Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Migration to a new DHCP server

  • 1.  Migration to a new DHCP server

    Posted Aug 14, 2012 07:49 AM

    I am migrating from the internal database to an external database, and during the migration I want to use the internal one until all the clients have been moved. I have set up a different VLAN for the new server.

     

    Question: Do I put an IP address helper on the controller or on my core switch for the new VLAN?



  • 2.  RE: Migration to a new DHCP server

    Posted Aug 14, 2012 09:06 AM

    Hi jcameron,

     

    If the layer3 routing (default gateway IP) is taking place at your controller then you'll have to situate it there as what will happen is:

     

    Host PC sends DHCP request

    Hits controller's default gateway IP

    Controller converts DHCP request into a unicast packet from its own source IP (the gateway IP within the VLAN the host PC is inside) and the destination of the helper (external DHCP server).

    DHCP server in different VLAN responds to the unicast request with an Offer and controller forwards it on

     

    Of course, if you have DHCP still enabled and running on the controller locally as well as an external DHCP server, the local, unless it runs out of addresses, should always win the Offer race and so until the controller DHCP scope is disabled I'd imagine the external server won't lease any addresses successfully.

     

    Hopefully this helps? Also this is my first post and I'm somewhat new to Aruba but this is network fundamentals so should be sound ;-)
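
Added example, not part of the original post and not Aruba code: a Python model of the relay step described in the post above, showing the gateway stamping its own address into `giaddr` before unicasting to the helper, and the server choosing its scope from that field. All addresses are constructed from documentation ranges, and the function names (`build_discover`, `relay`, `select_scope`) are hypothetical.

```python
import ipaddress
import struct

BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"
GIADDR = slice(24, 28)          # offset of giaddr in the fixed BOOTP header

# Constructed sample data (documentation ranges, not from the thread).
CLIENT_GATEWAY = "192.0.2.1"    # L3 interface of the client VLAN (where the helper lives)
DHCP_SERVER = "203.0.113.10"    # external server the helper points at
SCOPES = [ipaddress.ip_network("192.0.2.0/24"),
          ipaddress.ip_network("198.51.100.0/24")]


def build_discover(xid, mac):
    """DHCPDISCOVER as the client broadcasts it: giaddr is all zeros."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0,                     # op, htype, hlen, hops
        xid, 0, 0x8000,                           # xid, secs, broadcast flag
        bytes(4), bytes(4), bytes(4), bytes(4),   # ciaddr, yiaddr, siaddr, giaddr
        mac, bytes(64), bytes(128))               # chaddr (zero padded), sname, file
    return fixed + MAGIC_COOKIE + bytes([53, 1, 1, 255])  # option 53 = DISCOVER


def relay(packet, gateway_ip, helper_ip, max_hops=16):
    """Relay step on the gateway: returns (src, dst, payload) or None if dropped."""
    if len(packet) < 240 or packet[0] != BOOTREQUEST:
        return None
    if packet[236:240] != MAGIC_COOKIE or packet[3] >= max_hops:
        return None
    out = bytearray(packet)
    out[3] += 1                                   # hops
    if out[GIADDR] == bytes(4):                   # only the first relay stamps giaddr
        out[GIADDR] = ipaddress.IPv4Address(gateway_ip).packed
    return gateway_ip, helper_ip, bytes(out)


def select_scope(packet, scopes, arrival_subnet):
    """Server side: pick the pool from giaddr, or from the arrival subnet if unrelayed."""
    giaddr = ipaddress.IPv4Address(packet[GIADDR])
    if int(giaddr) == 0:
        local = ipaddress.ip_network(arrival_subnet)
        return local if local in scopes else None
    return next((net for net in scopes if giaddr in net), None)


if __name__ == "__main__":
    discover = build_discover(0x1234ABCD, bytes.fromhex("020000000001"))
    src, dst, relayed = relay(discover, CLIENT_GATEWAY, DHCP_SERVER)
    print("unicast", src, "->", dst, "giaddr", ipaddress.IPv4Address(relayed[GIADDR]))
    print("scope chosen:", select_scope(relayed, SCOPES, "203.0.113.0/24"))
    print("without helper:", select_scope(discover, SCOPES, "203.0.113.0/24"))
```

A request that reaches the server with `giaddr` still zero matches no remote scope, which is why the helper has to sit on whichever device is the default gateway for the client VLAN.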



  • 3.  RE: Migration to a new DHCP server

    Posted Sep 26, 2012 03:50 AM

     

    Please see below problem and advise. Thank you in advance

     

     



  • 4.  RE: Migration to a new DHCP server

    EMPLOYEE
    Posted Sep 26, 2012 04:16 AM

    @syedmuradali wrote:

     

    Please see below problem and advise. Thank you in advance

     

     


    Syedmuradali,

     

    From the diagram, I cannot tell exactly what your problem is, or what you have tried to fix it.  Please open a new thread and state what your issue is so we can help.

     



  • 5.  RE: Migration to a new DHCP server

    Posted Sep 26, 2012 04:59 AM

    Thanks for your immediate response. I tried my best but unfortunately didn't find any button to open the new thread. my bad...



  • 6.  RE: Migration to a new DHCP server

    EMPLOYEE
    Posted Sep 26, 2012 05:05 AM

    What are the details of your problem?

     



  • 7.  RE: Migration to a new DHCP server

    Posted Sep 26, 2012 05:19 AM

    Reference to attached file. We have installed an MC3600 with AP92 in a routed network. APs are attached in VLAN327 and getting IP from external DHCP Server. The MC is attached with Core switch into VLAN105. From the MC we can ping the IP address of the AP and all other network devices. From the console of the AP we can ping the controller and all other network devices. The AP is broadcasting the SSID, but when a client wants to connect to the SSID it doesn't get an IP address from the DHCP server.

    The MC has been configured with VLAN, and every VLAN has been assigned an IP address, default gateway and IP Helper address.

    Below is the AP Boot Log for your reference

     

     

    AG7240: enet unit:0 is up...                            
    RGMii 1000Mbps full duplex                          
    AG7240: done cfg2 0x7215 ifctl 0x0 miictrl                                          
    ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready                                                  
    10.9.250.11 255.255.255.0 10.9.250.1                                    
    Running ADP...Done. Master is 10.202.25.2                                         
    ath_hal: module license 'Proprietary' taints kernel.                                                    
    ath_hal: 0.9.17.1 (AR5416, AR9380, REGOPS_FUNC, PRIVATE_DIAG, WRITE_EEPROM, 11D)                                                                                

    ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
    ath_rate_atheros: Aruba Networks Rate Control Algorithm
    ath_dfs: Version 2.0.0
    Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
    ath_spectrum: Version 2.0.0
    Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
    ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
    ath_pci: 0.9.4.5 (Atheros/multi-bss)
    wifi0: Base BSSID d8:c7:c8:79:3a:40, 16 available BSSID(s)
    bond0 address=d8:c7:c8:cf:93:a4
    br0 address=d8:c7:c8:cf:93:a4
    wifi0: AP type AP-92, radio 0, max_bssids 16
    wifi0: Atheros 9280: mem=0x10000000, irq=48 hw_base=0xb0000000

    Starting FIPS KAT ... Completed FIPS KAT

    shutting down watchdog process (nanny will restart it)...

            <<<<<       Welcome to the Access Point     >>>>>

    ~ # cert_cap=0
    vap aruba000 vlan is 327. not discovering tunnel vlan

     

    Moreover, please do let me know how to start a new thread.. Although it's a stupid question, I don't find the way :-( Sorry for the inconvenience



  • 8.  RE: Migration to a new DHCP server

    EMPLOYEE
    Posted Sep 26, 2012 05:23 AM

    In the Virtual AP for that WLAN on the Mobility Controller, there is a VLAN option.  That VLAN must exist on the Mobility Controller for clients to get an ip address.  All client traffic is tunneled back to the controller and they get ip addresses from a VLAN that is either on a trunk or access port on the controller.

     



  • 9.  RE: Migration to a new DHCP server

    Posted Sep 26, 2012 05:32 AM

    In the Virtual AP for that WLAN on the Mobility Controller, there is a VLAN option.  That VLAN must exist on the Mobility Controller for clients to get an ip address.

    This is already done!!! but still clients are unable to get the IP address. any other advice please



  • 10.  RE: Migration to a new DHCP server

    Posted Sep 26, 2012 05:33 AM

    ~ # cert_cap=0
    vap aruba000 vlan is 327. not discovering tunnel vlan

     

    Please do let me know what this error means??



  • 11.  RE: Migration to a new DHCP server

    EMPLOYEE
    Posted Sep 26, 2012 05:40 AM

    @syedmuradali wrote:

    ~ # cert_cap=0
    vap aruba000 vlan is 327. not discovering tunnel vlan

     

    Please do let me know what this error means??


    That message is cosmetic and can be ignored.

     



  • 12.  RE: Migration to a new DHCP server

    EMPLOYEE
    Posted Sep 26, 2012 05:39 AM

    @syedmuradali wrote:

    In the Virtual AP for that WLAN on the Mobility Controller, there is a VLAN option.  That VLAN must exist on the Mobility Controller for clients to get an ip address.

    This is already done!!! but still clients are unable to get the IP address. any other advice please


    How is that VLAN connected to the controller?  Is it on a trunk?  Is it on an access port?  Can you assign that VLAN to another port on the controller,  plug in a wired device in the port and get an ip address?  If not, the VLAN is not configured correctly.

     

    What is that VLAN number?

    What is the router for that VLAN?

    Is there a helper-address on that VLAN's default gateway that is pointing to the DHCP server?

     



  • 13.  RE: Migration to a new DHCP server

    Posted Sep 26, 2012 06:11 AM

    How is that VLAN connected to the controller?  Is it on a trunk?  Is it on an access port?

    It is trunk Port

     

    Can you assign that VLAN to another port on the controller,  plug in a wired device in the port and get an ip address?  If not, the VLAN is not configured correctly.

    DHCP is running only to that switch with which AP is connected. MC is connected with core switch and doesn't have any DHCP running on it. That is why MC is assigned static IP.  Please refer to diagram attached earlier.

    AP and controller are in different subnets and connected with different switches but can be reached from each other

     

     

    What is that VLAN number?

    VLAN number for which AP is connected is 327 and port is access. VLAN number for which MC is connected is 105 and trunk port. Both AP and MC are connected on different switches.

     

    What is the router for that VLAN?

    router for AP is 10.10.10.1/24

    router for MC is 10.10.20.1x/24

     

    Is there a helper-address on that VLAN's default gateway that is pointing to the DHCP server?

    Yes on AP but No on MC



  • 14.  RE: Migration to a new DHCP server

    EMPLOYEE
    Posted Sep 26, 2012 06:18 AM

    @syedmuradali wrote:

    How is that VLAN connected to the controller?  Is it on a trunk?  Is it on an access port?

    It is trunk Port

     

    Can you assign that VLAN to another port on the controller,  plug in a wired device in the port and get an ip address?  If not, the VLAN is not configured correctly.

    DHCP is running only to that switch with which AP is connected. MC is connected with core switch and doesn't have any DHCP running on it. That is why MC is assigned static IP.  Please refer to diagram attached earlier.

    AP and controller are in different subnets and connected with different switches but can be reached from each other

     

     

    What is that VLAN number?

    VLAN number for which AP is connected is 327 and port is access. VLAN number for which MC is connected is 105 and trunk port. Both AP and MC are connected on different switches.

     

    What is the router for that VLAN?

    router for AP is 10.10.10.1/24

    router for MC is 10.10.20.1x/24

     

    Is there a helper-address on that VLAN's default gateway that is pointing to the DHCP server?

    Yes on AP but No on MC


    Okay.

     

    There are two ways to do this:

     

    In Tunnel mode, the user traffic is tunneled back to the controller and that is where the user would get its ip address.

    In Bridge mode, the user traffic is bridged out the ethernet port of the access point and that is where the user would get its ip address.

     

    Are you saying that you want the user to be able to get an ip address from the port that the access point is on?

     

    If yes, the virtual AP forwarding mode needs to be bridged, and the access point needs to be physically on a trunk port.  VLAN 327 would need to be tagged on that port.  Since your access point is on an access port, make the VLAN 1, INSTEAD OF 327.

     

    [Image: forward.png]



  • 15.  RE: Migration to a new DHCP server

    Posted Sep 26, 2012 07:19 AM

    Thank you for the information. I think you get the point to fault...

     

    There are two ways to do this:

    In Tunnel mode

    In Bridge mode

    We tried both modes but didn't succeed.

     

    Are you saying that you want the user to be able to get an ip address from the port that the access point is on?

    Yes, because in the DHCP server many subnets are defined and each subnet is attached with a specific VLAN. Each VLAN is associated with a building. In other words,

    we have many buildings, each building has a local VLAN, and corresponding different subnets are defined against each VLAN in the DHCP server, so the users of every building get their IP address on the basis of their VLAN. Now we are deploying APs and want the wireless users of that building to get IP addresses from the specific subnet to which the AP is attached.

     

    If yes, the virtual AP forwarding mode needs to be bridged,

    We have done it but it didn't work

     

    the access point needs to be physically on a trunk port

    We didn't try this. Maybe it is the problem, but I am confused about it.. Would it be OK to plug in the AP in an access port?? It doesn't have any issue?

     

     

    One more thing: if the forwarding mode is bridge, please advise how the traffic of wireless users will flow?? I believe Tunnel is a secure way but I am not sure about bridge.

     

     

    Thank you so much for your support and sorry my English is not very good.

     



  • 16.  RE: Migration to a new DHCP server

    EMPLOYEE
    Posted Sep 26, 2012 09:02 AM

    Make the Virtual AP VLAN 1, since your access point is on an access port.  That way the traffic will be sent out of the access point  without being tagged.

     

    Your traffic is secure either in bridge or tunnel mode.

     

    Last but not least, Control Plane Security needs to be enabled to use bridged mode.  I can see from the access point message "cert_cap=0" that control plane security is not on.  Turn it on by going to Configuration > Control Plane Security:

    [Image: control.png]

     

     

     



  • 17.  RE: Migration to a new DHCP server

    Posted Sep 26, 2012 12:10 PM

    Make the Virtual AP VLAN 1, since your access point is on an access port.  That way the traffic will be sent out of the access point  without being tagged

    If the traffic is sent out untagged, then how will DHCP come to know which subnet's IP should be assigned??? I'm confused.

    I shall be thankful to you if you please add me on Skype so that I can clarify the real scenario to you..

    my skype id is smurad.ali

     

    Thank you for your help. So kind of you ...



  • 18.  RE: Migration to a new DHCP server

    EMPLOYEE
    Posted Sep 26, 2012 12:21 PM

    @syedmuradali wrote:

    Make the Virtual AP VLAN 1, since your access point is on an access port.  That way the traffic will be sent out of the access point  without being tagged

    If the traffic is sent out untagged, then how will DHCP come to know which subnet's IP should be assigned??? I'm confused.

    I shall be thankful to you if you please add me on Skype so that I can clarify the real scenario to you..

    my skype id is smurad.ali

     

    Thank you for your help. So kind of you ...



    If the traffic is sent out untagged, then how will DHCP come to know which subnet's IP should be assigned??? I'm confused.

     

    ---  When it sends the traffic out untagged, it simply bridges the traffic to the ethernet port of the AP.  When the traffic is sent out that way, it is identical to if the client is just plugged into the same segment as the AP.  It does not need to know the VLAN.  That is why you can just put VLAN1.  At many different locations, the "VLAN" will be different, but as long as your VLAN is 1, it will just send the user traffic, including DHCP, out to the local physical subnet, where the client will get an ip address.

     



  • 19.  RE: Migration to a new DHCP server

    Posted Sep 26, 2012 12:41 PM

    Thank you Friend... To summarize, whenever I go to the office I will perform the following steps

     

    When Switch port connected with AP is access

    • make VLAN 1 on controller
    • Assign VLAN 1 to Virtual AP
    • Change the forwarding mode to bridge
    • Enable the Control Plane Security, Auto Cert Provision and set Address Allowed for Auto Cert All.

     

    When Switch port connected with AP is Trunk

    • make VLAN 327 on controller
    • Assign VLAN 327 to Virtual AP
    • Assign IP address and IP helper address to the VLAN 327
    • Change the forwarding mode to bridge
    • Enable the Control Plane Security, Auto Cert Provision and set Address Allowed for Auto Cert All.

     



  • 20.  RE: Migration to a new DHCP server

    EMPLOYEE
    Posted Sep 26, 2012 12:45 PM

    @syedmuradali wrote:

    Thank you Friend... To summarize, whenever I go to the office I will perform the following steps

     

    When Switch port connected with AP is access

    • make VLAN 1 on controller
    • Assign VLAN 1 to Virtual AP
    • Change the forwarding mode to bridge
    • Enable the Control Plane Security, Auto Cert Provision and set Address Allowed for Auto Cert All.

     

    When Switch port connected with AP is Trunk

    • make VLAN 327 on controller
    • Assign VLAN 327 to Virtual AP
    • Assign IP address and IP helper address to the VLAN 327
    • Change the forwarding mode to bridge
    • Enable the Control Plane Security, Auto Cert Provision and set Address Allowed for Auto Cert All.

     


     

     

    That is correct.  In the Virtual AP for that WLAN, you can just type in a 1 for the VLAN.  You don't have to create a VLAN1 on the controller.  You can also ignore the second scenario, because it is rare that you will have an AP on a trunk.  Get the first scenario working and we can see if you even need the second scenario.  Enable control plane security first!  All the APs will have to reboot, so having this done in the background is important.



  • 21.  RE: Migration to a new DHCP server

    Posted Sep 26, 2012 01:02 PM

    Thank you so much :-) I hope it will work now, and credit goes to you :-) I'm hopeful and excited now :-)

    Can you please refer me to some documents which explain how to configure WIPS and Firewall, because I have "LIC-PEFNG-64" licenses included in the controller.

     



  • 22.  RE: Migration to a new DHCP server

    Posted Sep 26, 2012 01:03 PM

    Please also advise how to start a new thread.... It's very awkward to ask but I am unable to find that :-( I am new in this community and need your guidance



  • 23.  RE: Migration to a new DHCP server

    EMPLOYEE
    Posted Sep 26, 2012 01:04 PM

    @syedmuradali wrote:

    Please also advise how to start a new thread.... It's very awkward to ask but I am unable to find that :-( I am new in this community and need your guidance


    Go into any Forum that you want to post and click on the "New Message" button.



  • 24.  RE: Migration to a new DHCP server

    EMPLOYEE
    Posted Sep 26, 2012 01:05 PM

    @syedmuradali wrote:

    Thank you so much :-) I hope it will work now, and credit goes to you :-) I'm hopeful and excited now :-)

    Can you please refer me to some documents which explain how to configure WIPS and Firewall, because I have "LIC-PEFNG-64" licenses included in the controller.

     


    We can certainly get into WIPS after you get your network up and running, but the defaults work for most people.

     

     



  • 25.  RE: Migration to a new DHCP server

    Posted Sep 26, 2012 01:12 PM

    OK... I will get back with you once network is UP... Thank you once again...



  • 26.  RE: Migration to a new DHCP server

    Posted Oct 02, 2012 02:29 AM

    We have changed the implementation scenario as our management was not ready to move to bridge mode.

    Now we have installed the MC at the distribution layer ... The distribution switch is configured with the dhcp relay command.. The problem seems to be solved.. but all the clients are on the same VLAN right now... We are working on how to control it.. Anyway, thanks for your support



  • 27.  RE: Migration to a new DHCP server

    EMPLOYEE
    Posted Oct 02, 2012 07:40 AM

    Syed,

     

    Most organizations deploy in that manner.  An ip address is simply something that is used to get traffic to and from a device.  Things are simplified because you know when a device is wireless.



  • 28.  RE: Migration to a new DHCP server

    Posted Oct 02, 2012 01:38 PM

    Joseph,

    You are an amazing guy and a master in Wireless.. I really appreciate your technical skill in wireless technology..

     

    Well, now I am going to implement MAC based authentication with Captive Portal. I have implemented captive portal and it's working fine, but I don't know how to configure MAC based authentication. I shall be very thankful to you if you provide me any guide or advice to implement MAC based authentication. Thanks in advance..

     



  • 29.  RE: Migration to a new DHCP server

    EMPLOYEE
    Posted Oct 02, 2012 01:56 PM

    How would you want it to work?

     



  • 30.  RE: Migration to a new DHCP server

    Posted Oct 02, 2012 11:20 PM

    Sorry, last night I was so sleepy, that is why I typed something foolish... Please accept my apologies...

    We have implemented 2 SSIDs, one for internal users and the other for guests. On the guest SSID I have implemented captive portal and it's working fine. Now on the 2nd SSID I want to implement MAC based authentication. So please advise how to implement MAC based authentication on the employee SSID.



  • 31.  RE: Migration to a new DHCP server

    EMPLOYEE
    Posted Oct 02, 2012 11:24 PM

    Are you using encryption or authentication on the employee SSID?

     



  • 32.  RE: Migration to a new DHCP server

    Posted Oct 02, 2012 11:30 PM

    Yes we are using AES with Shared Secret Key...



  • 33.  RE: Migration to a new DHCP server

    Posted Oct 02, 2012 11:32 PM

    Eventually we will go to 802.1X security, but for now we don't have servers configured, that is why we are temporarily implementing MAC based security with Encryption



  • 34.  RE: Migration to a new DHCP server



  • 35.  RE: Migration to a new DHCP server

    Posted Oct 02, 2012 11:45 PM

     

    Thank you Friend. I will check and implement it, then I will get back to you...