Wireless Access

Contributor I

RAP - Bridge mode with network DHCP

Hey guys, I'm trying to get a RAP working with a PSK SSID running bridge mode, using my network DHCP. It is working fine with tunnel mode. AOS 8.5.0.1.

When I have my SSID set to bridge mode and I use a VLAN ID that matches my Native VLAN, I get an IP address but all my traffic is blocked.

For my rules, I am using the following:

any any svc-dhcp permit

local-subnet local-subnet permit (including default gw IP)

any any route source nat (as indicated by config guides/VRD).


I am unable to ping even the default gateway. Any ideas what I could be missing? Also, everywhere I checked indicates to use the final source nat rule, but why do I need it if I am using a local network address? Seems like the last rule should just be any any permit.


I can see the user on the controller (show user-table) and see the correct role and bridge mode.


The uplink (ethernet 0) port does not have wired ap on, but is set to trusted. Should I enable wired ap?


Thanks!

RK


Guru Elite

Re: RAP - Bridge mode with network DHCP

You should just be able to use "any any any permit" and have all the traffic pass.


You do not need "src-nat" if the VLAN exists on the LAN.  You would only need src-nat if the VLAN only exists within the AP and you are source-natting traffic out of the ip address of the AP.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Contributor I

Re: RAP - Bridge mode with network DHCP

Thanks for the quick reply!

Tried using any any permit, no luck. Everything should be untagged (using vlan 1), so I’m not sure what is going on. Might have to wireshark this. The fact that I do get an IP but nothing else is what is driving me crazy...

Anything I could be missing? Don’t think I need to change the ethernet port profile...
Guru Elite

Re: RAP - Bridge mode with network DHCP

You should type "show datapath ap-name <name of AP>" to see if traffic is being denied.

Contributor I

Re: RAP - Bridge mode with network DHCP

Ok. Checked the datapath session and traffic is being denied, but I can't figure out why! Ideas?

 

(CTL-ARUBA-2) #show datapath session ap-name ap2516

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       u - Upstream Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop, h - High Value
       A - Application Firewall Inspect
       B - Permanent, O - Openflow
       L - Log

AP Flags: 1 - Class 1, 2 - Class 2, 3 - Class 3, w - In hardware

Source IP or MAC  Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags           AP Flags        CPU ID
----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- --------------- -------

(CTL-ARUBA-2) #show datapath session ap-name ap2516 | include .50
172.20.0.50       8.8.8.8         17   60655 53    0        0    0   0   dev19       2400 --         --         FDYCA                           0
172.20.0.62       201.54.48.50    17   51757 4500  0        0    0   0   local       81f  --         --         FC                              0
172.20.0.50       8.8.8.8         17   52649 53    0        0    0   0   dev19       700  --         --         FDYCA                           0
172.20.0.50       171.20.0.254    1    33    2048  0        0    0   0   dev19       1200 --         --         FDYCA                           0
172.20.0.50       171.20.0.254    1    32    2048  0        0    0   0   dev19       1700 --         --         FDYCA                           0
172.20.0.50       171.20.0.254    1    35    2048  0        0    0   0   dev19       800  --         --         FDYCA                           0
172.20.0.50       171.20.0.254    1    34    2048  0        0    0   0   dev19       d00  --         --         FDYCA                           0
172.20.0.50       171.20.0.254    1    36    2048  0        0    0   0   dev19       300  --         --         FDYCA                           0
201.54.48.50      172.20.0.62     17   4500  51757 0        0    0   0   local       91f  --         --         F                               0
172.20.0.50       192.168.96.1    1    0     2048  0        0    0   0   dev19       4400 --         --         FDYCA                           0

(CTL-ARUBA-2) #show user-table | include 97:05
fe80::1c22:ade1:f018:eb49  14:99:e2:bf:97:05                             local-inicial    00:00:15                                                                          AP2516   Associated(Remote)  SF-Local/9c:8c:d8:4d:0b:53/a-HT         AAA-Local               bridge                                                                                WIRELESS

(CTL-ARUBA-2) #show rights local-inicial

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'local-inicial'
Up BW:No Limit   Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 2
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 217/0
Openflow: Enabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                      Type     Location
--------  ----                      ----     --------
1         global-sacl               session
2         apprf-local-inicial-sacl  session
3         local-inicial             session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------

apprf-local-inicial-sacl
------------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  ------  --------

local-inicial
-------------
Priority  Source                    Destination               Service   Application  Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror            DisScan  IPv4/6  Contract
--------  ------                    -----------               -------   -----------  ------         ---------  ---  -------  -----  ---  -----  ---------  ------            -------  ------  --------
1         any                       any                       svc-dhcp               permit                                  Low                                                      4
2         172.20.0.0 255.255.255.0  172.20.0.0 255.255.255.0  any                    permit                                  Low                                                      4
3         user                      any                       any                    route src-nat                           Low                                                      4
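A small triage script for the two outputs posted above, added here as an example; it is not code from the thread or from Aruba. It parses `show datapath session ap-name <ap>` rows, decodes the flag letters from the legend, counts sessions per source IP that carry the D (deny) flag, and cross-checks `show user-table` for a client MAC that only has IPv6 entries (the symptom that turned out to matter later in the thread). The sample text inside the script is constructed to mirror the posted output (client 172.20.0.50 on AP ap2516); 172.20.0.254 as the default gateway is an assumption, and the function names are this example's own.

```python
"""Triage helper for 'show datapath session ap-name <ap>' and 'show user-table'.

Added example, not code from the forum thread or from Aruba. The sample output
below is constructed to mirror the thread; 172.20.0.254 is an assumed gateway.
"""
import re
from collections import defaultdict

# Subset of the flag legend printed by 'show datapath session'
FLAG_MEANING = {
    "F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny",
    "R": "redirect", "Y": "no syn", "C": "client",
    "A": "application firewall inspect",
}

# One IPv4 session row: src dst proto sport dport cntr prio tos age dest tage packets bytes flags
SESSION_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>\d+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"\d+\s+\d+\s+\d+\s+\d+\s+"                    # Cntr Prio ToS Age (unused here)
    r"(?P<dest>\S+)\s+[0-9a-f]+\s+\S+\s+\S+\s+"    # Destination TAge Packets Bytes
    r"(?P<flags>[A-Za-z]*)"
)

# One user-table row: IP MAC Role ... (the Name column is empty in the thread's output)
USER_RE = re.compile(
    r"^(?P<ip>[0-9a-fA-F:.]+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<role>\S+)"
)

# Constructed sample (mirrors the thread; 172.20.0.254 is the assumed gateway)
SAMPLE_SESSIONS = """\
(CTL-ARUBA-2) #show datapath session ap-name ap2516 | include .50
172.20.0.50       8.8.8.8         17   60655 53    0        0    0   0   dev19       2400 --         --         FDYCA                           0
172.20.0.62       201.54.48.50    17   51757 4500  0        0    0   0   local       81f  --         --         FC                              0
172.20.0.50       172.20.0.254    1    33    2048  0        0    0   0   dev19       1200 --         --         FDYCA                           0
201.54.48.50      172.20.0.62     17   4500  51757 0        0    0   0   local       91f  --         --         F                               0
"""

SAMPLE_USERS = """\
(CTL-ARUBA-2) #show user-table | include 97:05
fe80::1c22:ade1:f018:eb49  14:99:e2:bf:97:05   local-inicial  00:00:15   AP2516  Associated(Remote)  bridge  WIRELESS
"""


def parse_sessions(text):
    """Return one dict per IPv4 session row; 'denied' is True when the D flag is set."""
    flows = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["denied"] = "D" in row["flags"]
            row["flag_text"] = [FLAG_MEANING.get(c, c) for c in row["flags"]]
            flows.append(row)
    return flows


def denied_by_source(flows):
    """Map source IP -> (denied_sessions, total_sessions)."""
    stats = defaultdict(lambda: [0, 0])
    for f in flows:
        stats[f["src"]][1] += 1
        if f["denied"]:
            stats[f["src"]][0] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


def users_without_ipv4(text):
    """MACs that appear in the user table with IPv6 entries only."""
    families = defaultdict(set)
    for line in text.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            families[m["mac"]].add("v4" if "." in m["ip"] else "v6")
    return sorted(mac for mac, fams in families.items() if "v4" not in fams)


def diagnose(session_text, user_text):
    """Findings a practitioner would raise from the two outputs."""
    findings = []
    for ip, (denied, total) in sorted(denied_by_source(parse_sessions(session_text)).items()):
        if denied and denied == total:
            findings.append(f"{ip}: all {total} sessions carry the D (deny) flag")
    for mac in users_without_ipv4(user_text):
        findings.append(f"{mac}: only IPv6 entries in user-table; no IPv4 user entry, "
                        "so IPv4 traffic reaches the firewall without a role (check the validuser ACL)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SESSIONS, SAMPLE_USERS):
        print(finding)
```

Paste real controller output into the two sample strings and the script reports which source IPs are denied on every session and which client MACs never got an IPv4 entry; the ICMP rows use protocol 1 with the ICMP type in the DPort column, so "2048" is echo request, as in the thread.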


Guru Elite

Re: RAP - Bridge mode with network DHCP

EDIT: Please just use permit instead of route src-nat. That might not be your issue, but you should just allow all. See if you can ping devices in the subnet 172.20.0.0 255.255.255.0, since that is being allowed.

Okay, I see from the datapath session table, you are trying to ping and it is not working.  Check to see if you have an ap-uplink-acl configured in your ap system profile:

[screenshot: Screenshot 2019-08-16 at 07.58.15.png]

If you do, make sure that ap-uplink-acl is configured to "allowall".


Contributor I

Re: RAP - Bridge mode with network DHCP

Ok, found the issue! We noticed that the IPv4 address was not being added to the firewall table, only IPv6. Turns out the validuser ACL was previously edited to allow only the corp subnet ranges, so what was actually happening is that the user was not being included in the tables at all! So all his traffic was being blocked.


Anyways, thanks for all the help!

Sincerely,

RK
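To make the root cause and the earlier advice concrete, here is an added example (not code from the thread or from Aruba) that simulates first-match session ACL evaluation for this client. It models two things the thread settled on: the validuser ACL must permit the client's source address or the controller never creates a user entry and the role ACL is never consulted, and the role ACL for a bridged VLAN that exists on the LAN ends in a plain `user any any permit` rather than `route src-nat`. The rule dict layout, the function names, the corp-only validuser ACL (10.0.0.0/8 and 192.168.0.0/16) and the "fixed" validuser ACL are this example's own constructions; the 172.20.0.0/24 subnet and the local-inicial rules come from the thread.

```python
"""Simulate ArubaOS-style first-match session ACL evaluation for a bridge-mode RAP client.

Added example, not from the thread or from Aruba. Rule dicts and the sample
validuser ACLs are constructed; 172.20.0.0/24 and the role rules are the thread's.
"""
import ipaddress


def _match(spec, ip, user_ip=None):
    """Match one source/destination field.

    spec is 'any', 'user' (the client's own address) or a CIDR string.
    """
    if spec == "any":
        return True
    if spec == "user":
        return user_ip is not None and ip == user_ip
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def first_match(rules, src, dst, service, user_ip=None):
    """Session ACLs are first-match; falling off the end is an implicit deny."""
    for rule in rules:
        if (_match(rule["src"], src, user_ip)
                and _match(rule["dst"], dst, user_ip)
                and rule["svc"] in ("any", service)):
            return rule
    return {"action": "deny", "reason": "implicit deny at end of ACL"}


# Constructed: a validuser ACL trimmed to corporate ranges only (the thread's misconfiguration).
VALIDUSER_CORP_ONLY = [
    {"src": "10.0.0.0/8",     "dst": "any", "svc": "any", "action": "permit"},
    {"src": "192.168.0.0/16", "dst": "any", "svc": "any", "action": "permit"},
]

# Constructed: the same ACL with the RAP's bridged LAN admitted as well.
VALIDUSER_FIXED = VALIDUSER_CORP_ONLY + [
    {"src": "172.20.0.0/24",  "dst": "any", "svc": "any", "action": "permit"},
]

# Role ACL local-inicial from the thread, with the final rule as plain permit, not route src-nat.
ROLE_LOCAL_INICIAL = [
    {"src": "any",           "dst": "any",           "svc": "svc-dhcp", "action": "permit"},
    {"src": "172.20.0.0/24", "dst": "172.20.0.0/24", "svc": "any",      "action": "permit"},
    {"src": "user",          "dst": "any",           "svc": "any",      "action": "permit"},
]


def validuser_admits(validuser, client_ip):
    """A user entry is only created for a source IP the validuser ACL permits."""
    return first_match(validuser, client_ip, client_ip, "any")["action"] == "permit"


def evaluate_flow(validuser, role_acl, client_ip, dst, service):
    """Return ('permit' | 'deny', explanation) for a client-originated flow."""
    if not validuser_admits(validuser, client_ip):
        return "deny", (f"{client_ip} rejected by validuser ACL: no user entry, "
                        "role ACL never evaluated")
    rule = first_match(role_acl, client_ip, dst, service, user_ip=client_ip)
    return rule["action"], f"role ACL rule: {rule}"


if __name__ == "__main__":
    for acl_name, acl in (("corp-only validuser", VALIDUSER_CORP_ONLY),
                          ("fixed validuser", VALIDUSER_FIXED)):
        verdict, why = evaluate_flow(acl, ROLE_LOCAL_INICIAL,
                                     "172.20.0.50", "172.20.0.254", "icmp")
        print(f"{acl_name}: ping gateway -> {verdict} ({why})")
```

With the corp-only validuser ACL the ping to the gateway is denied before the role ACL is ever reached, which is exactly why adding `any any any permit` to the role changed nothing in the thread; with the subnet admitted, the same role ACL permits local traffic via rule 2 and everything else via the final `user any any permit`.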
