Wireless Access

Hello,

I'm sure this is probably trivial for most on here, but I'm struggling enabling other VLANs on my 3600 controller running 6.1.3.1.  Here is a snippet of the config.

vlan 2
vlan 3
vlan 4
vlan 5
vlan 6
vlan 7
vlan 8 "Guest"
vlan 300 "Northside Wireless VLAN Staff"
vlan 301 "Northside Wireless VLAN Student"
vlan 400 "Rockhill Wireless VLAN Staff"
vlan 401 "Rockhill Wireless VLAN Student"
vlan 500 "AELS Wireless VLAN Staff"
vlan 501 "AELS Wireless VLAN Student"
vlan 600 "Parkway Wireless VLAN Staff"
vlan 601 "Parkway Wireless VLAN Student"
vlan 700 "AMS Wireless VLAN Staff"
vlan 701 "AMS Wireless VLAN Student"
vlan 800 "AHS Wireless VLAN Staff"
vlan 801 "AHS Wireless VLAN Student"

interface gigabitethernet 1/0
description "GE1/0"
trusted
trusted vlan 1-4094
!

interface gigabitethernet 1/1
description "GE1/1"
trusted
trusted vlan 1-4094
switchport access vlan 8
!

interface gigabitethernet 1/2
description "GE1/2"
trusted
trusted vlan 1-4094
switchport access vlan 5
!

interface gigabitethernet 1/3
description "GE1/3"
trusted
trusted vlan 300-301,400-401,500-501,600-601,700-701,800-801
switchport mode trunk
switchport trunk allowed vlan 300-301
!

interface vlan 1
ip address 10.110.40.240 255.255.248.0
ip helper-address 10.110.40.154
!

interface vlan 8
ip address 10.110.96.2 255.255.248.0
shutdown
!

interface vlan 5
ip address 10.110.72.47 255.255.248.0
ip helper-address 10.110.40.154
!

interface vlan 2
ip address 10.110.48.16 255.255.248.0
!

interface vlan 300
ip address 10.110.116.2 255.255.254.0
no ip routing
ip helper-address 10.110.40.154
!

ip default-gateway 10.110.40.1
uplink disable

Right now I think all my traffic flows of G 1/0  It is on the default vlan.  What I thought I could do is trunk port G 1/3 to the Cisco switch it is plugged into to get traffic for VLAN 300 if I allowed and trusted the VLANS on that physical port.

Right now I only have access to VLAN 1 for any clients.  How would I configure another port on this controller to deal with traffic for other VLANs like 300, 301, 400 etc?  As I was just sitting here typing this I thought of something....  

Would I have to trunk or allow vlans on the ports the APs are plugged in to as well?

By the way I know the config is right on the Cisco switch because I was able to join to VLAN 300 on the wire with my Mac and a VLAN Interface.

What my goal is, is to have a user sign in to 802.1x and assign them to a VLAN based on Filter-ID which I've got working but just can't get an IP address from the DHCP server which does work with the setup above with the VLAN on my Mac as well.

You need to make sure that your native VLAN on both sides of the trunk match:

Aruba Side:

config t

interface gigabitethernet1/3

switchport trunk native vlan 1

switchport trunk allowed vlan all

Cisco side

config t

interface <whatever>

switchport mode trunk

switchport trunk native vlan 1

switchport allowed vlan 1-4096

Thanks for the quick response!  I will try it out when I get a chance. 

Okay I ran the commands you said and it is still a no go.  When I authenticate and assign the VLAN based on Radius Authentication it does not supply me with an IP address from the DHCP Server.  I continue to get a self assigned IP address.

Any other thoughts?

---

morrisch@alliancecityschools.org wrote:

Okay I ran the commands you said and it is still a no go.  When I authenticate and assign the VLAN based on Radius Authentication it does not supply me with an IP address from the DHCP Server.  I continue to get a self assigned IP address.

 

Any other thoughts?

---

If you can go on the commandline of the controller, type "show user-table verbose".  You should see your failed user in the user table and in parentheses will be the VLAN that the user ends up on when he has the problem.

Then type "show vlan status" and it will tell you what ports that VLAN is on.  Use that to make sure that VLAN is on that port.  Next, type "show trunk" to make sure the trunk configuration is right.  Look at the interface on the opposite site of your Cisco switch, as well.

In addition, you probably need to have a helper address on the layer-3 interface of your Cisco router/switch on that VLAN to forward traffic to your DHCP server

Okay so I did check and it is showing up as VLAN 300 on my user as I wanted.  Here is the output from show vlan status and show trunk.

