VLAN tagging with IAP-305

  • 1.  VLAN tagging with IAP-305

    Posted Nov 06, 2018 06:13 PM

    I'm hoping someone can help me here.  This looks to be very straightforward, but it's just not working right now.

     

    We've just replaced an old HP WAP with an IAP-305.  Networking on this drop has our data/management network untagged and a Guest network tagged with vlan 70.  This has been working for years and through a couple of different WAPs, so we know the switch is configured properly.

     

    We've installed a new IAP-305 and configured two SSIDs: Staff (untagged) and Guest (tagged vlan 70).  The Staff network is working fine, but Guest is not.  There's some partial communication working as DHCP is being pulled properly from our internal DHCP servers, but from there clients on the Guest network can't ping their gateway.  Here's what we do see...

     

    - DHCP requests from clients are hitting firewall Guest interface which is configured for DHCP relay to internal servers 

    - DHCP servers are responding as client picks up appropriate IP configuration (IP, GW, DNS, etc) and are registered in active leases

    - Client, with IP in proper range for Guest network, cannot ping gateway

     

    So we know that the IAP-305 is able to communicate with Guest network / vlan 70 as the DHCP request is being sent and received properly.  What we can't figure out is why the clients can't communicate on that vlan.

     

    Given that this works fine when we plug the old HP WAP back in, we know it's not an issue on the switch side of things.  Thoughts?

     

    Here's what I see in the way of configuration summary on the Guest network:

    Name:Guest
    Status:Enabled
    Type:Employee
    Passphrase Size:13
    VLAN:70
    Access:Unrestricted
    CALEA:Disabled
    Redirect Blocked HTTPS Traffic:disable
    Security level: Personal

     

    Any input would be appreciated!

     



  • 2.  RE: VLAN tagging with IAP-305

    EMPLOYEE
    Posted Nov 06, 2018 07:24 PM

    I would type "arp -a" on a windows client connected to the guest network to see if it has anything in its ARP table.



  • 3.  RE: VLAN tagging with IAP-305

    EMPLOYEE
    Posted Nov 06, 2018 07:25 PM

    Actually, do you have any port security configured on those switch interfaces?



  • 4.  RE: VLAN tagging with IAP-305

    Posted Nov 06, 2018 07:50 PM

    Nothing specific on the port itself, no.  There is a generic "spanning-tree bpdu-protection-timeout" command in the switch configuration, but nothing specific on the port in question.   That general statement wouldn't be throwing this off, would it?  Given that the previous WAPs would work in this configuration, could this IAP-305 be causing the switch port to behave differently?



  • 5.  RE: VLAN tagging with IAP-305

    EMPLOYEE
    Posted Nov 06, 2018 07:55 PM

    Change the Guest VLAN number in the wireless AP to the same VLAN as the Employee VLAN and see if that works.  It is hard to compare two systems.



  • 6.  RE: VLAN tagging with IAP-305

    Posted Nov 06, 2018 08:58 PM

    Actually, after thinking about this a bit it hit me that it couldn't be related to protection on the switch port.   That would shut down the entire port, but I'm still able to manage the WAP via the native/untagged vlan and clients on the internal SSID are fully functional.  It's only communication on the tagged vlan that doesn't appear to be working beyond the initial DHCP process.



  • 7.  RE: VLAN tagging with IAP-305

    Posted Nov 06, 2018 09:20 PM

    Are you able to use the IAP CLI and ping the guest network default gateway?

    Have you set anything like captive portal up or is it a preshared key?

    Is this being set up via Aruba Instant or has the IAP been changed to a CAP?



  • 8.  RE: VLAN tagging with IAP-305

    Posted Nov 07, 2018 03:25 PM

    Surprisingly, the ping did work from the WAP to the Guest gateway.  I didn't think this would work as the WAP itself isn't assigned an IP on that network, only on the data/management network.  It was successful in pinging the gateway on vlan 70, though, so the communication from the WAP to the gateway appears to be OK.   This is supported with the IP addresses being picked up from our DHCP server.

     

    The network is using a preshared key (WPA-2 Personal) and not a captive portal.  Not sure how to answer your question about the Aruba Instant vs a CAP.  How would I check that?  I will say that the unit is a standalone device at the moment, acting as its own virtual controller.



  • 9.  RE: VLAN tagging with IAP-305
    Best Answer

    Posted Nov 12, 2018 02:11 PM

    So after spending several hours on the phone with support, including the use of Wireshark to capture packets coming from the WAP, we finally got to the point of doing a factory reset.  After rebuilding with the same configuration (a compare of the two config files is near identical), all is working fine.   No idea what the issue was, but posting this as a possible solution for anyone experiencing the same issue of tagged packets being dropped.  If your tagged SSID isn't communicating, try a factory reset before pulling your hair out as I did.
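
For readers repeating the packet-capture step described in this thread, here is an added example (not part of the original posts and not Aruba tooling). It classifies raw Ethernet frames by 802.1Q VLAN ID and protocol, then reports which expected protocols never appear on the tagged VLAN. The frames are constructed samples, and `classify`, `missing_on_vlan`, `build` and `ipv4` are hypothetical helper names.

```python
import struct
from collections import Counter

ETH_8021Q, ETH_IPV4, ETH_ARP = 0x8100, 0x0800, 0x0806

def classify(frame: bytes):
    """Return (vlan_id, protocol) for one Ethernet frame; vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, off = None, 14
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18  # low 12 bits of the TCI carry the VLAN ID
    if ethertype == ETH_ARP:
        return vlan, "arp"
    if ethertype != ETH_IPV4 or len(frame) < off + 20:
        return vlan, "other"
    ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
    if proto == 1:
        return vlan, "icmp"
    if proto == 17 and len(frame) >= off + ihl + 4:
        ports = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
        if set(ports) & {67, 68}:  # DHCP server/client ports
            return vlan, "dhcp"
    return vlan, "ipv4-other"

def missing_on_vlan(frames, vlan, expected):
    """Protocols in `expected` that never appear with the given VLAN tag."""
    seen = Counter(classify(f) for f in frames)
    return {p for p in expected if seen[(vlan, p)] == 0}

# --- constructed sample frames (not taken from the thread's capture) ---
def build(ethertype, payload, vlan=None):
    macs = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"  # placeholder MACs
    tag = struct.pack("!HH", ETH_8021Q, vlan) if vlan is not None else b""
    return macs + tag + struct.pack("!H", ethertype) + payload

def ipv4(proto, l4):
    # Minimal 20-byte IPv4 header; checksum and addresses left as zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                       proto, 0, bytes(4), bytes(4)) + l4

SAMPLE = [
    build(ETH_IPV4, ipv4(17, struct.pack("!HHHH", 68, 67, 8, 0)), vlan=70),  # DHCP, tagged 70
    build(ETH_ARP, bytes(28)),           # ARP, untagged
    build(ETH_IPV4, ipv4(1, bytes(8))),  # ICMP, untagged
]

if __name__ == "__main__":
    print(sorted(missing_on_vlan(SAMPLE, 70, {"dhcp", "arp", "icmp"})))
```

Frames exported from a capture on the AP's switch port can be passed in place of `SAMPLE`; only a single 802.1Q tag is handled, not stacked (QinQ) tags.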