SSID VLAN Subnet Issue - Some users getting wrong IP subnet from the SSID.

  • Question
  • Updated 4 years ago
  • Answered
I have a strange problem where my 2 SSIDs are sharing the same VLAN subnet when they have their own VLAN IDs. Some users are getting the correct subnet but some are getting it wrong. This is causing network disruption. Does anyone have an idea why this is happening?
Dorwin

Posted 4 years ago

Andrew MacTaggart, Champ
What is your setup like?

I personally have mgmt vlan, a native vlan, then assign vlans per floor per ssid + guest.

A user profile contains a grouping of settings that determine the QoS (Quality of Service), firewall policy permissions, tunnel policy, VLAN, and scheduled activation times for the users to whom you apply the profile. After a user associates with an Aerohive device on an SSID, the device assigns the user to a user profile. The device can make that assignment dynamically from attributes returned by a RADIUS authentication server or statically by using the default user profile set for the SSID.

Default VLAN: Choose the VLAN that you want to assign to traffic from members of this user profile. If you do not see the VLAN that you want to use, simply type it in the field and HiveManager automatically creates a new VLAN ID object. You can also click the New icon, and define a VLAN object, perhaps with additional settings that are not included when HiveManager creates it automatically. The device assigns traffic to this VLAN ID by default. However, if a user's AAA user group—configured on an external authentication server—has a VLAN ID defined, that is the VLAN to which the device assigns traffic from this user. In other words, a VLAN ID defined in an AAA user group supersedes a VLAN ID defined in a user profile.

The Aerohive cooperative control architecture has the concept of three broad planes of communication:

Control traffic refers to the communication among hive members for coordinating their actions.
Management traffic refers to traffic such as CAPWAP, SNMP, and SSH that administrators use to manage devices.
Data traffic refers to traffic generated by wireless and wired users. It is this type of traffic that devices process and forward.

By default, all three types of traffic use the native VLAN (typically VLAN ID 1). It is possible to assign data traffic to various VLANs based on the VLANs that you bind to various user profiles. In addition, you can isolate control and management traffic by defining a separate VLAN for these types of traffic too. To do that, you first define the VLAN object on this page and then assign it to the MGT Interface VLAN in a network policy.
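The precedence rule quoted above (a VLAN returned by the RADIUS user group supersedes the user profile's default VLAN) and the symptom in the question (staff clients landing in the other SSID's subnet) can be checked with a small audit script. This is an added example, not Aerohive code or anything from the thread; the subnets, MAC addresses and lease records are constructed, and the RADIUS attribute names follow RFC 3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID).

```python
import ipaddress

# Constructed mapping VLAN ID -> subnet. The thread names VLANs 32 and 36 but not their subnets.
VLAN_SUBNETS = {
    32: ipaddress.ip_network("10.0.32.0/24"),
    36: ipaddress.ip_network("10.0.36.0/24"),
}
# Default VLAN bound to each SSID's user profile, as described in the thread.
SSID_DEFAULT_VLAN = {"SSID1_VIP": 32, "SSID2_Staff": 36}


def effective_vlan(ssid, radius_attrs):
    """VLAN the AP should place a client in.

    radius_attrs holds attributes from the RADIUS Access-Accept. A usable VLAN
    assignment needs Tunnel-Type=VLAN (13), Tunnel-Medium-Type=IEEE-802 (6) and
    a numeric Tunnel-Private-Group-ID; otherwise the profile default applies.
    """
    ttype = radius_attrs.get("Tunnel-Type")
    medium = radius_attrs.get("Tunnel-Medium-Type")
    group = radius_attrs.get("Tunnel-Private-Group-ID")
    if ttype == 13 and medium == 6 and group is not None and str(group).isdigit():
        return int(group)
    return SSID_DEFAULT_VLAN[ssid]


def audit_leases(leases):
    """Flag clients whose IP is not inside the subnet of the VLAN they should be in.

    Each lease is a dict with mac, ssid, radius (attribute dict) and ip.
    Returns (mac, ssid, expected_vlan, actual_vlan_or_None) for each mismatch.
    """
    problems = []
    for lease in leases:
        expected = effective_vlan(lease["ssid"], lease["radius"])
        ip = ipaddress.ip_address(lease["ip"])
        actual = next((v for v, net in VLAN_SUBNETS.items() if ip in net), None)
        if actual != expected:
            problems.append((lease["mac"], lease["ssid"], expected, actual))
    return problems


# Constructed sample leases reproducing the symptom: one staff client in VLAN 32's subnet.
VIP_RADIUS = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "36"}
SAMPLE_LEASES = [
    {"mac": "aa:bb:cc:00:00:01", "ssid": "SSID2_Staff", "radius": {}, "ip": "10.0.36.20"},
    {"mac": "aa:bb:cc:00:00:02", "ssid": "SSID2_Staff", "radius": {}, "ip": "10.0.32.7"},
    {"mac": "aa:bb:cc:00:00:03", "ssid": "SSID1_VIP", "radius": VIP_RADIUS, "ip": "10.0.36.9"},
]

if __name__ == "__main__":
    for p in audit_leases(SAMPLE_LEASES):
        print("mismatch: mac=%s ssid=%s expected_vlan=%s actual_vlan=%s" % p)
```

Feed it the real DHCP lease table and the RADIUS reply attributes per user to see whether the misplaced clients share a RADIUS group or are getting the profile default with a wrong subnet.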
Dorwin
Hello Andrew! We have the same setup where the AP330s are connected to switchports that are trunks with native VLAN 31 of the MGT. The VLANs 32,33,34,35,36 are allowed on all switchports. The HM is connected to an access port on VLAN 31. The APs are getting their IPs from VLAN 31.

Now the issue is SSID1_VIP is bound to VLAN 32 and SSID2_Staff is to VLAN 36. Both of these are authenticated through the Active Directory via the RADIUS on an AP330. All users are authenticated and are able to connect to the wireless network, but users on SSID2_Staff are getting the DHCP IPs from VLAN 32, which should not be. The VLAN 32 doesn't have internet restrictions and is tunneled directly to the internet firewall, meaning it doesn't have access to our corporate LAN. That's where the issue starts, because we have applications running on users at SSID2_Staff that require connectivity to our LAN, so when they get an IP from VLAN 32, their apps stop working.

Now this gets worse: not all users in SSID2_Staff are getting the wrong IP, most of them are still getting the correct one. Honestly we have noticed this issue right after the upgrade to 6.1r2a because this was not happening before.
Andrew MacTaggart, Champ
Sounds strange.

How do you have the DHCP set up?

I have not upgraded to 6.1r2a yet, but I can tell you that I have not seen this behavior on 6.1r2 with my setup.

I have external DHCP servers on a different VLAN from the users.
I use Cisco switch IP helper addresses to forward the requests.

Have you used the VLAN probe to test your VLANs out?

Are you assigning the VLAN via RADIUS?

If you SSH to the AP and do a show interface, do you have a "-" for the SSID VLAN value or an actual VLAN?

Did this not happen with the previous code version? If not, you may want to open a support ticket, assuming the setup is the same and the only thing that has changed is the code. I heard that 6.1r2a only addresses HM and does not actually make any changes on the 6.1r2 code on the APs. I could be wrong though.

Just for reference:

I have an SSID with a user profile set to default VLAN 10; inside the user profile I assign VLANs via the topology map and 1 VLAN via attribute tag.

I have another SSID with a different user profile set to default VLAN 20; inside the user profile I assign VLANs via the topology map and 1 VLAN via attribute tag.

So users actually get the VLAN assigned based on the floor they are on and do not use the default VLAN.

Cheers
A