12-26-2021 03:17 PM
I'm trying to phase out VLAN 1 from an existing deployment. It currently consists of four H510 APs and an ICX6610. Like the OP on Dec 16 in "Change Unleashed to be able to use VLANS", I'm looking to clean up.
I've created six VLANs to service the separate user roles (10, 20, 25, 30) and some for the management / back-office traffic (40, 50). I assigned the VLANs to the WLAN settings in Unleashed and they work just fine: clients get routed to the correct DHCP server, etc. Since all client-originated traffic goes to a specific VLAN, I'm OK to treat untagged traffic (AP DHCP / heartbeat / SSH). The issue comes when I move the 'native' VLAN from 1 to 40 by using dual-mode in VLAN 40. DHCP to the AP works and it grabs the correct reserved IP, but the cluster breaks (recover.me is seen as an SSID) and all but the master drop out.
I've factory-reset the APs and set one up as a test, but still the other APs do not join. I've SSH'd into the master and can ping the other APs just fine.
Here is the VLAN 40 config from the switch:
PORT-VLAN 40, Name mgmt-fe, Priority level0, Spanning tree On
Untagged Ports: None
Tagged Ports: (U1/M1) 3 4
Tagged Ports: (U1/M3) 3
Uplink Ports: (U1/M1) 3 4
DualMode Ports: (U1/M1) 21 22 23 24
Mac-Vlan Ports: None
Monitoring: Disabled
The APs are driven from four PoE-enabled ports (1/1/21, 22, 23, 24), and the upstream to the WAN is a LAG on 1/1/3,4.
Does anyone have tips to get the cluster to re-form, or to test what could be blocking comms between the APs? I've read it's just UDP heartbeats, which should work?
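A small parser for the `show vlan` output quoted above, added here as an example and not part of the thread: it checks whether the four AP ports (1/1/21-24, from the post) get their untagged traffic placed in VLAN 40 via dual-mode and whether the LAG uplink ports (1/1/3-4) carry VLAN 40 tagged. The line layout of the output is assumed from the quoted text; the sample input is a constructed copy of it.

```python
import re

# Constructed sample: the 'show vlan 40' output from the post, one field per line.
SHOW_VLAN_40 = """\
PORT-VLAN 40, Name mgmt-fe, Priority level0, Spanning tree On
Untagged Ports: None
Tagged Ports: (U1/M1) 3 4
Tagged Ports: (U1/M3) 3
Uplink Ports: (U1/M1) 3 4
DualMode Ports: (U1/M1) 21 22 23 24
Mac-Vlan Ports: None
Monitoring: Disabled
"""

ROLE_RE = re.compile(r"^(Untagged|Tagged|Uplink|DualMode|Mac-Vlan) Ports:\s*(.*)$")
SLOT_RE = re.compile(r"\(U(\d+)/M(\d+)\)\s*([\d ]+)")  # "(U1/M1) 3 4" -> unit, module, ports


def parse_show_vlan(text):
    """Return (vlan_id, {role: set of 'unit/module/port'}) from show vlan output."""
    vlan_id = None
    roles = {}
    for line in text.splitlines():
        m = re.match(r"^PORT-VLAN (\d+),", line)
        if m:
            vlan_id = int(m.group(1))
            continue
        m = ROLE_RE.match(line)
        if not m:
            continue
        role, rest = m.groups()
        ports = roles.setdefault(role, set())
        for unit, module, plist in SLOT_RE.findall(rest):
            ports.update(f"{unit}/{module}/{p}" for p in plist.split())
    return vlan_id, roles


def check_mgmt_vlan(text, ap_ports, uplink_ports):
    """List AP ports whose untagged traffic would NOT land in this VLAN
    (neither untagged nor dual-mode member) and uplinks that do not carry it tagged."""
    _, roles = parse_show_vlan(text)
    native = roles.get("DualMode", set()) | roles.get("Untagged", set())
    tagged = roles.get("Tagged", set())
    findings = []
    for p in ap_ports:
        if p not in native:
            findings.append(f"AP port {p}: untagged traffic is not in this VLAN")
    for p in uplink_ports:
        if p not in tagged:
            findings.append(f"uplink {p}: VLAN is not tagged")
    return findings
```

For the quoted config, `check_mgmt_vlan(SHOW_VLAN_40, ["1/1/21", "1/1/22", "1/1/23", "1/1/24"], ["1/1/3", "1/1/4"])` returns no findings, so the switch side matches what the post describes and the fault is elsewhere on the path.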
12-27-2021 05:10 PM
The issue turned out to be that I was blocking some needed traffic in the upstream firewall. I noticed that tracepath was traversing the firewall for queries, so I started thinking maybe this config was set up for router-on-a-stick (which I don't want).
I made a blanket deny-all rule in the FW which logged everything, and then went through line by line to block or pass as needed, with no logging above the blanket deny. At some point I had triaged enough that the main AP found the worker APs.
I found that the detection relies on UDP packets to some ports (maybe 22222 or 22223), so I'm still confused as to why these went through the upstream firewall from the Ruckus switch, or if there is another condition before UDP that wasn't met. If anyone has an answer I'd love to know.
Thanks to everyone who took a moment to reply; much appreciated!
12-26-2021 04:16 PM
My understanding is Unleashed cannot use VLANs for management traffic, only for client traffic. You would need a ZoneDirector if you wanted to have VLANs for your management traffic.
12-26-2021 04:44 PM
It cannot be *configured* to use a specific VLAN, but on the switch side I should be able to set any/all untagged traffic to one specific VLAN. This is a basic, basic thing, but I must have overlooked something. 😕
12-27-2021 02:47 AM
I think it has to do with multicast traffic.
I don't see a reason to eliminate untagged traffic on a network; why don't you use the untagged VLAN 1 as the "management network"?
12-27-2021 08:05 AM
I'm not eliminating untagged traffic, I'm just trying to place clients on the VLAN that is correct for them. Since 1 is the default native, I don't want newly onboarded equipment or any misconfigured device to be on my management network. It should be on the lowest permission and then put into the correct space.