Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Controller and home setup

  • 1.  Controller and home setup

    Posted Aug 21, 2019 05:35 PM

    So I'm new to Aruba and setting up a lab at home behind an LTE router.

     

    I have a 7005 with basically no config other than the following done. What I'm seeing is I can't get internet access from the controller/LAN. I tried doing a ping 8.8.8.8 source 99 and ping 8.8.8.8 source 20, should I be able to get internet access or am I missing something? I can reach the gateway of the LTE router fine, which is on VLAN 99; the controller is on VLAN 1. Doesn't seem like I can change the controller to VLAN 99 because it's got DHCP set up.

     

    (Aruba7005) *[mynode] #show vlan

    VLAN CONFIGURATION
    ------------------
    VLAN Description Ports AAA Profile Option-82
    ---- ----------- ----- ----------- ---------
    1 Default GE0/0/2-0/3 Pc0-7 N/A Disabled
    20 LAN GE0/0/1 N/A Disabled
    99 LTE_Router GE0/0/0 N/A Disabled

    (Aruba7005) *[mynode] #show ip interface b

    Interface IP Address / IP Netmask Admin Protocol VRRP-IP
    vlan 1 172.16.0.254 / 255.255.255.0 up up
    vlan 99 192.168.1.24 / 255.255.255.0 up up
    vlan 20 192.168.2.1 / 255.255.255.0 up up
    loopback unassigned / unassigned up up


    sh(Aruba7005) *[mynode] #show ip route

    Codes: C - connected, O - OSPF, R - RIP, S - static
    M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    S* 0.0.0.0/0 [10/0] via 192.168.1.1*
    C 172.16.0.0/24 is directly connected, VLAN1
    C 192.168.1.0/24 is directly connected, VLAN99
    C 192.168.2.0/24 is directly connected, VLAN20

     

    Interface gig 0/0/0 connected to LTE router

     

    interface gigabitethernet 0/0/0
    trusted
    trusted vlan 1-4094
    switchport access vlan 99
    !
    vlan 99
    !
    interface vlan 99
    ip address dhcp-client
    !
    ip default-gateway import

     

    I also created a separate VLAN for clients but haven't even really done much with that yet

     

    ip dhcp pool LAN
    default-router 192.168.2.1
    dns-server import
    lease 1 0 0
    network 192.168.2.0 255.255.255.0
    !
    vlan 20
    !
    interface vlan 20
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    no shut

     



  • 2.  RE: Controller and home setup

    EMPLOYEE
    Posted Aug 21, 2019 05:46 PM

    Every VLAN interface that you want to be able to go out to the internet should have ip nat inside.

     

    You can give VLAN 99 a static ip address and statically point your default gateway to that gateway's ip address.  Import is only really for if you want it to obtain the WAN ip address.

     

    Whatever the controller's management VLAN is should have ip nat inside (type show controller-ip).



  • 3.  RE: Controller and home setup

    Posted Aug 21, 2019 07:25 PM

    Makes sense, since this, like you said, really isn't connected to any sorta WAN but a router. However, I did change the VLAN 99 interface to a static IP and also changed the default gateway, still no love. IP nat inside is also enabled on the interface. Tried pinging Google DNS 8.8.8.8 sourcing from VLAN 99 and also just from the controller; gateway is reachable.

     

    interface vlan 99
    ip address 192.168.1.24 255.255.255.0
    ip nat inside
    !
    ip default-gateway 192.168.1.1

     

    (Aruba7005) *[mynode] #show ip interface brief

    Interface IP Address / IP Netmask Admin Protocol VRRP-IP
    vlan 1 172.16.0.254 / 255.255.255.0 up up
    vlan 99 192.168.1.24 / 255.255.255.0 up up
    vlan 20 192.168.2.1 / 255.255.255.0 up up
    loopback unassigned / unassigned up up

     

    (Aruba7005) *[mynode] #ping 8.8.8.8 source 99

    Press 'q' to abort.
    Sending 5, 92-byte ICMP Echos to 8.8.8.8 from 192.168.1.24, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    (Aruba7005) *[mynode] #ping 8.8.8.8

    Press 'q' to abort.
    Sending 5, 92-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

     

    (Aruba7005) *[mynode] #ping 192.168.1.1

    Press 'q' to abort.
    Sending 5, 92-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 0.874/1.611/2.216 ms



  • 4.  RE: Controller and home setup

    EMPLOYEE
    Posted Aug 21, 2019 07:30 PM

    You shouldn't have to do ip nat inside on VLAN 99, because the router itself should be natting that.  What is the result of "show ip route"?



  • 5.  RE: Controller and home setup

    Posted Aug 21, 2019 07:36 PM

    I tried with and without ip nat inside and the routing table is the same, see below.

     

    (Aruba7005) *[mynode] #show ip route

    Codes: C - connected, O - OSPF, R - RIP, S - static
    M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    Gateway of last resort is 192.168.1.1 to network 0.0.0.0 at cost 1
    S* 0.0.0.0/0 [1/0] via 192.168.1.1*
    C 172.16.0.0/24 is directly connected, VLAN1
    C 192.168.1.0/24 is directly connected, VLAN99
    C 192.168.2.0/24 is directly connected, VLAN20

     

    And without it



  • 6.  RE: Controller and home setup

    EMPLOYEE
    Posted Aug 21, 2019 07:42 PM

    Ping 8.8.8.8 and then type "show datapath session table 8.8.8.8" to see if any of that traffic is being denied.



  • 7.  RE: Controller and home setup

    Posted Aug 21, 2019 07:45 PM

    I'm not too familiar with this table but it looks like two-way traffic, but as you can see no success.

     

    (Aruba7005) *[mynode] #ping 8.8.8.8

    Press 'q' to abort.
    Sending 5, 92-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    (Aruba7005) *[mynode] #show datapath session table 8.8.8.8


    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
    D - deny, R - redirect, Y - no syn
    H - high prio, P - set prio, T - set ToS
    C - client, M - mirror, V - VOIP
    Q - Real-Time Quality analysis
    u - Upstream Real-Time Quality analysis
    I - Deep inspect, U - Locally destined
    E - Media Deep Inspect, G - media signal
    r - Route Nexthop, h - High Value
    A - Application Firewall Inspect
    B - Permanent, O - Openflow
    L - Log

    Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
    192.168.1.24 8.8.8.8 1 70 2048 1/4108 0 0 0 local 9 1 120 FCI
    8.8.8.8 192.168.1.24 1 69 0 0/0 0 22 0 local a 1 96 FI
    192.168.1.24 8.8.8.8 1 67 2048 1/4108 0 0 1 local c 1 120 FCI
    192.168.1.24 8.8.8.8 1 66 2048 1/4108 0 0 1 local c 1 120 FCI
    8.8.8.8 192.168.1.24 1 68 0 0/0 0 22 1 local b 1 96 FI
    8.8.8.8 192.168.1.24 1 66 0 0/0 0 22 1 local e 0 0 FI
    192.168.1.24 8.8.8.8 1 68 2048 1/4108 0 0 1 local d 0 0 FCI
    8.8.8.8 192.168.1.24 1 70 0 0/0 0 22 1 local b 0 0 FI
    192.168.1.24 8.8.8.8 1 69 2048 1/4108 0 0 1 local c 0 0 FCI
    8.8.8.8 192.168.1.24 1 67 0 0/0 0 22 1 local e 0 0 FI
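
The check suggested in post 6 (look for denied traffic in the session table) can be done mechanically. The following is an added example, not part of the original thread and not Aruba code: it parses rows in the column layout pasted above and reports entries carrying the `D` (deny) flag plus per-direction packet counters. The function names are hypothetical, and the last sample row is constructed to show what a denied entry would look like.

```python
import ipaddress
from collections import namedtuple

# Column order taken from the header line of the pasted output.
Session = namedtuple(
    "Session",
    "src dst prot sport dport cntr prio tos age dest tage packets nbytes flags")

# First three rows copied from the thread; the last row is CONSTRUCTED
# (hypothetical client and ports) to illustrate the D flag.
SAMPLE = """\
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
192.168.1.24 8.8.8.8 1 70 2048 1/4108 0 0 0 local 9 1 120 FCI
8.8.8.8 192.168.1.24 1 69 0 0/0 0 22 0 local a 1 96 FI
192.168.1.24 8.8.8.8 1 67 2048 1/4108 0 0 1 local c 1 120 FCI
192.168.2.50 8.8.8.8 17 5353 53 0/0 0 0 1 local 3 2 150 FD
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_sessions(text):
    """Return Session rows; headers, legends and separators are skipped."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 13:          # row with an empty Flags column
            tok.append("")
        if len(tok) != 14 or not (_is_ip(tok[0]) and _is_ip(tok[1])):
            continue
        s = Session(*tok)
        rows.append(s._replace(packets=int(s.packets), nbytes=int(s.nbytes)))
    return rows

def denied(rows):
    """Flags are case-sensitive in the legend: only upper-case D means deny."""
    return [s for s in rows if "D" in s.flags]

def summarize(rows, target):
    """Packet counters per direction for one remote address, plus deny count."""
    return {
        "to_target": sum(s.packets for s in rows if s.dst == target),
        "from_target": sum(s.packets for s in rows if s.src == target),
        "denied": len([s for s in denied(rows) if target in (s.src, s.dst)]),
    }

if __name__ == "__main__":
    print(summarize(parse_sessions(SAMPLE), "8.8.8.8"))
```

None of the rows posted in the thread carry the `D` flag.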



  • 8.  RE: Controller and home setup

    EMPLOYEE
    Posted Aug 21, 2019 07:53 PM

    What is the output of "show controller-ip" ?



  • 9.  RE: Controller and home setup

    Posted Aug 21, 2019 07:57 PM

    It's on VLAN 1 with a 172.x address, do I need to change this to my VLAN 99 address? If so, why wouldn't just doing a "ping 8.8.8.8 source 99" work?

     

    (Aruba7005) *[mynode] #show controller-ip

    Switch IP Address: 172.16.0.254

    Switch IP is configured to be Vlan Interface: 1

    Switch IPv6 address is not configured.



  • 10.  RE: Controller and home setup

    EMPLOYEE
    Posted Aug 21, 2019 08:00 PM

    Please change it to VLAN 99.  I have no idea why it wouldn't work, but it could be an issue.

     



  • 11.  RE: Controller and home setup

    Posted Aug 21, 2019 08:10 PM

    Still no luck there.

     

    (Aruba7005) *[mynode] #show controller-ip

    Switch IP Address: 192.168.1.24

    Switch IP is configured to be Vlan Interface: 99

    Switch IPv6 address is not configured.

    (Aruba7005) *[mynode] #ping 192.168.1.1

    Press 'q' to abort.
    Sending 5, 92-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 2.126/2.3108/2.725 ms

    (Aruba7005) *[mynode] #ping 8.8.8.8

    Press 'q' to abort.
    Sending 5, 92-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    (Aruba7005) *[mynode] #show datapath session table 8.8.8.8


    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
    D - deny, R - redirect, Y - no syn
    H - high prio, P - set prio, T - set ToS
    C - client, M - mirror, V - VOIP
    Q - Real-Time Quality analysis
    u - Upstream Real-Time Quality analysis
    I - Deep inspect, U - Locally destined
    E - Media Deep Inspect, G - media signal
    r - Route Nexthop, h - High Value
    A - Application Firewall Inspect
    B - Permanent, O - Openflow
    L - Log

    Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
    192.168.1.24 8.8.8.8 1 11 2048 1/4108 0 0 1 local 1a 0 0 FCI
    8.8.8.8 192.168.1.24 1 13 0 0/0 0 22 1 local 19 0 0 FI
    8.8.8.8 192.168.1.24 1 11 0 0/0 0 22 1 local 1a 0 0 FI
    192.168.1.24 8.8.8.8 1 13 2048 1/4108 0 0 1 local 19 0 0 FCI



  • 12.  RE: Controller and home setup

    EMPLOYEE
    Posted Aug 21, 2019 08:13 PM

    I would do a traceroute and find another ip address to ping.  It is possible 8.8.8.8 is blocked.