Problem with ap 225 scenario.

Also known as OmniAccess Instant AP
davidrunciman
Member
Posts: 37
Joined: 07 Mar 2012 14:55

Problem with ap 225 scenario.

Post by davidrunciman »

Hello to all, I'm having a problem with an AP deployment.

In this client, I have VLAN 1 (where I have a /23 mask) and several other VLANs, one of which is VLAN 50.
On VLAN 1 I have my AP controller and the other AP devices (all of them are Alcatel 225). On that VLAN, I have the provider's router, which has the internet access. My AP controller has two SSIDs: one SSID on VLAN 1, one on VLAN 50. Because I have no access to the provider's router, the AP controller is supposed to give internet access to the users in VLAN 50 through a NAT (DHCP in VLAN 50 is also given by the AP controller). This scenario works OK when I connect to the AP controller (both the SSID on VLAN 1 and the one on VLAN 50 work OK), but when I connect to any other AP (which are connected to another switch through trunk ports), it fails: the SSID on VLAN 1 works OK, but the SSID on VLAN 50 does not work.

I have already checked the connection between the core switches and the border switches; the VLANs are passing through the uplinks without any problem.

Any help would be appreciated.

This is the config of the ap controller:

Controller Datacenter# show configuration
version 6.4.2.0-4.1.1
syslocation "Data center"
virtual-controller-country PE
virtual-controller-key e9230b23016a178bd1f22a38ee7dc1d6f8bbc09aa6304a04bb
name WCV-1-Master
virtual-controller-ip 172.20.0.72
virtual-controller-vlan 1 255.255.254.0 172.20.0.1
terminal-access
telnet-server
clock timezone Lima -05 00
rf-band all

allow-new-aps
allowed-ap 18:64:72:ca:f8:6a
allowed-ap 18:64:72:ca:f9:1c
allowed-ap 18:64:72:ca:f8:38
allowed-ap 18:64:72:ca:f8:56
allowed-ap 18:64:72:c8:5d:ba
allowed-ap 18:64:72:c8:5e:94
allowed-ap 18:64:72:ca:fa:34
allowed-ap 18:64:72:ca:fa:1c
allowed-ap 18:64:72:c8:5d:9e
allowed-ap 18:64:72:ca:fa:16
allowed-ap 18:64:72:ca:f8:00
allowed-ap 18:64:72:c8:5e:4c
allowed-ap 18:64:72:ca:fa:0a
allowed-ap 18:64:72:c8:5d:20
allowed-ap 18:64:72:ca:fa:2e
allowed-ap 18:64:72:c8:d7:02
allowed-ap 18:64:72:c8:d5:a0
allowed-ap 18:64:72:c8:d5:66
allowed-ap 18:64:72:c8:d5:64
allowed-ap 18:64:72:c8:d5:ec

routing-profile
route 0.0.0.0 0.0.0.0 172.20.0.1


arm
wide-bands 5ghz
80mhz-support
min-tx-power 18
max-tx-power 127
band-steering-mode prefer-5ghz
air-time-fairness-mode fair-access
client-aware
scanning

internal-domains
domain-name limh1dc.intit.net

syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless


extended-ssid

content-filtering



user david 26b7f5f7dffe220a05f2cb76b16a26efacbcf493a17bd987 portal
user felipe 7249cc5a1f0c37cad50b92b7e47e96d4742c8652396843b2 portal


mgmt-user admin 369d20df1cddb5ff1bd0f60a5b787d62

wlan access-rule default_wired_port_profile
index 0
rule any any match any any any permit

wlan access-rule wired-instant
index 1
rule masterip 0.0.0.0 match tcp 80 80 permit
rule masterip 0.0.0.0 match tcp 4343 4343 permit
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit

wlan access-rule invitados
index 2
rule any any match any any any permit

wlan access-rule wc_eth0
index 3
rule any any match any any any permit

wlan access-rule Ilender-SantaClara
index 4
rule any any match any any any permit

wlan ssid-profile invitados
enable
index 0
type employee
essid invitados
wpa-passphrase c39502d13592df345cc0a0ba72e594372bc4431f26d34b96
opmode wpa2-psk-aes
max-authentication-failures 0
vlan 50
auth-server InternalServer
rf-band all
captive-portal disable
dtim-period 1
inactivity-timeout 1000
broadcast-filter arp
content-filtering
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
dot11r

wlan ssid-profile Ilender-SantaClara
enable
index 1
type employee
essid Ilender-SantaClara
wpa-passphrase 3431412ae94ce507d77e6ef992bf12e0101e335d97713a17
opmode wpa2-psk-aes
max-authentication-failures 0
vlan 1
auth-server InternalServer
rf-band all
captive-portal disable
dtim-period 1
inactivity-timeout 1000
broadcast-filter arp
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
dot11r

auth-survivability cache-time-out 24



dpi

wlan captive-portal
background-color 13421772
banner-color 16750848
banner-text "Welcome to Guest Network"
terms-of-use "This network is not secure, and use is at your own risk"
use-policy "Please read terms and conditions before using Guest Network"
authenticated

wlan external-captive-portal
server localhost
port 443
url "/"
auth-text "Authenticated"
auto-whitelist-disable
https


blacklist-time 3600
auth-failure-blacklist-time 3600

ids classification

ids
wireless-containment none

ip dhcp invitados
server-type Local
server-vlan 50
subnet 172.50.0.0
subnet-mask 255.255.255.128
dns-server 208.67.220.220


wired-port-profile wired-instant
switchport-mode access
allowed-vlan all
native-vlan guest
no shutdown
access-rule-name wired-instant
speed auto
duplex auto
no poe
type guest
captive-portal disable
no dot1x
inactivity-timeout 1000

wired-port-profile default_wired_port_profile
switchport-mode trunk
allowed-vlan all
native-vlan 1
no shutdown
access-rule-name default_wired_port_profile
speed auto
duplex full
no poe
type employee
captive-portal disable
no dot1x
inactivity-timeout 1000

wired-port-profile wc_eth0
switchport-mode access
allowed-vlan all
native-vlan guest
no shutdown
access-rule-name wc_eth0
speed auto
duplex auto
poe
type employee
auth-server InternalServer
captive-portal disable
no dot1x
inactivity-timeout 1000


enet0-port-profile wc_eth0
enet1-port-profile wc_eth0

uplink
preemption
enforce none
failover-internet-pkt-lost-cnt 10
failover-internet-pkt-send-freq 30
failover-vpn-timeout 180


airgroup
disable

airgroupservice airplay
disable
description AirPlay

airgroupservice airprint
disable
description AirPrint
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Problem with ap 225 scenario.

Post by silvio »

Are all switch ports to your APs tagging VLAN 50? The routing will always occur in your virtual controller. So the VLAN 50 packets have to find a way...
Best way with R6-OmniSwitches is to use mobile ports with mobile tagging for vlan 50.
regards
Silvio
davidrunciman
Member
Posts: 37
Joined: 07 Mar 2012 14:55

Re: Problem with ap 225 scenario.

Post by davidrunciman »

Thanks for the answer, Silvio.
All ports connected to an AP have VLAN 50 tagged. My core switches are Alcatel 6900; that's where I created my VLANs and the interfaces related to them. According to your comment, you think the problem is that VLAN 50 packets are received by the AP controller, but this AP controller doesn't know what to do with them? One curious behavior though: if I connect to the SSID invitados (which is VLAN 50) on the AP controller, the device can surf the internet with no problem, which doesn't occur with the SSID invitados of the other APs.

Hope you can answer me.
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Problem with ap 225 scenario.

Post by silvio »

Hi,
If I read it correctly you have an IAP (Instant AP). One of your IAPs is the virtual controller. With a hardware controller, all the APs make a tunnel to the controller and all the wireless traffic will break out at the controller. So you only need to tag this port with a VLAN. With IAP, all traffic will be bridged at the AP. In your case the packets from the second SSID are tagged.
You have written that you use NAT for VLAN 50. Where did you activate this?
regards
Silvio
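
An added example, not part of the thread or any poster's code: a small Python check of the point made in the reply above, that an Instant AP bridges client traffic locally, so every VLAN an SSID maps to must be tagged on each AP-facing switch port. The config excerpt is trimmed from the posted `show configuration`; the `UPLINK_TAGS` table, its port names, and the choice of VLAN 1 as the untagged native VLAN (taken from `native-vlan 1` in the posted default wired port profile) are assumptions for illustration.

```python
import re

# Trimmed from the `show configuration` output posted in the thread.
INSTANT_CONFIG = """\
wlan ssid-profile invitados
enable
essid invitados
vlan 50

wlan ssid-profile Ilender-SantaClara
enable
essid Ilender-SantaClara
vlan 1

ip dhcp invitados
server-type Local
server-vlan 50
"""

# Constructed sample: VLANs tagged on each switch port facing an AP.
# Port names and contents are hypothetical, not the poster's switches.
UPLINK_TAGS = {
    "core 1/1 (virtual controller AP)": {50},
    "edge 1/5 (member AP)": {50},
    "edge 1/6 (member AP)": set(),
}

def ssid_vlans(config):
    """Map each SSID profile name to the client VLAN it assigns."""
    result = {}
    for stanza in re.split(r"\n\s*\n", config.strip()):
        lines = [ln.strip() for ln in stanza.splitlines()]
        header = re.fullmatch(r"wlan ssid-profile (\S+)", lines[0])
        if not header:
            continue  # not an SSID stanza (e.g. the DHCP scope)
        for ln in lines[1:]:
            m = re.fullmatch(r"vlan (\d+)", ln)
            if m:
                result[header.group(1)] = int(m.group(1))
    return result

def missing_tags(config, uplinks, native_vlan=1):
    """Return {port: [VLANs an SSID needs but the port does not tag]}."""
    needed = set(ssid_vlans(config).values()) - {native_vlan}
    gaps = {}
    for port, tagged in uplinks.items():
        lacking = sorted(needed - tagged)
        if lacking:
            gaps[port] = lacking
    return gaps

if __name__ == "__main__":
    for port, vlans in missing_tags(INSTANT_CONFIG, UPLINK_TAGS).items():
        print(f"{port}: SSID VLANs not tagged -> {vlans}")
```
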
davidrunciman
Member
Posts: 37
Joined: 07 Mar 2012 14:55

Re: Problem with ap 225 scenario.

Post by davidrunciman »

In the end, Alcatel support helped us remotely.
Thanks all for your replies.