Wireless Access

Hello.

I've got a new 7210 controller and several AP-175P access points. All devices share the same L2 segment with DHCP on the controller. I thought access point would automatically connect and register with controller without any configuration on them but they are not even getting IP address. Is it possible that access point will automatically connect to controller? Is there something that must be set on them to make it work?

Is the interface(s) and/or VLAN that connects to the APs trusted on the controller?

show port status

Port Status
-----------
Slot-Port  PortType  adminstate  operstate  poe      Trusted  PortMode
---------  --------  ----------  ---------  ---      -------  --------
1/0        GE        Enabled     Down        Enabled  Yes      Access
1/1        GE        Enabled     Down        Enabled  Yes      Access
1/2        GE        Enabled     Up           Enabled  Yes      Trunk
1/3        GE        Enabled     Up           Enabled  Yes      Trunk

What is providing DHCP on those ports?

- Make sure DHCP service has been enabled : "show service dhcp" 

- Verify the information in the DHCP pool : show ip dhcp database , what's the IP default-router ? and make sure it matches the ip address assigned to the VLAN associated with it

Thanks for replies.

Uplink ports are part of LAG. It is trusted.

# show port stat

Port Status
-----------
Slot-Port  PortType  adminstate  operstate  poe      Trusted  SpanningTree  PortMode
---------  --------  ----------  ---------  ---      -------  ------------  --------
0/0/0      GE        Enabled     Down       Enabled  Yes      Disabled      Access
0/0/1      GE        Enabled     Down       Enabled  Yes      Disabled      Access
0/0/2      GE        Enabled     Up         Enabled  Yes      Disabled      Access
0/0/3      GE        Enabled     Up         Enabled  Yes      Disabled      Access
0/0/4      GE        Enabled     Down       Enabled  Yes      Disabled      Access
0/0/5      GE        Enabled     Down       Enabled  Yes      Disabled      Access

interface gigabitethernet 0/0/2
        description "GE0/0/2"
        trusted
        trusted vlan 1-4094
        lacp group 0 mode active
!

interface gigabitethernet 0/0/3
        description "GE0/0/3"
        trusted
        trusted vlan 1-4094
        lacp group 0 mode active
!

interface port-channel 0
        trusted
        trusted vlan 1-4094
        switchport mode trunk
        switchport trunk native vlan 181
        spanning-tree portfast
        spanning-tree cost 2000
!

 DHCP is provided by controller and it is enabled.

# show service dhcp
service dhcp "default" undefined.

#show ip dhcp database
DHCP enabled

# Global scope option declarations
option usr-opt-60-WIFI code 60 = text ;
option usr-opt-43-WIFI code 43 = ip-address ;

# WIFI
subnet 10.10.11.0 netmask 255.255.255.0 {
        default-lease-time 86400;
        max-lease-time 86400;
        option vendor-class-identifier  "ArubaAP";
        option vendor-encapsulated-options  "10.10.11.1"
        option domain-name-servers 8.8.8.8, 8.8.4.4;
        option routers 10.10.11.254;
        option usr-opt-60-WIFI "ArubaAP";
        option usr-opt-43-WIFI 10.10.11.1;
        range 10.10.11.100 10.10.11.253;
        authoritative;
}


ip dhcp excluded-address 10.10.11.1 10.10.11.99
ip dhcp pool WIFI
 default-router 10.10.11.254
 dns-server 8.8.8.8 8.8.4.4
 lease 1 0 0 0
 option 60 text "ArubaAP"
 option 43 ip 10.10.11.1
 network 10.10.11.0 255.255.255.0
 authoritative
!
service dhcp

 sefault-router is IP of router in that VLAN (not the controller).

Should access point by defult get IP address and connect to controller?

Type "show controller-ip".  That will tell you what ip address the access point is redirected to upon controller discovery.  You need to make sure that the controller-ip is reachable from the 10.10.11.x network.

#show controller-ip

Switch IP Address: 10.10.11.1

Switch IP is from Vlan Interface: 11

Switch IPv6 address is not configured.

 Of course controller-ip is reachable because it is the same VLAN.

Type "show ip dhcp binding" to see if the AP actually gets an ip address.  If it does, try to ping it...  If you can ping it, type "show datapath session table <ip address of ap>" repeatedly to see if it is sending traffic to the controller.  If it is sending traffic, type "show ap database" to see if the access point has registered with the controller.  The AP175P has external antennas, so it will not come up unless you put in a gain for both antennas, after it has contacted the controller.

