Wireless Access

Hi all,

 

I've been playing about with this for almost a week now and its time to admit I need help - ha!

I have several VLANs but this particular instance just involves one of them, Voice.

 

Im essentially trying to attach a number of wireless handsets to our Voice VLAN with very little success :smileymad:

 

The setup so far:

 

Controller interface 0/0 is untagged within the main data VLAN and works a charm.

Controller interface 0/1 is untagged within the Voice VLAN with an appropriate IP address, and new SSID setup with a VAP Profile pointing at the correct VLAN.

 

When I join the Voice SSID I can't make contact with any of the devices that I know are there, but if I patch into the port that the controller is patched into I can see everything.

 

From this, I'm pretty confident that the VLAN itself is setup properly, Im just missing something daft on the Aruba side.

 

If anyone can offer a bit of guidence, it would be greatly appreciated.

 

Regards,

Can you please share the user-role you are using for this ?

 

Can you do a show datapath session table <ip address of the client> and see if anything is getting deny from the controller>

 

Do you have an IP address configured under that VLAN on the controller ? if you do can you ping it from the uplink switch/router?

 

Do a show ip interface brief confirm that the interface VLAN <Voice> confirm that is up too 

Hi vf,

 

Thanks for the speedy reply.

 

The user-role is "Authenticated" and shows as such on the dashboard when connected to the SSID

Datapath session table is as follows:

 

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination                                                                                                  TAge UsrIdx UsrVer Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- -----------                                                                                                  ---- ------ ------ -----
10.10.11.255    10.10.11.200    17   138   138    0/0     0 96  1   tunnel 459                                                                                                   f    0      0      FY
10.10.11.255    10.10.11.200    17   137   137    0/0     0 96  2   tunnel 459                                                                                                   15   0      0      FY
10.10.11.200    10.10.11.255    17   138   138    0/0     0 96  1   tunnel 459                                                                                                   f    6d     d67e   FC
10.10.11.200    10.10.11.255    17   137   137    0/0     0 96  0   tunnel 459                                                                                                   15   6d     d67e   FC
10.10.11.200    10.10.11.255    17   53296 30016  0/0     0 96  1   tunnel 459                                                                                                   f    6d     d67e   FC
10.10.11.200    255.255.255.255 17   53297 30016  0/0     0 96  1   tunnel 459  9    6d     d67e   FC
10.10.11.200    239.255.255.250 17   64172 1900   0/0     0 96  1   tunnel 459  14   6d     d67e   FC
255.255.255.255 10.10.11.200    17   30016 53297  0/0     0 96  0   tunnel 459  9    0      0      FY
255.255.255.255 10.10.11.200    17   5151  57384  0/0     0 96  0   tunnel 459  0    0      0      FY
10.10.11.200    255.255.255.255 17   57384 5151   0/0     0 96  0   tunnel 459  0    6d     d67e   FC
10.10.11.255    10.10.11.200    17   30016 53296  0/0     0 96  1   tunnel 459  f    0      0      FY
10.10.11.200    224.0.0.22      2    2     2      0/0     0 0   1   tunnel 459  19   6d     d67e   FCI

 

I do have an ip address configured under the VLAN for the controller, and I can ping it from the voice vlan.

 

The Interface brief returned the following: (VLAN 10)

Interface                   IP Address / IP Netmask        Admin   Protocol
vlan 1                    192.168.80.1 / 255.255.0.0       up      up
vlan 2                      unassigned / unassigned        up      up
vlan 10                    10.10.11.10 / 255.255.255.0     up      up
vlan 3                      unassigned / unassigned        up      up
loopback                    unassigned / unassigned        up      up
mgmt                        unassigned / unassigned        down    down

 

 

 Best Regards,

Are you getting an IP on that VLAN?  If not, where is DHCP setup?

 

If yes, what is your default gateway for that VLAN; the controller or something on your core network?  

Can you access other things on that VLAN? or is just remote networks that are a problem?

 

 

Hi Clembo,

 

The PBX dishes out DHCP on that VLAN, but when trying across the Voice SSID it doesnt issue anything.

If I unpatch the controller and patch a laptop into the same port I get an IP address issued from the PBX.

DHCP is setup on the same VLAN.

 

The default gateway is our core firewall, with seperate interfaces setup across all our VLANs.

Again, if I patch into the same port that the controller is patched into I can ping the default gateway, all the switch interfaces, the desktop handsets, everything on the VLAN.

 

I can ping the controller from the PBX but I cant see anything when connected to the Voice SSID.

 

You probably should check your core firewall to make sure that traffic is not getting blocked 

Hi fv,

 

Quite valid, but the firewall looks good from this end, everything else on that VLAN is using it as the GW and its all working.

 

 

You are probably using some type of QoS setup to prioritize and classified your Voice traffic , make sure that those values match on the wireless side of things.

 

Do you need multicast in order for your voice service to work ?

 

 

Maybe these can help :

http://community.arubanetworks.com/t5/Community-Knowledge-Base/WLAN-Design-for-Voice-and-Video/ta-p/21680

http://community.arubanetworks.com/t5/Voice-and-Video-over-Wi-Fi/QOS-Configuration-on-the-Aruba-Controller/td-p/39120

 

Hi vf,

 

Just reading through the PDF's now.

 

I dont want to get too bogged down in the Voice side of things just yet, because at the moment im just trying to connect a laptop to the VLAN via wireless to proof it all, then ill attempt the handsets.

 

For the minute im tryin go get a DHCP lease across vlan 10 through the wireless with a laptop.

