Odd issue with clients behind a wireless bridge.
12-07-2017 05:46 AM - edited 12-07-2017 06:21 AM
Here's the scenario - we've got equipment vending machines in our factories that need to move around a lot, but they only have ethernet ports, so we've connected them to wifi bridges. The bridges connect back to a WPA2 SSID that's also doing MAC auth to Clearpass to do some simple role derivation. The bridges go into a role called 'vending' which specifies VLAN 50 and has a simple guest-like policy of block-internal-networks and allowall. VLAN 50 is 192.168.2.1/24, source NAT inside, and DHCP is served from the local controller.
In a bubble that works perfectly. The vending machines behind the bridges get an IP, ping the gateway, and access the internet. But if any other role is also using VLAN50 things go sideways and I haven't been able to figure out why. In our config we use this same VLAN for a few different roles that have similar needs.
The bridge gets an IP and seems to work as expected. The vending machine usually gets an IP but can't ping the gateway or get to the internet. It can ping other clients in the same VLAN. Occasionally the vending machine seems to have trouble getting a lease.
If I create a new VLAN/DHCP scope with another subnet and assign it to the vending role, everything works fine.
I'd just run separate VLANs and call it a day, but we have at least one 6xx controller that doesn't support multiple /24 DHCP scopes.
Any ideas what I'm missing?
EDIT: I can reproduce this across controllers at multiple sites, and broadcast/multicast filtering options are disabled in the VAP. ArubaOS 188.8.131.52.
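A triage helper for the symptom described in the post above (a host behind the bridge holds a lease but cannot reach the gateway while other roles share the VLAN). This is an added example, not code from the original post or from Aruba: it cross-checks a DHCP lease table against the controller's user table per VLAN and reports which VLANs carry more than one role, which leased MACs have no user entry at all, which MACs have a user-table IP that differs from their lease, and which leases fall outside the VLAN's scope. The lease and user-table record formats, the MAC addresses, the role name `contractor` and the function names are all assumptions; the records are constructed for illustration and are not ArubaOS `show` output, so adapt the two parsers to whatever tables you export.

```python
"""Per-VLAN correlation of DHCP leases against a controller user table.

Added example for the bridged-client question above; not code from the
original post or from Aruba. Record formats are constructed (assumed) and
are not real ArubaOS output.
"""
import ipaddress
from collections import defaultdict

# Constructed lease records: <ip> <mac> <vlan>
LEASES_TEXT = """\
192.168.2.10 00:11:22:33:44:01 50
192.168.2.11 00:11:22:33:44:02 50
192.168.2.20 aa:bb:cc:00:00:10 50
192.168.2.21 aa:bb:cc:00:00:11 50
"""

# Constructed user-table records: <ip> <mac> <role> <vlan>
# 00:11:22:33:44:01 stands in for the bridge (role vending); 00:11:22:33:44:02
# stands in for the wired host behind it, which in this sample holds a lease
# but has no user-table entry. 'contractor' is an assumed second role on VLAN 50.
USERS_TEXT = """\
192.168.2.10 00:11:22:33:44:01 vending 50
192.168.2.20 aa:bb:cc:00:00:10 contractor 50
192.168.2.21 aa:bb:cc:00:00:11 contractor 50
"""


def parse_leases(text):
    """Return [(ip, mac, vlan)] from the constructed lease format."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, vlan = line.split()
        out.append((ipaddress.ip_address(ip), mac.lower(), int(vlan)))
    return out


def parse_users(text):
    """Return [(ip, mac, role, vlan)] from the constructed user-table format."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, role, vlan = line.split()
        out.append((ipaddress.ip_address(ip), mac.lower(), role, int(vlan)))
    return out


def audit(leases, users, scopes):
    """Cross-check leases against user entries.

    scopes maps vlan -> ip_network of the DHCP scope served on that VLAN.
    Returns a dict with:
      roles_per_vlan : vlan -> set of roles seen on it
      shared_vlans   : VLANs carrying more than one role
      lease_no_user  : leases whose MAC has no user-table entry at all
      ip_mismatch    : MACs whose user-table IP(s) differ from the lease IP
      out_of_scope   : leases outside the scope configured for their VLAN
    """
    user_by_mac = defaultdict(list)
    roles_per_vlan = defaultdict(set)
    for ip, mac, role, vlan in users:
        user_by_mac[mac].append((ip, role, vlan))
        roles_per_vlan[vlan].add(role)

    lease_no_user, ip_mismatch, out_of_scope = [], [], []
    for ip, mac, vlan in leases:
        if mac not in user_by_mac:
            lease_no_user.append((mac, str(ip), vlan))
        elif all(uip != ip for uip, _, _ in user_by_mac[mac]):
            ip_mismatch.append((mac, str(ip), [str(u[0]) for u in user_by_mac[mac]]))
        if vlan in scopes and ip not in scopes[vlan]:
            out_of_scope.append((mac, str(ip), vlan))

    return {
        "roles_per_vlan": dict(roles_per_vlan),
        "shared_vlans": sorted(v for v, r in roles_per_vlan.items() if len(r) > 1),
        "lease_no_user": lease_no_user,
        "ip_mismatch": ip_mismatch,
        "out_of_scope": out_of_scope,
    }


def run_sample():
    """Run the audit over the constructed sample for VLAN 50 (192.168.2.0/24)."""
    scopes = {50: ipaddress.ip_network("192.168.2.0/24")}
    return audit(parse_leases(LEASES_TEXT), parse_users(USERS_TEXT), scopes)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the constructed sample the audit reports VLAN 50 as shared by two roles and lists the host behind the bridge as a lease with no user entry; on real exports the interesting cases are the `lease_no_user` and `ip_mismatch` lists, since a host the controller has handed an address to but does not track as a user is exactly the kind of client whose traffic is worth inspecting before changing the role or VLAN design.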