Wireless Aruba through Cisco gear not communicating: Wired works!


wuJoe

IS-IT--Management
Jul 27, 2009
5
US
Our problem is our wireless clients can't communicate properly over the Aruba WLAN while ports on our two "core" layer 3 switches are in routed port mode (no switchport). Place these two connecting ports in trunked mode with encapsulation and all, and wireless works without problem. To add to my confusion, when those two "core" L3 switches are in routed port mode, wired devices communicate across them without problem. I tried statically assigning an IP address also to the WiFi client with no success.

AP1 is Aruba AP61
L2A is Layer 2 Cisco 3548
L3A is Layer 3 Cisco 3750
L3B is Layer 3 Cisco 3750
L2B is Layer 2 Cisco 3548
Controller is an Aruba 3400

L2A is where the wired client also connects to
L2B is where our servers are located.

WiFi Client---AP1----L2A----L3A----L3B---L2B----Controller

VLANs are implemented here... The ESSID available to wifi clients sits in VLAN126. The wired client also connects using the same VLAN. The access point itself sits in a different VLAN, VLAN120. Between the 2 L3 "core" switches, there is a VLAN2 which, since there are only the two devices on this network segment, I'd like to simply create a /30 network using routed ports if possible. The controller is connected to a trunked port. There are several VLANs on that trunk including a VLAN also numbered 126, and the servers that hang off of L2B are in VLAN 95.

I just finished doing a test where I "switchport trunk allowed vlan 2" on the ports connecting the core switches which caused dhcp traffic to fail when I tried to connect wirelessly. Remove that statement and DHCP traffic passes, thereby giving access to the network to my wifi client.
 
I also forgot to mention, the AP and controller create a GRE tunnel through which all client traffic passes. So, as I understand it, it's much like the wifi client is plugged directly into the controller.

WiFi Client--AP1====Controller


I did just notice that I don't have a dhcp-relay/helper for VLAN 126 on the controller side of the network (to the right of L3B) for when that tunneled traffic becomes "untunneled". But that still doesn't help clarify the routed port vs SVI port problem between the core switches. Or maybe it does. Since my wired client DHCP requests are heard by L3A, and L3A has relay/helper info in it, it is able to assist the wired client. The wireless client, however, has to traverse to the controller to become "untunneled" and over there, there is no helper...


Your thoughts?
:/
 
How does the AP discover the controller? Typically a lightweight AP is a doorstop until it can connect to a controller and obtain its configuration. Since you're using Layer 3 (IP) as the transport mechanism between the controller and the AP, this is your first concern. In Cisco wireless, if the controllers and APs are on separate subnets, you need to set specific DHCP options so that the APs can discover the controllers and obtain their configurations.

Are your APs capable of Layer 3 LWAPP or CAPWAP?

After the AP is connected to the controller, then you can look at client connectivity issues.

PSC
[—] CCNP [•] CCSP [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
Mostly disregard last post... I re-read your request and have a different interpretation now...

Alright, you want to route traffic between switch group A and switch group B. Basically, we can look at this as a routing issue. Let's treat your L3 switches as routers to make the discussion easier....

Client<...>AP--SwitchA--RouterA--RouterB--SwitchB--Controller

  • Between the AP and the Controller there is (or should be) a GRE tunnel encapsulating all data and control traffic. (I just looked it up)
  • Client traffic will ingress (encapsulated) at the controller on VLanX and egress (unencapsulated) on VLanZ based on the BSSID on which the client is connected
  • AP must receive its configuration over a routed link
  • Client will receive DHCP from VLanZ
  • VLans on SwitchA are independent from SwitchB

Ok... Here's what's going to happen:
1. AP boots
   a. attempts to get controller IP via broadcast
   b. attempts to get controller IP via DHCP
   c. attempts to get controller IP via DNS
2. If discovery completes successfully, AP establishes GRE tunnel and downloads configuration
3. Client system connects
   a. Associates with AP
   b. Requests IP via DHCP
      i. Packet encapsulated by AP and forwarded to controller
      ii. Controller de-encapsulates packet and places it on VLan associated with BSSID
      iii. DHCP server responds and packet is delivered to controller
      iv. Controller encapsulates packet and sends it to AP
      v. AP de-encapsulates packet and transmits it to client

So... Do you have DHCP set up for the AP in the subnet in which it resides? Can the controller get its configuration over the L3 connection? Do you have DHCP set up for client traffic where it egresses from the controller?


Moving on to the switch configuration you have a couple of choices for the connection between the L3 switches... You can use a trunk and build what amounts to an L2 connection or you can route. To route, you're not required to build "routed" ports, but if you don't, you must ensure that BPDUs and VTP are not passed between the switches...

Routing Config (option 1)
L3SwitchA
ip routing

Interface GigabitEthernet1/0/1
Description Connection to L3SwitchB
switchport mode access
switchport access vlan 2
no vtp
spanning-tree bpdufilter enable

Interface Vlan2
ip address 192.168.1.1 255.255.255.252

router rip
network <your networks>
network 192.168.1.0
version 2
no auto-summary

L3SwitchB
ip routing

Interface GigabitEthernet1/0/1
Description Connection to L3SwitchA
switchport mode access
switchport access vlan 2
no vtp
spanning-tree bpdufilter enable

Interface Vlan2
ip address 192.168.1.2 255.255.255.252

router rip
network <your networks>
network 192.168.1.0
version 2
no auto-summary

Routing Config (option 2)
L3SwitchA
ip routing

Interface GigabitEthernet1/0/1
Description Connection to L3SwitchB
no switchport
ip address 192.168.1.1 255.255.255.252

router rip
network <your networks>
network 192.168.1.0
version 2
no auto-summary

L3SwitchB
ip routing

Interface GigabitEthernet1/0/1
Description Connection to L3SwitchA
no switchport
ip address 192.168.1.2 255.255.255.252

router rip
network <your networks>
network 192.168.1.0
version 2
no auto-summary



Now of course you don't have to use RIP... You can use any routing protocol you want.

PSC
[—] CCNP [•] CCSP [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
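
An added example, not written by either poster: a small Python model of the topology in this thread, showing where a VLAN 126 DHCP broadcast can reach a relay under each core-link mode described above (unrestricted trunk, `switchport trunk allowed vlan 2`, routed port). The VLAN sets on the edge links and all function names are assumptions; the helper placement on L3A follows the original post.

```python
from collections import deque

# Constructed model of the thread's topology. Which VLANs the edge links
# carry is an assumption; the thread only describes the core link's modes.
EDGE_LINKS = {
    ("L2A", "L3A"): {120, 126},
    ("L3B", "L2B"): {95, 126},
    ("L2B", "Controller"): {95, 126},
}
ALL_VLANS = {2, 95, 120, 126}
# Per the thread: L3A relays DHCP for VLAN 126; the controller side has no helper.
DHCP_HELPERS = {("L3A", 126)}

CORE_MODES = {
    "trunk": ALL_VLANS,            # unrestricted trunk between the cores
    "trunk_allowed_vlan_2": {2},   # switchport trunk allowed vlan 2
    "routed": set(),               # no switchport: no VLAN is bridged across
}

def broadcast_domain(start, vlan, core_mode):
    """Devices an L2 broadcast in `vlan` reaches when it enters at `start`."""
    links = dict(EDGE_LINKS)
    links[("L3A", "L3B")] = CORE_MODES[core_mode]
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for (a, b), vlans in links.items():
            if vlan in vlans and node in (a, b):
                peer = b if node == a else a
                if peer not in seen:
                    seen.add(peer)
                    queue.append(peer)
    return seen

def dhcp_reaches_helper(entry_device, vlan, core_mode):
    """True if a DHCP DISCOVER entering at `entry_device` reaches a relay."""
    domain = broadcast_domain(entry_device, vlan, core_mode)
    return any((dev, vlan) in DHCP_HELPERS for dev in domain)

def results(core_mode):
    # The wired client plugs into L2A. The wireless client's frames leave the
    # GRE tunnel at the controller, so its broadcast enters VLAN 126 there.
    return {
        "wired": dhcp_reaches_helper("L2A", 126, core_mode),
        "wireless": dhcp_reaches_helper("Controller", 126, core_mode),
    }

if __name__ == "__main__":
    for mode in CORE_MODES:
        print(mode, results(mode))
```

The model matches the symptoms reported in the first post: the wired client reaches L3A's helper in every mode, while the wireless client only reaches it when the core link bridges VLAN 126.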
 