Wireless Access

Occasional Contributor II

How does Aruba handle Vlans?

Setup is 10 IAP-225 with one acting as virtual controller. All are connected to the same switch.

Management VLAN is 400 with gateway on a firewall also connected to the switch.

VLAN 400 works fine, and guests use the default VLAN and default DHCP to connect to the internet.

The problem I am having is that VLAN 200 is also present on the switch. VLAN 200 is added to all ports with Aruba IAPs. DHCP and gateway are handled by the firewall. A user can associate with one AP, but as soon as it transitions to another AP, it can no longer ping the gateway and forgets its IP address.

If the Aruba IAP is acting as a layer 2 device, then a user should be able to move to any IAP and ping the gateway and the internet. Aruba technical support would like me to route all VLAN 200 traffic to the management VLAN gateway. For the life of me I do not understand why? Is it not possible for the IAP to add devices to VLAN 200 at layer 2? Can someone explain how Aruba processes VLANs?

Guru Elite

Re: How does Aruba handle Vlans?

Is your SSID for vlan 200 configured as network assigned?

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor II

Re: How does Aruba handle Vlans?

Yes, network assigned, static VLAN. Clients successfully gather an IP address from the first WAP they connect to. Roaming to another AP will immediately break IP connectivity. Association with other WAPs is successful, just layers 2 and 3 break down.

Guru Elite

Re: How does Aruba handle Vlans?

If it is network assigned, the routing infrastructure, and not the way should be providing DHCP.

Occasional Contributor II

Re: How does Aruba handle Vlans?

That is expected and encouraged behavior: the gateway (Juniper SRX, on VLAN 200) processes the DHCP requests and successfully hands an IP address to the end device. Then, when the end device roams to a new WAP, layer 2 breaks.

Aruba thinks that DHCP is succeeding because DHCP is broadcast, and they would like me to route VLAN 200 traffic to the gateway of VLAN 400.

I'm pretty confused about how Aruba defines and uses VLAN 200. I would like the Arubas to simply extend VLAN 200 wirelessly out to end devices.

Guru Elite

Re: How does Aruba handle Vlans?

Are you blocking anything in the user role?

Occasional Contributor II

Re: How does Aruba handle Vlans?

I don't believe so. "allow any to all" is the only rule under that role.

Occasional Contributor II

Re: How does Aruba handle Vlans?

Here's a simple diagram. This is all I need it to do: extend VLAN 200 wirelessly to wireless users. All IAPs are connected to the switch via tagged interface. A detail not shown is that Aruba technical support advised that all IAPs communicate between themselves on the native untagged VLAN - this is in effect and in use.

A question I have is, when the IAPs have a virtual controller, must all traffic be routed through the management VLAN? Currently all guest traffic is sent to the management VLAN and apparently the Arubas are NATing. When wireless guest clients connect they get a 172.x.x.x address that is not in use anywhere on this network. Why would Aruba want me to route all of VLAN 200 through the gateway of VLAN 400 (mgt)?

Again, the symptom is that a device works fine on the first IAP it connects to, but as soon as it roams to another IAP, layer 2 connectivity breaks. A test Aruba asked me to perform is to SSH to the IAPs and issue a ping to the gateway of VLAN 200 (10.0.0.1). This of course failed because the Arubas are not currently set up to operate in VLAN 200 at layer 3. I think I am missing a fundamental concept of how Aruba works. Does anyone have any technical details I can read?

WAP diagram.png

Super Contributor I

Re: How does Aruba handle Vlans?

Hi Aksala,

I have seen issues like this; they were related to some type of Samsung mobile phone in combination with 802.11k. When we switched that off it worked fine.

Hope this helps

Cheers, Frank
Aruba Partner Ambassador| AMFX#22| ACCX#613| ACMX#733| ACDX#744

If you like my posts, kudo's are welcome. If it solves your problem, please click 'Accept as Solution'
Guru Elite

Re: How does Aruba handle Vlans?




There are two modes of operation for an SSID:

"Network Assigned" bridges traffic to the local network and traffic is tagged. It is the responsibility of the switch connected to each access point to put that traffic on a VLAN (200) that has a default gateway that routes user traffic to where it should go. Clients should get an IP address on VLAN 200, the default gateway of those clients should be a router, and the router should have routes to every other network, as well as the internet.

"Virtual Controller Assigned" tunnels all traffic to the virtual controller, where DHCP is provided and client traffic is NATed out of the IP address of the virtual controller. Trunking that VLAN to all access points is not necessary, because user traffic is forwarded to the VC, DHCP is provided by the VC and traffic is NATed out of the VC. The result is that your wired infrastructure is not involved, but user traffic is "hidden" behind the NATed IP address of the VC. This is most appropriate for guest traffic and it is convenient, because you do not have to configure your switched infrastructure for it to happen.

I hope that helps.


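Added example (not part of the thread and not Aruba's code): a small Python check of the wired-side prerequisite that each of the two SSID modes in the answer above implies. The port names, the native VLAN 400, the VLAN sets and the one port left without VLAN 200 are constructed sample data, not a diagnosis of the poster's network.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    device: str          # what is plugged into this switch port
    native: int          # untagged (native) VLAN
    tagged: frozenset    # 802.1Q VLANs allowed on the trunk


def audit_ssid(mode, vlan, ap_ports, gateway_port):
    """Map each AP to the reason a client roaming onto it would lose its gateway."""
    problems = {}
    if mode == "vc":
        # Virtual Controller Assigned: client traffic goes to the VC and is
        # NATed there, so the client VLAN need not be trunked. The APs only
        # have to reach each other on a common native VLAN.
        reference = ap_ports[0].native
        for p in ap_ports:
            if p.native != reference:
                problems[p.device] = f"native VLAN {p.native} != {reference}"
        return problems
    # Network Assigned: the AP bridges client frames tagged with `vlan`, so
    # the gateway uplink and every AP uplink must carry that VLAN.
    gw_ok = vlan == gateway_port.native or vlan in gateway_port.tagged
    for p in ap_ports:
        if not gw_ok:
            problems[p.device] = f"VLAN {vlan} missing on {gateway_port.device} port"
        elif vlan not in p.tagged:
            problems[p.device] = f"VLAN {vlan} not tagged on AP uplink"
    return problems


# Constructed sample data: four APs, one port deliberately left without VLAN 200.
AP_PORTS = [
    Port("iap-1", 400, frozenset({200})),
    Port("iap-2", 400, frozenset({200})),
    Port("iap-3", 400, frozenset()),
    Port("iap-4", 400, frozenset({200})),
]
FIREWALL = Port("firewall", 400, frozenset({200}))

if __name__ == "__main__":
    print("network assigned:", audit_ssid("network", 200, AP_PORTS, FIREWALL))
    print("VC assigned:     ", audit_ssid("vc", 200, AP_PORTS, FIREWALL))
```

With this sample data only the bridged ("Network Assigned") SSID is affected by the missing tag; the VC-assigned SSID reports no problem because its client VLAN never reaches the switch.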