ArubaOS and Controllers

Contributor I
Posts: 34
Registered: ‎04-27-2009

src-nat private IP and multiple controllers

I have 3 controllers (master, local, local) running ArubaOS 3.3. The master does not terminate any APs, but acts as a backup for the two locals. There is a VRRP address between each local and the master, and the LMS_IP of the APs are one of the 2 VRRP addresses.

I want to set up a guest network using a private IP subnet, and the DHCP server on the master.

What's the best way to set this up? I've got VLAN2 (the private subnet) on all 3 controllers, with 172.16.0.1 as the master, and .2 and .3 as the locals. I use a GRE tunnel between each local and the master to "route" VLAN2 between controllers.

I set up a policy for source: user, dest: any, service: any, action: src-nat with a NAT pool of one address (the one public address I want to use), but right now, it's not working.

Is there anyone out there with a similar setup who has it working?

Thanks,

JP
Guru Elite
Posts: 20,442
Registered: ‎03-29-2007

Guest Access

J.P.

To simplify this, you should have a DHCP server on each controller, an "IP NAT Inside" statement on your guest VLAN on each controller, that will source-NAT all traffic that is on your guest VLAN without needing that src-NAT firewall policy. Just go ahead and allow all the protocols you want guests to do in your guest firewall policy. Remove the GRE tunnels, because (1) Guests don't need to talk to each other and (2) You will be doing DHCP on each controller individually.

I hope this helps


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 34
Registered: ‎04-27-2009

Re: src-nat private IP and multiple controllers

Colin,

Thanks for the quick reply. This does sound like it could work for most of my problems. One question would be how the controllers handle a VRRP failover in the event of one of the locals dropping...

Also, I have one network that I want to use for our Helpdesk to be able to test and troubleshoot VPN problems. As a result, I would like to have a "vpn-test" SSID using a private subnet. I could use the ip nat inside on this VLAN, but as far as I can tell, you are restricted to using the controller's default gateway for the NAT'd address. This will not work in this case, as the default gateway is in VLAN20, but I need the source NAT address to be on VLAN129...

Any ideas for this?

Thanks again,

JP



Guru Elite
Posts: 20,442
Registered: ‎03-29-2007

VLANs

JP,

Do the controllers have a public address on them? The controller will only be able to SRC-NAT with a pool of addresses that exist on the controller. In addition, those addresses must also be routable.


Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 34
Registered: ‎04-27-2009

Re: src-nat private IP and multiple controllers

Here's the quick rundown. VLAN129 is the public, routable address I want to use. The address on the master for this VLAN is X.X.129.100/24 (don't want to use full octets, sorry). VLAN129 also exists on the local with X.X.129.101.

On the master I've got VLAN2, which is my private subnet, with address 172.16.0.1. The master has a DHCP pool for this subnet. On the local I've got VLAN2 with 172.16.0.2, and a helper address pointing to 172.16.0.1.

I've got a VLAN based GRE tunnel between the two controllers that has both VLAN2 and 129 in it.

The LMS_IP of the test AP group I've got points to a VRRP address, of which the local is currently the primary.

With a test client, I am able to associate, and I get a valid VLAN2 private IP address. I can ping both X.X.129.101 and X.X.129.100, so routing to the 129VLAN appears to be working.

Now, my VPN concentrator to test is on another subnet at X.X.159.30/24. On the local, I entered a static route for X.X.159.0/24 -> X.X.129.100, and on the master I have a route X.X.159.0/24 -> X.X.129.20 (the next hop outside the controllers). I can ping this address on both controllers.

On the master I made a NAT pool with the range X.X.129.100 - X.X.129.100 (I want VPN traffic to only appear to be coming from the one address).

Now in my ACL, I created rules to src-nat UDP 500 and IP 50 for VPN traffic (I've also tested by just using user -> any src-nat). I put a network trace on the wire, and I see the VPN traffic coming in, but it's still coming from the private IP of the client, and NOT from the NAT pool address.

I'm not sure what I'm doing wrong...



Guru Elite
Posts: 20,442
Registered: ‎03-29-2007

src-nat private IP and multiple controllers

JP,

Do you have a NAT pool defined on each controller? The name of the NAT pool is defined at the master, but the pool is defined on each controller individually. Traffic that is NATted in this manner is ALWAYS NATted out the interface of the controller, and cannot be NATted out of, say, a MASTER controller downstream, which is what I think you're trying to do.

The simplest way to deal with this is to get a SOHO router. Give it an IP address on that public x.x.129.100 network and a proper default gateway. On the other side, have it distribute IP addresses in the range of the guest network. Assign an interface on master, local1 and local2 to that VLAN and physically connect them to the private side of that SOHO router. In other words, have all three controllers send their guest user traffic to a device that does the DHCP and the NAT, and you can remove that from the equation.

Would this even help?


Colin Joseph
Aruba Customer Engineering


Guru Elite
Posts: 20,442
Registered: ‎03-29-2007

Src-nat

BG,

When you use the SRC-NAT parameter in a user rule, it can only source NAT out of the interface of the controller that the user is on. If I am a user on the local, for example, my traffic will SRC-NAT out of the existing controller, but will not do BOTH. What you are trying to accomplish is SRC-Natting user traffic from one controller, THROUGH the master controller outside and there are a number of reasons why this won't work.

As an alternative, you might want to get a SOHO router, put the x.x.129.100 address on one side, 172.16.0.x address on another side (the default gateway for the controllers) and allow the SOHO device to do the DHCP as well as the SRC nat for all 3 controllers. The way you are doing it now forces you to make choices that seriously limit your flexibility and increase your complexity.


Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 34
Registered: ‎04-27-2009

Re: src-nat private IP and multiple controllers

Finally got it...

I have the DHCP on the local (172.16.0.2) serving out 172.16.0.134-164 with the default gateway of 172.16.0.2. The GRE tunnel now just has VLAN129 on it, no more VLAN2. The VLAN129 address on the local is X.X.129.101, so on the local, I made the NAT pool X.X.129.101. SRC-NAT is finally working!

Now I'm going to set up a similar structure on the master, for redundancy if the master becomes the primary on the VRRP. The master has 172.16.0.1 on VLAN2 and X.X.129.100 on VLAN129. I'll give it a DHCP scope of 172.16.0.100-133 with a default gateway 172.16.0.1. The NAT pool here will be X.X.129.100.

I'll get that set up, then test a VRRP failover...

Thanks for the help!
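Editor's added example, not code from the thread or from Aruba. It covers two points above: Colin's rule that a src-nat pool is defined on each controller individually and only works with addresses that exist on the controller the user terminates on, and JP's final working layout (one single-address pool per controller, one DHCP slice per controller, no VLAN2 over GRE). The block renders that per-controller config as constructed, simplified ArubaOS-style text and runs an offline pre-flight check over it that flags the two ways JP's earlier attempt went wrong. Assumptions: 198.51.100.0/24 stands in for the thread's X.X.129.0/24 and 203.0.113.0/24 for the X.X.159.0/24 concentrator subnet; the command syntax (`ip nat pool`, `src-nat pool`, `svc-ike`/`svc-esp`, `ip dhcp excluded-address`) is the ArubaOS 6.x form as I know it and is only assumed to match 3.3; the rule for the local's static route is changed to point straight at the upstream next hop rather than at the master.

```python
"""Pre-flight check for per-controller src-nat pools (added example, constructed config)."""
import ipaddress
import re


def controller_config(vlan2_ip, vlan129_ip, pool_ip, dhcp_lo, dhcp_hi):
    """Render one controller's config (assumed ArubaOS 6.x syntax).
    Each controller owns its own VLAN 2 / VLAN 129 addresses, its own
    single-address NAT pool and a non-overlapping slice of 172.16.0.0/24.
    The DHCP pool covers the whole /24, so excluded-address carves the slice."""
    return f"""\
interface vlan 2
  ip address {vlan2_ip} 255.255.255.0
!
interface vlan 129
  ip address {vlan129_ip} 255.255.255.0
!
ip nat pool vpn-test-nat {pool_ip} {pool_ip}
!
service dhcp
ip dhcp excluded-address 172.16.0.1 172.16.0.{dhcp_lo - 1}
ip dhcp excluded-address 172.16.0.{dhcp_hi + 1} 172.16.0.254
ip dhcp pool vpn-test
  network 172.16.0.0 255.255.255.0
  default-router {vlan2_ip}
!
ip route 203.0.113.0 255.255.255.0 198.51.100.20
!
ip access-list session vpn-test
  user any svc-ike src-nat pool vpn-test-nat
  user any svc-esp src-nat pool vpn-test-nat
  user any any deny
!
user-role vpn-test
  access-list session vpn-test
"""


IFACE_RE = re.compile(r"^interface vlan (\d+)$")
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+)$")
SRC_NAT_RE = re.compile(r"\bsrc-nat pool (\S+)$")


def parse_config(text):
    """Return (interface IPs, {pool name: (start, end)}, pool names used by ACL rules)."""
    local_ips, pools, referenced = set(), {}, set()
    in_vlan = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "!":
            in_vlan = False
            continue
        if IFACE_RE.match(line):
            in_vlan = True
            continue
        m = ADDR_RE.match(line)
        if m and in_vlan:
            local_ips.add(ipaddress.ip_interface(f"{m[1]}/{m[2]}").ip)
            continue
        m = POOL_RE.match(line)
        if m:
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
            continue
        m = SRC_NAT_RE.search(line)
        if m:
            referenced.add(m[1])
    return local_ips, pools, referenced


def ip_range(start, end):
    cur = start
    while cur <= end:
        yield cur
        cur += 1


def check_src_nat(text):
    """Apply Colin's rule to one controller's config. Returns problems that would
    leave user traffic with its private source address (JP's symptom): an ACL
    naming a pool this controller lacks, or a pool holding addresses it does not own."""
    local_ips, pools, referenced = parse_config(text)
    problems = []
    for name in sorted(referenced):
        if name not in pools:
            problems.append(f"pool {name} is referenced by an ACL but not defined on this controller")
            continue
        foreign = [str(a) for a in ip_range(*pools[name]) if a not in local_ips]
        if foreign:
            problems.append(f"pool {name}: {', '.join(foreign)} not an address of any VLAN interface on this controller")
    return problems


# JP's final layout: local hands out .134-.164 behind .101, master .100-.133 behind .100.
LOCAL_CONFIG = controller_config("172.16.0.2", "198.51.100.101", "198.51.100.101", 134, 164)
MASTER_CONFIG = controller_config("172.16.0.1", "198.51.100.100", "198.51.100.100", 100, 133)
# Two readings of the earlier failure: local's pool holds the master's address,
# or the pool name exists only on the master.
LOCAL_BROKEN = controller_config("172.16.0.2", "198.51.100.101", "198.51.100.100", 134, 164)
LOCAL_NO_POOL = LOCAL_CONFIG.replace("ip nat pool vpn-test-nat 198.51.100.101 198.51.100.101\n!\n", "")

if __name__ == "__main__":
    for label, cfg in [("local", LOCAL_CONFIG), ("master", MASTER_CONFIG),
                       ("local-broken", LOCAL_BROKEN), ("local-no-pool", LOCAL_NO_POOL)]:
        print(label, check_src_nat(cfg) or "ok")
```

Two things worth watching in the failover test JP mentions: a client that took its lease from the local keeps default-router 172.16.0.2, which the master's VLAN 2 does not own, so such clients need a fresh lease before traffic flows through the master; and because ESP carries no ports, a single-address pool can only tell apart one client per concentrator on the return path, which suits a helpdesk test SSID but would need NAT-T (UDP 4500) for concurrent testers.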