Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP - Bridge mode with network DHCP

  • 1.  RAP - Bridge mode with network DHCP

    Posted Aug 15, 2019 05:20 PM

    Hey guys, I'm trying to get a RAP working with a PSK SSID running bridge mode, using my network DHCP. It is working fine with Tunnel mode. AOS 8.5.0.1

    When I have my SSID set to bridge mode and I use a VLAN ID that matches my Native VLAN, I get an IP address but all my traffic is blocked.

    For my rules, I am using the following:

    any any svc-dhcp permit

    local-subnet local-subnet permit (including default gw IP)

    any any route source nat (as indicated by config guides/VRD).


    I am unable to ping even the default gateway. Any ideas what I could be missing? Also, everywhere I checked indicates to use the final source nat rule, but why do I need it if I am using a local network address? Seems like the last rule should just be any any permit.


    I can see the user on the controller (show user-table) and see the correct role and bridge mode.


    The uplink (ethernet 0) port does not have wired ap on, but is set to trusted. Should I enable wired ap?


    Thanks!

    RK




  • 2.  RE: RAP - Bridge mode with network DHCP

    EMPLOYEE
    Posted Aug 15, 2019 06:15 PM

    You should just be able to use "any any any permit" and have all the traffic pass


    You do not need "src-nat" if the VLAN exists on the LAN.  You would only need src-nat if the VLAN only exists within the AP and you are source-natting traffic out of the ip address of the AP.



  • 3.  RE: RAP - Bridge mode with network DHCP

    Posted Aug 15, 2019 07:59 PM
    Thanks for the quick reply!

    Tried using any any permit, no luck. Everything should be untagged (using vlan 1), so I’m not sure what is going on. Might have to wireshark this. The fact that I do get an IP but nothing else is what is driving me crazy...

    Anything I could be missing? Don’t think I need to change the ethernet port profile...


  • 4.  RE: RAP - Bridge mode with network DHCP

    EMPLOYEE
    Posted Aug 15, 2019 10:25 PM
    You should type "show datapath ap-name <name of AP>" to see if traffic is being denied.


  • 5.  RE: RAP - Bridge mode with network DHCP

    Posted Aug 16, 2019 08:50 AM

    Ok. Checked the datapath session and traffic is being denied, but I can't figure out why! Ideas?


    (CTL-ARUBA-2) #show datapath session ap-name ap2516

    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           u - Upstream Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop, h - High Value
           A - Application Firewall Inspect
           B - Permanent, O - Openflow
           L - Log

    AP Flags: 1 - Class 1, 2 - Class 2, 3 - Class 3, w - In hardware

    Source IP or MAC  Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags           AP Flags        CPU ID
    ----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- --------------- -------
    (CTL-ARUBA-2) #show datapath session ap-name ap2516 | include .50
    172.20.0.50       8.8.8.8         17   60655 53    0        0    0   0   dev19       2400 --         --         FDYCA                           0
    172.20.0.62       201.54.48.50    17   51757 4500  0        0    0   0   local       81f  --         --         FC                              0
    172.20.0.50       8.8.8.8         17   52649 53    0        0    0   0   dev19       700  --         --         FDYCA                           0
    172.20.0.50       171.20.0.254    1    33    2048  0        0    0   0   dev19       1200 --         --         FDYCA                           0
    172.20.0.50       171.20.0.254    1    32    2048  0        0    0   0   dev19       1700 --         --         FDYCA                           0
    172.20.0.50       171.20.0.254    1    35    2048  0        0    0   0   dev19       800  --         --         FDYCA                           0
    172.20.0.50       171.20.0.254    1    34    2048  0        0    0   0   dev19       d00  --         --         FDYCA                           0
    172.20.0.50       171.20.0.254    1    36    2048  0        0    0   0   dev19       300  --         --         FDYCA                           0
    201.54.48.50      172.20.0.62     17   4500  51757 0        0    0   0   local       91f  --         --         F                               0
    172.20.0.50       192.168.96.1    1    0     2048  0        0    0   0   dev19       4400 --         --         FDYCA                           0

    (CTL-ARUBA-2) #show user-table | include 97:05
    fe80::1c22:ade1:f018:eb49  14:99:e2:bf:97:05                             local-inicial    00:00:15                                                                          AP2516   Associated(Remote)  SF-Local/9c:8c:d8:4d:0b:53/a-HT         AAA-Local               bridge                                                                                WIRELESS

    (CTL-ARUBA-2) #show rights local-inicial

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'local-inicial'
    Up BW:No Limit   Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 2
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    IP-Classification Enforcement: Enabled
    ACL Number = 217/0
    Openflow: Enabled
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name  Type
    ----  ----

    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------

    access-list List
    ----------------
    Position  Name                      Type     Location
    --------  ----                      ----     --------
    1         global-sacl               session
    2         apprf-local-inicial-sacl  session
    3         local-inicial             session

    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------

    apprf-local-inicial-sacl
    ------------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------

    local-inicial
    -------------
    Priority  Source                    Destination               Service   Application  Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror            DisScan  IPv4/6  Contract
    --------  ------                    -----------               -------   -----------  ------         ---------  ---  -------  -----  ---  -----  ---------  ------            -------  ------  --------
    1         any                       any                       svc-dhcp               permit                                  Low                                                      4
    2         172.20.0.0 255.255.255.0  172.20.0.0 255.255.255.0  any                    permit                                  Low                                                      4
    3         user                      any                       any                    route src-nat                           Low                                                      4

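    As an added example (not part of this thread): a small Python parser over the datapath rows quoted above that picks out the client's sessions carrying the D (deny) flag and tallies them per destination, so the blocked DNS and ICMP attempts stand out at a glance. It assumes the AP Flags column is blank, as in this output, so the flags string is the second-to-last token on each row.

```python
"""Pick denied client sessions out of ArubaOS 'show datapath session' output."""
from collections import Counter

# Rows copied from the thread's 'show datapath session ap-name ap2516 | include .50'.
SAMPLE_OUTPUT = """\
172.20.0.50       8.8.8.8         17   60655 53    0        0    0   0   dev19       2400 --         --         FDYCA                           0
172.20.0.62       201.54.48.50    17   51757 4500  0        0    0   0   local       81f  --         --         FC                              0
172.20.0.50       8.8.8.8         17   52649 53    0        0    0   0   dev19       700  --         --         FDYCA                           0
172.20.0.50       171.20.0.254    1    33    2048  0        0    0   0   dev19       1200 --         --         FDYCA                           0
172.20.0.50       171.20.0.254    1    32    2048  0        0    0   0   dev19       1700 --         --         FDYCA                           0
172.20.0.50       171.20.0.254    1    35    2048  0        0    0   0   dev19       800  --         --         FDYCA                           0
172.20.0.50       171.20.0.254    1    34    2048  0        0    0   0   dev19       d00  --         --         FDYCA                           0
172.20.0.50       171.20.0.254    1    36    2048  0        0    0   0   dev19       300  --         --         FDYCA                           0
201.54.48.50      172.20.0.62     17   4500  51757 0        0    0   0   local       91f  --         --         F                               0
172.20.0.50       192.168.96.1    1    0     2048  0        0    0   0   dev19       4400 --         --         FDYCA                           0
"""

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_sessions(text):
    """Split each session row into a dict; header, separator and prompt
    lines are skipped. Assumption: the AP Flags column is empty, so the
    Flags string is the second-to-last whitespace-separated token."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 15 or not t[2].isdigit():
            continue
        rows.append({"src": t[0], "dst": t[1], "proto": PROTO.get(int(t[2]), t[2]),
                     "sport": t[3], "dport": t[4], "dest_if": t[9], "flags": t[-2]})
    return rows


def denied_for(text, client_ip):
    """Sessions sourced by client_ip whose flag string carries D (deny)."""
    return [r for r in parse_sessions(text) if r["src"] == client_ip and "D" in r["flags"]]


def denied_summary(text, client_ip):
    """Tally denied sessions per (proto, destination, dport)."""
    return Counter((r["proto"], r["dst"], r["dport"]) for r in denied_for(text, client_ip))


if __name__ == "__main__":
    for key, n in denied_summary(SAMPLE_OUTPUT, "172.20.0.50").most_common():
        print(f"{n:3d} denied  {key[0]:4s} -> {key[1]}:{key[2]}")
```

The RAP's own IPsec session (172.20.0.62, UDP 4500 to the controller) shows up without a D flag, which is the quick way to separate the tunnel being healthy from the bridged client being dropped.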


  • 6.  RE: RAP - Bridge mode with network DHCP

    EMPLOYEE
    Posted Aug 16, 2019 08:55 AM

    EDIT: Please just use permit, instead of route src-nat.  That might not be your issue, but you should just allow all.  See if you can ping devices in the subnet 172.20.0.0 255.255.255.0 since that is being allowed.


    Okay, I see from the datapath session table, you are trying to ping and it is not working.  Check to see if you have an ap-uplink-acl configured in your ap system profile:

    [Screenshot from the original post (2019-08-16) showing the AP system profile; not reproduced here.]

     

    If you do, make sure that ap-uplink-acl is configured to "allowall"



  • 7.  RE: RAP - Bridge mode with network DHCP
    Best Answer

    Posted Aug 16, 2019 11:08 AM

    Ok, found the issue! We noticed that the IPv4 address was not being added to the firewall table, only IPv6. Turns out the validuseracl was previously edited to allow only the corp subnet ranges, so what was actually happening is that the user was not being included in the tables at all! So all his traffic was being blocked.


    anyways, thanks for all the help!


    sincerely,

    RK