Controller Based WLANs

How to NAT and redirect specific traffic using an ACL on an Aruba controller when the controller is not the client's gateway

Introduction:

As per the topology below, clients associate to Vlan 2 and their gateway is the firewall; the controller's own gateway is also defined on the firewall. A server in Vlan-x is routable only via the controller interface IP. We want to send specific client traffic to that server. Because the clients' gateway is the firewall, IP NAT Inside cannot be used. A plain src-nat ACL cannot be used either, because the traffic would simply be bridged to the client's gateway, the firewall.
 
A practical case for this is a captive portal server as the server in the topology, where the client only needs to communicate with the server over HTTP/HTTPS.
 
To achieve this, we configure the server as an ESI server and use the NAT+Redirect option in the ACL.
 
Environment: This article applies to AOS version 6.1 and above.
 
[Topology diagram: rtaImage.jpg]
 
 
Configuration Steps:

1. Create an ESI server, using the server IP as the ESI server address. In this example the server is 10.13.15.40. Because the traffic has to be routed to the server, route mode is used:
 
esi ping Aruba
  frequency 30
  timeout 1
  retry-count 2
!
esi server Aruba
  trusted-ip-addr 10.13.15.40
  untrusted-ip-addr 10.13.15.40
  mode route
!
esi group Aruba
  ping Aruba
  server Aruba
!
 
2. Once the ESI configuration is done, create a NAT pool whose start and end IP are both the controller interface IP. This is the source IP that will be used for the traffic destined to the server.
 
(Aruba-2) #show ip nat pool
 
NAT Pools
---------
Name            Start IP      End IP        DNAT IP  Flags
----            --------      ------        -------  -----
dynamic-srcnat  0.0.0.0       0.0.0.0       0.0.0.0
internal        10.17.224.66  10.17.224.66  0.0.0.0
 
3. The ACL below redirects and NATs the guest users' traffic to the server:
 
user      host 10.13.15.40        svc-https/http      redirect esi-group Aruba direction forward src-nat pool internal
   
Answer:

As the gateway for the client is not the controller, the controller by design bridges the traffic. If there is no route between the server and the client's VLAN, the client's traffic has to be NATed and redirected to the server using one of the routable interfaces on the controller. This cannot be achieved with a src-nat ACL alone: the server must be configured as an ESI server in route mode, and the ACL is then used to redirect and NAT the specific traffic.
 
Verification: I have used RDP to demonstrate the TCP session.

Client IP : 192.168.2.3
Server : 10.13.15.40

(Aruba-2) #show datapath  session table 10.13.15.40
 
 
Datapath Session Table Entries
------------------------------
 
Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
 
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
192.168.2.3     10.13.15.40     6    52076 3389   0/0     0 0   0   local       1    4         191        SRC
10.13.15.40     10.17.224.66    6    3389  52076  0/0     0 0   0   local       1    3         151        N

The session table shows the client's traffic src-NATed (S) and redirected (R) to the server, and the server's return traffic addressed to the NAT pool IP 10.17.224.66 with dest NAT (N) back to the client. Without ESI the traffic would be bridged to the uplink switch or the client's gateway.
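An added example, not part of the original article: a small parser for the "show datapath session table" output above, plus a check that the forward session carries the src-NAT (S) and redirect (R) flags and that the server's return session is addressed to the NAT pool IP with dest NAT (N). The sample table is constructed from the two rows shown in the article; the Python script and its function names are assumptions for this example.

```python
from dataclasses import dataclass

# Constructed sample: the two session rows from the article's output.
SESSION_TABLE = """\
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
192.168.2.3     10.13.15.40     6    52076 3389   0/0     0 0   0   local       1    4         191        SRC
10.13.15.40     10.17.224.66    6    3389  52076  0/0     0 0   0   local       1    3         151        N
"""

@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: str

def _is_ipv4(tok):
    parts = tok.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def parse_session_table(text):
    """Keep rows that start with two IPv4 addresses; the Flags column is the
    last token when it is all capital letters, otherwise the row has no flags."""
    sessions = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not (_is_ipv4(cols[0]) and _is_ipv4(cols[1])):
            continue  # header, separator or blank line
        flags = cols[-1] if cols[-1].isalpha() and cols[-1].isupper() else ""
        sessions.append(Session(cols[0], cols[1], int(cols[2]), int(cols[3]), int(cols[4]), flags))
    return sessions

def verify_nat_redirect(text, client_ip, server_ip, pool_ip):
    """Return (ok, findings): ok is True only when the client->server session is
    src-NATed and redirected (S, R) and the server replies to the pool IP with
    dest NAT (N) back toward the client, i.e. nothing was bridged to the gateway."""
    findings = []
    sessions = parse_session_table(text)
    fwd = [s for s in sessions if s.src == client_ip and s.dst == server_ip]
    ret = [s for s in sessions if s.src == server_ip and s.dst == pool_ip]
    if not fwd:
        findings.append("no forward session from %s to %s" % (client_ip, server_ip))
    for s in fwd:
        for flag, meaning in (("S", "src NAT"), ("R", "redirect")):
            if flag not in s.flags:
                findings.append("forward session sport %d lacks %s flag (%s)" % (s.sport, flag, meaning))
    if not ret:
        findings.append("no return session from %s to pool IP %s" % (server_ip, pool_ip))
    for s in ret:
        if "N" not in s.flags:
            findings.append("return session dport %d lacks dest NAT flag N" % s.dport)
    return (not findings, findings)
```

Run it against a saved copy of the command output; an empty findings list means the ESI redirect and both NAT directions are in place as the article describes.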

 

Version History: Revision 1 of 1. Last update: 07-10-2014 03:43 PM