07-06-2021 12:05 PM
Hi
I have set up an AP7532 and I want to use the AP as a VC, but it's not adopting the other AP7532. FW 7.6.2.0-18R
Dashboard shows two APs, one offline. The network switch the APs connect to are trunks with VLANs 1,10,101 allowed; native VLAN is 1, management VLAN is 101. In Configuration / Virtual Controller, the AP I want to be the controller for now is showing, and the other one; neither is set as the virtual controller, as I would like it to be able to auto move if the one acting as the VC fails.
I'm sure it's something simple, but I have gone text blind now.
If someone could have a scan through and hopefully pick out the error.
Thanks in advance
P
This is my config -
!
! Configuration of AP7532 version 7.6.2.0-018R
!
!
version 2.7
!
!
client-identity-group default
load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
permit any
!
firewall-policy default
no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
no ip-mac conflict
no ip-mac routing conflict
dhcp-offer-convert
no stateful-packet-inspection-l2
ip tcp adjust-mss 1400
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
wlan VoipT
description Phones
shutdown
ssid VoipT
vlan 10
bridging-mode local
encryption-type ccmp
authentication-type none
wpa-wpa2 psk 0 Un1fyV0ip
!
wlan wlan1
shutdown
ssid LANTest
vlan 1
bridging-mode local
encryption-type tkip-ccmp
authentication-type none
no protected-mgmt-frames
wpa-wpa2 psk 0 2121Password
ip dhcp trust
!
smart-rf-policy default-smartrf
assignable-power 2.4GHz min 10
channel-list 5GHz 36,40,44,48,149,153,157,161,165
no select-shutdown
no smart-sensor
smart-sensor auto-trigger
smart-sensor band smart-band-5GHz
smart-sensor tri-radio-only
!
auto-provisioning-policy VC
adopt ap7532 precedence 10 profile HQWLAN rf-domain $AUTO-RF-DOMAIN any
!
!
management-policy default
no telnet
no http server
https server
rest-server
ssh
user admin password 1 2086fd56f6f84582f821be658388f0b8c9e23511ae3d2b5dfeb8a9b96d4d668e role superuser access all
user Admin2 password 1 271b548973518da1048f40b478a52331804fca4723c5573905a69e96f47f80df role superuser access web ssh console
snmp-server community 0 public ro
snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
!
nsight-policy default
!
profile ap7532 HQWLAN
use enterprise-ui
ip default-gateway 10.10.144.254
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
wlan wlan1 bss 1 primary
wlan VoipT bss 2 primary
interface radio2
wlan wlan1 bss 1 primary
wlan VoipT bss 2 primary
interface ge1
switchport mode trunk
switchport trunk allowed vlan 1,10,101
interface vlan1
ip dhcp client request options all
interface vlan101
ip address 10.10.144.248/22
interface pppoe1
use firewall-policy default
use auto-provisioning-policy VC
use client-identity-group default
virtual-controller management-interface ip address 10.10.144.248/22
controller vlan 1
no auto-learn staging-config
service pm sys-restart
router ospf
adoption-mode controller
!
profile ap7532 default-ap7532
use enterprise-ui
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
interface radio2
interface ge1
interface vlan1
ip address zeroconf secondary
ip dhcp client request options all
interface pppoe1
use firewall-policy default
use client-identity-group default
logging on
service pm sys-restart
router ospf
adoption-mode controller
!
rf-domain default
location HQ
country-code gb
use smart-rf-policy default-smartrf
ad-wips-wireless-mitigation disable
ad-wips-wired-mitigation disable
use nsight-policy default
!
ap7532 84-24-8D-82-BA-F8
radio-count 2
use profile HQWLAN
use rf-domain default
hostname ap7532-82BAF8
license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
model-number AP-7532-67040-EU
adoption-site 84-24-8D-82-BF-10
rf-domain-manager priority 5
!
self
! ap7532 84-24-8D-82-BF-10
radio-count 2
use profile HQWLAN
use rf-domain default
hostname AP-VC-1
license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
no adoption-site
ip default-gateway 10.10.144.254
interface ge1
no shutdown
switchport mode trunk
switchport trunk allowed vlan 1,10,101
switchport trunk native vlan 1
interface vlan101
ip address 10.10.144.248/22
no virtual-controller
virtual-controller auto
virtual-controller management-interface ip address 10.10.144.248/22
virtual-controller management-interface vlan 101
rf-domain-manager capable
rf-domain-manager priority 15
controller vlan 1
auto-learn staging-config
no adoption-mode
!
!
end
07-08-2021 11:55 AM
Hi Douglas
I have checked the switch, no IGMP.
VLAN101 is the management VLAN to get to the VC. Looks like sometimes things do not work from the GUI.
Should I see other APs with the show Mint Neighbours?
!
! Configuration of AP7532 version 7.6.2.0-018R
!
!
version 2.7
!
!
client-identity-group default
load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
permit any
!
firewall-policy default
no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
no ip-mac conflict
no ip-mac routing conflict
dhcp-offer-convert
no stateful-packet-inspection-l2
ip tcp adjust-mss 1400
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
wlan VoipT
description Phones
shutdown
ssid VoipTTTTT
vlan 10
bridging-mode local
encryption-type ccmp
authentication-type none
wpa-wpa2 psk 0 Un1fyV0ip
!
wlan wlan1
ssid LANTest
vlan 1
bridging-mode local
encryption-type tkip-ccmp
authentication-type none
no protected-mgmt-frames
wpa-wpa2 psk 0 2121Password
ip dhcp trust
!
smart-rf-policy default-smartrf
assignable-power 2.4GHz min 10
channel-list 5GHz 36,40,44,48,149,153,157,161,165
no select-shutdown
no smart-sensor
smart-sensor auto-trigger
smart-sensor band smart-band-5GHz
smart-sensor tri-radio-only
!
auto-provisioning-policy VC
adopt anyap precedence 10 rf-domain $AUTO-RF-DOMAIN any
!
!
management-policy default
no telnet
no http server
https server
rest-server
ssh
user admin password 1 2086fd56f6f84582f821be658388f0b8c9e23511ae3d2b5dfeb8a9b96d4d668e role superuser access all
user Admin2 password 1 271b548973518da1048f40b478a52331804fca4723c5573905a69e96f47f80df role superuser access web ssh console
snmp-server community 0 public ro
snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
!
nsight-policy default
!
profile ap7532 HQWLAN
use enterprise-ui
ip default-gateway 10.10.144.254
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
wlan wlan1 bss 1 primary
interface radio2
wlan wlan1 bss 1 primary
wlan VoipT bss 2 primary
interface ge1
switchport mode trunk
switchport trunk allowed vlan 1,10,101
interface vlan1
ip dhcp client request options all
interface vlan101
ip address 10.10.144.248/22
interface pppoe1
use firewall-policy default
use client-identity-group default
virtual-controller auto
virtual-controller management-interface ip address 10.10.144.248/22
rf-domain-manager capable
no auto-learn staging-config
service pm sys-restart
router ospf
adoption-mode controller
!
profile ap7532 default-ap7532
use enterprise-ui
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
interface radio2
interface ge1
interface vlan1
ip address zeroconf secondary
ip dhcp client request options all
interface pppoe1
use firewall-policy default
use client-identity-group default
logging on
service pm sys-restart
router ospf
adoption-mode controller
!
rf-domain default
location HQ
country-code gb
use smart-rf-policy default-smartrf
ad-wips-wireless-mitigation disable
ad-wips-wired-mitigation disable
use nsight-policy default
!
self
! ap7532 84-24-8D-82-BF-10
radio-count 2
use profile HQWLAN
use rf-domain default
hostname AP-VC-1
license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
no adoption-site
ip default-gateway 10.10.144.254
interface radio2
wlan wlan1 bss 1 primary
interface ge1
no shutdown
switchport mode trunk
switchport trunk allowed vlan 1,10,101
switchport trunk native vlan 1
interface vlan101
ip address 10.10.144.248/22
no virtual-controller
no virtual-controller auto
no virtual-controller management-interface ip address
virtual-controller management-interface vlan 101
rf-domain-manager capable
no rf-domain-manager priority
no controller vlan
auto-learn staging-config
no adoption-mode
!
!
end
07-08-2021 10:32 AM
Hello,
Thank you for the update.
Is IGMP snooping enabled on the L2 switch? If so, please disable and retest.
Also there is still a discrepancy within the configuration between the AP override and AP profile.
In the AP profile the following is configured:
‘virtual-controller management-interface vlan 101’
While the AP override for AP ‘AP-VC-1’ has the following configured:
‘virtual-controller management-interface vlan 1’
07-07-2021 01:11 PM
Hi
Thanks for the info. I have done as suggested and checked against the guide, but it's still not liking it. If I run show mint neighbours it's not finding any. The two AP7532 are in the same switch and both ports have VLANs 1,101 against them.
VLAN Display by Port
Port: [ 23 ]
PVID: 101
Port Name: Port 23
VLANs VLAN Name VLANs VLAN Name
--------- ---------------- --------- ----------------
1 VLAN #1
101 VLAN #101
Port: [ 23 ]
Filter Untagged Frames: [ No ]
Filter Unregistered Frames: [ Yes ]
Port Name: [ Port 23 ]
PVID: [ 101 ]
Port Priority: [ 0 ]
Tagging: [ Tag All ]
ConfigControl (global): [ AutoPVID ]
!
! Configuration of AP7532 version 7.6.2.0-018R
!
!
version 2.7
!
!
client-identity-group default
load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
permit any
!
firewall-policy default
no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
no ip-mac conflict
no ip-mac routing conflict
dhcp-offer-convert
no stateful-packet-inspection-l2
ip tcp adjust-mss 1400
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
wlan VoipT
description Phones
shutdown
ssid VoipT
vlan 10
bridging-mode local
encryption-type ccmp
authentication-type none
wpa-wpa2 psk 0 Un1fyV0ip
!
wlan wlan1
shutdown
ssid LANTest
vlan 1
bridging-mode local
encryption-type tkip-ccmp
authentication-type none
no protected-mgmt-frames
wpa-wpa2 psk 0 2121Password
ip dhcp trust
!
smart-rf-policy default-smartrf
assignable-power 2.4GHz min 10
channel-list 5GHz 36,40,44,48,149,153,157,161,165
no select-shutdown
no smart-sensor
smart-sensor auto-trigger
smart-sensor band smart-band-5GHz
smart-sensor tri-radio-only
!
auto-provisioning-policy VC
adopt ap7532 precedence 10 profile HQWLAN rf-domain $AUTO-RF-DOMAIN any
!
!
management-policy default
no telnet
no http server
https server
rest-server
ssh
user admin password 1 2086fd56f6f84582f821be658388f0b8c9e23511ae3d2b5dfeb8a9b96d4d668e role superuser access all
user Admin2 password 1 271b548973518da1048f40b478a52331804fca4723c5573905a69e96f47f80df role superuser access web ssh console
snmp-server community 0 public ro
snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
!
nsight-policy default
!
profile ap7532 HQWLAN
use enterprise-ui
ip default-gateway 10.10.144.254
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
wlan wlan1 bss 1 primary
wlan VoipT bss 2 primary
interface radio2
wlan wlan1 bss 1 primary
wlan VoipT bss 2 primary
interface ge1
switchport mode trunk
switchport trunk allowed vlan 1,10,101
interface vlan1
ip dhcp client request options all
interface vlan101
ip address 10.10.144.248/22
interface pppoe1
use firewall-policy default
use auto-provisioning-policy VC
use client-identity-group default
virtual-controller auto
virtual-controller management-interface ip address 10.10.144.248/22
virtual-controller management-interface vlan 101
rf-domain-manager capable
controller vlan 1
no auto-learn staging-config
service pm sys-restart
router ospf
adoption-mode controller
!
profile ap7532 default-ap7532
use enterprise-ui
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
interface radio2
interface ge1
interface vlan1
ip address zeroconf secondary
ip dhcp client request options all
interface pppoe1
use firewall-policy default
use client-identity-group default
logging on
service pm sys-restart
router ospf
adoption-mode controller
!
rf-domain default
location HQ
country-code gb
use smart-rf-policy default-smartrf
ad-wips-wireless-mitigation disable
ad-wips-wired-mitigation disable
use nsight-policy default
!
ap7532 84-24-8D-82-BA-F8
radio-count 2
use profile HQWLAN
use rf-domain default
hostname ap7532-82BAF8
license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
model-number AP-7532-67040-EU
adoption-site 84-24-8D-82-BF-10
no rf-domain-manager priority
no controller vlan
!
self
! ap7532 84-24-8D-82-BF-10
radio-count 2
use profile HQWLAN
use rf-domain default
hostname AP-VC-1
license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
no adoption-site
ip default-gateway 10.10.144.254
interface ge1
no shutdown
switchport mode trunk
switchport trunk allowed vlan 1,10,101
switchport trunk native vlan 1
interface vlan101
ip address 10.10.144.248/22
no virtual-controller
no virtual-controller auto
no virtual-controller management-interface ip address
virtual-controller management-interface vlan 1
rf-domain-manager capable
no rf-domain-manager priority
no controller vlan
auto-learn staging-config
no adoption-mode
!
!
end
07-06-2021 12:19 PM
Hello,
Please reference this article that shows the configuration for Virtual Controller redundancy: https://extremeportal.force.com/ExtrArticleDetail?an=000080546
Remove the following overrides from AP ‘AP-VC-1’:
- virtual-controller auto
- virtual-controller management-interface ip address 10.10.144.248/22
- virtual-controller management-interface vlan 101
- rf-domain-manager priority 15
- controller vlan 1
Remove the following overrides from AP ‘ap7532-82BAF8’:
- rf-domain-manager priority 5
Remove the following from AP profile ‘HQWLAN’:
- controller vlan 1
Add the following to AP profile ‘HQWLAN’:
- virtual-controller auto
- virtual-controller management-interface ip address 10.10.144.248/22
- virtual-controller management-interface vlan 101
If further support is required please contact GTAC and collect a TechSupport from the Virtual Controller AP. Thank you
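Added example, not part of any post in this thread and not vendor code: a small Python check for the two points raised in the support replies, that virtual-controller settings belong in the profile rather than in per-AP overrides, and that an override can disagree with the profile (management-interface vlan 1 against vlan 101). The names `WATCHED`, `parse_sections`, `watched` and `audit_overrides` are hypothetical; the sample is constructed, assumes an indented config export, and treats a negated override line as differing from the profile.

```python
# Constructed sample and hypothetical names; assumes one space of indent per level.
SAMPLE = """\
profile ap7532 HQWLAN
 virtual-controller auto
 virtual-controller management-interface vlan 101
 controller vlan 1
ap7532 84-24-8D-82-BF-10
 use profile HQWLAN
 hostname AP-VC-1
 no virtual-controller auto
 virtual-controller management-interface vlan 1
 no rf-domain-manager priority
 no controller vlan
"""

WATCHED = ("virtual-controller auto", "rf-domain-manager priority", "controller vlan",
           "virtual-controller management-interface ip address",
           "virtual-controller management-interface vlan")

def parse_sections(text):
    """Group depth-1 setting lines under their top-level context header."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and '!' separators
        depth = len(line) - len(line.lstrip(" "))
        if depth == 0:
            current = sections.setdefault(line.strip(), [])
        elif depth == 1 and current is not None:
            current.append(line.strip())
    return sections

def watched(lines):
    """Map each watched key to its value: 'no' if negated, 'set' if bare."""
    found = {}
    for line in lines:
        negated, body = line.startswith("no "), line.removeprefix("no ")
        for key in WATCHED:
            if body == key or body.startswith(key + " "):
                found[key] = "no" if negated else (body[len(key):].strip() or "set")
    return found

def audit_overrides(text):
    """Compare each device's watched overrides with the profile it uses."""
    sections = parse_sections(text)
    profiles = {h.split()[-1]: watched(ls)
                for h, ls in sections.items() if h.startswith("profile ")}
    findings = []
    for header, lines in sections.items():
        host = next((l.split()[-1] for l in lines if l.startswith("hostname ")), header)
        for name in (l.split()[-1] for l in lines if l.startswith("use profile ")):
            inherited = profiles.get(name, {})
            for key, value in watched(lines).items():
                status = ("override-only" if key not in inherited else
                          "redundant" if inherited[key] == value else "conflict")
                findings.append((host, key, value, inherited.get(key), status))
    return findings

if __name__ == "__main__":
    print(*audit_overrides(SAMPLE), sep="\n")
```

Each finding is a tuple of hostname, setting, override value, profile value and status; an empty list means no watched setting is overridden on any AP.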