ArubaOS and Controllers

Contributor II
Posts: 59
Registered: 02-17-2012

Controller inside tunneling traffic to the one in the DMZ.

I have seen a number of topics covering controllers between different security domains, but I am not quite clear how I would accomplish the following setup:

- Internal controller that terminates all of my APs.
- Internal controller hosts the captive portal and authenticates the users.
- Once authenticated, all user traffic, including DHCP requests, is tunnelled (via GRE) to the controller in the DMZ.
- The controller in the DMZ gives out IP addresses to anyone who comes via the GRE tunnel from the inside.

I tried setting this up but my clients never receive DHCP from the DMZ.

Inside controller:

vlan 200 "Guest WiFi"
!
interface tunnel 1
description "Tunnel to DMZ"
tunnel source vlan 1
tunnel mode gre 0
tunnel destination <DMZ IP>
tunnel keepalive 5 3
mtu 1350
no inter-tunnel-flooding
tunnel vlan 200
!
wlan virtual-ap "guest"
  aaa-profile "default-dot1x-psk"
  vlan 200
!

In the DMZ:

vlan 200 "Guest WiFi"
!
interface vlan 200
ip address 172.31.100.1 255.255.252.0
ip nat inside
operstate up
!
interface tunnel 1
description "Tunnel to Inside"
tunnel source vlan 1
tunnel mode gre 0
tunnel destination <inside controller IP>
tunnel keepalive 5 3
trusted
mtu 1350
no inter-tunnel-flooding
tunnel vlan 200
!
ip dhcp pool wifi-guest-pool
default-router 172.31.100.1
dns-server 8.8.8.8 8.8.4.4
lease 0 4 0 0
network 172.31.100.0 255.255.252.0
authoritative
!

Thanks!

Guru Elite
Posts: 20,575
Registered: 03-29-2007

Re: Controller inside tunneling traffic to the one in the DMZ.

The non-dmz side of the tunnel is not trusted.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 59
Registered: 02-17-2012

Re: Controller inside tunneling traffic to the one in the DMZ.

Setting both sides of the tunnel to trusted doesn't seem to help. I see the user successfully being assigned to an L2 role, but I don't see him getting any IP from DHCP.

Guru Elite
Posts: 20,575
Registered: 03-29-2007

Re: Controller inside tunneling traffic to the one in the DMZ.

garryshtern wrote:

Setting both sides of the tunnel to trusted doesn't seem to help. I see the user successfully being assigned to an L2 role, but I don't see him getting any IP from DHCP.

Type "show datapath tunnel table" and see if the encaps and decaps are going up on each side when you ping from one interface of VLAN 200 to another. If not, check your source/destination addresses in your tunnel statement. They must both be reachable IP addresses between each controller.

Colin Joseph
Aruba Customer Engineering

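The diagnostic above comes down to checking that the two tunnel statements mirror each other. As an added example (not from this thread or from ArubaOS itself), the following Python snippet checks a pair of constructed configs, modelled on the ones posted, for the mismatches discussed: source/destination addresses that do not pair up, differing mode/MTU/VLAN, and a tunnel end that is not trusted. It assumes one tunnel interface per snippet and uses documentation-range addresses in place of the thread's <DMZ IP> and <inside controller IP> placeholders.

```python
import re

# Constructed sample configs modelled on the thread's snippets; the IP
# placeholders become RFC 5737 addresses. Only "trusted" differs per end.
INSIDE_CFG = """interface vlan 1
ip address 192.0.2.10 255.255.255.0
interface tunnel 1
tunnel source vlan 1
tunnel mode gre 0
tunnel destination 198.51.100.10
mtu 1350
tunnel vlan 200"""
DMZ_CFG = """interface vlan 1
ip address 198.51.100.10 255.255.255.0
interface tunnel 1
tunnel source vlan 1
tunnel mode gre 0
tunnel destination 192.0.2.10
trusted
mtu 1350
tunnel vlan 200"""

def field(cfg, pattern):
    m = re.search(pattern, cfg, re.M)  # line-anchored lookup, None if absent
    return m.group(1) if m else None

def tunnel_facts(cfg):
    """Tunnel attributes that must agree across a GRE pair (one tunnel per snippet assumed)."""
    src_vlan = field(cfg, r"^tunnel source vlan (\d+)")
    # the tunnel source address is the IP configured on that VLAN interface
    src_ip = field(cfg, rf"^interface vlan {src_vlan}\nip address (\S+)")
    return {"src_ip": src_ip,
            "dst_ip": field(cfg, r"^tunnel destination (\S+)"),
            "mode": field(cfg, r"^tunnel mode (.+)$"),
            "mtu": field(cfg, r"^mtu (\d+)"),
            "vlan": field(cfg, r"^tunnel vlan (\d+)"),
            "trusted": field(cfg, r"^(trusted)$") is not None}

def check_pair(a_cfg, b_cfg):
    """Return the inconsistencies between the two ends (empty list = OK)."""
    a, b = tunnel_facts(a_cfg), tunnel_facts(b_cfg)
    problems = []
    if (a["dst_ip"], b["dst_ip"]) != (b["src_ip"], a["src_ip"]):
        problems.append("source/destination addresses do not pair up")
    for key in ("mode", "mtu", "vlan"):
        if a[key] != b[key]:
            problems.append(f"{key} mismatch: {a[key]} vs {b[key]}")
    for side, facts in (("A", a), ("B", b)):
        if not facts["trusted"]:
            problems.append(f"side {side}: tunnel is not trusted")
    return problems
```

Run against the two constructed configs, check_pair reports only that the inside end lacks "trusted", which is the first point raised in the thread.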

Contributor II
Posts: 59
Registered: 02-17-2012

Re: Controller inside tunneling traffic to the one in the DMZ.

I figured out the issue was permissions on the ACL assigned to the role given to the user. This works now, so thanks a lot for that!

However, the actual captive portal functionality is not working. That is, a user is assigned to the custom guest role, and he is able to resolve DNS and ping remote sites as per the rules. However, whenever he tries to go to google.com, which should force an automatic redirect to the captive portal page, it just hangs there.

Any hints?

Thanks!

Guru Elite
Posts: 20,575
Registered: 03-29-2007

Re: Controller inside tunneling traffic to the one in the DMZ.

Use the "ip cp-redirect-address <ip address of vlan 200>" command.



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 59
Registered: 02-17-2012

Re: Controller inside tunneling traffic to the one in the DMZ.

Will this work even if the local controller doesn't host this interface? Meaning, do I specify the IP of the <interface vlan 200> of the DMZ controller?

Guru Elite
Posts: 20,575
Registered: 03-29-2007

Re: Controller inside tunneling traffic to the one in the DMZ.

Give the non-dmz controller an IP address on Vlan 200 and point it at that.


Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 59
Registered: 02-17-2012

Re: Controller inside tunneling traffic to the one in the DMZ.

Thanks! That worked, without ip cp-redirect, actually. Do you know if there is a way to do this without explicitly defining the IP on the VLAN? I want to avoid having the local controller route this traffic locally.

Guru Elite
Posts: 20,575
Registered: 03-29-2007

Re: Controller inside tunneling traffic to the one in the DMZ.

Just put "no ip routing" on VLAN 200.


Colin Joseph
Aruba Customer Engineering