Vlan Status
-----------
VlanId IPAddress Adminstate Operstate PortCount Nat Inside Mode Ports AAA Profile
------ --------- ---------- --------- --------- ---------- ---- ----- -----------
1 10.110.40.240/255.255.248.0 Enabled Up 2 Disabled Regular GE1/0 GE1/3 Pc0-7 N/A
2 10.110.48.16/255.255.248.0 Enabled Down 1 Disabled Regular GE1/3 N/A
3 N/A N/A N/A 1 Disabled Regular GE1/3 N/A
4 N/A N/A N/A 1 Disabled Regular GE1/3 N/A
5 10.110.72.47/255.255.248.0 Enabled Down 2 Disabled Regular GE1/2-3 N/A
6 N/A N/A N/A 1 Disabled Regular GE1/3 N/A
7 N/A N/A N/A 1 Disabled Regular GE1/3 N/A
8 10.110.96.2/255.255.248.0 Disabled Down 2 Disabled Regular GE1/1 GE1/3 N/A
300 10.110.116.2/255.255.254.0 Enabled Up 1 Disabled Regular GE1/3 N/A
301 N/A N/A N/A 1 Disabled Regular GE1/3 N/A
400 N/A N/A N/A 1 Disabled Regular GE1/3 N/A
401 N/A N/A N/A 1 Disabled Regular GE1/3 N/A
500 N/A N/A N/A 1 Disabled Regular GE1/3 N/A
501 N/A N/A N/A 1 Disabled Regular GE1/3 N/A
600 N/A N/A N/A 1 Disabled Regular GE1/3 N/A
601 N/A N/A N/A 1 Disabled Regular GE1/3 N/A
700 N/A N/A N/A 1 Disabled Regular GE1/3 N/A
701 N/A N/A N/A 1 Disabled Regular GE1/3 N/A
800 N/A N/A N/A 1 Disabled Regular GE1/3 N/A
801 N/A N/A N/A 1 Disabled Regular GE1/3 N/A

(aruba-master) #show trunk

Trunk Port Table
-----------------
Port Vlans Allowed Vlans Active Native Vlan
---- ------------- ------------ -----------
GE1/3 ALL 1-8,300-301,400-401,500-501,600-601,700-701,800-801 1

Looks like vlan 300 is showing up on g1/3 and also on teh trunk all theose vlans are allowed.

Here is the interface on the Cisco Switch

interface GigabitEthernet1/46
no ip address
switchport
switchport mode trunk
!

Here is the VLAN Interface.

interface Vlan300
description "Northside Wireless VLAN Staff"
ip address 10.110.116.1 255.255.254.0
ip helper-address 10.110.40.154
ip pim sparse-dense-mode
!

On the Cisco side, you need to set a native VLAN and allow all of those VLANs, as well:

interface GigabitEthernet1/46
no ip address
switchport
switchport mode trunk

switchport trun native vlan 1

switchport trunk allowed vlan 1-801

Hmm...

When I run the command to set the native vlan it does not seem to take...

After running those commands this is what I see.

interface GigabitEthernet1/46
no ip address
switchport
switchport trunk allowed vlan 1-801
switchport mode trunk
!

Voice VLAN: none (Inactive)
Appliance trust: none
Name: Gi1/46
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 1-801
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

This shows native VLAN 1 

Looks good to me.

Thanks for your help.  I'm not sure what is going on.  Still not putting me on that VLAN for whatever reason.  Strange for sure.

What VLAN is the user ending up on? "show user-table verbose".  What role is the user ending up in?  What acls are in that role?

Also, can you give vlan 300 on the controller side and IP address and see if your layer 3 switch or router can ping that ip address?  That will validate if you are passing layer 2 traffic correctly.

With this specific user(me)  It is basically an allow all with a high priority set up on it.  

The user-table verbose shows 

1 (300) in the VLAN column

I've set and IP on the controller 

interface vlan 300
ip address 10.110.116.2 255.255.254.0
no ip routing
ip helper-address 10.110.40.154
!

ip default-gateway 10.110.40.1
uplink disable

It does not seem to be passing traffic because my L3 switch will not ping it.  

I can't ping the address I assigned to VLAN 330 from the controller itself either.

I wanted to give everyone one an Update.  I called TAC and we worked through it.  I had a few things off.

We actually ended up disabling spanning tree on the controller and on the port on the switch I was connected it because it was in "Blocking" mode on both the Cisco and the Aruba. 

The Port 3 I didn't really need traffic for Vlan 1-9 so I made them "not allowed" and only allowed the VLANS I wanted to on port 1/3 and on the Cisco Side.  After I did this I got the Cisco switch to start Forwarding packets, but the Aruba controller continued to be blocking  on its port.  I still have spanning tree off on the switch for this reason.

Well this actually didn't work.  After disabling spanning-tree I ran in looping issues.  Spanning-tree was doing it's job by blocking traffic.  I have MSTP running on the Cisco Switch and Aruba doesn't seem to like that.