Ap Dns Hive-Manager

  • 2
  • Question
  • Updated 5 months ago
Hello, I am testing a new network; however, when I enter HiveManager - Monitor - and edit an AP, I see that I can switch the DHCP team to use a static IP, but I do not see any DNS configuration.

I only see it in the creation of the network policy, but I think this would be for some SSID and not for the team.

Could you tell me where I can change the static DNS for the team via HiveManager? I refer to the DNS that the team would use to resolve the domain and be able to connect to the console.

Another query: if my firewall is performing DHCP for the users and I assign VLAN x to an SSID, must I still create some DHCP relay on the AP, or would it not be necessary?

Thank you
thanks

Danilo Arias

  • 22 Posts
  • 0 Reply Likes

Posted 5 months ago

  • 2

Carsten Buchenau, Champ

  • 356 Posts
  • 117 Reply Likes
Honestly, I think you are mixing a few things here...

Access Points are inside a management VLAN, and they either receive their IP address (and then usually DNS server information as well) from the DHCP server for that VLAN, or you configure a static IP (you found the place). In the latter case, you configure DNS servers the APs would use to resolve domain names via Configuration / Network Policy / Additional Settings / Management Server Settings / DNS Server. This one is important, for APs to resolve DNS names of configured NTP servers (same place).

I assume that with "Team" you mean administrators? Well, they would receive their IP & DNS settings from the admin-VLAN's DHCP server. If you don't have a DHCP server, you configure your admin clients statically, IP and DNS. Nothing to do with Aerohive... unless with "Team" you mean something else??


Your other question: You configure your SSID and then link at least one user profile. Inside the user profile you define a VLAN object to be used. Let's say the VLAN-ID is 100 - you then make sure that your switch port is configured with VLAN 100 tagged. And of course you have a router configured with an interface in VLAN 100. And either you have a DHCP server inside that VLAN as well (could be the router!), or you configure the router as DHCP relay. Normally there is nothing to do on the Aerohive side.

Having said that: There are ways to configure DHCP settings on the Aerohive side. But usually this is only recommended in small or very specific environments. Usually you do this in your network infrastructure (Router, Firewall, Windows or Linux Server, ...).


Hope this helps.

Danilo Arias

  • 22 Posts
  • 0 Reply Likes
Hello

To clarify a bit, on my firewall I have 3 subinterfaces:

sub x administration  DHCP temporary
sub y guests with DHCP
sub z wireless with DHCP

In this case I want the AP to have a static address in the administration VLAN x, which I can do from HiveManager (temporarily it has an IP by DHCP).

If I change to a static IP without having any SSID, because of DNS issues will the AP not come back up in the HiveManager console, since it will not be able to resolve domain names?

As you say the DNS can be added via Network Policies; in that case, if you just want to leave the AP manageable with a static IP from HiveManager without any SSID, would you have to leave DHCP or set the DNS via the console CLI?

If you deploy the network policy with a DNS, will this DNS overwrite the DNS that the temporary DHCP server sends?

Finally, if you install a network policy (for the DNS and an SSID) and configure the static IP along with the administration VLAN, how do I know that the configuration was uploaded to the AP, so that I can change the port on the switch and the AP does not roll back on me?

Thank you

Carsten Buchenau, Champ

  • 356 Posts
  • 117 Reply Likes
"If I change to a static IP without having any SSID, because of DNS issues will the AP not come back up in the HiveManager console, since it will not be able to resolve domain names?"
If I am not mistaken, once a HiveManager was found, the AP stores & uses its IP address. You can see this by logging into the AP via CLI and issuing the command "show capwap client":

#show capwap client
CAPWAP client:   Enabled 
CAPWAP transport mode:  UDP
RUN state: Connected securely to the CAPWAP server 
CAPWAP client IP:        192.168.0.249
CAPWAP server IP:        34.240.236.55
HiveManager Primary Name:hm-emea-186.aerohive.com
HiveManager Backup Name: 
CAPWAP Default Server Name: redirector.aerohive.com


You see that the AP is registered with HM hm-emea-186.aerohive.com, and it has resolved it to IP 34.240.236.55.
Again, if I remember right, after reboot the AP will try that IP first, and only if it cannot reach it, it will try to resolve hm-emea-186.aerohive.com via DNS again.

"As you say the DNS can be added via Network Policies; in that case, if you just want to leave the AP manageable with a static IP from HiveManager without any SSID, would you have to leave DHCP or set the DNS via the console CLI?"
Just create an "empty" Network Policy, without any SSID associated, but with the DNS object linked via additional settings.

If you leave it empty, and you still have your DHCP server running in the network, the AP should take the DNS (and NTP) server information from there, even if you had configured it with a static IP. Which can sometimes be an important setup, e.g. when you don't have control over the DNS servers (some other administrators might change their IP addresses without telling you...), but you must fix APs with static IP (AP configured as Radius server or proxy, direct SNMP access for monitoring, ...).

"If you deploy the network policy with a DNS, will this DNS overwrite the DNS that the temporary DHCP server sends?"
Yes.

"Finally, if you install a network policy (for the DNS and an SSID) and configure the static IP along with the administration VLAN, how do I know that the configuration was uploaded to the AP, so that I can change the port on the switch and the AP does not roll back on me?"
Hmmm.... if you change the AP's VLAN settings in a way that it would not have network connectivity with the existing switch port settings, it would roll back its configuration, yes. So you have to be quick :-)

Anyway, looking at your screenshot, I see that you intend to change the Management VLAN for 1 AP directly in the AP settings. When you push that, without changing the native VLAN to 100 as well, then yes: the AP is expecting VLAN 100 to be tagged on the switch port. As in your top diagram on the right-hand side.

You can do this, but the better way to do this globally for all VLANs is via Network Policy / Management and Native VLAN Settings.

Change the Management VLAN to 100, keep Native VLAN on 1, and you are done. If you (temporarily) ensure that VLAN 1 works as well, you are done, and are not too much in a hurry to change your switch port settings.

By the way: You are not obliged to do it that way. You can keep the management VLAN untagged on your switch ports, and only tag the user VLANs. For small environments this is often preferred, as easier to handle and to troubleshoot.
Best practice here would be:
  • Switch port: 100 untagged, y + z tagged
  • APs: 100 as management AND 100 as native VLAN -> this receives and sends untagged frames for management.
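A small model of the tagging rules behind the roll-back discussion above (added example, not Aerohive code): it assumes the AP sends its management VLAN untagged when it equals its native VLAN and tagged otherwise, and that the switch port drops tagged frames for VLANs it does not carry. It walks through the scenarios in this thread, with the VLAN ids for y and z constructed as 20 and 30.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SwitchPort:
    native_vlan: int                       # PVID: untagged ingress lands here
    tagged_vlans: frozenset = frozenset()  # VLANs carried with an 802.1Q tag


@dataclass(frozen=True)
class ApEthernet:
    mgmt_vlan: int    # VLAN the AP's management IP (CAPWAP, DNS, NTP) lives in
    native_vlan: int  # VLAN the AP sends and receives untagged


def ap_frame_tag(ap: ApEthernet):
    """Tag the AP puts on its management frames; None means untagged.
    Assumption: untagged when management VLAN == native VLAN, else tagged."""
    return None if ap.mgmt_vlan == ap.native_vlan else ap.mgmt_vlan


def switch_ingress_vlan(port: SwitchPort, tag):
    """VLAN the switch places an ingress frame in, or None if it drops it."""
    if tag is None:
        return port.native_vlan
    return tag if tag in port.tagged_vlans else None


def ap_ingress_vlan(ap: ApEthernet, tag):
    """Mirror of switch_ingress_vlan for frames arriving at the AP."""
    if tag is None:
        return ap.native_vlan
    return tag if tag == ap.mgmt_vlan else None


def mgmt_path_ok(ap: ApEthernet, port: SwitchPort) -> bool:
    """True if management traffic survives in both directions; False means
    the AP would lose HiveManager reachability and roll the change back."""
    if switch_ingress_vlan(port, ap_frame_tag(ap)) != ap.mgmt_vlan:
        return False                       # AP -> switch direction broken
    reply_tag = None if ap.mgmt_vlan == port.native_vlan else ap.mgmt_vlan
    if reply_tag is not None and reply_tag not in port.tagged_vlans:
        return False                       # switch does not carry that VLAN
    return ap_ingress_vlan(ap, reply_tag) == ap.mgmt_vlan  # switch -> AP


if __name__ == "__main__":
    old_port = SwitchPort(native_vlan=1)                                   # before any change
    tagged_port = SwitchPort(native_vlan=1, tagged_vlans=frozenset({100, 20, 30}))
    best_port = SwitchPort(native_vlan=100, tagged_vlans=frozenset({20, 30}))  # 100 untagged, y+z tagged
    print(mgmt_path_ok(ApEthernet(100, 1), old_port))     # False: AP tags 100, port drops it -> roll-back
    print(mgmt_path_ok(ApEthernet(100, 1), tagged_port))  # True: VLAN 100 tagged on the switch port
    print(mgmt_path_ok(ApEthernet(100, 100), best_port))  # True: best practice, untagged management
    print(mgmt_path_ok(ApEthernet(100, 1), best_port))    # False: AP still tags 100 after the port went untagged
```

The last two calls show why the order of changes matters: the AP side and the switch side have to agree on whether VLAN 100 is tagged or untagged, otherwise the AP rolls back as described above.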

Danilo Arias

  • 22 Posts
  • 0 Reply Likes
Hello

Thanks for your explanation. In summary, it seems the best option is to leave the native VLAN at 100 and the Management VLAN at 100, and in addition set VLAN 100 as native on the switch, and it would be ok.

But based on what you explained to me, that there is another way to assign VLANs via the network policy Management & Native VLAN: if I configure the values directly on the AP and then apply some network policy, could this overwrite the VLAN configuration? Or would it only occur if I change the default VLAN values in the network policy?

Thank you

Carsten Buchenau, Champ

  • 356 Posts
  • 117 Reply Likes
The Network Policy settings are the default for all APs inside that policy. What you then do on the AP overwrites these settings. Usually done when you have just a few APs in a special location where you cannot apply the global VLAN settings (e.g. due to switch limitations, a p2p link in between, ...).

We normally leave both empty (at AP level), which means that the global settings are used. Which basically means, that the management traffic is untagged.