Aruba Instant & Cloud Wi-Fi

Contributor II
Posts: 53
Registered: ‎10-01-2013

IAP and DHCP, L2 forwarding but no NAT

I have a fairly simple setup, but still I have run into a problem I can't quite figure out.

A customer has bought 4 IAPs to replace an old WLAN solution. It's a small office and not many users, but 3 subnets:

Mgmt
Employee
Guest

In the current installation they have the Employee SSID tied to VLAN 2, and the AP hands out IP addresses, but the gateway is on a firewall. It is the same for the Guest SSID. The AP hands out DHCP addresses, but the gateway is on the firewall.

The customer wants to keep the same setup with the gateway residing on the firewall.

How can I solve this if I want to hand out DHCP from the IAP, but want the gateway to be the firewall?

If I use the Local,L3 mode, then I can do DHCP for the VLAN on the IAP, but the traffic will be NAT'ed behind the IAP IP, and not forwarded as L2 to the firewall. The IAP would do the firewalling between the clients, and not the firewall as they want.

It would be an easy fix to run DHCP on the firewall, but that is not an option in this case.

I tried deny local routing, but that just stopped the traffic from being routed from the SSID VLAN to the uplink for NAT.

With a mobility controller it is very easy.

interface vlan 2
  ip address 10.1.1.2 255.255.255.0
  no ip routing

ip dhcp pool employee
  network 10.1.1.0 255.255.255.0
  default-gateway 10.1.1.1

Is this even possible on an IAP?

I am running software 6.2.1.0-3.4.0.3

 

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: IAP and DHCP, L2 forwarding but no NAT

Can you stand up a DHCP server elsewhere?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Guru Elite
Posts: 8,451
Registered: ‎09-08-2010

Re: IAP and DHCP, L2 forwarding but no NAT

Is your firewall capable of providing DHCP services?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 53
Registered: ‎10-01-2013

Re: IAP and DHCP, L2 forwarding but no NAT

I am investigating. The firewall I am fairly sure can't do it, but possibly I can get DHCP service running elsewhere.

Does this mean it's not possible?

Would be nice to not be dependent on other 3rd parties.

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: IAP and DHCP, L2 forwarding but no NAT

No...it isn't. There are 2 options for doing DHCP from the VC:

1. Using "virtual controller assigned" in the network settings
2. Using Local,L3 in the DHCP settings

Outside of that, we require an external DHCP server or a relay to a corporate DHCP server to accomplish what you require. Unfortunately, the above 2 options require that the VC is the gateway; however, only "virtual controller assigned" does NAT.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Contributor II
Posts: 53
Registered: ‎10-01-2013

Re: IAP and DHCP, L2 forwarding but no NAT

Fair enough, I have one follow-up question then. In what scenario would you use the Deny local routing feature?

Do you still need to use that to stop routing between different WLAN subnets in a scenario like mine?

If networks are Network assigned, you won't have interfaces to route between, and if you have an L3 interface it is bound to be a gateway, and then it will basically break the network.

On second thought I see that it can be used in a distributed L2 forwarding mode, where you don't want routing between the VC mgmt subnet and the distributed L2 corporate subnet.

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: IAP and DHCP, L2 forwarding but no NAT

I wouldn't enable "deny local routing". That feature prevents users connected to the same IAP from communicating with each other. In 4.0, we are adding some additional restrictions to prevent users from accessing the mgmt interfaces.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: IAP and DHCP, L2 forwarding but no NAT

I stand corrected...sorry that I misspoke. In Local, L3 the only requirement is that the VC is the gateway. The client is ROUTED from there but NOT NAT'ed.

So...on the firewall, all you need is a static route pointing at the VC IP address as the next hop.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
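To make the difference between the three IAP DHCP options concrete, here is an added example (not from the thread or from Aruba) that models, per mode, which source address the upstream firewall sees and what the firewall still needs. It follows the corrected statement above (Local,L3 routes without NAT), and the subnet and VC address are constructed values.

```python
import ipaddress

# Constructed example values for the thread's scenario (not from the post).
EMPLOYEE_SUBNET = "10.1.1.0/24"   # Employee SSID VLAN
VC_IP = "10.0.0.10"               # virtual controller IP on the uplink VLAN (assumed)

# Forwarding behaviour of the three IAP DHCP options discussed in the thread.
MODES = {
    "network_assigned": {"gateway": "firewall", "nat": False},  # L2 bridged to the uplink
    "local_l3":         {"gateway": "vc",       "nat": False},  # VC routes, no NAT
    "vc_assigned":      {"gateway": "vc",       "nat": True},   # VC routes and NATs
}


def source_seen_by_firewall(mode, client_ip):
    """Source address the firewall sees on a client packet in the given mode."""
    return VC_IP if MODES[mode]["nat"] else client_ip


def firewall_findings(mode, static_routes, interfaces):
    """List what the firewall still needs, or cannot do, for the chosen mode.

    static_routes: {"dest/prefix": "next-hop"}; interfaces: ["addr/prefix", ...].
    """
    subnet = ipaddress.ip_network(EMPLOYEE_SUBNET)
    findings = []
    if MODES[mode]["gateway"] == "firewall":
        # L2 forwarding: the firewall itself must own an address in the client VLAN.
        if not any(ipaddress.ip_interface(i).ip in subnet for i in interfaces):
            findings.append(f"firewall interface in {subnet} (it is the VLAN gateway)")
    elif not MODES[mode]["nat"]:
        # Local,L3: replies to clients need a static route back via the VC.
        routes = {ipaddress.ip_network(d): ipaddress.ip_address(h)
                  for d, h in static_routes.items()}
        if routes.get(subnet) != ipaddress.ip_address(VC_IP):
            findings.append(f"static route {subnet} via {VC_IP}")
    else:
        # NAT: replies reach the VC's own IP, but every client looks identical upstream.
        findings.append(f"clients hidden behind {VC_IP}: no per-client policy on the firewall")
    return findings
```

The NAT finding is the security cost the original poster was worried about: once clients share the VC address, the firewall can no longer apply policy or log per client, so that job moves onto the IAP.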
Contributor II
Posts: 53
Registered: ‎10-01-2013

Re: IAP and DHCP, L2 forwarding but no NAT

OK, so it is not NAT'ed, but it needs routing. That is handy to know, but won't achieve the L2 forwarding I want :)

It looks like I can have the DHCP scope on a server, so then it will be easy to set it up.

Thanks for the help. Have a nice weekend. :)

New Contributor
Posts: 2
Registered: ‎01-05-2012

Re: IAP and DHCP, L2 forwarding but no NAT

Seth,

Thanks for the info in this post.  It helped me out of a jam.

Don Demars

(ex-Cabletron)


SethFiermonti wrote:

I stand corrected...sorry that I misspoke. In Local, L3 the only requirement is that the VC is the gateway. The client is ROUTED from there but NOT NAT'ed.

So...on the firewall, all you need is a static route pointing at the VC IP address as the next hop.
