Solved

Need help with a VLAN

Posted on 2014-03-05
19
408 Views
Last Modified: 2014-03-14
Hello,

I have a main network closet with a Netgear 12-port fiber switch. From that switch, I have a fiber connection to 6 cottages. In each cottage, ports 1-4 each have an Aruba AP-105 connected. Port 5 is the trunk port back to the main network closet, ports 6-24 are VLAN 12, which is the guest network, and 25-48 are VLAN 11, which is the private network. VLAN 1 is the default management VLAN. VLAN 11 is 192.168.1.0 and VLAN 12 is 192.168.2.0.

Here is the issue: When I originally set this up, all of the Arubas could find each other and it auto-creates a mesh network. I went onsite today, and the APs are pulling a 192.168.2.0 IP as they should, but I can only access/ping the APs if I'm on VLAN 11 with an IP of 192.168.1.0. And each AP is acting on its own. I can log in to each of them individually, but they are not finding each other, probably because of my misconfiguration in the VLAN somewhere.

Ports 1-4 are tagged for VLAN 11 and 12, and VLAN 1 is untagged, which is the default, and it won't let me change that.
0
Question by:seanrhudy
19 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 39907360
What do the routing tables on the Netgear look like?

Can the APs ping each other on VLAN 11?
0
 

Author Comment

by:seanrhudy
ID: 39907387
The Arubas don't have a ping tool, so I'm not sure... Here is the route table:

Default   0.0.0.0        0.0.0.0                            192.168.11.1   1
Static    192.168.1.0    255.255.255.0   Local   VLAN 11    0.0.0.0        1
Static    192.168.2.0    255.255.255.0   Local   VLAN 12    0.0.0.0        1
Static    192.168.11.0   255.255.255.0   Local   VLAN 1     0.0.0.0        1
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39907457
Does the Netgear have IP addresses in each of the VLANs?

Can you look at the routing tables in the Aruba?  Do they look correct?
0
 

Author Comment

by:seanrhudy
ID: 39907476
It does not, it only has an IP in VLAN 11.

I don't believe I can view the routing table in the Aruba, but I will research that.
0
 

Author Comment

by:seanrhudy
ID: 39907573
I'm trying to figure out if the settings in the AP or the VLAN settings in the switches are the issue.  In the AP, I have the option to change the "Uplink Management VLAN" which is set to default: 0 and in the "wired port profile" I can change the mode to trunk or access and can set the native VLAN.
0
 

Author Comment

by:seanrhudy
ID: 39907586
I have an SSID for VLAN 11 and an SSID for VLAN 12, and both are pulling the correct IP range through DHCP. The PVID setting on the ports that the APs are connected to is set to 12, so the APs themselves are pulling the correct IPs.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39907659
So the switch only has an IP address in VLAN11.

Is there another device that has an IP address in VLAN1 and VLAN11 or in VLAN12 and VLAN11?

What I'm trying to figure out is how traffic in VLAN1 or VLAN12 would get routed to VLAN11. Since the switch does not have an IP address in VLAN1 or VLAN12, it can't route traffic to/from VLAN11. Do you understand what I'm saying?
0
 

Author Comment

by:seanrhudy
ID: 39907667
We don't want traffic to be routed between VLANs.
0
 

Author Comment

by:seanrhudy
ID: 39907763
Can't we tag VLAN 11 and 12 on ports 1-4 on the switches but have a PVID of VLAN 12? Then shouldn't they all be able to see each other?
0

 

Author Comment

by:seanrhudy
ID: 39907801
For example, if I connect to the SSID for VLAN11, I can ping and access devices across all cottages.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39908213
--> We don't want traffic to be routed between VLANs.

Then "... but I can only access/ping the AP's if I'm on VLAN 11 with an IP of 192.168.1.0." makes sense. You should only be able to ping them if you are on the same VLAN if you are not routing.

If you are not routing between VLAN/IP subnets, then you can only ping a device when you are on the same VLAN/IP subnet.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39908217
--> Can't we Tag VLAN 11 and 12 on port 1-4 on the switches but have a PVID of VLAN 12, then shouldn't they all be able to see each other?

No. To talk to an IP address that is NOT on the same IP subnet as you, you must route the traffic. Without routing, they can't talk to each other.
0
 

Author Comment

by:seanrhudy
ID: 39908251
"the AP's are pulling a 192.168.2.0 IP as they should, but I can only access/ping the AP's if I'm on VLAN 11 with an IP of 192.168.1.0.  And each AP is acting on it's own"

See above comment. 192.168.2.0 is VLAN 12... which is what the APs are on. I CAN access them from VLAN 11, NOT VLAN 12.

"--> Can't we Tag VLAN 11 and 12 on port 1-4 on the switches but have a PVID of VLAN 12, then shouldn't they all be able to see each other?"

When I say that they should all be able to see each other... I mean all of the APs that are on VLAN 12.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39908266
Make sure I have this right:

VLAN1 = 192.168.11.0/24 Management -- I will call this ".11"
VLAN11 = 192.168.1.0/24 Private -- I will call this ".1"
VLAN12 = 192.168.2.0/24 Guest -- I will call this ".2"

You said that the AP's are pulling IP address 192.168.2.0/24. I am assuming you mean the guests that connect to the AP's wirelessly get addresses within this range, not the actual AP's.

Since you have VLAN11 and VLAN12 tagged to the AP's and the guests get ".2", I assumed that the AP's themselves are getting addresses on ".1", because you should NEVER assign an AP an address within the same subnet that guests connect on. It also makes sense that the AP's would be on ".1" since you can only ping them when you are on ".1".

Do the AP's have a CLI where you can pull a text config file? If so, can you clean up any private information and post it here?
0
 

Author Comment

by:seanrhudy
ID: 39908269
No, the APs themselves are pulling a .2 address, and the port they are plugged into has a PVID of VLAN12, but I can only access them when my laptop is on VLAN11.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39908335
Things are not making sense to me. What model Netgear switch do you have?

You stated that the Netgear switch ports that the AP's are connected to have VLAN 11 and 12 tagged and VLAN 1 untagged.

Then you stated that the ports they are connected to have a PVID of VLAN 12. Typically PVIDs are untagged, as they are the default VLAN for all untagged frames. You can't have two untagged VLANs on a port, and you definitely can't have two default VLANs on a port.
0
 

Accepted Solution

by:seanrhudy (earned 0 total points)
ID: 39916059
The issue was that I had the port untagged on the switch side, but tagged in the AP's config. Once I changed the AP config, everything came up.
0
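The accepted solution (VLAN 12 untagged/PVID on the switch port but tagged in the AP's uplink config) and giltjr's earlier point that a PVID is the VLAN untagged frames are classified into can both be checked with a small model of 802.1Q frame classification. This is an added example for the thread, not Netgear or Aruba code; the port and AP settings below are constructed to match what the thread describes, and the classification rules are the generic 802.1Q ones (untagged ingress lands in the PVID, a tagged frame is accepted only if the port is a tagged member of that VLAN). The switch "fabric" here forwards within a VLAN only, since the thread states nothing routes between VLANs.

```python
"""Constructed model of 802.1Q tagging agreement between a switch port and the
AP uplink plugged into it.  Not vendor code: a generic 802.1Q classifier used
to show why a tagged-vs-untagged mismatch on VLAN 12 isolates the APs."""
from dataclasses import dataclass
from ipaddress import ip_interface

UNTAGGED = 0  # frame carries no 802.1Q tag (VID 0 is never a real VLAN)


@dataclass(frozen=True)
class Dot1qPort:
    """One end of a link: a switch port or an AP's wired uplink.

    pvid   - VLAN that untagged frames are classified into and sent untagged
    tagged - VLANs this end sends and accepts with an 802.1Q tag
    """
    pvid: int
    tagged: frozenset = frozenset()

    def classify(self, tag):
        """VLAN an arriving frame belongs to, or None if this end drops it."""
        if tag == UNTAGGED:
            return self.pvid
        return tag if tag in self.tagged else None

    def emit(self, vlan):
        """Tag put on an outgoing frame for `vlan`: UNTAGGED, the VID, or None
        if this end is not a member of the VLAN at all."""
        if vlan == self.pvid:
            return UNTAGGED
        return vlan if vlan in self.tagged else None


def mgmt_reachable(ap_a, port_a, port_b, ap_b, mgmt_vlan):
    """Can AP A's management traffic (which A places in mgmt_vlan) reach
    AP B's management interface via switch port A -> fabric -> switch port B?
    The fabric only bridges within a VLAN; the cottage trunks are assumed to
    carry every VLAN tagged, so they do not change the VLAN number."""
    tag = ap_a.emit(mgmt_vlan)
    if tag is None:
        return False                      # AP cannot send that VLAN at all
    vlan_in_switch = port_a.classify(tag)
    if vlan_in_switch is None:
        return False                      # switch port dropped the frame
    tag_out = port_b.emit(vlan_in_switch)
    if tag_out is None:
        return False                      # far port is not in that VLAN
    return ap_b.classify(tag_out) == mgmt_vlan


def same_subnet(iface_a, iface_b):
    """True if two hosts share an IP subnet and can talk without a router,
    e.g. a VLAN 11 laptop (192.168.1.x) versus a VLAN 12 AP (192.168.2.x)."""
    return ip_interface(iface_a).network == ip_interface(iface_b).network


# Constructed to match the thread: switch AP-facing port with VLAN 12 as the
# untagged PVID and VLAN 11 tagged (VLAN 1 left out for brevity).
SWITCH_PORT = Dot1qPort(pvid=12, tagged=frozenset({11}))
# Broken AP uplink: management VLAN 12 sent *tagged*, native VLAN left at 1.
AP_TAGGED_12 = Dot1qPort(pvid=1, tagged=frozenset({11, 12}))
# Fixed AP uplink: VLAN 12 is the native (untagged) VLAN, matching the PVID.
AP_FIXED = Dot1qPort(pvid=12, tagged=frozenset({11}))


def demo():
    """Return (broken, fixed): AP-to-AP management reachability on VLAN 12."""
    broken = mgmt_reachable(AP_TAGGED_12, SWITCH_PORT, SWITCH_PORT, AP_TAGGED_12, 12)
    fixed = mgmt_reachable(AP_FIXED, SWITCH_PORT, SWITCH_PORT, AP_FIXED, 12)
    return broken, fixed


if __name__ == "__main__":
    broken, fixed = demo()
    print("AP tags VLAN 12, switch has it as untagged PVID -> reachable:", broken)
    print("AP sends VLAN 12 untagged to match the PVID     -> reachable:", fixed)
    print("VLAN 11 laptop to VLAN 12 AP without routing    -> same subnet:",
          same_subnet("192.168.1.20/24", "192.168.2.5/24"))
```

In the broken case the AP tags its own frames with VID 12, but the switch port is only an untagged member of VLAN 12, so the tagged frame is discarded on ingress and the APs never see one another's mesh traffic. Once the AP sends VLAN 12 untagged, the PVID classifies it correctly in both directions. The `same_subnet` check restates giltjr's point: a laptop on 192.168.1.0/24 and an AP on 192.168.2.0/24 need a router with an interface in both VLANs, which this switch does not have.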
 
LVL 57

Expert Comment

by:giltjr
ID: 39916089
Glad you figured it out.

However

1) A little clearer description of your setup may have helped resolve this sooner.

2) Obviously somebody changed something, or this would have never been working.
0
 

Author Closing Comment

by:seanrhudy
ID: 39928703
Solution
0
