Issue with Native and management VLANs

  • Updated 5 months ago
Hi All

We have about 140 AP130s. I never had to replace any of the APs until now; I had to RMA some of the access points and before putting them on the network I've started testing in the LAB first, but things don't seem to be working well.

I'll try to explain the best I can...

We have two management VLANs dedicated for access points, there are 4 VLANs for corp users and 1 VLAN for guests. There are several floors, hence 2 management VLANs and 4 corp VLANs.

All wifi clients connect fine.

We use HP switches running Comware and our links to APs are configured as hybrid ports; taking one of the switches as an example:

 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 320 330 332 tagged
 port hybrid vlan 32 untagged
 port hybrid pvid vlan 32
vlan 320 - management
vlan 330 - corp
vlan 332 - guest
vlan 32 - data for PCs

The idea is that when the AP boots up it gets an IP within VLAN 32, and it does. The IP range for that VLAN on the DHCP server is then configured to pass option 43 to the APs, which contains the IP address of our on-prem HiveManager.

The first issue is that I can see option 43 with a value being passed on to the APs by DHCP, but they don't take it in; at this stage the AP is stuck in VLAN 32 when it should be in VLAN 320. I can see in debug that it cycles through a few options to reach HM but never uses the details from option 43.

I've checked configuration on hive manager and I'm not sure if things have been configured correctly.

In addition, the management and native VLAN settings look like:

VLAN 312 is vlan for PC on one of the floors

MGTVLAN consists of VLAN-to-floor assignments and that looks fine.

I just don't understand the purpose of the native VLAN here; there is only one VLAN in this section. Do we need a list of native VLANs here?

Would this somehow be related to the issue I'm having?

Strange things are happening when I put the HM IP address on the AP manually with capwap server name 10.x.x.x. The AP starts talking to HM, then I upload the config onto the AP, it reboots and then its mgt0 interface ends up with a 192.168.x.x address, not being able to talk to HM anymore.

Any help would be much appreciated

Patryk Szenfeld

  • 38 Posts
  • 0 Reply Likes

Posted 5 months ago


Carsten Buchenau, Champ

  • 356 Posts
  • 117 Reply Likes
The native VLAN configured in Hivemanager is the untagged VLAN APs are using on their Ethernet port. That means: Any untagged traffic coming in is matched by the AP to VLAN 312, and if you would have a user profile matching VLAN 312, that traffic would be sent untagged on the port.

As your management VLAN is configured to be a different VLAN (assuming the object MGTVLAN resolves into VLAN 320), all AP management traffic is expected to come in as tagged, VLAN 320, and is also sent back out tagged (again, 320).

A new AP has the setting 1 - 1, so Management & Native VLAN are ID 1 AND - important - THE SAME. So management traffic is simply expected and sent untagged. You would get the same if you would configure both Management and Native on 320, for example.

Now, your new AP gets connected, and put on your switch port into the untagged VLAN - 32.
Not being able to reach the Hivemanager via DHCP option:
- maybe the format is not correct. Check that!
- I would also try DNS, easier to setup & troubleshoot. So if your DNS server can resolve hivemanager.your-domain-via-dhcp to your HM's IP address, the AP would use that one to find its Hivemanager.

You then push the config and lose connectivity again... not sure here. Which IP Subnet is it supposed to be in (VLAN 320)? Do you have a DHCP server here?

Patryk Szenfeld

  • 38 Posts
  • 0 Reply Likes
Thanks for reply Carsten

My MGTVLAN doesn't contain vlan 312 at all, it only contains two management vlans 320 and 321 which split all the floors in half so vlan 320 covers AP's between ground floor and the 5th and vlan 321 covers AP's in other half of the building. Then in "matching devices" AP's are assigned correctly to the floors.

Regarding new APs: on the switch they are visible in VLAN 32 and get an IP address within that range.

I'm still not clear on native and management VLANs. I understand tagging etc., I just don't get the purpose of the native VLAN from the AP's perspective.

Having 10 floors with different VLANs for PCs, one of which is used as the native VLAN for APs, makes me ask the question: why don't we have multiple native VLANs? Is this even possible?

Imagine this: I plug my AP in on the second floor, it lands in VLAN 32 initially, the native VLAN on HM is configured as 312, but this particular VLAN is not available on this floor. Shouldn't there be another native VLAN on HM, 32?

So yes, the APs get plugged into VLAN 32 and wait for DHCP options:

- format: it seems in option 43 we have the IP address of HM in hex, so it looks something like this: xx:xx:xx:xx. I have captured traffic on that switch port and was seeing option 43 being passed on to the AP as per above but without colons. Is this the correct format?
Either way I've tried changing opt 43 on our DHCP to IP and HEX with no colons still no good.

- opt 225 DNS: I was just going to try it, but as far as I can see in my capture the AP is not even requesting this. I may be misreading the capture; the below is a part of the DHCP discovery broadcast by an out-of-the-box AP, and I can't see this option available on our Infoblox server either, so I'm stuck with options 43 and 226.

When I push the config after configuring the IP address of HiveManager manually, the AP should land in VLAN 320, and yes there's a DHCP server, but instead the AP assigns itself its default address, and in show mgt0 I can see VLAN ID 321, native VLAN 312.

312 native configured on HM
321 management for floors 6-10
I'm on second floor

Just noticed something. Can we control the DHCP options to be used by APs in HM? The reason being, on the APs there's a command:
 mgt0 dhcp client option custom hivemanger-ip <number> ?
enter custom DHCP options ID, range 1-255
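Added example (not from the original thread, and not Aerohive's own code): a small Python helper that walks a DHCP options field, pulls out option 43, decodes a 4-byte payload as the HiveManager IPv4 address, and normalises the hex-with-colons, hex-without-colons and dotted-quad forms discussed above to the same four bytes. It assumes, as the thread describes, that the AP expects the raw 4-byte IP as the option 43 value; the sample packet bytes are constructed.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample DHCP options field (not a real capture): option 53 (message
# type = Offer), option 43 carrying 10.20.30.40 as raw bytes, then 255 (end).
SAMPLE_OPTIONS = bytes([53, 1, 2, 43, 4, 10, 20, 30, 40, 255])


def find_option(options: bytes, code: int) -> Optional[bytes]:
    """Walk the DHCP option TLVs and return the value of `code`, or None if absent."""
    i = 0
    while i < len(options):
        c = options[i]
        if c == 255:           # end-of-options marker
            break
        if c == 0:             # pad byte, has no length field
            i += 1
            continue
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if c == code:
            return value
        i += 2 + length
    return None


def hivemanager_ip_from_option43(payload: bytes) -> str:
    """Decode a 4-byte option 43 payload as a dotted-quad IPv4 address.

    Any other length (for example the ASCII text '10.20.30.40', which is
    11 bytes) is rejected, since the AP would not read it as an address.
    """
    if len(payload) != 4:
        raise ValueError(f"expected 4-byte IPv4 payload, got {len(payload)} bytes")
    return str(ipaddress.IPv4Address(payload))


def option43_payload_from_entry(entry: str) -> bytes:
    """Normalise a DHCP-server entry (dotted quad, 'xx:xx:xx:xx' or 'xxxxxxxx') to 4 bytes."""
    s = entry.strip()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", s):
        return ipaddress.IPv4Address(s).packed
    hexdigits = re.sub(r"[:\-\s]", "", s)
    if re.fullmatch(r"[0-9a-fA-F]{8}", hexdigits):
        return bytes.fromhex(hexdigits)
    raise ValueError(f"unrecognised option 43 value: {entry!r}")
```

Comparing `option43_payload_from_entry()` of what was typed into the DHCP server against `find_option(..., 43)` from a capture shows directly whether the server emits the bytes the AP is waiting for.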

Carsten Buchenau, Champ

  • 356 Posts
  • 117 Reply Likes
Regarding VLANs, rules of thumb:

  • The native VLAN is the untagged VLAN, on switches often called the PVID.
  • If management and native VLANs are the same, AP management traffic is expected and sent untagged
  • If they are different, AP management traffic is expected and sent tagged
  • The VLANs used for user traffic, as defined by the user profiles, are usually sent tagged - unless one of those VLANs is the same ID as the native VLAN, in which case the user traffic is expected and sent untagged.
In many environments, if they are not too big, we see the following settings:

  • Management = native VLAN -> AP management traffic is untagged. Easy to setup, easy to troubleshoot
  • User VLANs are tagged

Honestly, I think you are trying to create a setup that might be too complicated for what you need. I suggest simplifying your setup, and then starting to add classification rules one by one.
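Added example (not from the original thread, and not Aerohive's or HP's code): a Python checker that parses the Comware hybrid port lines quoted earlier and applies the rules of thumb above to a given AP management VLAN, native VLAN and user-profile VLANs, listing where the AP's tagging expectations and the port's configuration disagree. The VLAN IDs are the ones from this thread; the rule that a native/PVID difference is harmless unless a user profile uses that VLAN follows the explanation given in the first reply.

```python
import re
from typing import Dict, List, Optional, Set

# The Comware hybrid port configuration quoted earlier in the thread.
SWITCH_PORT = """
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 320 330 332 tagged
 port hybrid vlan 32 untagged
 port hybrid pvid vlan 32
"""


def parse_hybrid_port(config: str) -> Dict[str, object]:
    """Collect the tagged VLANs, untagged VLANs and PVID from 'port hybrid ...' lines."""
    tagged: Set[int] = set()
    untagged: Set[int] = set()
    pvid: Optional[int] = None
    for line in config.splitlines():
        line = line.strip()
        m = re.fullmatch(r"port hybrid vlan ([\d ]+?) (tagged|untagged)", line)
        if m:
            ids = {int(v) for v in m.group(1).split()}
            (tagged if m.group(2) == "tagged" else untagged).update(ids)
            continue
        m = re.fullmatch(r"port hybrid pvid vlan (\d+)", line)
        if m:
            pvid = int(m.group(1))
    return {"tagged": tagged, "untagged": untagged, "pvid": pvid}


def check_ap_against_port(port: Dict[str, object], mgmt: int, native: int,
                          user_vlans: List[int]) -> List[str]:
    """Apply the rules of thumb and list where the AP and the switch port disagree."""
    tagged, pvid = port["tagged"], port["pvid"]
    findings: List[str] = []
    # Management: untagged when mgmt == native, otherwise tagged with the mgmt ID.
    if mgmt == native:
        if pvid is None:
            findings.append(f"mgmt {mgmt} sent untagged but the port has no PVID")
    elif mgmt not in tagged:
        findings.append(f"mgmt {mgmt} sent tagged but {mgmt} is not tagged on the port")
    # User profiles: tagged unless the profile VLAN equals the native VLAN.
    for v in user_vlans:
        if v == native and pvid != v:
            findings.append(f"user VLAN {v} equals native, sent untagged, but PVID is {pvid}")
        elif v != native and v not in tagged:
            findings.append(f"user VLAN {v} sent tagged but is not tagged on the port")
    # Each side labels untagged frames locally; a difference only matters if a profile uses it.
    if native != pvid and native not in user_vlans:
        findings.append(f"info: native {native} differs from PVID {pvid}; harmless unless a profile uses {native}")
    return findings
```

Running it with mgmt 321 / native 312 against this port (the second-floor case described above) reports that 321 is not tagged on the port, which matches the lost connectivity after the config push.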

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
How many On-Premise HiveManagers do you have? If you only have one then I would recommend creating a hivemanager DNS A record, which the access points will use for HiveManager discovery. Using DHCP is traditionally for wireless LAN controller discovery when you have multiple wireless LAN controllers deployed across sites: access points at site A tunnel to the wireless LAN controller at site A, access points at site B tunnel to the wireless LAN controller at site B, and so forth. Using a DNS entry also has the advantage of HiveManager administrators/User Manager Admins/Operators just having to enter https://hivemanager into a web browser to get to the HiveManager login screen.

Patryk Szenfeld

  • 38 Posts
  • 0 Reply Likes
There are two; for some reason someone decided to have an active/standby pair.

Patryk Szenfeld

  • 38 Posts
  • 0 Reply Likes
Quick update: the issues with option 43 have been resolved; it was the DHCP server not configured correctly. Traffic captures 

I still can't figure out why some of the APs would be added to the wrong floor, ending up having the wrong native VLAN. It seems a detail, and it only requires extra work in HM when adding/replacing APs, moving APs to the right floors etc.

New site coming up soon and I'm hoping to get more involved this time, will insist on keeping things simpler.