Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Virtual Controller is responding to HTTP requests on an old and unused Magic VLAN IP (192.168.10.1)

  • 1.  Virtual Controller is responding to HTTP requests on an old and unused Magic VLAN IP (192.168.10.1)

    Posted Nov 16, 2012 10:07 AM

    We are one of your distributors and I have seen this in several different networks we've set up, but here is my specific situation internally:

     

    Network:

     - I have wireless and wired clients sitting on a simple 192.168.201.x network

     - These clients frequently use resources from a 192.168.10.x network

     

    Wireless:

     - Single IAP-135, running a single SSID configured as Type: "Employee"

     

    Problem:

     - When a wireless client tries to reach 192.168.10.1, it would occasionally go to the IAP-135's GUI.

     - This does not affect wired clients

     

    My only guess is that at one point, we did have a SSID set up as Type: "Guest" and the VC's randomly selected network happened to be 192.168.10.x. Although that SSID has long been removed, it seems like the IAP / VC is still trying to claim that IP. (And even if the "Guest" SSID is still running, I don't think a randomly created network should be allowed to affect the "Employee" side anyway, right?)

     

    Thanks in advance!

     

    Josh

     

     

     

    Here is our current config (with personal info scrubbed)

     

    version 6.1.3.0-3.1.0
    virtual-controller-country US
    virtual-controller-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    name user-wireless
    organization user
    virtual-controller-ip 192.168.201.5
    ntp-server 192.5.41.41
    clock timezone Pacific-Time -08 00
    rf-band all
    dynamic-radius-proxy
    ams-ip 192.168.168.100
    ams-key xxxxxxxxxxxxxxxxxxxxxxx

    allow-new-aps
    allowed-ap d8:c7:c8:cb:c9:9a


    snmp-server community xxxxxxxxx

    arm
     wide-bands 5ghz
     a-channels 44,48,149,153,157,161,165,44+,149+,157+
     min-tx-power 127
     max-tx-power 127
     band-steering-mode force-5ghz
     air-time-fairness-mode preferred-access
     client-aware
     scanning
    rf dot11g-radio-profile
     spectrum-monitor
     interference-immunity 4

    rf dot11a-radio-profile
     spectrum-monitor

    ip dhcp pool
     dns-server 4.2.2.2
     domain-name domain.com
     lease-time 480

    internal-domains
     domain-name domain.com
     domain-name domain2.com

    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless


    opendns domain2 61661002de7663aa7230bac58c0310a5cb54dd82678557db
    device-id 0010D78B763A8693
    mas-integration


    user guest xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx portal

    user josh xxxxxxxxxxxxxxxxxxxxxxxxxx radius
    user joe xxxxxxxxxxxxxxxxxxxxxxx radius
    user test xxxxxxxxxxxxxxxxxxxxxxx radius

    mgmt-user admin xxxxxxxxxxxxxxxxxxxxxxxxx

    wlan access-rule default_wired_port_profile
     rule any any match any any any permit

    wlan access-rule domain2
     rule any any match any any any permit

    wlan access-rule domain2.com
     rule any any match any any any permit

    wlan access-rule user
     rule any any match any any any permit

    wlan access-rule default_dev_rule
     rule any any match any any any permit

    wlan ssid-profile domain2.com
     index 1
     type employee
     essid domain2.com
     wpa-passphrase xxxxxxxxxxxxxxxxxxxxxxxxxxx
     opmode wpa2-psk-aes
     max-authentication-failures 0
     rf-band all
     captive-portal disable
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter none
     blacklist
     dmo-channel-utilization-threshold 90

    enet-vlan guest

     

    wlan auth-server ca-dc2008
     ip 192.168.1.9
     port 1812
     acctport 1813
     key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    wlan captive-portal
     background-color 13421823
     banner-color 10066431
     banner-text "Welcome to the Guest Network."
     terms-of-use "Please read and accept terms and conditions and then login."
     use-policy "This network is not secure and use it at your own risk."

    wlan external-captive-portal
     server localhost
     port 80
     url "/"
     auth-text "Authenticated"

    blacklist-time 3600
    auth-failure-blacklist-time 3600

    ids classification
    ids rogue-containment

    ids
     wireless-containment none
     infrastructure-detection-level high
     client-detection-level high
     infrastructure-protection-level high
     client-protection-level high


    wired-port-profile default_wired_port_profile
     switchport-mode trunk
     allowed-vlan all
     native-vlan 1
     shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex full
     no poe
     type employee
     captive-portal disable


    enet0-port-profile default_wired_port_profile
    enet1-port-profile default_wired_port_profile
    enet2-port-profile default_wired_port_profile

    uplink
     preemption
     enforce none

    l3-mobility

     




  • 2.  RE: Virtual Controller is responding to HTTP requests on an old and unused Magic VLAN IP (192.168.10.1)

    Posted Nov 16, 2012 10:26 AM

    You can select what network will be distributed by the IAP, for the guest network

    Here is the image you do it in settings, maybe you got an old firmware... you need to update it to the latest...

    dhcp.png



  • 3.  RE: Virtual Controller is responding to HTTP requests on an old and unused Magic VLAN IP (192.168.10.1)

    Posted Nov 16, 2012 10:31 AM

    It is an internal network not guest... try using not a magic vlan with assigned by the VC... instead tag it to the IAP a vlan specially for wireless and on the switch core put in an interface vlan for that vlan... on the dhcp server well put the dhcp scope for that vlan...

     

    The magic vlan you use it, for guest not really for employee network

     

    Cheers

    Carlos



  • 4.  RE: Virtual Controller is responding to HTTP requests on an old and unused Magic VLAN IP (192.168.10.1)

    Posted Nov 16, 2012 10:32 AM
    Thanks for the reply NightShade1
     
    We do have the latest firmware: 6.1.3.4-3.1.0.1_35899 (2012-10-26) and I do notice that we can manually specify a Guest network range now.
     
    However, for us, that field is currently blank and we don't have a Guest network setup.
     
     


  • 5.  RE: Virtual Controller is responding to HTTP requests on an old and unused Magic VLAN IP (192.168.10.1)

    Posted Nov 16, 2012 10:34 AM

    It doesn't matter if you don't have a guest setup... if you put an employee network with a virtual controller assignment ip, then he will use that range you put in there...

     

    But like I said that magic vlan is for guest not really for employee network.

     

    Cheers

    Carlos



  • 6.  RE: Virtual Controller is responding to HTTP requests on an old and unused Magic VLAN IP (192.168.10.1)

    Posted Nov 16, 2012 10:40 AM

    @NightShade1: Thanks again for your replies. I think I have an extremely good understanding of the Aruba Instant, so that's why I think this is more of a bug. Especially because I have seen this in other Aruba Instant networks before.

     



  • 7.  RE: Virtual Controller is responding to HTTP requests on an old and unused Magic VLAN IP (192.168.10.1)

    Posted Nov 16, 2012 10:49 AM

    It does not let you put a value in there?

    or you put another network in there and does not work?

    Because I just tested it and works perfectly here...and I got the same firmware...

    Or maybe I'm not understanding you what you want to do?

     

    As what I understand you want to change the addressing distributed by the VC to another....



  • 8.  RE: Virtual Controller is responding to HTTP requests on an old and unused Magic VLAN IP (192.168.10.1)

    Posted Nov 16, 2012 10:52 AM

    @NightShade1: Thank you for trying to replicate the problem :)  

    My main problem is that the IAP / VC is responding on an IP (192.168.10.1) that is not even configured on the unit, which is affecting normal traffic destined for the real 192.168.10.1

     

     



  • 9.  RE: Virtual Controller is responding to HTTP requests on an old and unused Magic VLAN IP (192.168.10.1)

    Posted Nov 16, 2012 10:54 AM

    Try putting another value don't leave it in blank... maybe by default he uses that one if you don't set anything... you said it was in blank those spaces...



  • 10.  RE: Virtual Controller is responding to HTTP requests on an old and unused Magic VLAN IP (192.168.10.1)

    Posted Nov 16, 2012 11:00 AM

    If you leave it in blank you see it uses a 255.255.254.0 and it uses as default gateway by default 192.168.10.1

    bug2.png



  • 11.  RE: Virtual Controller is responding to HTTP requests on an old and unused Magic VLAN IP (192.168.10.1)

    Posted Nov 16, 2012 11:08 AM

    look if I put a vlan on my vc I mean I'm using my network interface vlan my dhcp and all... I'm not assigning anything from the VC....

     

    and the interface of 192.168.10.1 is there... even if you not creating or using it...

     

    That's your issue...

    Put a value in there whatever you not using to solve it..

     

    bug3.png



  • 12.  RE: Virtual Controller is responding to HTTP requests on an old and unused Magic VLAN IP (192.168.10.1)

    Posted Dec 03, 2012 03:36 AM

    Hi,

     

    we had the same problem with a customer of ours. His Radius was in the 192.168.10.0 subnet and this has always worked until the last upgrade (last version 6.1.3.4-3.1.0.1), it stopped working, so I also think this is a bug.

    We saw that a route was added in the routing table:

    172.20.105.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
    192.168.10.0 0.0.0.0 255.255.254.0 U 0 0 0 br0
    0.0.0.0 172.20.105.1 0.0.0.0 UG 0 0 0 br0

     

    We opened a case with Aruba and after searching a few hours they told us the same thing about the magic VLAN. After adding a network (by Aruba), indeed the 192.168.10.0 in the routing table disappeared, but the new network was added there in the routing table with losing a whole subnet that we could use in the internal network. We then used 1.2.3.4 255.255.255.255 as a dummy network and the line disappeared completely in the routing table and everything worked as normal without losing a subnet.

    In my opinion this is a work around for a bug, because before the upgrade this was working without adding the extra network.

    Aruba told me that they don't see this as a bug with the following reason:

    "informed that it is not a work around; that the reason is that the End Customer is using the same ip scheme as that of the IAP"
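
Added example, not part of any post in this thread and not Aruba code: a check that parses the routing table quoted in post 12 and reports internal hosts that fall inside an on-link (no gateway) route on the AP, so their traffic never reaches the real subnet. The "after" table, the uplink subnet 172.20.105.0/24 and the function names are assumptions made for the example.

```python
import ipaddress

# Routing table exactly as quoted in post 12
# (columns: Destination Gateway Genmask Flags Metric Ref Use Iface).
ROUTES_BEFORE = """\
172.20.105.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.10.0 0.0.0.0 255.255.254.0 U 0 0 0 br0
0.0.0.0 172.20.105.1 0.0.0.0 UG 0 0 0 br0
"""

# Constructed: the same table once the magic VLAN route is gone,
# as the post describes after the dummy-network workaround.
ROUTES_AFTER = """\
172.20.105.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
0.0.0.0 172.20.105.1 0.0.0.0 UG 0 0 0 br0
"""


def parse_routes(text):
    """Parse `route -n` style lines; header and malformed lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False)
        except ValueError:
            continue  # column header or garbage
        routes.append({"net": net, "flags": fields[3], "iface": fields[7]})
    return routes


def shadowed_hosts(route_text, uplink_net, internal_hosts):
    """Return (host, route, iface) for hosts captured by an on-link route
    that is not the AP's own uplink subnet."""
    uplink = ipaddress.ip_network(uplink_net)
    findings = []
    for route in parse_routes(route_text):
        # A 'G' flag means traffic is forwarded to a gateway, which is fine.
        if "G" in route["flags"] or route["net"].overlaps(uplink):
            continue
        for host in internal_hosts:
            if ipaddress.ip_address(host) in route["net"]:
                findings.append((host, str(route["net"]), route["iface"]))
    return findings
```

Running the same check against the AP's routing table after every firmware upgrade would catch the regression described in post 12 before RADIUS or gateway traffic starts failing.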