Wireless Access


Point-to-Point mesh not bridging traffic to the ethernet port

  • 1.  Point-to-Point mesh not bridging traffic to the ethernet port

    Posted Sep 10, 2020 08:19 AM

    Hello,

    I've followed this guide https://community.arubanetworks.com/t5/Wireless-Access/Howto-Point-to-Point-Mesh-on-AOS-8-5/td-p/543621 to configure a point-to-point mesh and I'm having trouble passing traffic to the Mesh point ethernet port. On the Mesh point, the SSIDs are correctly mapped to the right VLANs, but on the ethernet port I'm unable to see IP traffic.

    I'm attaching an image with the setup. Tests performed:

    1. SSIDs on the MESH POINT are correct and provide the correct VLAN.
    2. None of the access ports of the switch connected to the MESH POINT using VLANs 10, 20 or 30 reach their GW.
    3. When connecting my PC to the ethernet port on MESH POINT, and setting a VLAN 10 IP, I cannot ping the MESH POINT or MESH Portal AP, but if I capture packets on it, I can see LLDP packets from Switch Brand A, but no LLDP packets from MESH PORTAL. I cannot ping the VLAN 10 gateway.

    Seeing LLDP packets from the Switch Brand A on the MESH POINT ethernet port means traffic is being forwarded, but I cannot understand why I cannot ping any of "my" VLAN neighbors (MESH POINT, MESH PORTAL or VLAN 10 Gateway) or why clients on the other VLANs cannot discover the DHCP server.

    MESH ISSUE.png

    What can I check? All ideas are welcomed. Thanks!

    Regards



  • 2.  RE: Point-to-Point mesh not bridging traffic to the ethernet port

    EMPLOYEE
    Posted Sep 11, 2020 07:19 AM

    The Wired AP profile, is that only applied to the mesh point AP?

    What is the uplink port on the portal? I see it only has untagged VLAN 10, which might mean that you need to use VLAN1 on the mesh point to make it work as the VLAN10 on your portal is 'untagged' seen from the portal perspective.

     

    To simplify: Do you have VLANs 10,20 and 30 on your controller? If so, can you change the forward mode to tunneled on the mesh point? As the wireless clients probably are similar to that. If you bridge the traffic, the VLANs 20 and 30 should also be tagged on the port to the mesh portal; but I would change the wired AP to tunneled, similar to your wireless to avoid issues and concentrate your break-out for the client VLANs to only your controller.



  • 3.  RE: Point-to-Point mesh not bridging traffic to the ethernet port

    Posted Sep 11, 2020 08:07 AM

    Hello Herman, many thanks for your help.

    Responding to your questions:

    "The Wired AP profile, is that only applied to the mesh point AP?" The wired AP profile is applied to all the mesh cluster, so it is applied to both the Mesh Portal and the Mesh Point.

    "What is the uplink port on the portal?" I'm using Eth0 on both Mesh Point and Mesh Portal, which I understand is the only RJ45 port available in this AP model.

    "I see it only has untagged VLAN 10, which might mean that you need to use VLAN1 on the mesh point to make it work as the VLAN10 on your portal is 'untagged' seen from the portal perspective" Mmmmm, I don't quite understand that. What's the need of using two untagged VLANs? I'm using the untagged VLAN as management for the APs, and the tagged VLANs for the corporate traffic.

    Anyway, since I'm using the only RJ45 port on each AP, I think I cannot have a different Wired AP profile as they both are in the same MESH Cluster, am I wrong?

    "To simplify: Do you have VLANs 10,20 and 30 on your controller?" Yes, I have all the required VLANs on the controller.

    "If so, can you change the forward mode to tunneled on the mesh point?" If I do that I'll change the wired port on both the MESH POINT and MESH PORTAL. Will the switch ports on both sides "understand" the tunneled traffic? My apologies, but this got a bit confusing for me right now. I thought after the traffic is being forwarded wirelessly from the MESH PORTAL to the MESH POINT and keeping the 802.1Q tags, once in the MESH POINT, if I bridge it to the Ethernet port, it would keep the tags, so on a trunk port, the traffic would keep all the required tags.

    Anyway, I'll try your suggestion:

    MESH ISSUE TUNNEL.png

    Thanks and regards



  • 4.  RE: Point-to-Point mesh not bridging traffic to the ethernet port

    EMPLOYEE
    Posted Sep 11, 2020 08:53 AM

    You can have different wired AP profiles on the mesh portal and mesh point, and I would highly recommend that...

    The Wired AP is configured on the AP group, as well as the mesh cluster(s) your APs are associated with.

    I have a separate AP group for the mesh portals, and two additional for two different types of mesh points. If you assign all to the same mesh cluster, they will work to mesh together, but you still have full control over all other properties. For example, I don't broadcast my guest SSID on the mesh points as their main purpose is to deliver wired connectivity.

    You don't want to have Wired AP enabled on your mesh portal uplink port for example...

    Note for other readers: The above is for controller based. With Instant, you might need to take another approach.



  • 5.  RE: Point-to-Point mesh not bridging traffic to the ethernet port

    Posted Sep 11, 2020 09:07 AM

    Thank you Herman

    That's a very smart approach. I definitely had a misconception on how the Mesh cluster works. I never thought that two AP groups could have the same Mesh cluster. I'm definitely going to re-configure the AP groups this way.

    So, to clarify, once I have two separate AP groups for Portal and Point, on the portal I'll disable the Wired AP, and on the Mesh Portal, should I keep it in bridge forwarding mode, or tunneled? What about the VLANs, was my approach correct, or should I set the native VLAN as 1 on the Mesh portal?

    Regards



  • 6.  RE: Point-to-Point mesh not bridging traffic to the ethernet port

    Posted Sep 21, 2020 06:30 AM

    Hi,

    Haven't checked it yet, sorry. I'll update it as soon as I can test it.

    Regards



  • 7.  RE: Point-to-Point mesh not bridging traffic to the ethernet port

    Posted Sep 22, 2020 04:50 AM

    Hi,

    As per your advice, I've set up 2 AP groups both containing the same Mesh Cluster. On the Mesh Portal the wired AP is disabled, and on the Mesh Point I'm using a different Wired AP profile, which is enabled as per previous attached image.

    When I'm connected directly to the Mesh Point I can ping the Mesh Point, the Mesh Portal and the Gateway, but when I connect the Mesh point to the switch, I have no access to any of the VLANs.

    Any advice?

    Regards



  • 8.  RE: Point-to-Point mesh not bridging traffic to the ethernet port
    Best Answer

    EMPLOYEE
    Posted Sep 22, 2020 04:56 AM

    You have changed the wired AP profile to Tunneled?

    How do you test if you have access to the other VLANs?

    From what I can see, most of the configuration looks good, but there are many things that cannot be seen just from the screenshot.

    This is hard to troubleshoot in this way and having a 'live' look at it will probably lead to much faster results. Can you work with your partner or Aruba Support to schedule a live troubleshooting session?



  • 9.  RE: Point-to-Point mesh not bridging traffic to the ethernet port

    Posted Sep 22, 2020 06:36 AM

    Was that! I configured the Wired AP, but I forgot to set it as tunneled. Thank you!!

    EDIT:

    Btw, responding to this: "How do you test if you have access to the other VLANs?"

    I always carry a small manageable 5 port switch in case I have to port mirror and capture packets or for verifying several VLANs, configuring each port with an untagged VLAN and the uplink as a trunk.
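
The layout the thread converges on, sketched as ArubaOS controller CLI: two AP groups sharing one mesh cluster, wired AP disabled on the portal, and the mesh point's Eth0 in tunnel forwarding mode. This is an added example, not configuration posted by the participants. Profile and group names are hypothetical, and the trunk settings on the mesh point port are an assumption based on the VLANs 10, 20 and 30 described in the thread.

```text
! Added example (not from the thread). All profile and group names
! are hypothetical; VLANs 10/20/30 are the ones named in the thread.
!
! Mesh portal: Eth0 is the uplink into the wired network, so it
! must not behave as a wired AP port.
ap wired-ap-profile "portal-wired"
    no wired-ap-enable
!
ap wired-port-profile "portal-eth0"
    wired-ap-profile "portal-wired"
!
! Mesh point: Eth0 feeds the remote switch. Tunnel mode hands the
! wired traffic to the controller, the same break-out point as the
! wireless clients. Trunk with native VLAN 10 is an assumption.
ap wired-ap-profile "point-wired"
    wired-ap-enable
    forward-mode tunnel
    switchport mode trunk
    switchport trunk native vlan 10
    switchport trunk allowed vlan 10,20,30
!
ap wired-port-profile "point-eth0"
    wired-ap-profile "point-wired"
!
! Two AP groups, one shared mesh cluster profile.
ap-group "mesh-portals"
    enet0-port-profile "portal-eth0"
    mesh-cluster-profile "p2p-cluster" priority 1
!
ap-group "mesh-points"
    enet0-port-profile "point-eth0"
    mesh-cluster-profile "p2p-cluster" priority 1
```

With tunnel mode, VLANs 10, 20 and 30 need to exist on the controller, which the original poster confirmed earlier in the thread.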