After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

wendland_jm
New Contributor

We are running 10.0r7a on 98% of our AP250 and AP230. Some background info: we have most of our buildings segmented on different subnets but using the same SSID for all buildings, and are using an external RADIUS server for authentication. All APs in a building are issuing the same subnet scope and VLAN. We have already tried GRE tunneling (this made the issue worse). We have done a VLAN probe test and the AP successfully passes the test for its building VLAN.

 

The issue is when a client is connected in building A on VLAN-A with an IP address in subnet A and the client moves to building B, the client stays connected but has no access to anything due to the client keeping their IP address from building A. This is happening on all devices (apple,android,windows,chrome) but it does not happen all the time. A client can move from building A to B (no issue) then to building C and have the issue. Suggestions would be a great help.

 

Thank you.

14 REPLIES 14

wendland_jm
New Contributor

Yes, we still have the classic server. I have a ticket open with Aerohive but it is slow coming. How are you handling casting between hardwired VLANs to the wireless? And headless devices? To clarify, you have your Aerohive APs all broadcast the same SSID. All "students" go into one VLAN and you are separating other staff to a different VLAN which they keep regardless of what building? If there is a security issue, how do you track the user down? Is your firewall policy through Aerohive or a network ACL?

Thank you,

dparsons
Contributor

Sorry bout that, end of the day...

 

Almost all of my students are on one VLAN that spans the entire campus. We have a wireless firewall policy that prevents student devices from talking to each other on the wireless. As for the 30 VLANs, those serve my other users. We are part of a statewide college system. So here are some of the groups that exist and are each put into separate VLANs but under one SSID.

Our students.

Other schools students.

Faculty and staff in the system wide domain.

Laptop carts in an acad domain.

domain joined devices in our internal domain

IT users

Facilities users

Media users

Campus Police users

 

Any chance you still have the classic server?

wendland_jm
New Contributor

This is also a college environment. We thought the issue was coming from being partly NG and partly Classic, so we quickly moved all APs to NG before students arrived. We had an Aerohive engineer set up NG as close to Classic as they could. We had a similar issue a few years ago which was fixed by the core router DHCP helper making some overrides. These are still in place and were working great until NG came along.

I am confused by your last paragraph. How do you have both one VLAN and also land in different VLANs?

Thank you for your response.

dparsons
Contributor

First, I understand your frustration. Been there many times. In the world of WiFi the client is in control no matter how hard you try to control them. I was just using Windows as an example, we had issues with other clients.

 

If I understand, you still have some APs on Classic. Pull the config from an AP on Classic and one on NG and compare them. See if there are any differences that stand out. Do you still have two adjacent buildings on Classic? If so, do clients have any issues between those two buildings? Feel free to sanitize the configs and upload them, be glad to take a peek.

 

No I don't expect you to ask clients to release renew, just explaining what we had to do.

 

So I am wondering if there is a chance that the design on classic and the design on NG are actually the same or if something got changed?

 

I am at a college and our "student" wireless is one VLAN on the entire campus serving 1000+ clients across 14 buildings. I have about 30 VLANs on my APs and segregate my users based on several factors. They all use the same SSID but land in different VLANs depending on their domain as well as their group membership within the domains. If all else fails, is something like this something you could use to segment your users and shrink your broadcast domains?

 

wendland_jm
New Contributor

The scope of client issues is not limited to Windows devices. "(apple,android,windows,chrome)" Yes, buildings are far enough apart that there is no wireless between. We have not added APs in these areas. Our NG radio profiles are as close to the Classic radio profiles as we can set them with the slider bars. I cannot ask 1000s of clients to "ipconfig /release and ipconfig /renew to force a DHCP request." every time they walk between buildings.
