Campus Switching and Routing

Occasional Contributor II

Role of MAS

For a remote office deployment, should a MAS be deployed behind a firewall? I would imagine IPsec and/or GRE to the mobility switch IP need to be opened.

My goal is to provide remote offices authenticated port access. The MAS would tunnel back to a controller for policy enforcement.

I almost wish I had deployed 5 RAPs rather than the MAS. The reason I say that is I have a firm understanding based on the reference guide for remote office. I am just having a hard time getting my brain around the MAS.

Can someone describe, architecturally, how you deployed a MAS for a remote office?

Aruba

Re: Role of MAS

Hi,
The Mobility Access Switch (MAS) platforms can be deployed in several remote office configurations:

1) MAS behind a RAP

  • RAP provides local internet access and access to Corporate resources (aka split-tunnel), stateful user-enforcement and NAT
  • MAS can provide stateless user-enforcement (via UDR, 802.1x, MAC-Auth, Guest Captive Portal).


2) MAS behind Firewall

  • Firewall provides local internet access, stateful firewall and NAT.
  • MAS can establish IPSEC VPN tunnel for access to Corporate resources (Requires AOS 7.2)
  • MAS can provide stateless user-enforcement (via UDR, 802.1x, MAC-Auth, Guest Captive Portal)
  • MAS can also tunnel user-traffic via Tunneled Node on a per-port basis back to Mobility Controller for stateful user-enforcement. (requires LIC-x-AP and LIC-SEC-x per standalone switch or ArubaStack)


3) Standalone MAS

  • MAS establishes IPSEC VPN tunnel for access to Corporate resources and Internet Access (Requires AOS 7.2). A stateless ACL would be applied on egress interface only allowing return IPSEC traffic
  • MAS can provide stateless user-enforcement (via UDR, 802.1x, MAC-Auth, Guest Captive Portal)
  • MAS can also tunnel user-traffic via Tunneled Node on a per-port basis back to Mobility Controller for stateful user-enforcement. (requires LIC-x-AP and LIC-SEC-x per standalone switch or ArubaStack)


I hope this helps.


Best regards,


Madani
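The standalone deployment (option 3) relies on a stateless ACL on the MAS egress interface that permits only the return leg of the IPsec tunnel. Because a stateless ACL has no connection tracking, every protocol the tunnel needs has to be listed explicitly: IKE on UDP/500, NAT-T (UDP-encapsulated ESP) on UDP/4500, and ESP itself (IP protocol 50), all restricted to the controller's address. The following is an added example that models that allowlist in Python so the matching can be checked against sample packets; it is not Aruba CLI and not code from the post, the controller and MAS addresses are constructed documentation ranges, and the assumption that no NAT sits between the two peers (so NAT-T uses 4500 on both sides) is mine.

```python
"""Model of a stateless 'return IPsec only' egress ACL for a standalone MAS.

Added example, not Aruba CLI and not from the original thread. Addresses are
constructed from RFC 5737 documentation ranges. Protocol and port numbers are
the standard IKE / NAT-T / ESP values.
"""
from dataclasses import dataclass
from ipaddress import ip_address

IP_PROTO_TCP, IP_PROTO_UDP, IP_PROTO_GRE, IP_PROTO_ESP = 6, 17, 47, 50
IKE_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Packet:
    """Minimal IP header fields a stateless ACL can match on."""
    src: str
    dst: str
    proto: int
    sport: int = 0  # 0 means 'no port' (ESP, GRE)
    dport: int = 0


def build_return_ipsec_acl(controller_ip: str, mas_wan_ip: str):
    """Ordered allow rules; anything not matched falls through to implicit deny."""
    ctrl, mas = ip_address(controller_ip), ip_address(mas_wan_ip)

    def from_peer(p: Packet) -> bool:
        # Only the controller may talk to the switch's WAN address.
        return ip_address(p.src) == ctrl and ip_address(p.dst) == mas

    return [
        ("IKE replies (UDP/500 -> UDP/500)",
         lambda p: from_peer(p) and p.proto == IP_PROTO_UDP
         and p.sport == IKE_PORT and p.dport == IKE_PORT),
        ("NAT-T / UDP-encapsulated ESP (UDP/4500, assumes no NAT in path)",
         lambda p: from_peer(p) and p.proto == IP_PROTO_UDP
         and p.sport == NAT_T_PORT and p.dport == NAT_T_PORT),
        ("ESP (IP protocol 50)",
         lambda p: from_peer(p) and p.proto == IP_PROTO_ESP),
    ]


def evaluate(acl, packet: Packet):
    """First-match evaluation, like a hardware ACL: permit on match, else deny."""
    for description, matches in acl:
        if matches(packet):
            return "permit", description
    return "deny", "implicit deny at end of ACL"


CONTROLLER_IP = "203.0.113.10"  # constructed (TEST-NET-3)
MAS_WAN_IP = "198.51.100.25"    # constructed (TEST-NET-2)

# Constructed inbound packets arriving on the MAS WAN interface.
SAMPLE_INBOUND = {
    "ike_reply": Packet(CONTROLLER_IP, MAS_WAN_IP, IP_PROTO_UDP, IKE_PORT, IKE_PORT),
    "esp_from_controller": Packet(CONTROLLER_IP, MAS_WAN_IP, IP_PROTO_ESP),
    "nat_t_from_controller": Packet(CONTROLLER_IP, MAS_WAN_IP, IP_PROTO_UDP, NAT_T_PORT, NAT_T_PORT),
    # GRE is not part of this design (the tunnel is IPsec), so it is denied.
    "gre_from_controller": Packet(CONTROLLER_IP, MAS_WAN_IP, IP_PROTO_GRE),
    # ESP from any other source is dropped: the ACL pins the peer address.
    "esp_spoofed_source": Packet("192.0.2.66", MAS_WAN_IP, IP_PROTO_ESP),
    # Unsolicited Internet traffic to the switch itself never matches.
    "https_scan": Packet("192.0.2.99", MAS_WAN_IP, IP_PROTO_TCP, 51000, 443),
}


def classify_samples() -> dict:
    """Map each sample packet name to the ACL action it receives."""
    acl = build_return_ipsec_acl(CONTROLLER_IP, MAS_WAN_IP)
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLE_INBOUND.items()}


if __name__ == "__main__":
    acl = build_return_ipsec_acl(CONTROLLER_IP, MAS_WAN_IP)
    for name, pkt in SAMPLE_INBOUND.items():
        action, why = evaluate(acl, pkt)
        print(f"{name:24s} {action:6s} {why}")
```

Two practical points fall out of the model. First, the ACL is stateless, so it cannot know that an inbound ESP packet is a reply to something the switch sent; pinning the source to the controller address is what stands in for connection tracking, which is exactly what the stateful firewall does for you in option 2. Second, "only return IPsec traffic" means anything the switch itself needs outside the tunnel (for example resolving the controller by name before the tunnel is up) must either be carried inside the tunnel or be added to the ACL deliberately.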

Occasional Contributor II

Re: Role of MAS

Thank you madjali - I worked through a config this weekend and have the MAS behind a firewall and tunneled over an IPsec tunnel. That works, except I have yet to establish "internet" connectivity, although I do authenticate and have access to internal corporate resources.


I'm intrigued by deployment #1, as that may be more in tune (and simpler) with my objectives.


In that configuration, does each port of the MAS authenticate via the same 802.1X profile that the RAP is configured for on the controller? Is the 802.1X request just passed the same as for the wired ports on the RAP? Is the port just set as untrusted with a trunk port on the RAP (i.e. MAS trunked to RAP)? I'll start experimenting with that to see if I can get it working.


Thanks for the thorough response and any additional details you might have on option #1.
