ArubaOS and Controllers

Occasional Contributor II
Posts: 14
Registered: ‎03-01-2011

single 6000 solution ?

Hi all, I am faced with a scenario where I need some fundamental guidance.
I have been given a single 6000 controller to design around. I have local corporate users, I have guest users and remote users as in home workers.
I need to complete a design paper that will allow connectivity for these users. My initial thought was to have one interface on the corporate side for corporate users and another interface going to a firewall DMZ for guest users.
So far is this a good plan or should I be putting the controller completely into the DMZ and taking all the wireless traffic through it? (I am not a wireless engineer and have bitten off a fair bit here :confused: ) Is it best practice to have the remote AP users on their own SSID or should they be on the local SSID? The other thing is where should the tunnel for the remote users terminate. Do I need to have an internet-facing IP address or am I making it too complicated? Thanks in advance.
Guru Elite
Posts: 21,576
Registered: ‎03-29-2007

Re: single 6000 solution ?

It all depends on what is convenient for you and what is in line with the policies of your organization.

If you already have a controller deployed internally with a private IP address, you could consider doing a static 1:1 NAT with a public address on your firewall and allow UDP 4500 inbound to the controller. You would NOT have to readdress anything, if you did.

With regard to the guest traffic, you need to decide if you want them to share your existing internet connection or bridge them to a separate cable modem or Linksys router to provide access. If you want them to use your existing internet connection, you can create a subnet that only exists in the controller. The controller would provide DHCP and captive portal, as well as the default gateway for the clients, and source-NAT the traffic out of the controller's interface using the "ip nat inside" directive on that VLAN interface. You would of course place the guest users into a role that will not allow them to send anything to your internal network.

You have quite a few choices, but please take a look at the guides on the page here: http://www.arubanetworks.com/technology/reference-design-guides/ for more information

Virtual Branch Networks Validated Reference Design v3.0
Aruba Campus Wireless Networks Validated Reference Design


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
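A configuration sketch of the guest design described in the reply above, added here as an illustration; it is not from the original post or from Aruba documentation. The VLAN number, addresses, and the names `guest-pool`, `internal-nets`, `guest-no-internal` and `guest-internet` are constructed, the syntax follows ArubaOS 6.x (check the CLI reference for your release), and the captive portal, AAA and SSID profiles are not shown.

```text
! Guest VLAN that exists only on the controller (constructed values)
vlan 900
!
interface vlan 900
    ip address 192.168.200.1 255.255.255.0
    ! Source-NAT guest traffic out of the controller's own interface
    ip nat inside
!
! Controller acts as DHCP server and default gateway for guests
ip dhcp pool guest-pool
    default-router 192.168.200.1
    dns-server 192.168.200.1
    network 192.168.200.0 255.255.255.0
!
service dhcp
!
! Everything treated as "internal"; here all RFC 1918 space (assumption)
netdestination internal-nets
    network 10.0.0.0 255.0.0.0
    network 172.16.0.0 255.240.0.0
    network 192.168.0.0 255.255.0.0
!
! First match wins: allow DHCP/DNS, then drop anything to internal
! destinations before the web permits are reached
ip access-list session guest-no-internal
    user any svc-dhcp permit
    user any svc-dns permit
    user alias internal-nets any deny
    user any svc-http permit
    user any svc-https permit
!
! Role assigned to guests after captive portal login
user-role guest-internet
    access-list session guest-no-internal
```

Rule order is the security-relevant part: the `deny` to `internal-nets` must sit above any broad permit, and because a role ends in an implicit deny, anything not listed is dropped.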

Occasional Contributor II
Posts: 14
Registered: ‎03-01-2011

Re: single 6000 solution ?

Thanks. This has been helpful.
Occasional Contributor II
Posts: 14
Registered: ‎03-01-2011

Re: single 6000 solution ?

If I install two controller modules into this chassis, what is the separation across the back plane? By this I mean if one of these is facing a firewall (DMZ) and the other is facing onto the corporate network, can traffic traverse the back plane directly between these controllers, hence risking exposing the corporate network?
Guru Elite
Posts: 21,576
Registered: ‎03-29-2007

Re: single 6000 solution ?

No. They are separate devices except where you connect them yourself. The backplane is passive.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 14
Registered: ‎03-01-2011

Re: single 6000 solution ?

Excellent, thanks.