Is there a native VLAN configured?  By default, the IAP for management (the cluster) will send those packets out UNTAGGED on the switch port.  With some vendors...once you set it as a trunk, you must define the access VLAN or native VLAN id.

     

    Extreme configs aren't the easiest to decipher...but this is what to check.



  • 5.  RE: Multiple Instants within a cluster don't seem to be talking

    Posted Sep 25, 2013 11:56 AM

    Yes, the native vlan is configured, the switch ports the IAPs are on are untagged on the native vlan, we have the ports tagged with the employee wifi vlan (WLAN_WAP, vlan 2002) which is our secure wifi.   For example:

     

    ports 2:29 - 2:32 are the IAPs, the IAPs are all being assigned correct IPs from vlan 14 (/16 subnet)

     

    Alpine3808:2 # show vlan "vlan_14"  <<<Native Vlan
    VLAN Interface[3-202] with name "vlan_14" created by user
    Tagging: 802.1Q Tag 14
    Priority: 802.1P Priority 7
    IP: 10.x.x.x/255.255.0.0
    STPD: None
    Ignore-stp: Disabled on this vlan
    Ignore-bpdu: Disabled on this vlan
    Protocol: IP = EtherType:0806 EtherType:0800
    Loopback: Disable
    RateShape: Disable
    QosProfile:QP1
    QosIngress:None
    Ports: 163. (Number of active ports=52)
    Flags: (*) Active, (!) Disabled
    (B) BcastDisabled, (R) RateLimited, (L) Loopback
    (g) Load Share Group
    Untag: *2:29 *2:30 *2:31 *2:32


    Tagged: *1:1 *1:3 *1:4


    Alpine3808:3 #

     

    ===================================================

     

    Alpine3808:4 # sh vlan "WLAN_WPA"  <<<Employee wifi
    VLAN Interface[10-209] with name "WLAN_WPA2" created by user
    Tagging: 802.1Q Tag 2002
    Priority: 802.1P Priority 7
    STPD: None
    Ignore-stp: Disabled on this vlan
    Ignore-bpdu: Disabled on this vlan
    Protocol: Match all unfiltered protocols.
    Loopback: Disable
    RateShape: Disable
    QosProfile:QP1
    QosIngress:None
    Ports: 7. (Number of active ports=7)
    Flags: (*) Active, (!) Disabled
    (B) BcastDisabled, (R) RateLimited, (L) Loopback
    (g) Load Share Group
    Tagged: *1:1 *1:3 *1:4 *2:29 *2:30 *2:31 *2:32


    Alpine3808:5 #
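
Added example (not part of the original thread): post 4 notes that the IAP sends its cluster management traffic untagged, so the check that matters is that every AP-facing port is untagged in the management VLAN and in no other. This Python code parses `show vlan` output in the format posted above and reports AP ports that fail that check; the function names and the trimmed sample input are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: trimmed copy of the two "show vlan" outputs posted above.
SAMPLE = """\
VLAN Interface[3-202] with name "vlan_14" created by user
Tagging: 802.1Q Tag 14
Flags: (*) Active, (!) Disabled
Untag: *2:29 *2:30 *2:31 *2:32

Tagged: *1:1 *1:3 *1:4
Alpine3808:3 #
VLAN Interface[10-209] with name "WLAN_WPA2" created by user
Tagging: 802.1Q Tag 2002
Tagged: *1:1 *1:3 *1:4 *2:29 *2:30 *2:31 *2:32
"""

PORT = re.compile(r"[*!]?(\d+:\d+)")  # slot:port with optional active/disabled flag
MODES = {"Untag": "untagged", "Tagged": "tagged"}

def parse_show_vlan(text):
    """Return {port: {"untagged": [vlan ids], "tagged": [vlan ids]}}."""
    ports = defaultdict(lambda: {"untagged": [], "tagged": []})
    vlan_id = mode = None
    for line in text.splitlines():
        line = line.strip()
        tag = re.match(r"Tagging:\s*802\.1Q Tag (\d+)", line)
        head, sep, rest = line.partition(":")
        if tag:
            vlan_id, mode = int(tag.group(1)), None
        elif sep and head in MODES:
            mode, line = MODES[head], rest
        elif not all(PORT.fullmatch(t) for t in line.split()):
            mode = None  # any other line ends a wrapped port list
        if mode and vlan_id is not None:
            for port in PORT.findall(line):
                ports[port][mode].append(vlan_id)
    return dict(ports)

def audit_ap_ports(ports, ap_ports, mgmt_vlan):
    """Flag AP-facing ports whose untagged membership is not exactly mgmt_vlan."""
    findings = {}
    for port in ap_ports:
        untagged = ports.get(port, {}).get("untagged", [])
        if untagged != [mgmt_vlan]:
            findings[port] = f"untagged VLANs {untagged}, expected [{mgmt_vlan}]"
    return findings
```

For the output in this post, `audit_ap_ports(parse_show_vlan(SAMPLE), ["2:29", "2:30", "2:31", "2:32"], 14)` returns no findings, which matches the poster's statement that the AP ports are untagged on VLAN 14 and tagged only for VLAN 2002.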



  • 6.  RE: Multiple Instants within a cluster don't seem to be talking

    Posted Sep 25, 2013 11:59 AM

    Do I need to set the native vlan on the IAP master, the first IAP I bring up to vlan 14 ?  under Wired> default_wired_port_profile?

     



  • 7.  RE: Multiple Instants within a cluster don't seem to be talking

    Posted Sep 25, 2013 12:01 PM

    The native vlan on the IAPs is currently set to vlan 1



  • 8.  RE: Multiple Instants within a cluster don't seem to be talking

    EMPLOYEE
    Posted Sep 25, 2013 12:01 PM

    You should NOT alter that profile.  It shouldn't be needed in your scenario.  Is there anything blocking at the switch level?  Can you paste your config from the IAP?



  • 9.  RE: Multiple Instants within a cluster don't seem to be talking

    Posted Sep 25, 2013 12:16 PM

    I don't see anything preventing them from talking on the switch level...but I'm not positive, I'm completely new to the extreme switches, cisco trained.  As mentioned before, the IAPs did join when first configured on the Netgear ProSafe PoE switch I use for configuring, which makes me suspect the issue lies within the switch.  IAPs config is below:

     

    version 6.2.1.0-3.4.0
    virtual-controller-country US
    virtual-controller-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    name xxxxxxxxxxxxx
    organization "xxxxxxxxxxxx"
    virtual-controller-ip 10.140.xxx.xxx
    terminal-access
    ntp-server xxx.xx.xxx.xxx
    clock timezone Mountain-Time -07 00
    clock summer-time MDT recurring second sunday march 02:00 first sunday november 02:00
    rf-band all
    dynamic-radius-proxy
    ams-ip 10.10.1.xx
    ams-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    allow-new-aps

    arm
     wide-bands 5ghz
     min-tx-power 18
     max-tx-power 127
     band-steering-mode prefer-5ghz
     air-time-fairness-mode fair-access
     client-aware
     scanning
    ip dhcp pool
     subnet 10.222.26.xxx
     subnet-mask 255.255.255.0
     dns-server xxx.xxx.xxx.xxx
     domain-name xxxxxxxxxxx
     lease-time 240

    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless

    mas-integration

    mgmt-user admin xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    wlan access-rule default_wired_port_profile
     index 0
     rule any any match any any any permit

    wlan access-rule Employee
     index 1
     rule any any match any any any permit

    wlan access-rule Guest
     index 2
     rule any any match udp 67 68 permit
     rule xxx.xxx.xxx.xxx 255.255.255.255 match udp 53 53 permit
     rule xxx.xxx.xxx.xxx 255.255.255.255 match udp 53 53 permit
     rule xxx.xxx.xxx.xxx 255.255.255.255 match udp 53 53 permit
     rule xxx.xxx.xxx.xxx 255.255.255.255 match udp 123 123 permit
     rule any any match tcp 80 80 permit
     rule any any match tcp 443 443 permit
     rule xxx.xxx.xxx.xxx 255.255.255.255 match any any any permit
     rule any any match tcp 3389 3389 permit
     rule any any match udp 4172 4172 permit
     rule any any match tcp 4172 4172 permit
     rule any any match tcp 32111 32111 permit
     rule any any match tcp 8009 8009 permit
     rule any any match tcp 4001 4001 permit

    wlan access-rule machine_only
     index 3
     rule any any match any any any permit

    wlan access-rule user_only
     index 4
     rule any any match any any any permit

    wlan access-rule wired-instant
     index 5
     rule 10.140.xxx.xxx 255.255.255.255 match tcp 80 80 permit
     rule 10.140.xxx.xxx 255.255.255.255 match tcp 4343 4343 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit

    wlan ssid-profile Employee
     enable
     index 0
     type employee
     essid Employee
     opmode wpa-tkip,wpa-aes,wpa2-aes,wpa2-tkip
     max-authentication-failures 0
     vlan 1431
     auth-server xxxxxx
     set-role-machine-auth machine_only user_only
     rf-band all
     captive-portal disable
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter none
     blacklist
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64

    wlan ssid-profile Guest
     enable
     index 1
     type guest
     essid Guest
     opmode opensystem
     max-authentication-failures 0
     vlan guest
     auth-server InternalServer
     rf-band all
     captive-portal internal
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter none
     per-user-bandwidth-limit 1200
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64

    auth-survivability cache-time-out 24

    wlan auth-server xxxxxx
     ip 10.10.0.xxx
     port 1812
     acctport 1813
     key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     nas-ip 10.140.xxx.xxx
     nas-id xxxxxx

    wlan captive-portal
     background-color 13369344
     banner-color 16777215
     banner-text "Welcome to the Guest Network"
     terms-of-use "WARNING: This network is not secure, use it at your own risk. By using the xxxx Guest network, you acknowledge that the service is not secure. xxx is not liable to you or any other party for any lack of privacy while using xxx's Guest network."
     use-policy "Please read the terms and conditions before using the xxx Guest network."

    wlan external-captive-portal
     server localhost
     port 80
     url "/"
     auth-text "Authenticated"

    blacklist-time 3600
    auth-failure-blacklist-time 3600

    ids classification

    ids
     wireless-containment none

    wired-port-profile default_wired_port_profile
     switchport-mode trunk
     allowed-vlan all
     native-vlan 1
     shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex full
     no poe
     type employee
     captive-portal disable
     no dot1x

    wired-port-profile wired-instant
     switchport-mode access
     allowed-vlan all
     native-vlan guest
     no shutdown
     access-rule-name wired-instant
     speed auto
     duplex auto
     no poe
     type guest
     captive-portal disable
     no dot1x

    enet0-port-profile default_wired_port_profile

    uplink
     preemption
     enforce none
     failover-internet-pkt-lost-cnt 10
     failover-internet-pkt-send-freq 30
     failover-vpn-timeout 180

    airgroup
     disable

    airgroupservice airplay
     disable
     description AirPlay

    airgroupservice airprint
     disable
     description AirPrint



  • 10.  RE: Multiple Instants within a cluster don't seem to be talking

    EMPLOYEE
    Posted Sep 25, 2013 12:20 PM

    You have this line in there..did you configure this from the defaults?

     

    wired-port-profile default_wired_port_profile
     switchport-mode trunk
     allowed-vlan all
     native-vlan 1
     shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex full
     no poe
     type employee
     captive-portal disable
     no dot1x



  • 11.  RE: Multiple Instants within a cluster don't seem to be talking

    Posted Sep 25, 2013 12:33 PM

    I inherited this from the previous person who initially set-up the model 61 APs, they are no longer with the co.  That is in the IAP configs at all of our schools from what I've seen.



  • 12.  RE: Multiple Instants within a cluster don't seem to be talking

    EMPLOYEE
    Posted Sep 25, 2013 12:43 PM
    Well...this is definitely looking like the switch. If you never altered the wired port profile, this should just come up.


  • 13.  RE: Multiple Instants within a cluster don't seem to be talking

    Posted Sep 25, 2013 01:48 PM

    If I were troubleshooting this, I'd look at the MAC or Bridge (or CAM) address table on the switch to make sure that the MAC addresses of all of the iAP are in the correct VLAN.

    My expectation with the native vlan 1 in the iAP is that they'd tag their control traffic to 1 rather than 14 -- just a guess, but it wouldn't surprise me.

     



  • 14.  RE: Multiple Instants within a cluster don't seem to be talking

    Posted Sep 25, 2013 02:02 PM

    Matthew

     

    We're going back for round two tomorrow afternoon... I'll check the mac address table but the config you saw in the IAP, default_wired_port_profile with native vlan 1 is actually "shutdown" so I don't think that applies.

     

     



  • 15.  RE: Multiple Instants within a cluster don't seem to be talking

    Posted Sep 25, 2013 01:47 PM

    From what you said earlier "the IAPs are all being assigned correct IPs from vlan 14 (/16 subnet)" if you UNTAG VLAN14 it should work.



  • 16.  RE: Multiple Instants within a cluster don't seem to be talking

    Posted Sep 25, 2013 01:54 PM

    ghodgins

     

    The ports are untagged on vlan 14, they're only tagged with vlan 2002.  We did try tagging them with the data vlan (14) while troubleshooting, of course that didn't work.



  • 17.  RE: Multiple Instants within a cluster don't seem to be talking

    Posted Sep 25, 2013 02:19 PM

    From the config you posted it looks like vlan 1431 is configured?

     

    wlan ssid-profile Employee
     enable
     index 0
     type employee
     essid Employee
     opmode wpa-tkip,wpa-aes,wpa2-aes,wpa2-tkip
     max-authentication-failures 0
     vlan 1431
     auth-server xxxxxx
     set-role-machine-auth machine_only user_only
     rf-band all



  • 18.  RE: Multiple Instants within a cluster don't seem to be talking

    Posted Sep 25, 2013 02:25 PM

    Apologies, that was corrected prior to attempting the installation.  The config there is actually vlan 2002 which is the vlan for the secure wifi (wlan ssid-profile Employee.)  So that is for the Client IP assignment for the secure wifi, which is network assigned.  We can connect to the wlan ssid Employee with no problem, and we pull dhcp from vlan 2002.  The issue is with the IAPs not joining into one cluster, but instead coming up and thinking they're the only IAP on the network even though they're on the same subnet, the /16 10.140.x.x 255.255.0.0



  • 19.  RE: Multiple Instants within a cluster don't seem to be talking

    EMPLOYEE
    Posted Sep 25, 2013 02:29 PM
    It's almost as if "private VLAN" is configured...this feature with Cisco eliminates all broadcasts except to the uplink port.


  • 20.  RE: Multiple Instants within a cluster don't seem to be talking

    Posted Sep 25, 2013 03:03 PM

    There is no private vlan configuration on the switch, this extreme switch does not support this feature.