ArubaOS and Controllers

Occasional Contributor I
Posts: 5
Registered: ‎04-27-2009

Using GRE Tunnels to centralize L3 access

I am trying to work out a design for some Nortel wireless handsets. I want to set up an SSID for the wireless handsets in one building whose APs terminate on an Aruba controller; we will call it Aruba Controller B. I would like to then redirect all traffic from these clients through a GRE tunnel that would terminate on another Aruba controller, called Aruba Controller A. The reason for backhauling these devices is that the infrastructure they need to connect to exists in the building where Aruba Controller A is, and extending that infrastructure would require a great deal of time and money, which are currently not available. I don't have any problems setting this infrastructure up and making it work, but my question arises from the fact that these buildings are in fact attached, and at some point in time the clients will roam from APs controlled by Aruba Controller A to Aruba Controller B and vice versa. Does anyone have any idea if the roaming will work between these two buildings without incident? I am not quite sure how the controllers will handle these sessions. I have already contacted Aruba for help, but thought someone in the community might have done something similar.

Thanks
Guru Elite
Posts: 19,947
Registered: ‎03-29-2007

Tunnels


. The reason for backhauling these devices is because the infrastructure they need to connect to exists in thebuilding where Aruba controller A exists and extending that infrastructure would require a great deal of time and money which are currently not available. I don't have any problems setting this infrastructure up and making it work but my question arises from the fact that these buildings are infact attached and and some point in time the clients will roam from AP's controlled by Aruba controller A to Aruba Controller B and vica versa. Does anyone have any idea how if the roaming will work between these two buildings without incident? I am not quite sure how the controllers will handle these sessions and have already contacted Aruba for help but thought if someone in the community might have done something similar.

Thanks




Dlizotte,

Let's suppose Controller A has a VLAN "V", which is your voice VLAN. You have Controller B, which does not have that voice VLAN, but you have clients that routinely attach to Controller B. Here's how you would solve that:

You would create a GRE tunnel between Controller A and Controller B. On Controller A, you would attach VLAN V to that tunnel. On Controller B, you would create VLAN "V" and attach it to no interfaces. You would attach VLAN "V" on Controller B to the same GRE tunnel. In other words, you would make a layer 2 tunnel between two controllers, just for bridging the same VLAN.

When handsets attach to Controller A, they would be placed into VLAN V, and their traffic would be sent on its way. When handsets attach to Controller B, they would be placed into VLAN V, which tunnels back to Controller A, which has the REAL VLAN V, and traffic would continue like nothing happened. Your main vulnerability, of course, is if Controller A is down: you cannot put handsets onto VLAN V, because that is your only path to that VLAN.

VLAN V = 100. Config example:

Controller A:

interface tunnel 100
 tunnel source vlan 1
 ! tunnel destination is the IP interface on Controller B that terminates the tunnel
 tunnel destination 192.168.10.1
 ! tunnel vlan puts VLAN 100 traffic on that tunnel
 tunnel vlan 100
 trusted
!

Controller B:

interface tunnel 100
 tunnel source vlan 1
 ! tunnel destination is the IP interface on Controller A that terminates the tunnel
 tunnel destination 192.168.20.1
 ! tunnel vlan puts VLAN 100 traffic on that tunnel
 tunnel vlan 100
 trusted
!


In Summary:

1. Create VLAN 100 on Controller A
2. Assign VLAN 100 to an interface
3. Create tunnel 100 on Controller A, attach VLAN 100 traffic to it, and make it trusted
4. Create VLAN 100 on Controller B but don't assign it to an interface
5. Create tunnel 100 on Controller B, attach VLAN 100 traffic to it, and make it trusted

When handsets get on Controller B, they will be placed on VLAN 100, and their traffic will be sent back to Controller A, where the REAL VLAN 100 is.

And NO, the tunnel number does not have to equal the VLAN interface. The tunnel MUST, however, be trusted on both sides to pass traffic successfully.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
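The two tunnel definitions above only work as a pair: A's tunnel destination must be the address on B's source VLAN and vice versa, the VLAN list must match, and both ends must be trusted. The following script is an added example, not Aruba code and not from this thread. It parses the small subset of running-config syntax the thread uses (interface vlan / ip address, interface tunnel / tunnel source vlan / tunnel destination / tunnel vlan / trusted / tunnel keepalive; the keepalive command and the comma-separated VLAN list are assumptions about the CLI) and cross-checks the two ends. The sample configs are constructed from the addresses in the post, plus a deliberately broken copy of Controller B's config.

```python
"""Cross-check both ends of an ArubaOS layer-2 GRE tunnel for the mistakes
discussed in this thread: a source VLAN with no IP address, destinations
that do not point at the peer's source-VLAN address, a missing 'trusted',
mismatched VLAN lists and a missing keepalive.  Added example, not Aruba
code; the config subset and sample texts below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Tunnel:
    number: int
    source_vlan: Optional[int] = None
    destination: Optional[str] = None
    vlans: set = field(default_factory=set)
    trusted: bool = False
    keepalive: bool = False


@dataclass
class Controller:
    name: str
    vlan_ips: dict = field(default_factory=dict)   # vlan id -> IP address
    tunnels: dict = field(default_factory=dict)    # tunnel number -> Tunnel


def parse_config(name: str, text: str) -> Controller:
    """Line-oriented parse; a '!' line or a new 'interface' line ends a block."""
    ctl = Controller(name)
    block = None
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        if line.startswith("!"):
            block = None
            continue
        if m := re.fullmatch(r"interface vlan (\d+)", line):
            block = ("vlan", int(m.group(1)))
            continue
        if m := re.fullmatch(r"interface tunnel (\d+)", line):
            t = Tunnel(int(m.group(1)))
            ctl.tunnels[t.number] = t
            block = ("tunnel", t)
            continue
        if block is None:
            continue
        kind, obj = block
        if kind == "vlan":
            if m := re.match(r"ip address (\S+)", line):
                ctl.vlan_ips[obj] = m.group(1)
            continue
        t = obj
        if m := re.match(r"tunnel source vlan (\d+)", line):
            t.source_vlan = int(m.group(1))
        elif m := re.match(r"tunnel destination (\S+)", line):
            t.destination = m.group(1)
        elif m := re.match(r"tunnel vlan ([\d,]+)", line):
            t.vlans.update(int(v) for v in m.group(1).split(","))
        elif line == "trusted":
            t.trusted = True
        elif line.startswith("tunnel keepalive"):   # assumed command name
            t.keepalive = True
    return ctl


def check_tunnel(a: Controller, b: Controller, number: int) -> list:
    """Return findings (strings) for tunnel <number>; an empty list means the pair is consistent."""
    findings, ends = [], []
    for ctl in (a, b):
        t = ctl.tunnels.get(number)
        if t is None:
            findings.append(f"{ctl.name}: interface tunnel {number} is not configured")
            continue
        ends.append((ctl, t))
        if t.source_vlan is None:
            findings.append(f"{ctl.name}: tunnel {number} has no 'tunnel source vlan'")
        elif t.source_vlan not in ctl.vlan_ips:
            findings.append(f"{ctl.name}: tunnel source vlan {t.source_vlan} has no IP address, "
                            "so the tunnel cannot come up")
        if not t.trusted:
            findings.append(f"{ctl.name}: tunnel {number} is not trusted, so traffic will not pass")
        if not t.vlans:
            findings.append(f"{ctl.name}: tunnel {number} has no 'tunnel vlan', nothing is bridged")
        if not t.keepalive:
            findings.append(f"{ctl.name}: tunnel {number} has no keepalive (warning only)")
    if len(ends) == 2:
        (near, tn), (far, tf) = ends
        for n_ctl, n_t, f_ctl, f_t in ((near, tn, far, tf), (far, tf, near, tn)):
            far_ip = f_ctl.vlan_ips.get(f_t.source_vlan)
            if n_t.destination != far_ip:
                findings.append(f"{n_ctl.name}: tunnel destination {n_t.destination} is not "
                                f"{f_ctl.name}'s source-vlan address {far_ip}")
        if tn.vlans != tf.vlans:
            findings.append(f"tunnel {number}: VLAN lists differ ({sorted(tn.vlans)} vs {sorted(tf.vlans)})")
    return findings


# Constructed sample configs using the addresses from the post.
GOOD_A = """
interface vlan 1
 ip address 192.168.20.1 255.255.255.0
!
interface tunnel 100
 tunnel source vlan 1
 tunnel destination 192.168.10.1
 tunnel vlan 100
 tunnel keepalive
 trusted
!
"""
GOOD_B = GOOD_A.replace("192.168.20.1", "192.168.10.1", 1).replace("tunnel destination 192.168.10.1",
                                                                   "tunnel destination 192.168.20.1")
# The mistake from later in the thread: source VLAN is the bridged VLAN, which has no IP on B.
BAD_B = GOOD_B.replace("tunnel source vlan 1", "tunnel source vlan 666") + "interface vlan 666\n!\n"

if __name__ == "__main__":
    a, b = parse_config("A", GOOD_A), parse_config("B", GOOD_B)
    print("good pair:", check_tunnel(a, b, 100) or "no findings")
    print("bad pair:", check_tunnel(a, parse_config("B", BAD_B), 100))
```

Run it against the output of `show running-config` from each controller; the cross-check is the part worth keeping, since a tunnel whose ends disagree on addresses comes up "protocol down" with no error on either side.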
Contributor I
Posts: 23
Registered: ‎05-01-2009

Ip int brief shows tunnel down

I took your advice on using the GRE tunnel to propagate my guest portal VLAN from my master over to a local controller (across a WAN link) so that I could make it appear as though my remote site guest users are directly linked to my guest network on the master located at my HQ site. I followed your instructions verbatim, but the tunnel is showing physical up/protocol down on a "show interface" on both controllers at each end.

My master does have an IP configured on the VLAN (666), since it hosts the guest network connection, including provisioning DHCP to the wireless guest clients. I configured the remote site local controller for VLAN 666, but with no IP address, as you indicated. With both ends of the tunnel trusted, what could be the problem with the protocol not enabling? Thanks in advance.
Guru Elite
Posts: 19,947
Registered: ‎03-29-2007

Post your config

Post your tunnel config between both controllers from the command line.

Also do a "show datapath session table", and the same thing on the opposite controller, to see if GRE (IP protocol 47) traffic is being propagated. Also, do a "show datapath tunnel table", look for your GRE tunnel, and see if there are encaps and decaps. On the controller that does not have an IP address on VLAN 666, do this:

config t
! operstate is set under the VLAN interface
interface vlan 666
operstate up


Usually the operational state of a VLAN depends on a physical interface on the controller also being up. You can force it up regardless. Also, double-check your tunnel destination commands to make sure that on each side it is pointing to the IP address of the egress interface of the other controller.
Colin Joseph
Aruba Customer Engineering

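The datapath counters above tell you whether the controller thinks it is encapsulating and decapsulating; the other half of the check is a packet capture between the two tunnel addresses, which should show IP protocol 47 carrying the bridged VLAN frames. The dissector below is an added example, not Aruba code and not from this thread. It parses the outer IPv4 header, the GRE header (RFC 2784 with the RFC 2890 key and sequence fields) and, when the GRE protocol type is 0x6558 (transparent Ethernet bridging, which is an assumption about how the controllers carry layer 2 frames rather than something the thread states), the inner Ethernet frame and its 802.1Q tag. The sample packet is constructed inline. Note what the capture also makes obvious: GRE has no encryption or authentication, so everything bridged across the WAN link this way, guest portal traffic included, is readable in cleartext on that path.

```python
"""Dissect an IPv4/GRE packet to confirm that bridged VLAN frames are crossing
the tunnel.  Added example, not Aruba code.  The sample packet is constructed
below; the inner protocol type 0x6558 is an assumption (see lead-in)."""
import socket
import struct

GRE_PROTO = 47
ETH_BRIDGING = 0x6558      # transparent Ethernet bridging (assumed inner type)
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample(outer_src: str, outer_dst: str, key: int, vlan: int, payload: bytes) -> bytes:
    """Constructed IPv4 + GRE (K flag set) + 802.1Q-tagged Ethernet frame, for testing the parser."""
    inner = (bytes.fromhex("00112233445566778899aabb")          # dst MAC, src MAC (made up)
             + struct.pack("!HHH", ETHERTYPE_8021Q, vlan & 0x0FFF, ETHERTYPE_IPV4)
             + payload)
    gre = struct.pack("!HHI", 0x2000, ETH_BRIDGING, key) + inner  # flags: K=1, version 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0x1234, 0x4000, 64,
                      GRE_PROTO, 0, socket.inet_aton(outer_src), socket.inet_aton(outer_dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + gre


def parse_gre_packet(pkt: bytes) -> dict:
    """Return outer addresses, GRE header fields and, for 0x6558, the inner frame's VLAN and type."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    hdr = pkt[:ihl]
    if hdr[9] != GRE_PROTO:
        raise ValueError(f"IP protocol {hdr[9]} is not GRE (47)")
    info = {
        "outer_src": socket.inet_ntoa(hdr[12:16]),
        "outer_dst": socket.inet_ntoa(hdr[16:20]),
        "checksum_ok": ipv4_checksum(hdr) == 0,
    }
    gre = pkt[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    off = 4
    if flags & 0x8000:                      # C: checksum + reserved1
        off += 4
    if flags & 0x2000:                      # K: key (RFC 2890)
        info["gre_key"] = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & 0x1000:                      # S: sequence number (RFC 2890)
        info["gre_seq"] = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    info["gre_protocol"] = ptype
    inner = gre[off:]
    if ptype == ETH_BRIDGING and len(inner) >= 14:
        ethertype = struct.unpack("!H", inner[12:14])[0]
        info["inner_vlan"] = None
        if ethertype == ETHERTYPE_8021Q and len(inner) >= 18:
            tci, ethertype = struct.unpack("!HH", inner[14:18])
            info["inner_vlan"] = tci & 0x0FFF
            inner_payload = inner[18:]
        else:
            inner_payload = inner[14:]
        info["inner_ethertype"] = ethertype
        info["inner_payload"] = inner_payload
    return info


# Constructed sample: Controller A (192.168.20.1) to Controller B (192.168.10.1), bridged VLAN 100.
SAMPLE_PACKET = build_sample("192.168.20.1", "192.168.10.1", key=100, vlan=100,
                             payload=b"constructed voice payload")

if __name__ == "__main__":
    for k, v in parse_gre_packet(SAMPLE_PACKET).items():
        print(f"{k:16} {v!r}")
```

Feed it the raw bytes of a frame captured with tcpdump (strip the Ethernet header first) and filter on the two tunnel addresses; if no protocol-47 packets appear at all, the problem is the tunnel source or destination address, as it turned out to be later in this thread.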
Contributor I
Posts: 23
Registered: ‎05-01-2009

It's Up Now....

I didn't use the tunnel source vlan syntax correctly on the remote end. I input vlan 666 on the local controller instead of using vlan 1, which is the physical gateway for the controller. I noticed you didn't set any keepalive in your syntax. Is there a reason, or is keepalive turned on by default? Thanks for your prompt reply. This will work wonders on extending CP out to field controllers so I don't have to terminate those connections on firewall "dirty feeds" at each site. Anything to eliminate another "point of failure".
Guru Elite
Posts: 19,947
Registered: ‎03-29-2007

Point of Failure

I'm not sure why keepalive is not enabled by default.

I'm glad you got it up and running.
Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 67
Registered: ‎06-04-2009

Re: Using GRE Tunnels to centralize L3 access

Hi,

Would you please share with us how you would apply the firewall policies at the HQ server to the traffic coming through the tunnel?

Thanks in advance
Guru Elite
Posts: 19,947
Registered: ‎03-29-2007

Firewall Policies

Wherever the user enters the controller, the user is placed into a role. The policy is enforced at that point, before the tunnel.
Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 67
Registered: ‎06-04-2009

Re: Using GRE Tunnels to centralize L3 access

Hi Colin,

I know, but let me describe what I understood from this thread:

When we need to deploy branch controllers to each branch site and we don't want to set up a PEF license in each site, we could build a GRE tunnel between the branch controllers and the HQ controller; then we will need to install the PEF license on the HQ controller only.

Did I understand right?

If yes, then:
how do we configure the HQ controller to apply the PEF rules to the GRE tunnel traffic?

Thanks in advance
Guru Elite
Posts: 19,947
Registered: ‎03-29-2007

PEF License

You would make the HQ side of the tunnel untrusted; then it will force the users through a captive portal at the HQ end and assign them a role upon authentication. The PEF rules would be assigned to the initial role that the guests get AND the resulting role when they authenticate. Usernames and passwords for your guest portal will be maintained by the HQ controller.

A word about PEF:

The PEF license is very useful when you have a controller where you have different types of devices or you want to enforce policy, and improve performance. 90% of our users get the PEF license for each controller, because they don't want to be in a situation where they need it and they don't have it. If you are enforcing policies for your guests, no doubt you want to enforce policies for your different types of users, contractors, devices, etc. internally.
Colin Joseph
Aruba Customer Engineering
