Controller Based WLANs

How to enable authentication across a GRE tunnel only for one vlan but not for another vlan?

Posted on 07-08-2014 03:33 PM

Introduction: Aruba supports L-2 and L-3 GRE tunnels. An L-2 GRE tunnel has the special property that it can extend a VLAN across an L-3 boundary. This allows authentication to be enforced at the HUB controller by untrusting the tunnel interface on that central controller.


Configuration Steps:


We can configure an L-2 GRE tunnel in Aruba to join the same VLAN across a network. To configure an L-2 GRE tunnel, we execute the following commands:

#interface tunnel 1
#tunnel source 192.168.1.1
#tunnel destination 192.168.1.2
#tunnel vlan 2
#no trust
#no shut

Once the tunnel interface is untrusted, all traffic arriving on it must undergo authentication according to the wired AAA profile, which is configured as follows:

#aaa authentication wired
#profile <name of the profile>

If we want to bridge two VLANs over the same GRE tunnel, we can do the following:

#interface tunnel 1
#tunnel source 192.168.1.1
#tunnel destination 192.168.1.2
#tunnel vlan 2,3
#no trust
#no shut

However, this untrusts both VLANs, so traffic from both VLANs will have to undergo authentication.

Workaround:

We can carry the VLANs in separate tunnels (same source and destination) and untrust only the tunnel carrying the VLAN for which we want authentication.

#interface tunnel 1
#tunnel source 192.168.1.1
#tunnel destination 192.168.1.2
#tunnel vlan 2
#no trust
#no shut

#interface tunnel 2
#tunnel source 192.168.1.1
#tunnel destination 192.168.1.2
#tunnel vlan 3
#trust
#no shut

Now VLAN 2 traffic arriving through tunnel 1 undergoes authentication and is placed in the resulting user role, while VLAN 3 traffic arriving through the trusted tunnel 2 does not undergo any authentication.



Answer:

To authenticate the traffic of one VLAN while simply bridging the others, create a separate tunnel for each VLAN and untrust only the tunnel whose VLAN needs to undergo authentication.
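As an added audit check (not part of the original article and not an Aruba tool), the following Python script parses tunnel configuration in the form shown above and reports, per VLAN, whether its traffic is subject to authentication (carried only on untrusted tunnels), bridged without authentication (carried only on trusted tunnels), or configured inconsistently across tunnels. It assumes the tunnel is trusted and up unless `no trust` or `shutdown` is present, and the sample configurations are constructed from the article's examples.

```python
import re

# Constructed sample of the page's workaround: VLAN 2 in an untrusted tunnel, VLAN 3 in a trusted one.
WORKAROUND_CONFIG = """\
interface tunnel 1
 tunnel source 192.168.1.1
 tunnel destination 192.168.1.2
 tunnel vlan 2
 no trust
 no shut
interface tunnel 2
 tunnel source 192.168.1.1
 tunnel destination 192.168.1.2
 tunnel vlan 3
 trust
 no shut
"""
# Constructed sample of the single-tunnel form, which untrusts both VLANs.
SINGLE_TUNNEL_CONFIG = "interface tunnel 1\n tunnel vlan 2,3\n no trust\n no shut\n"

def parse_tunnels(config):
    """Return {tunnel_id: {"vlans": set, "trusted": bool, "shut": bool}}.
    Assumption: a tunnel is trusted and up unless 'no trust' / 'shutdown' appear."""
    tunnels, cur = {}, None
    for line in (ln.strip() for ln in config.splitlines()):
        m = re.fullmatch(r"interface tunnel (\d+)", line)
        if m:
            cur = tunnels.setdefault(int(m.group(1)), {"vlans": set(), "trusted": True, "shut": False})
            continue
        if cur is None:
            continue
        m = re.fullmatch(r"tunnel vlan ([\d,\s]+)", line)
        if m:  # accepts "2" as well as "2,3"
            cur["vlans"].update(int(v) for v in m.group(1).replace(" ", "").split(","))
        elif line in ("trust", "no trust"):
            cur["trusted"] = line == "trust"
        elif line in ("shutdown", "no shutdown", "shut", "no shut"):
            cur["shut"] = not line.startswith("no ")
    return tunnels

def vlan_auth_state(config):
    """Per VLAN: True if every active tunnel carrying it is untrusted (traffic is
    authenticated), False if every such tunnel is trusted; mixed VLANs are conflicts."""
    seen = {}
    for t in parse_tunnels(config).values():
        if not t["shut"]:
            for v in t["vlans"]:
                seen.setdefault(v, set()).add(not t["trusted"])
    state = {v: next(iter(f)) for v, f in seen.items() if len(f) == 1}
    return state, sorted(v for v, f in seen.items() if len(f) > 1)
```

Running `vlan_auth_state(WORKAROUND_CONFIG)` yields `{2: True, 3: False}` with no conflicts, whereas the single-tunnel form yields `{2: True, 3: True}`, showing that both VLANs would be authenticated.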
