Wireless Access

  • 1.  Extending wired access to additional switch from Aruba RAP 503H wired E1/E2 ports

    Posted Mar 22, 2022 06:56 AM
    Hi community 

    In one of our locations we have some Aruba 503H as RAPs. They work under a cluster of controllers and a Mobility Controller in our central location.
    The idea was to use them for wireless and wired access. We have set up 3 wireless networks, mainly in split-tunnel mode. In wireless it seems to work fine.
    We have also set up wired access by enabling wired AP and split tunnel also on wired AP, and it seems to be working fine when connecting laptops directly to the E1 and E2 ports of the Aruba 503s.
    What's more, I would like to use an additional switch (the Aruba 503H has only 2 built-in ports) connected to E1/E2 to connect additional devices: I would like those additional devices to also be split-tunneled like the other devices.
    The problem is that when connecting devices via the additional switch (Aruba 1930 Instant On switch) they don't get an IP address and have no connectivity.

    Is this architecture possible at all? If possible, what more config should I set up?

    In the aaa profile I use the same role as for wireless users (with source nat), but with no 802.1x auth like on our wireless access.
    In wired AP I have split tunnel enabled, access mode and trust unchecked (it seems not possible to enable trust in this mode).

    Best regards 
    I appreciate any help 

    Karol




    ------------------------------
    Karol Karkowski
    ------------------------------


  • 2.  RE: Extending wired access to additional switch from Aruba RAP 503H wired E1/E2 ports

    Posted Mar 23, 2022 02:30 AM
    Hey Karol!

    Yes this is indeed possible. You would not want the port to be trusted since that would not place any of the incoming users into a user role and it's in the user role you define your preference for split-tunneling. So part 1 of this answer is about the access when directly connecting to the RAP port, do you get the proper user-role, ip-address and access that you expect? I guess that the port is configured with one untagged VLAN only and no authentication?

    If so, you could connect the switch directly to the port of the RAP and make sure that all the ports on the switch are configured for "untagged" access ports. Also make sure that the port going to the RAP doesn't get blocked for any reasons such as STP/BPDU guard or similar. You might also want to check on the port of the AP so that it remains up and unblocked when the switch is connected. Then connect your clients to the switch, they should be forwarded on the untagged VLAN up to the untagged VLAN on the RAP and get the initial role configured in your AAA profile and work in the same way as when you're directly connected to the RAP port.

    Good luck!
    Chris


  • 3.  RE: Extending wired access to additional switch from Aruba RAP 503H wired E1/E2 ports

    Posted Mar 23, 2022 05:35 PM
    Hi Chris 

    Thank You for your post, it gives me hope :)

    Ad. 1 Yes, when connected directly to the E1/E2 port with a laptop I've got the right user-role, IP address and access. You are right, E1/E2 ports are configured as access and vlan 1 untagged (Generally in this location there is only one vlan, but a second vlan was created to separate local access and access for split-tunneled users).
    Ad. 2 Yes, I have supposed the same, I have disabled STP on the switch and AP to be sure it won't be blocked. But probably there is something which blocks. I will try with a different switch like the Aruba 2930, maybe this is a problem with the 1930.

    Do You think that I should check any other settings on RAP ?

    Regards

    Karol

    -------------------------------
    ACDX #1256, ACMP, ACCP, ACSP

    ------------------------------
    Karol Karkowski
    ------------------------------



  • 4.  RE: Extending wired access to additional switch from Aruba RAP 503H wired E1/E2 ports

    Posted Mar 25, 2022 03:00 AM
    Hi Karol!

    Not that I can think of at this moment, perhaps try it and validate with show user and show ap debug port status ap-name <RAP-name>

    Get back on the thread with your findings if you need more help!

    Cheers,
    Chris