Wireless Access

Hi.  I’m hoping someone can help me with some configuration issues.

I’m attempting to set up an environment with an Aruba Mobility Controller 3400 running AOS 6.3.0.1 with 18 AC-225 WAPs.  I have a Fortigate 600C serving as my firewall/router and a Windows Server as my DHCP server. 

My issue is that I’ve got my mobility controller hooked up to my network and have all of my WAPs on a single VLAN, which connect to the controller.  I’ve got the WAPs connected to the controller on port 1 (on VLAN 700) and have port 2 set up as a trunk line back to the switch (which has a trunk to the router).  Currently, I’ve got an WLAN set to attach clients to VLAN 100.  I can connect to that WLAN, but don’t receive a DHCP address after connecting.  Manually setting an address that is part of VLAN 100 while connected to the WLAN, I can connect to the mobility controller, but can’t reach anything else.

I know there’s probably a simple solution here, but I’m struggling to find it.  Thanks for any help you can offer!

Please run show ip route  and show ip interface brief

show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
Gateway of last resort is 10.0.90.1 to network 0.0.0.0 at cost 10
S*    0.0.0.0/0  [10/0] via 10.0.90.1*
C    10.0.90.0/24 is directly connected, VLAN700
C    10.1.0.0/24 is directly connected, VLAN1
C    10.0.0.0/20 is directly connected, VLAN100
C    10.0.254.0/24 is directly connected, VLAN2000
C    10.0.100.0/22 is directly connected, VLAN1000
C    10.0.120.0/24 is directly connected, VLAN900
C    10.0.50.0/24 is directly connected, VLAN200
C    10.0.60.0/24 is directly connected, VLAN300
C    10.0.80.0/24 is directly connected, VLAN800

show ip interface brief

Interface                   IP Address / IP Netmask        Admin   Protocol
vlan 700                   10.0.90.254 / 255.255.255.0     up      up  
vlan 1                      10.1.0.254 / 255.255.255.0     up      up  
vlan 100                      10.0.0.3 / 255.255.240.0     up      up  
vlan 2000                 10.0.254.254 / 255.255.255.0     up      up  
vlan 1000                 10.0.100.254 / 255.255.252.0     up      up  
vlan 900                  10.0.120.254 / 255.255.255.0     up      up  
vlan 200                   10.0.50.254 / 255.255.255.0     up      up  
vlan 300                   10.0.60.254 / 255.255.255.0     up      up  
vlan 800                   10.0.80.254 / 255.255.255.0     up      up  
loopback                    unassigned / unassigned        up      up  
mgmt                        unassigned / unassigned        down    down

1- What you need to do is create a trunk and add all the VLANs to the same trunk ?

2- Is this your uplink switch 10.0.90.1 ? You may have to change the default gateway if your internal routing doesn't allow you to reach VLAN 100 through VLAN 700 ? right now all your traffic is going through that.

3- Do you have an IP Helper address configured on the Layer 3 VLAN 100 on the uplink side of things? What are you using HSRP or VRRP ?

1. Trunk set up is below, I'm using GE1/2 for the trunk currently.

show trunk

Trunk Port Table
-----------------
Port Vlans Allowed Vlans Active Native Vlan
---- ------------- ------------ -----------
GE1/2 ALL 1,100,200,300,700,800,900,1000,2000 700
GE1/3 ALL 1,100,200,300,700,800,900,1000,2000 700

2. For VLAN 700, the gateway is 10.0.90.1.  Internal routing allows VLAN 700 to talk to VLAN 100.

3. I do have IP Relay set on the Layer 3 device for VLAN 100.  I'm not sure if it is HSRP or VRRP.

Thanks for your assistance so far!

Did you created a port-channel ? Because I see you have two trunks ? if you don't have a port-channel configuration this could a potential issue .

I did not create a port-channel.  I was not using more than one trunk at a time.  Had tried them on different native VLANs (one at a time, not simultaneously).  I've disabled one of the trunks now, and still have the same issues.

Please do a traceroute from the controller to the VLAN 100 Layer 3 on the uplink side

Can you also try to ping it

Make sure that the native VLAN matches on both sides

I can't ping or get a traceroute through to the other side of the L3 device.  

Currently, my trunk connection from the mobility controller goes into a port with the same native VLAN on one of the switches (Aruba S2500) which has its own trunk port to the L3 device.  I realize this is probably where the problem lies.

If so, and I use the following layout, am I still going to be able to properly handle my wired traffic from my switches:

VLANS (Wired switches and Wireless WAPs)  --->  Mobility Controller ----> L3 device?

Thanks.

Correct - it's a stack of 8 S2500s which all provide level 2 switching.

Victor,

Thanks for taking a look.  I ended up getting it to work by taking a trunk line (native VLAN 700) from the switch stack into a trunk port on the 3400 and used a second trunk port (native VLAN 700) on the 3400 to connect to a port on the L3 device, and I'm now getting both DHCP access and access to the internet.

Thanks again for your help.