Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Why can't I ping my Aruba S1500-48p from a particular host.

  • 1.  Why can't I ping my Aruba S1500-48p from a particular host.

    Posted Aug 10, 2015 04:09 PM

    We've just set up our first stack of S1500-48ps, and are having some difficulty. This stack replaced a work stack, and was uplinked into an existing network that's been chugging away for a decade or so.

     

    At first, we couldn't get the voip-profile to work consistently with our Avaya IP phones. Configuring a set of ports to trunk mode made those work - though I don't know why they didn't work in the first place.

     

    Then our network printers were failing to get DHCP assigned IPs.

     

    I can see the requests in the server's logs - but when I ping the management IP on the S1500, I get no reply. Other switches, other machines are able to ping the management IP - though not from the same switch. Other clients on the stack can get DHCP assigned addresses without issue.

     

    To make matters stranger, if I ping from the switch to the server - it can then ping the switch for a short time. It's almost as if some sort of arp filtering is happening, but I can't figure out why.

     

    I have disabled mstp completely on the switch, tried moving the printers to trunk ports, verified that their MACs are being learned all the way to the server... 

     

    Seems like there's some failure to broadcast somewhere along the line. I've tried disabling all the storm-control options I could find, but that didn't have a visible effect.

     

    Edit: I still have no idea what's going on with pinging the S1500, or DHCP failures, but putting in a static IP address on the printers didn't work until I also put in a default gateway. Which is ludicrous!

     

    I feel like there's a critical piece here, but not sure what it is.

     

    Further edit:

    I disabled stp on the Extreme switch this stack is uplinked to, and the printers started working perfectly.

     

    Now the IP phones refuse to get an IP address, though... What a mess.



  • 2.  RE: Why can't I ping my Aruba S1500-48p from a particular host.

    EMPLOYEE
    Posted Aug 10, 2015 04:44 PM
    Can you please post your switch config?



    Thanks


  • 3.  RE: Why can't I ping my Aruba S1500-48p from a particular host.

    Posted Aug 11, 2015 10:10 AM

    Because I have been flailing around trying to fix this, it's a mess, but here is the current config:

     

    #
    # Configuration file for ArubaOS
    version 7.4
    enable secret XXX
    hostname "mhsidf2-1"
    clock timezone MDT -6
    location "Building1.floor1"
    controller config 33
    ip access-list eth validuserethacl
    permit any
    !
    netservice svc-dhcp udp 67 68
    netservice svc-dns udp 53
    netservice svc-ftp tcp 21
    netservice svc-h323-tcp tcp 1720
    netservice svc-h323-udp udp 1718 1719
    netservice svc-http tcp 80
    netservice svc-https tcp 443
    netservice svc-icmp 1
    netservice svc-kerberos udp 88
    netservice svc-natt udp 4500
    netservice svc-ntp udp 123
    netservice svc-sip-tcp tcp 5060
    netservice svc-sip-udp udp 5060
    netservice svc-sips tcp 5061
    netservice svc-smtp tcp 25
    netservice svc-ssh tcp 22
    netservice svc-telnet tcp 23
    netservice svc-tftp udp 69
    netservice svc-vocera udp 5002
    ip access-list stateless allowall-stateless
    any any any permit
    !
    ip access-list session cplogout
    user alias controller svc-https dst-nat 8081
    !
    ip access-list stateless cplogout-stateless
    user alias controller sys-svc-https dst-nat 8081
    !
    ip access-list stateless dhcp-acl-stateless
    any any svc-dhcp permit
    !
    ip access-list stateless dns-acl-stateless
    any any svc-dns permit
    !
    ip access-list stateless http-acl-stateless
    any any svc-http permit
    !
    ip access-list stateless https-acl-stateless
    any any svc-https permit
    !
    ip access-list stateless icmp-acl-stateless
    any any svc-icmp permit
    !
    ip access-list stateless logon-control-stateless
    any any svc-icmp permit
    any any svc-dns permit
    any any svc-dhcp permit
    any any svc-natt permit
    !
    ip access-list session validuser
    network 169.254.0.0 255.255.0.0 any any deny
    any any any permit
    !
    user-role authenticated
    access-list stateless allowall-stateless
    !
    user-role denyall
    !
    user-role denydhcp
    !
    user-role guest
    access-list stateless http-acl-stateless
    access-list stateless https-acl-stateless
    access-list stateless dhcp-acl-stateless
    access-list stateless icmp-acl-stateless
    access-list stateless dns-acl-stateless
    !
    user-role logon
    access-list stateless logon-control-stateless
    !
    user-role preauth
    !
    !

    crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
    crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac


    mgmt-user admin root XXX


    ntp server 172.16.1.18

    firewall disable-stateful-h323-processing
    !
    ip domain lookup
    !
    aaa authentication mac "default"
    !
    aaa authentication dot1x "default"
    !
    aaa server-group "default"
    auth-server Internal
    set role condition role value-of
    !
    aaa profile "default"
    !
    aaa authentication captive-portal "default"
    !
    aaa authentication vpn "default"
    !
    aaa authentication mgmt
    !
    aaa authentication wired
    !
    web-server
    !
    aaa password-policy mgmt
    !
    traceoptions
    !
    probe-profile "default"
    protocol icmp
    !
    qos-profile "default"
    !
    policer-profile "default"
    !
    ip-profile
    default-gateway 172.16.16.1
    !
    mode-button
    !
    interface-profile ospf-profile "default"
    area 172.16.16.6
    !
    interface-profile pim-profile "default"
    !
    interface-profile igmp-profile "default"
    !
    stack-profile
    !
    ipv6-profile
    !
    activate-service-firmware
    !
    aruba-central
    !
    rogue-ap-containment
    !
    interface-profile switching-profile "default"
    !
    interface-profile switching-profile "phone"
    switchport-mode trunk
    trunk allowed vlan 3
    !
    interface-profile switching-profile "uplink"
    switchport-mode trunk
    no storm-control-broadcast
    no storm-control-unknown-unicast
    !
    interface-profile voip-profile "voice"
    voip-vlan 3
    voip-mode auto-discover
    !
    interface-profile tunneled-node-profile "default"
    !
    interface-profile poe-profile "default"
    !
    interface-profile poe-profile "poe-factory-initial"
    enable
    !
    interface-profile enet-link-profile "autooff"
    speed 100
    duplex full
    no autonegotiation
    !
    interface-profile enet-link-profile "default"
    !
    interface-profile lldp-profile "default"
    lldp transmit
    lldp receive
    no lldp med-tlv-select network-policy
    med enable
    proprietary-neighbor-discovery
    !
    interface-profile lldp-profile "lldp-factory-initial"
    lldp transmit
    lldp receive
    med enable
    proprietary-neighbor-discovery
    !
    interface-profile gvrp-profile "gvrp-on"
    enable
    !
    interface-profile gvrp-profile "iaps"
    !
    interface-profile mstp-profile "default"
    !
    interface-profile mstp-profile "edge"
    portfast
    !
    interface-profile pvst-port-profile "default"
    !
    interface-profile port-security-profile "default"
    loop-protect auto-recovery-time 60
    !
    vlan-profile dhcp-snooping-profile "default"
    !
    vlan-profile mld-snooping-profile "default"
    !
    vlan-profile igmp-snooping-profile "default"
    !
    vlan-profile igmp-snooping-profile "igmp-snooping-factory-initial"
    snooping
    !
    spanning-tree
    !
    gvrp
    !
    mstp
    !
    lacp
    !
    vlan "1"
    igmp-snooping-profile "igmp-snooping-factory-initial"
    !
    vlan "3"
    description "VoiceVlan"
    !
    vlan "6"
    description "CaptivePortal"
    !
    interface gigabitethernet "0/0/0"
    !
    interface gigabitethernet "0/0/1"
    !
    interface gigabitethernet "0/0/2"
    !
    interface gigabitethernet "0/0/3"
    !
    interface gigabitethernet "0/0/4"
    !
    interface gigabitethernet "0/0/5"
    !
    interface gigabitethernet "0/0/6"
    !
    interface gigabitethernet "0/0/7"
    !
    interface gigabitethernet "0/0/8"
    !
    interface gigabitethernet "0/0/9"
    !
    interface gigabitethernet "0/0/10"
    !
    interface gigabitethernet "0/0/11"
    !
    interface gigabitethernet "0/0/12"
    !
    interface gigabitethernet "0/0/13"
    !
    interface gigabitethernet "0/0/14"
    !
    interface gigabitethernet "0/0/15"
    !
    interface gigabitethernet "0/0/16"
    !
    interface gigabitethernet "0/0/17"
    !
    interface gigabitethernet "0/0/18"
    !
    interface gigabitethernet "0/0/19"
    !
    interface gigabitethernet "0/0/20"
    !
    interface gigabitethernet "0/0/21"
    !
    interface gigabitethernet "0/0/22"
    !
    interface gigabitethernet "0/0/23"
    !
    interface gigabitethernet "0/1/0"
    switching-profile "uplink"
    !
    interface gigabitethernet "0/1/1"
    switching-profile "uplink"
    !
    interface gigabitethernet "1/0/0"
    voip-profile "voice"
    !
    interface gigabitethernet "1/0/15"
    !
    interface gigabitethernet "1/0/46"
    !
    interface gigabitethernet "1/0/47"
    !
    interface gigabitethernet "2/0/1"
    !
    interface gigabitethernet "2/0/2"
    !
    interface vlan "1"
    ip directed-broadcast
    ip address 172.16.16.6 255.255.240.0
    !
    device-group ap
    !
    interface-group gigabitethernet "default"
    apply-to ALL
    !
    interface-group gigabitethernet "phones"
    apply-to 1/0/46
    voip-profile "voice"
    lldp-profile "lldp-factory-initial"
    poe-profile "poe-factory-initial"
    !
    interface-group gigabitethernet "ports"
    apply-to 0/0/0-0/0/43,1/0/0-1/0/41,2/0/0-2/0/43
    voip-profile "voice"
    lldp-profile "lldp-factory-initial"
    poe-profile "poe-factory-initial"
    qos trust auto
    port-security-profile "default"
    !
    interface-group gigabitethernet "uplink"
    apply-to 0/0/44-0/0/47,1/0/42-1/0/45,1/0/47,2/0/44-2/0/47
    lldp-profile "lldp-factory-initial"
    poe-profile "poe-factory-initial"
    switching-profile "uplink"
    !
    interface-group gigabitethernet "uplinks"
    apply-to 0/1/0-0/1/1,1/1/0-1/1/1,2/1/0-2/1/1
    lldp-profile "lldp-factory-initial"
    poe-profile "poe-factory-initial"
    qos trust auto
    switching-profile "uplink"
    !

