Wireless Access

We recently bought the Aruba IAP 175.

There are some clients outside (in a guardshack) that need access to our network.

Right now the people on the guardshack are on VLAN 60.

The AP is on VLAN 21.

We set it so when the client connects they get on VLAN 21.

If two wireless clients are connected they can ping each other.

If there is one wireless client and one client connected to the core (on VLAN 21) they cannot ping each other.

It seems that traffic is getting to the AP but the ap gets lost as to where it needs to be routed.

The wireless client cannot access the AP web interface (or ping the AP).

The client wired into the core (on VLAN 21) can ping and access the AP and the web interface.

When I do a ping it shows Destination Host Unreachable.

Any ideas?

Do you have any ACLs tied to the user role or port ?

We do have ACLs set up.

However right now I have the AP set up to a port in the core and the wired client in the port next to it which are both on the same VLAN (21).

ACLs should not effect that because no traffic is being passed anywhere except between the client and the AP.

Is the issue of the wireless user reaching the wired user ?

How do you have your ssid network setup Virtual assigned or network assigned ?

Yes that is our issue. The wireless client cannot reach the wired user and vice versa.

It is network assigned.

*********************************************************************************************************
 11/5/2013 10:56:50 AM    Target: d8:c7:c8:c8:47:ac    Command: show datapath user
*********************************************************************************************************
Datapath User Table Entries
---------------------------
Flags: P - Permanent, W - WEP, T- TKIP, A - AESCCM
       R - ProxyARP to User, N - VPN, L - local, I - Intercept
FM(Forward Mode): S - Split, B - Bridge, N - N/A

       IP              MAC           ACLs    Contract   Location  Age    Sessions   Flags     Vlan  FM
---------------  -----------------  -------  ---------  --------  -----  ---------  -----     ----  --
10.20.1.8        D8:C7:C8:C8:47:AC   105/0      0/0     0         0        0/65535  P           1   N
172.31.98.1      D8:C7:C8:C8:47:AC   105/0      0/0     0         413      0/65535  P        3333   B
0.0.0.0          D8:C7:C8:C8:47:AC   105/0      0/0     0         0        0/65535  P           1   N

If you have it configure as network assigned you should then be able to use that same VLAN on your uplink and connect a wired client on the wireless VLAN and see if you can reach a device on the wired VLAN to eliminate the IAP from the equation 

I was able to connect to users to the vlan and they were able to successfully ping each other.

So it looks like something is misconfigured on the IAP...

You should define an ACL that allows those two segments to communicate on your user-role or in the port profile

I set up an ACL in the wired port profile for my new network.

I used the command show access-rule-all and here is my result:

Access Rule Name :GuardShack
In Use           :Yes
Access Rules
------------
Dest IP  Dest Mask  Dest Match  Protocol (id:sport:eport)  Action  Log  TOS  802.1P  Blacklist  Mirror  DisScan  ClassifyMedia
-------  ---------  ----------  -------------------------  ------  ---  ---  ------  ---------  ------  -------  -------------
any      any        match       any                        permit                                                
Vlan Id           :0
ACL Captive Portal:disable
CALEA             :disable

The VLAN ID didn't change to 21 when I typed it in using show access-rule-all but it shows up when I use the web interface.

The wireless client can connect to the AP but cannot ping it.

Both the wired client and wireless cannot talk with each other.

I used the show ip route command and got this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.31.98.0     0.0.0.0         255.255.254.0   U         0 0          0 br0
10.20.0.0       0.0.0.0         255.255.0.0     U         0 0          0 br0
0.0.0.0         10.20.1.1       0.0.0.0         UG        0 0          0 br0

I never entered that first line.

I think that my routes are wrong but I can't find out where to change them from the CLI or the web interface nor can I find the documentation for it.

Also, the AP cannot ping the wireless client even though it's in the association table.

Talked with Aruba support and got this issue resolved.

I did not need anything written in the Wired section.

The port was set to switchport access on the router so on the AP I didn't need to set up anything under client VLAN.

If I had the port set to trunk, I would have needed to set that.

I hope this helps anyone else that might have that issue.

Hi,

I'm having the same issue but the APs are connected to the Switch and not on the router. You said that if it is a trunk port for the AP, I need to set something on the client VLAN. Do have any idea what should be done on the client VLAN? 

Thank you

The last post in this thread was 7 years ago.  Please open a new thread.