ArubaOS and Controllers

Contributor I
Posts: 32
Registered: ‎06-30-2009

Policy Based Routing using ESI

Hello,

We are testing some of the different "user" VPN features on the Aruba controllers in v5.0.2.1.

One thing we have noticed is that the traffic from the L2TP or VIA clients is routed by the controller. Similar to a RAP we would like traffic to be "passed through" to our internal router (upstream from the controller) and have it make any necessary routing decisions.

Ex. this allows us to filter and optimize traffic to/from internet websites.

I was told that we might be able to use the ESI feature set to do some Policy Based Routing but am not sure if this is possible or how to do it.

It would be nice if the traffic from the clients hit the controller and then was "forwarded" to one of our internal routers. Since our internal network knows the path to the IP addresses used in the pools on the controller for the VPN clients, we should be able to "simply" route the traffic back to the clients without any special ESI processing.

Is this possible?

Thanks

Vinson
Guru Elite
Posts: 20,598
Registered: ‎03-29-2007

Re: Policy Based Routing using ESI

Vinson,

Without ESI, as long as a VPN pool matches a VLAN on the controller, that is trunked layer2 to your infrastructure, your users can end up in that subnet.

For example, if you want your users to end up in 172.16.20.x, you create a VLAN on the controller that has 172.16.20.1 255.255.255.0 as an IP address. Trunk that VLAN to your L3 switch that is the default gateway for that VLAN. Create a VPN pool that gives out addresses in that range. VPN clients will be able to answer traffic addressed to them on 172.16.20.x external to the controller. Just remember NOT to use an EXTERNAL DHCP server unless the range does not overlap with that pool you created.


Colin Joseph
Aruba Customer Engineering

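The layout described above (VPN pool inside a VLAN subnet, with no overlapping external DHCP scope) is easy to get wrong by hand; this added sanity check is not from the thread or from ArubaOS, and the addresses it uses are constructed to mirror the 172.16.20.x example.

```python
import ipaddress


def check_vpn_pool_layout(vlan_interface, pool_start, pool_end, dhcp_scope=None):
    """Return a list of layout problems (empty list means the layout is sane).

    vlan_interface: controller VLAN address in CIDR form, e.g. "172.16.20.1/24"
    pool_start/pool_end: first and last address handed out by the VPN pool
    dhcp_scope: optional (first, last) tuple of an external DHCP scope on the
                same VLAN, which must not overlap the VPN pool
    """
    iface = ipaddress.ip_interface(vlan_interface)
    subnet = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []

    if end < start:
        problems.append(f"pool end {end} precedes pool start {start}")
    # The pool must sit inside the VLAN subnet, or upstream routers cannot
    # reach the clients via the trunked VLAN.
    if start not in subnet or end not in subnet:
        problems.append(f"pool {start}-{end} is not inside VLAN subnet {subnet}")
    # Network and broadcast addresses are not usable client addresses.
    if start == subnet.network_address or end == subnet.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    # The controller's own VLAN address must not be handed to a client.
    if start <= iface.ip <= end:
        problems.append(f"VLAN interface address {iface.ip} sits inside the pool")
    # External DHCP on the same VLAN must use a disjoint range.
    if dhcp_scope is not None:
        d_first = ipaddress.ip_address(dhcp_scope[0])
        d_last = ipaddress.ip_address(dhcp_scope[1])
        if max(start, d_first) <= min(end, d_last):
            problems.append(f"external DHCP scope {d_first}-{d_last} overlaps the pool")
    return problems


if __name__ == "__main__":
    # Constructed example values, not a real deployment.
    print(check_vpn_pool_layout("172.16.20.1/24", "172.16.20.100", "172.16.20.199"))
    print(check_vpn_pool_layout("172.16.20.1/24", "172.16.20.100", "172.16.20.199",
                                dhcp_scope=("172.16.20.10", "172.16.20.150")))
```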

Contributor I
Posts: 32
Registered: ‎06-30-2009

Re: Policy Based Routing using ESI

Thanks for the reply...

I believe I understand what you are saying, but I think that only gives us the "Any to the VPN client" path.

Since you cannot define a default gateway or an IP Helper for the IP pool used for the VPN or VIA clients, the controller is still routing the packets from the "VPN clients to ANY destination".

Ex. If one of our VPN clients wants to get to www.testsite.com. While the DNS lookup would occur against one of our internal (because we define those in the VPN services screen), once the traffic for the site reaches the controller, the controller would send the traffic toward its "0.0.0.0/0" route. In our case that is the directly connected Internet interface. At that point the request would never hit our internal network and therefore bypass all policy filters.

Hopefully this all makes sense...

thanks

Vinson
Guru Elite
Posts: 20,598
Registered: ‎03-29-2007

Re: Policy Based Routing using ESI

I understand now. I did not offer a solution.

One way is to NOT give the controller a real external IP address for VPN termination. Give it a private address that has a 1:1 NAT configured on an external firewall and permit the traffic needed for that particular VPN to function inbound. In that situation, the default gateway for all traffic is internal.


Colin Joseph
Aruba Customer Engineering