    syslocation "XXX Front Offie"
    syscontact "netadmin@mesd.us"
    snmp-server community Zer0t0uchpr0visi0ning view ALL
    snmp-server community public view ALL
    snmp-server view ALL oid-tree iso included
    snmp-server group public v1 read ALL
    snmp-server group public v2c read ALL
    snmp-server group ALLPRIV v1 read ALL notify ALL
    snmp-server group ALLPRIV v2c read ALL notify ALL
    snmp-server group ALLPRIV v3 noauth read ALL notify ALL
    snmp-server group AUTHPRIV v3 priv read ALL notify ALL
    snmp-server group AUTHNOPRIV v3 auth read ALL notify ALL
    snmp-server group Zer0t0uchpr0visi0ning v1 read ALL
    snmp-server group Zer0t0uchpr0visi0ning v2c read ALL

    snmp-server enable trap

    process monitor log
    end

     



  • 4.  RE: Why can't I ping my Aruba S1500-48p from a particular host.

    Posted Aug 11, 2015 02:18 PM

    So I resorted to a "write erase all".  This is the new current config.

     

     

    #
    # Configuration file for ArubaOS
    version 7.4
    enable secret "dxxx"
    clock timezone PST -8
    location "Building1.floor1"
    controller config 6

    ip access-list eth validuserethacl
    permit any
    !
    netservice svc-dhcp udp 67 68
    netservice svc-dns udp 53
    netservice svc-ftp tcp 21
    netservice svc-h323-tcp tcp 1720
    netservice svc-h323-udp udp 1718 1719
    netservice svc-http tcp 80
    netservice svc-https tcp 443
    netservice svc-icmp 1
    netservice svc-kerberos udp 88
    netservice svc-natt udp 4500
    netservice svc-ntp udp 123
    netservice svc-sip-tcp tcp 5060
    netservice svc-sip-udp udp 5060
    netservice svc-sips tcp 5061
    netservice svc-smtp tcp 25
    netservice svc-ssh tcp 22
    netservice svc-telnet tcp 23
    netservice svc-tftp udp 69
    netservice svc-vocera udp 5002
    ip access-list stateless allowall-stateless
    any any any permit
    !
    ip access-list stateless cplogout-stateless
    user alias controller sys-svc-https dst-nat 8081
    !
    ip access-list stateless dhcp-acl-stateless
    any any svc-dhcp permit
    !
    ip access-list stateless dns-acl-stateless
    any any svc-dns permit
    !
    ip access-list stateless http-acl-stateless
    any any svc-http permit
    !
    ip access-list stateless https-acl-stateless
    any any svc-https permit
    !
    ip access-list stateless icmp-acl-stateless
    any any svc-icmp permit
    !
    ip access-list stateless logon-control-stateless
    any any svc-icmp permit
    any any svc-dns permit
    any any svc-dhcp permit
    any any svc-natt permit
    !
    ip access-list session validuser
    network 169.254.0.0 255.255.0.0 any any deny
    any any any permit
    !
    user-role authenticated
    access-list stateless allowall-stateless
    !
    user-role denyall
    !
    user-role denydhcp
    !
    user-role guest
    access-list stateless http-acl-stateless
    access-list stateless https-acl-stateless
    access-list stateless dhcp-acl-stateless
    access-list stateless icmp-acl-stateless
    access-list stateless dns-acl-stateless
    !
    user-role logon
    access-list stateless logon-control-stateless
    !
    user-role preauth
    !
    !

    crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
    crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac


    mgmt-user admin root eccc
    mgmt-user switchroot root ccc

     

    firewall disable-stateful-h323-processing
    !
    ip domain lookup
    !
    !
    aaa authentication mac "default"
    !
    aaa authentication dot1x "default"
    !
    aaa server-group "default"
    auth-server Internal
    set role condition role value-of
    !
    aaa profile "default"
    !
    aaa authentication captive-portal "default"
    !
    aaa authentication vpn "default"
    !
    aaa authentication mgmt
    !
    aaa authentication wired
    !
    web-server
    !
    aaa password-policy mgmt
    !
    traceoptions
    !
    probe-profile "default"
    protocol icmp
    !
    qos-profile "default"
    !
    policer-profile "default"
    !
    ip-profile
    default-gateway 172.16.16.1
    !
    mode-button
    enable factory-default
    !
    interface-profile ospf-profile "default"
    area 0.0.0.0
    !
    interface-profile pim-profile "default"
    !
    interface-profile igmp-profile "default"
    !
    stack-profile
    !
    ipv6-profile
    !
    activate-service-firmware
    !
    aruba-central
    !
    rogue-ap-containment
    !
    interface-profile switching-profile "default"
    !
    interface-profile switching-profile "uplink"
    switchport-mode trunk
    !
    interface-profile voip-profile "voice"
    voip-vlan 3
    voip-dscp 8
    voip-dot1p 7
    voip-mode auto-discover
    !
    interface-profile poe-profile "default"
    !
    interface-profile poe-profile "poe-factory-initial"
    enable
    !
    interface-profile enet-link-profile "default"
    !
    interface-profile lldp-profile "default"
    !
    interface-profile lldp-profile "lldp-factory-initial"
    lldp transmit
    lldp receive
    med enable
    !
    interface-profile mstp-profile "default"
    !
    interface-profile pvst-port-profile "default"
    !
    vlan-profile dhcp-snooping-profile "default"
    !
    vlan-profile mld-snooping-profile "default"
    !
    vlan-profile igmp-snooping-profile "default"
    snooping
    !
    vlan-profile igmp-snooping-profile "igmp-snooping-factory-initial"
    snooping
    !
    spanning-tree
    !
    gvrp
    !
    mstp
    !
    lacp
    !
    vlan "1"
    igmp-snooping-profile "igmp-snooping-factory-initial"
    !
    vlan "3"
    description "VoiceVlan"
    !
    vlan "6"
    description "CaptivePortal"
    !
    interface vlan "1"
    description "Default"
    ip address 172.16.16.6 255.255.240.0
    !
    interface vlan "3"
    description "VoiceVlan"
    ip address dhcp-client
    !
    device-group ap
    !
    interface-group gigabitethernet "aps"
    apply-to 0/0/44-0/0/47,1/0/42-1/0/47,2/0/44-2/0/47
    lldp-profile "lldp-factory-initial"
    poe-profile "poe-factory-initial"
    switching-profile "uplink"
    !
    interface-group gigabitethernet "default"
    apply-to ALL
    voip-profile "voice"
    lldp-profile "lldp-factory-initial"
    poe-profile "poe-factory-initial"
    !
    interface-group gigabitethernet "uplinks"
    apply-to 0/1/0
    lldp-profile "lldp-factory-initial"
    poe-profile "poe-factory-initial"
    switching-profile "uplink"
    !