There are no bindings on the controller so I cannot test any access point. Access points have antennas installed. It looks like access points don't even try to get IP address. The link is up but no traffic going from them.

Plug into the link with a laptop and see if you get an ip address.  If you get an ip address, see if you can ping the controller on that 10.x address.  Are you sure the uplink to the controller is trusted?

Seems like the controllers is connected to a switch, try connecting to those switch and diretcly to the controller and see if you are getting any IP address within the same subnet.

Gordon

Just saw the latest reply, POE issue I suppose.

When I plug in laptop, I can get IP address from controller and controller is reachable (ping and SSH work). According to the configuration above, LAG is trusted.

Do access points require any initial configuration?

They do not require initial configuration.  I am more concerned that it is not getting an ip address.  Are you using a power injector for that access point?

PoE is used to power up access points.

Do you have a POE+ or AT power injector?   It is sort of required to power up that access point correctly.  You can sometimes get around that, but you should put it on a POE+ or AT injector if you can to rule that out:  http://www.arubanetworks.com/pdf/products/DS_AP175Series.pdf

Do you have any regular access points instead of the AP175 that you can plug into that port?  

I meant PoE+. There are connected to Dell PowerConnect 7024P switches. Unfortunately we've got only AP-175Ps.

Try a different AP if possible (you probably have already).  If not and you have the AP175 console cable, download the console cable driver here:  http://support.arubanetworks.com/ToolsResources/tabid/76/DMXModule/514/EntryId/7511/Default.aspx and connect the AP to a terminal to see what is going on...

EDIT:

Instructions on how to console into an AP175 are here:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/How-to-console-into-an-AP-175

I cannot connect access points to the same switch where controller is connected because it is switch with only 10Gb ports. Access points also cannot be connected directly to controller because there are no PoE+ ports on the controller.

We don't have power injectors so we have to use PoE. Switches indicate that each access point takes about 6400 mW.

I want to avoid connecting to every access point (there are about 20 acess points) because they are placed in hard to reach locations under ceiling.

I took one access point and made a console connection. There were a lot of below information.

DHCP broadcast 1
DHCP broadcast 2
DHCP broadcast 3
DHCP broadcast 4
DHCP broadcast 5

Retry count exceeded; starting again

DHCP broadcast 1
DHCP broadcast 2
DHCP broadcast 3
DHCP broadcast 4
DHCP broadcast 5

Retry count exceeded; starting again

 I set up static IP and other settings like master and server IP and it succeed to connect.

Then from the controller I changed its settings to obtain address automatically and now it is getting address from DHCP.

The problem is I have no access to all access points. Can I somehow force access point to get IP address from DHCP?

I would break the port channel and make it connect with a single link.  If you only have a few access points anyway, what is the harm?

I don't think the problem is with port channel because when I "pushed" one access point through console it is functioning.

It is not few access points but above 20 and to get them we need some kind of platform and that's why I want to run them without console connection.

Well, if you have something that does not work, you need to simplify it until it does.  We are not at your site, so we cannot guess where your problem might lie, but that is the only thing that sticks out.  Maybe you know of something else.

I agree with CJ should try make it work with a simple scenario and then start building up the way you would like step by step , it will allow you to see what's failing too.

For LAG you should verifying the following :

What are you using for uplink switch ?

interface gigabitethernet 0/0
        description "GE0/0"
        trusted
        trusted vlan 1-100
        switchport mode trunk
        switchport trunk allowed vlan 1-100
        lacp group 1 mode active
!

interface gigabitethernet 0/1
        description "GE0/1"
        trusted
        trusted vlan 1-100
        switchport mode trunk
        switchport trunk allowed vlan 1-100
        lacp group 1 mode active

interface port-channel 1
        trusted
        trusted vlan 1-100
        switchport mode trunk allowed

(HOME-MASTER-CONTROLLER) #show  trunk

Trunk Port Table
-----------------
Port  Vlans Allowed  Vlans Active   Native Vlan

(HOME-MASTER-CONTROLLER) #show  lacp 1 neighbor

Flags: S - Device is requesting slow LACPDUs
       F - Device is requesting fast LACPDUs
       A - Device is in Active mode P - Device is in Passive mode
LACP Neighbor Table
-------------------
Port    Flags  Pri    OperKey  State  Num    Dev Id
----    -----  ---    -------  -----  ---    ------

Today I had more time for  troubleshooting. Problem was solved. There was issue with DHCP Snooping which enabled globally but disabled on WiFi VLAN. It must be a bug on the switches that prevented getting IP addresses.

Thanks for your help. I appreciate it.