
Move Ruckus (unleashed) AP originating traffic from native 1 vlan to 'management' vlan.

joshua_dunham
New Contributor II

Hey Folks, 

I'm trying to phase out vlan1 from an existing deployment. It currently consists of 4 h510 APs and an ICX6610. Like OP on Dec 16 "Change Unleashed to be able to use VLANS",  I'm looking to clean-up. 

I've created 6 VLANs to service the separate user roles (10,20,25,30) and some for the management / back-office traffic (40,50). I assigned the VLANs to the WLAN settings in unleashed and they work just fine - clients get routed to the correct DHCP server etc. Since all client-originating traffic goes to a specific VLAN I'm OK to treat untagged traffic (AP dhcp / heartbeat / ssh). The issue comes when I move the 'native' vlan from 1 to 40 by using dual-mode in vlan 40. DHCP to the AP works and it grabs the correct reserved IP but the cluster breaks (recover.me is seen as an ssid) and all but the master drops out.

I've factory-reset the APs and set one up as a test but still the other APs do not join. I've SSH'd into the master and can ping the other APs just fine.

Here is vlan40 config from switch, 

PORT-VLAN 40, Name mgmt-fe, Priority level0, Spanning tree On
Untagged Ports: None
Tagged Ports: (U1/M1)   3   4
Tagged Ports: (U1/M3)   3
Uplink Ports: (U1/M1)   3   4
DualMode Ports: (U1/M1)  21  22  23  24
Mac-Vlan Ports: None
Monitoring: Disabled

The APs are driven from 4 POE enabled ports (1/1/21,22,23,24) and upstream to WAN is a Lagg on 1/1/3,4

Does anyone have tips to get the cluster to re-form or to test what could be blocking comms b/w the APs? I've read it's just UDP heartbeats which should work? 

J

1 ACCEPTED SOLUTION

joshua_dunham
New Contributor II

The issue turned out to be I was blocking some needed traffic in the upstream firewall. I noticed that tracepath was traversing the firewall for queries so I started thinking maybe this config was setup for router-on-a-stick (which I don't want). 

I made a blanket deny all rule in the FW which logged everything and then went through line by line to block or pass as needed with no logging above the blanket deny.  At some point I had triaged enough that the main AP found the worker APs.

I found that the detection relies on UDP packets to some ports (maybe 22222 or 22223) so I'm still confused on why these went through the upstream firewall from the Ruckus switch or if there is another condition before UDP that wasn't met. If anyone has an answer I'd love to know.

Thanks everyone that took a moment to reply - much appreciated!

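The triage described in the accepted solution (blanket deny with logging, then working through the denied flows) can be automated against the firewall's log. The script below is an added example, not something from the thread or from Ruckus; it assumes a generic "ACTION proto src:port -> dst:port" log format, a hypothetical AP management subnet of 10.40.0.0/24, and constructed log lines that reuse the UDP ports the poster mentioned only as illustration. It also counts denied flows whose source and destination are both inside the management subnet, which is exactly the oddity raised above: AP-to-AP traffic on one VLAN should be switched, and seeing it at an upstream firewall points at the VLAN being routed (router-on-a-stick) rather than bridged.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of upstream-firewall deny/pass logs (not from the thread).
# Ports 22222/22223 are only the values guessed in the post, used as sample data.
SAMPLE_LOG = """\
2024-01-01T10:00:01 fw DENY udp 10.40.0.11:22222 -> 10.40.0.12:22222
2024-01-01T10:00:01 fw DENY udp 10.40.0.12:22223 -> 10.40.0.11:22223
2024-01-01T10:00:02 fw DENY tcp 10.40.0.12:51000 -> 10.40.0.11:22
2024-01-01T10:00:02 fw DENY udp 10.40.0.11:22222 -> 10.40.0.13:22222
2024-01-01T10:00:03 fw PASS tcp 10.40.0.11:51012 -> 203.0.113.5:443
2024-01-01T10:00:04 fw DENY udp 10.10.0.50:60000 -> 8.8.8.8:53
"""

# Hypothetical generic log layout: "<ACTION> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"(?P<action>DENY|PASS)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_log(text):
    """Yield one dict (action, proto, src, sport, dst, dport) per parseable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def triage_denies(text, mgmt_net):
    """Count denied (proto, dport) pairs for flows sourced in mgmt_net, and how
    many of those also target mgmt_net (traffic that should have been switched
    inside the VLAN, not routed through an upstream firewall)."""
    net = ipaddress.ip_network(mgmt_net)
    by_port = Counter()
    intra_vlan = 0
    for rec in parse_log(text):
        if rec["action"] != "DENY":
            continue  # only denied flows matter for the triage
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src not in net:
            continue  # not AP/management-originated traffic
        by_port[(rec["proto"], int(rec["dport"]))] += 1
        if dst in net:
            intra_vlan += 1  # same-subnet flow that reached the firewall
    return by_port, intra_vlan


if __name__ == "__main__":
    ports, intra = triage_denies(SAMPLE_LOG, "10.40.0.0/24")
    print(ports.most_common(), "intra-VLAN flows at firewall:", intra)
```

Run it against the real deny log (after adjusting LINE_RE to the firewall's own format) and the top entries of the counter are the candidate rules to allow; a non-zero intra-VLAN count is the signal to check the switch/router for inter-VLAN routing or proxy-ARP on the management VLAN.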

@joshua_dunham are all clients wireless? If so, there is no way for any client (authenticated or not) to end up on vlan 1 provided that all SSIDs are tagged. You could also assign static addresses to all devices on vlan 1 (switches, APs, etc) and disable DHCP service.

If you insist on using vlan 40 for management, then you could configure the AP switch ports to have vlan 40 as the native untagged vlan. Leave the APs set to vlan 1 so that management traffic is untagged. The switch will put the untagged traffic in vlan 40. Sure seems like you're going way overboard for a small 4 AP network.

Hey @david_black_5940365; the user clients are on wireless (but I have an h510 so can mark the ports in vlan as well).

The traffic of question is what originates from the AP though (heartbeat, ssh, etc). Your suggestion is what I had originally done but there was an extra step at the upstream router/firewall level.  Please see accepted answer for more details.

I have received many such comments "... going way overboard for a small 4 AP network." and I'm not sure why. This is an increased measure of security unrelated to the footprint. I don't want my AP cluster traffic on the native vlan.

Thank you for following up though, I appreciate everyone's time to help out!
