Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Internet access and Wireless communication within VLAN

  • 1.  Internet access and Wireless communication within VLAN

    Posted Aug 20, 2020 03:13 PM

    I am new to Aruba as far as configuring things on the controller.  The only thing I’ve done up to this point is provision APs on a system I inherited.  I’ll first describe our current setup, then will explain what I’m trying to accomplish, followed by where I’m currently at.   

     

    Our current setup:

    At our college we have three SSIDs (employee, student, and guest).  Employee and student are authenticated on a RADIUS server, guest via captive portal.  All AP and client IP addresses are handed out by our DHCP server.  The 26 wireless VLANs for the three SSIDs are divided equally on the 7210 controller trunk ports 1 and 2 (employee 10.30.0.2-10.30.2.2, guest 10.31.0.2-10.31.3.2, and student 10.32.0.2-10.33.9.2).  The APs are given an IP address from the DHCP server depending on the scope of the building they’re in (in this case, our Health Careers building, wired VLAN 19, 10.1.19.x).  All campus APs are in the same AP group (APGroup-All).  Our wired and wireless are separate.  A student in the Health Careers building will have a wired IP of 10.1.19.x and a wireless IP, campus wide, from the range of 10.32.0.2-10.33.9.2.

     

    What I need to accomplish:

    I am setting up a wired and wireless network for a Laerdal manikin simulation system in our Health Careers building.  Both the wired and wireless devices on the Laerdal network need to be on the same VLAN and pull from the same DHCP server scope.  Both wired and wireless devices on the Laerdal network need Internet access as well as the ability to communicate with each other (wired to wireless, wireless to wireless, etc.).  The SSID for the Laerdal devices is AnneSim and all the Laerdal simulation devices require WPA2-Personal Encryption.  Also, I do not want the wireless devices on the Laerdal VLAN/SSID communicating with any of the other wireless SSIDs on campus.

     

    What I’ve done and where I’m at:

    I created a DHCP VLAN scope 55 (10.1.55.x) for both wired and wireless Laerdal devices.  I created a 55 VLAN on the Aruba controller and have it on port 2 (trunk mode) by itself.  I have installed five AP-305 APs in the simulation lab that are dedicated to the Laerdal devices.  I created an AP group of APGroup-Laerdal and an SSID of AnneSim as well as a WLAN via the controller wizard.  There is also a VAP set up within the AP group APGroup-AnneSim with a SSID profile (AnneSim-ssid_prof) and AAA profile (AnneSim-aaa_prof).  Forward mode for the WLAN is tunneled. 

     

    Currently, all of the wired and wireless devices and APs are pulling the correct IP addresses (10.1.55.X) from the DHCP server.  I can easily connect all wireless devices to the AnneSim SSID with the WPA2 passkey, but once connected, I do not have Internet nor can I ping or communicate with the other devices connected via wireless.  I’ve tried changing the mode on port 2 from trunk to access but that didn’t help and caused all the APs in the group to start randomly rebooting.  I also tried turning off the “Deny Inter User Traffic” option in the Stateful Firewall/Global Settings and turning it off within the AnneSim VAP profile.

     

    What am I missing?  Any help will be appreciated.  



  • 2.  RE: Internet access and Wireless communication within VLAN

    Posted Aug 20, 2020 03:15 PM

    forgot to mention...

    Aruba7210 controller running OS Version: 6.5.4.16



  • 3.  RE: Internet access and Wireless communication within VLAN

    Posted Aug 21, 2020 12:50 AM

    1. Make sure controller can connect to campus network or internet. Test ping on it. For the connection, you can use this model: 

    [core/switch=trunk port]----<allow all/specific vlan>----[controller = trunk port]

    If you use a multiport connection, make sure there is no loop-back connection (same VLAN on a different port).

     

    2. Set port => trusted !!

     

    3. Check the AAA profile for the said SSID/VAP, what is the initial role. Check it on access control > user role if this role is allowed to access network/internet. For simplicity purposes, just put the "allowall" policy on it first. Then you can change it later. (must have PEFNG License)

     

    4. Check the roles for connected user. Make sure it was the same as mentioned in AAA-Profile.

     

    5.   Test connection (ping) from wireless and wired client. 

     

     

    Best Regards

    Yopianus Linga



  • 4.  RE: Internet access and Wireless communication within VLAN

    Posted Aug 21, 2020 12:35 PM

    I solved the Internet issue.  The wrong DNS servers were listed on the DHCP scope.

     

    Still cannot communicate between devices.

     

    Port is trusted

     

    Initial role is authenticated

     

    connected user is showing up with role of authenticated

     

    Can ping from wired device to wired device, but not wired to wireless or wireless to wireless.

     

    I have PEF licenses



  • 5.  RE: Internet access and Wireless communication within VLAN

    Posted Aug 21, 2020 01:12 PM

    If you create an access port on the controller and connect a wired client to it, can they communicate with the wireless client?

    Based on the output that client can connect - get correct ip - get correct role, the setup should be working fine.

    Check again inside the authenticated role. Make sure it doesn't have any policy that blocks the connection.

     

    I once had this kind of problem, and it was because the gateway/DHCP server (MikroTik) assigned a "no-allow-access role" to all DHCP clients until they were moved manually to the "allow-network role" on the MikroTik system. Not sure if it is the same or not.

     

     

    Best Regards

    Yopianus Linga