 

Essentially I have a DHCP server dishing out addresses at one of the VLAN, and I have a laptop on the other end that cant see the dhcp server.

 

But if I physically cable the laptop to the VLAN using the exact same network details as the controller - hey presto! DHCP.

Im reading other peoples topics as well trying to peice together a solution.

 

If I look at the trunk details on he CLi I get the following:

 

Trunk Port Table
-----------------
Port   Vlans Allowed  Vlans Active  Native Vlan
----   -------------  ------------  -----------
GE1/0  1-3,10         1-3,10        1

 Does this mean that VLAN10 isnt on the interface that im expecting it to be on?

that shows VLAN 10 on the trunk (GE1/0).  If VLAN 10 is the VLAN you want on your other port, try removing it from the trunk.

 

conf t

interface gigabitethernet 1/0

switchport trunk allowed vlan remove 10

show trunk

 

interface gigabitethernet 1/1 (or whatever port)

switchport access vlan 10

 

show vlan

 

Otherwise, have you considered just leaving it trunked over that port (assuming the switch also has that end of it setup)?

Hi Clem,

 

I didnt think there was enough bandwidth to run two data heavy VLAN through the same 1GB  interface, so figured id split them up.

 

 

#show trunk

Trunk Port Table
-----------------
Port   Vlans Allowed  Vlans Active  Native Vlan
----   -------------  ------------  -----------
GE1/0  1-3            1-3           1

 

 #show vlan

VLAN CONFIGURATION
------------------
VLAN  Description  Ports                 AAA Profile
----  -----------  -----                 -----------
1     Default      GE1/0 GE1/2-3 Pc0-7   N/A
2     VLAN0002     GE1/0                 N/A
3     VLAN0003     GE1/0                 N/A
10    VLAN0010     GE1/1                 N/A

 I've re-attached a laptop to the SSID, but still no VLAN access :(

 

How do you have your interfaces configured ? Trunk / Static Port-channel / LACP ?

 

Can you run show running-config | begin interface , and share the giga interfaces config ?

 

 

Hi vf

 

As I understand it;

Interface 0/0 is a trunk while Interface 0/1 is static.

 

#show running-config | begin interface

vlan 2
vlan 3
vlan 10

interface gigabitethernet  1/0
description "GE1/0"
trusted
trusted vlan 1-4094
switchport mode trunk
switchport access vlan 2
switchport trunk allowed vlan 1-3
!

interface gigabitethernet  1/1
description "GE1/1"
trusted
trusted vlan 1-4094
switchport access vlan 10
!

interface gigabitethernet  1/2
description "GE1/2"
trusted
trusted vlan 1-4094
!

interface gigabitethernet  1/3
description "GE1/3"
trusted
trusted vlan 1-4094
!

interface vlan 1
ip address 192.168.80.1 255.255.0.0
!

interface vlan 2
!

interface vlan 10
ip address 10.10.11.10 255.255.255.0
no ip routing
operstate up
!

interface vlan 3
operstate up
!

 

are these interfaces are going to same uplink device ?

If they are then what you need to do is add VLAN 10 to the trunk to be allowed GE1/0

Hi vf,

 

Sorry for the late responce,

I see around 400-450 concurrent wifi users at any one time,

 

The cotroller interfaces patch into the same core switches yes, different ports.

 

I dont want VLAN 10 to go across the same interface as the main data - is this not possible?

 

 

If you split the interfaces like that ,it won't work.

How many wireless users do you usually see total ?

Interestingly,

 

When I unpatch GE1/1 I am still able to access the controller on its VLAN10 address from a machine that is already on the VLAN.

 

How is that possible?

That's probably because you at trusting every VLAN , do you have VLAN 10 define on the uplink trunk ?

450 users is not that many users but it also depends on the amount of data those users are using and the type controller you are using.

Which controller are you using ?

Do you have wired users on that same data VLAN ?

You could possibly consider configuring a port-channel .

Hi vf,

 

VLAN10 isnt defined on the uplink trunk

 

 

 

#show trunk

Trunk Port Table
-----------------
Port   Vlans Allowed  Vlans Active  Native Vlan
----   -------------  ------------  -----------
GE1/0  1-3            1-3           1

 

I have two Mobilty 3600 controllers in master / slave config.

 

All my wired users are currently in the same data VLAN but on a seperate subnet.

 

Since you are concern about max out your 1gig connectiong you could create a port-channel and that will double the amount of bandwidth back to the uplink switch and it will also provide redundancy.

 

Check these documents :

 

http://www.arubanetworks.com/techdocs/ArubaOS_61/ArubaOS_61_UG/LACP.php

https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-198

 

But you could also configure as static port-channel :

 

 

interface gigabitethernet 0/2
description "GE0/2"
trusted
trusted vlan 10,11,12
switchport mode trunk
switchport trunk allowed vlan 10,11,12
!

interface gigabitethernet 0/3
description "GE0/3"
trusted
trusted vlan 10,11,12
switchport mode trunk
switchport trunk allowed vlan 10,11,12

!

interface port-channel 0
add gigabitethernet 0/3
add gigabitethernet 0/2
trusted
trusted vlan 10,11,12
switchport trunk allowed vlan 10,11,12

 

But if you don't comfortable doing this you should probably open TAC case  or contact your local SE to assist you with this

Hi Vic,

Just to update, your solution did in fact work, but only after a FW update.

Many apologies for taking so long to acknowledge your solution.

 

 

 

Glad it worked