Aruba Instant & Cloud Wi-Fi

New Contributor
Posts: 2
Registered: ‎09-22-2014

IAP225 controllerless with two SSID's and two VLANS

Hi, so we are looking to deploy some IAP225's in controllerless mode with multiple SSID's.

We currently have an internal network 10.201.6.x that is on VLAN 1 of our internal network and have now configured VLAN 2 with the address space of 10.201.5.x which would be our employee personal access network.

The 10.201.6.x network provides DHCP to internal clients while the 10.201.5.x is just a gateway to our DMZ so DHCP is being provided by the IAP with an address space of 192.168.2.x

Clients can connect to both SSID's and get addresses in the respective DHCP scope and the clients that connect to the 10.201.6.x network get full connectivity to our company network - this is as desired.

The issue is that when a client connects to the 192.168.2.x network it gets an address but it looks like traffic ends up back on our internal 10.201.6.x which is not desirable.

I have changed the "default_wired_port_profile" to be on both VLAN's in trunk mode and brought the profile up as it was marked as down but it looks like there is more that we need to do.

What I would like is for the AP to behave like this:

SSID: Company -> 10.201.6.x with DHCP coming from company network providing full access to corporate network

SSID: Personal -> 192.168.2.x with DHCP from access point providing access to internet with gateway address 10.201.5.1 off corporate firewall.

Both networks traverse a VLAN trunk - currently with VLAN 1 & 2 and VLAN 1 is the native VLAN.

I am attaching our AP config for reference

Thanks in advance for the help

Jack

Frequent Contributor I
Posts: 97
Registered: ‎04-13-2009

Re: IAP225 controllerless with two SSID's and two VLANS

Hi, 

In your config the IAP for VLAN2 acts as default GW and simply provides SNAT for every user in this VLAN. You have two options:

1. Disable DHCP for VLAN2 at IAP and create it somewhere in your net - then your corporate firewall would filter all the traffic

2. Create firewall policy that disallows any traffic from VLAN2 to your corporate net

HTH

Marek 

Marek Krauze, CWNE# 174, ACMX #295, ACDX #356
New Contributor
Posts: 2
Registered: ‎09-22-2014

Re: IAP225 controllerless with two SSID's and two VLANS

So there is no way to configure each ssid/vlan as separate address spaces on two networks?

That seems odd if I can trunk the vlans over
Frequent Contributor I
Posts: 97
Registered: ‎04-13-2009

Re: IAP225 controllerless with two SSID's and two VLANS

Absolutely you can do that. Connect IAP to trunk with external DHCP/router/firewall or use firewall policies in IAP to separate traffic.

Marek Krauze, CWNE# 174, ACMX #295, ACDX #356
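
The firewall-policy option from the replies above, sketched as an Instant CLI access rule. This is an added example, not taken from the thread or from the attached config; the rule name `Personal` (matching the SSID) and the /24 mask for the 10.201.6.x network are assumptions.

```text
# Lines starting with '#' are annotations, not CLI input.
# Assumed: the access rule applied to the Personal SSID is named "Personal"
# and the corporate network is 10.201.6.0/24.
configure terminal
wlan access-rule Personal
 # Rules are matched top-down, so the deny must come before the permit.
 rule 10.201.6.0 255.255.255.0 match any any any deny
 rule any any match any any any permit
end
commit apply
```

Each `rule` line reads as destination, mask, match, protocol, start port, end port, action. A client on the Personal SSID that can still reach a 10.201.6.x host after this is applied indicates the rule is not bound to that SSID.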