    snmp-server community Zer0t0uchpr0visi0ning view ALL
    snmp-server view ALL oid-tree iso included
    snmp-server group ALLPRIV v1 read ALL notify ALL
    snmp-server group ALLPRIV v2c read ALL notify ALL
    snmp-server group ALLPRIV v3 noauth read ALL notify ALL
    snmp-server group AUTHPRIV v3 priv read ALL notify ALL
    snmp-server group AUTHNOPRIV v3 auth read ALL notify ALL
    snmp-server group Zer0t0uchpr0visi0ning v1 read ALL
    snmp-server group Zer0t0uchpr0visi0ning v2c read ALL

    snmp-server enable trap

    process monitor log
    end

     

    The voip-profile still refuses to work for IP phones, so I had to add the phones to the "aps" interface group (to get them to actually function on VLAN 3).

     

    Even after that, the IP phones come up with "Finding router..." forever, unless I give each phone a static ip address - implying that they cannot reach the router for some reason.

     

    All in all, this has been the worst possible scenario for this equipment. Hoping to find out what's going wrong before I try deploying the other 80 switches. :)



  • 5.  RE: Why can't I ping my Aruba S1500-48p from a particular host.

    Posted Aug 11, 2015 02:39 PM

    Before you wiped the config, did you verify your VoIP phones are ending up in VLAN 3?  You can use 'show mac-address-table' to confirm. I believe with the Avaya phones you'll need to use static voip mode as they probably use LLDP rather than CDP.  If so, try the following:

     

    interface-profile voip-profile "voice"
      voip-mode static
    !

     

    Since you wiped out the switch, you'll need to recreate your 'phones' interface group and apply the voip profile there.

     

    Also, can you please provide the interface configuration of your upstream switch?  Would like to know how the uplink port is configured on that switch.



  • 6.  RE: Why can't I ping my Aruba S1500-48p from a particular host.

    Posted Aug 12, 2015 11:20 AM

    Yes, I can verify that phones are, according to the switch, being made a member of the tagged vlan 3.

     

    It's strange because I already have, at other locations, S1500s using auto-discover on LLDP capable IP phones.



  • 7.  RE: Why can't I ping my Aruba S1500-48p from a particular host.

    Posted Aug 12, 2015 11:53 AM

    Setting the voip mode to static causes the IP phone to never be made a member of the tagged vlan specified in the voip profile.



  • 8.  RE: Why can't I ping my Aruba S1500-48p from a particular host.

    Posted Aug 10, 2015 10:49 PM

    Did you change spanning tree modes and are now running PVST, or is STP turned off?

     

    What network device is the S1500 trunked to?  Is that device using PVST, RSTP, MSTP?

     

    What VLANs are the clients, printers, etc?  What's the mgmt VLAN?

     

    As Tim suggested, a config would be helpful.



  • 9.  RE: Why can't I ping my Aruba S1500-48p from a particular host.

    Posted Aug 11, 2015 07:38 AM

    I'll post the config when I get to the office this morning, but some easy information to provide:

     

    Relevant ports are on Vlan 1 as their native.  Management Vlan is 1.

     

    My original post does specify "I have disabled mstp completely on the switch" in addition to other attempts to solve the problem.

     

    I believe the fix will be with the uplinked switch, though, which is an Extreme SummitX series stack. Making any change to stp on that stack seems to allow things to work normally on the Aruba stack for a brief moment and then (I assume once the topology changes complete on the Extreme stack) they go back to not working.

     

    The weird thing, the stack of cheap Netgear devices that these S1500s are replacing worked just fine. It's a head scratcher, and more than a little worrying.

     

    Well, as I said, I'll post the S1500 configs from the office.