topic Re: Move Ruckus (unleashed) AP originating traffic from native 1 vlan to 'management' vlan. in Access Points - Indoor and Outdoor

Move Ruckus (unleashed) AP originating traffic from native 1 vlan to 'management' vlan.

joshua_dunham — Sun, 26 Dec 2021 23:17:32 GMT

Hey Folks,

I'm trying to phase out vlan1 from an existing deployment. It currently consists of 4 h510 APs and an ICX6610. Like OP on Dec 16 "Change Unleashed to be able to use VLANS", I'm looking to clean-up.

I've created 6 VLANs to service the separate user roles (10,20,25,30) and some for the management / back-office traffic (40,50). I assigned the VLANs to the WLAN settings in unleashed and they work just fine - clients get routed to the correct DHCP server etc. Since all client originating traffic goes to a specific VLAN I'm OK to treat untagged traffic (AP dhcp / heartbeat / ssh). The issue comes when I move the 'native' vlan from 1 to 40 by using dual-mode in vlan 40. DHCP to the AP works and it grabs the correct reserved IP but the cluster breaks (recover.me is seen as an ssid) and all but the master drops out.

I've factory-reset the APs and set one up as a test but still the other APs do not join. I've SSH'd into the master and can ping the other APs just fine.

Here is vlan40 config from switch,

PORT-VLAN 40, Name mgmt-fe, Priority level0, Spanning tree OnUntagged Ports: NoneTagged Ports: (U1/M1)   3   4Tagged Ports: (U1/M3)   3Uplink Ports: (U1/M1)   3   4DualMode Ports: (U1/M1)  21  22  23  24Mac-Vlan Ports: NoneMonitoring: Disabled

The APs are driven from 4 POE enabled ports (1/121,22,23,24) and upstream to WAN is a Lagg on 1/1/3,4

Does anyone have tips to get the cluster to re-form or to test what could be blocking comms b/w the APs? I've read it's just UDP heartbeats which should work?

Re: Move Ruckus (unleashed) AP originating traffic from native 1 vlan to 'management' vlan.

rob_m_istij3wx4 — Mon, 27 Dec 2021 00:16:39 GMT

My understanding is unleached can not use vlans for management traffic. Only for client traffic. You would need a zonedirector if you wanted to have vlans for your management traffic.

Re: Move Ruckus (unleashed) AP originating traffic from native 1 vlan to 'management' vlan.

joshua_dunham — Mon, 27 Dec 2021 00:44:15 GMT

It can not be *configured* to use a specific vlan but on the switch side I should be able to set any/all untagged traffic to one specific vlan. This is a basic basic thing but I must have overlooked something. 😕

Re: Move Ruckus (unleashed) AP originating traffic from native 1 vlan to 'management' vlan.

thomas_fankhaus — Mon, 27 Dec 2021 10:47:32 GMT

hi,

i think it has to do with multicast traffic.

i don't see a reason to eliminate untagged traffic on a network, why you don't use the untagged vlan 1 as the "management network"?

Re: Move Ruckus (unleashed) AP originating traffic from native 1 vlan to 'management' vlan.

joshua_dunham — Mon, 27 Dec 2021 16:05:27 GMT

I'm not eliminating untagged traffic, I'm just trying to place clients on the correct-for-them vlan. Since 1 is default native; I don't want newly onboarded equipment or any misconfigured device to be on my management network. It should be on lowest permission and then put into correct space.

Re: Move Ruckus (unleashed) AP originating traffic from native 1 vlan to 'management' vlan.

joshua_dunham — Tue, 28 Dec 2021 01:10:54 GMT

The issue turned out to be I was blocking some needed traffic in the upstream firewall. I noticed that tracepath was traversing the firewall for queries so I started thinking maybe this config was setup for router-on-a-stick (which I don't want).

I made a blanket deny all rule in the FW which logged everything and then went through line by line to block or pass as needed with no logging above the blanket deny. At some point I had triaged enough that the main AP found the worker APs.

I found that the detection relies on UDP packets to some ports (maybe 22222 or 22223) so I'm still confused on why these went through the upstream firewall from the Ruckus switch or if there is another condition before UDP that wasn't met. If anyone has an answer I'd love to know.

Thanks everyone that took a moment to reply - much appreciated!

Re: Move Ruckus (unleashed) AP originating traffic from native 1 vlan to 'management' vlan.

david_black_594 — Wed, 29 Dec 2021 04:18:40 GMT

@joshua_dunham are all clients wireless? If so there is no way for any client (authenticated or not) to end up on vlan 1 provided that all SSIDs are tagged. You could also assign static address to all devices on vlan 1 (switched, APs, etc) and disable DHCP service.

If you insist on using vlan 40 for management, then you could configure the AP switch ports to have vlan 40 as the native untagged vlan. Leave the APs set to vlan 1 so that management traffic is untagged. The switch will put the untagged traffic is vlan 40. Sure seems like you're going way overboard for a small 4 AP network.

Re: Move Ruckus (unleashed) AP originating traffic from native 1 vlan to 'management' vlan.

joshua_dunham — Wed, 29 Dec 2021 15:07:37 GMT

Hey @david_black_5940365 ; The user clients are on wireless (but I have an h510 so can mark the ports in vlan as well).

The traffic of question is what originates from the AP though (heartbeat, ssh, etc). Your suggestion is what I had originally done but there was an extra step at the upstream router/firewall level. Please see accepted answer for more details.

I have received many such comments "... going way overboard for a small 4 AP network." and I'm not sure why. This is an increased measure of security unrelated to the footprint. I don't want my AP cluster traffic on the native vlan.

Thank you for following up though, I appreciate everyone's time to help out!