10-29-2008 05:16 PM - edited 10-03-2015 01:48 PM
Most deployments of an Aruba Controller are in front of an internet connection with a fixed IP address, or a device downstream that would handle the dynamic nature of a broadband connection like a SOHO router. What would happen at a site if you ONLY had a cable modem that supplies a dynamic address and an Aruba Controller? Could the controller get an IP address, subnet mask, gateway, default route and DNS settings and route traffic? The answer, of course, is yes.
After configuring a management IP address and VLAN for the Aruba Controller, create a SEPARATE VLAN for acquiring an IP address from your cable modem and assign it to a port using the "ip address dhcp-client" command. This physical port would be connected to your cable modem or broadband device.
(Aruba800-4) (config) #interface vlan 930
(Aruba800-4) (config-subif)#ip address dhcp-client
(Aruba800-4) (config) #interface fastethernet 1/0
(Aruba800-4) (config-if)#switchport access vlan 930
***Some cable modems require a reboot before they recognize a new device and issue a DHCP address. Reboot your cable modem and type "show ip interface brief" after the link comes up to see if it issued a new IP address.
To be able to route your clients out that connection, the Aruba controller needs to dynamically get the default gateway from it. Use the "ip default-gateway import" command to obtain your default gateway from the dynamic connection:
(Aruba800-4) (config) #ip default-gateway import
To automatically distribute the DNS server obtained from your broadband connection to clients in your pools, use the "dns-server import" command:
ip dhcp pool local
dns-server import
lease 1 0 0
network 126.96.36.199 255.255.255.0
Verify the interface address was obtained dynamically:
(Aruba800-4) #show ip interface brief
Interface IP Address / IP Netmask Admin Protocol
vlan 1 192.168.15.3 / 255.255.255.0 up up
vlan 4000 188.8.131.52 / 255.255.255.0 up up
vlan 930 184.108.40.206 / 255.255.240.0 up up
DHCP is enabled on VLAN 930
Verify that the default gateway was obtained dynamically:
(Aruba800-4) #show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static
M - mgmt, U - route usable, * - candidate default
Gateway of last resort is 220.127.116.11 (DHCP) to network 0.0.0.0
S* 0.0.0.0/0 via 18.104.22.168*
C 192.168.15.0 is directly connected, VLAN1
C 22.214.171.124 is directly connected, VLAN4000
C 126.96.36.199 is directly connected, VLAN10
One last word about security: To ensure that no untrusted traffic comes from the internet into the Aruba controller, create a session ACL that only allows DHCP and apply it to the interface that connects to the broadband device:
ip access-list session dhcp-only
any any svc-dhcp permit
any any any deny
interface fastethernet 1/0
ip access-group dhcp-only session
For the wireless VLANs that users attach to with private addresses, you would only have to enable "ip nat inside" (source NAT) for that VLAN to allow your wireless users to go to the internet. On the GUI, that would be "Enable source NAT inside for this VLAN":
interface vlan 1
ip nat inside
Aruba Customer Engineering
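An offline check for the security step in the post above, as an added example that is not part of the original post or Aruba's own tooling: it reads a saved configuration and flags any port in a dhcp-client VLAN that lacks a session ACL permitting only svc-dhcp and ending in a deny. It assumes sub-commands follow their stanza header and that a blank line or "!" closes a stanza; the function names and port 1/1 in the sample are hypothetical.

```python
import re

# Constructed sample in the page's syntax; port 1/1 is a hypothetical second uplink.
SAMPLE_CONFIG = """
ip access-list session dhcp-only
  any any svc-dhcp permit
  any any any deny
interface vlan 930
  ip address dhcp-client
interface fastethernet 1/0
  switchport access vlan 930
  ip access-group dhcp-only session
interface fastethernet 1/1
  switchport access vlan 930
"""
HEADER = re.compile(r"(interface (vlan|fastethernet) \S+|ip access-list session \S+)$")

def parse_stanzas(text):
    """Map each stanza header to the list of commands beneath it."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or line == "!":
            current = None          # blank line or '!' closes the stanza
        elif HEADER.match(line):
            current = stanzas.setdefault(line, [])
        elif current is not None:
            current.append(line)
    return stanzas

def audit_uplinks(text):
    """Report ports in a dhcp-client VLAN that lack a DHCP-only session ACL."""
    st = parse_stanzas(text)
    dhcp_vlans = {h.split()[-1] for h, body in st.items()
                  if h.startswith("interface vlan ") and "ip address dhcp-client" in body}
    findings = []
    for header, body in st.items():
        vlan = next((c.split()[-1] for c in body if c.startswith("switchport access vlan ")), None)
        if not header.startswith("interface fastethernet ") or vlan not in dhcp_vlans:
            continue
        acl = next((c.split()[2] for c in body if re.fullmatch(r"ip access-group \S+ session", c)), None)
        rules = st.get(f"ip access-list session {acl}", [])
        if acl is None:
            findings.append(f"{header}: no session ACL on internet-facing port")
        elif not rules or rules[-1] != "any any any deny":
            findings.append(f"{header}: ACL {acl} does not end in 'any any any deny'")
        elif any(r.endswith(" permit") and r != "any any svc-dhcp permit" for r in rules):
            findings.append(f"{header}: ACL {acl} permits more than svc-dhcp")
    return findings
```

Run `audit_uplinks()` on the text of a saved configuration; an empty list means every port in a dhcp-client VLAN carries the DHCP-only ACL.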
02-08-2014 11:50 AM
Are the commands here still valid? I ask because I tried the above and a few commands were not found, and it doesn't say anything about requiring trunking of the uplink port. Is this still required as well?
I'm going to most likely create a new post and refer to this write-up.