Controller Based WLANs

How to enable source NAT for VIA clients

Feature Notes : When a new VLAN (which does not exist in the entire network) is created in the controller, it needs to be advertised in the entire network so  that the clients getting associated to the VLAN can be routable. An alternate way is to enable ip nat inside for the new VLAN. However, any VIA client associated to the VLAN will not be routable until an ACL is added to the role in which the VIA clients fall.

 

Environment : This article applies to all controllers running OS versions 5.x or later running VIA.

 

Configuration Steps : Check the role in which the users fall using the following command.

Using CLI:

(controller) (config) #show user-table
 
Users
-----
    IP              MAC            Name     Role              Age(d:h:m)  Auth     VPN link    AP name  Roaming  Essid/Bssid/Phy  Profile  Forward mode  Type
----------     ------------       ------    ----              ----------  ----     --------    -------  -------  ---------------  -------  ------------  ----
10.100.107.12  00:00:00:00:00:00  irfaan    via-role          00:00:00   VIA-VPN    10.0.0.253  N/A                                         tunnel
10.0.0.253     00:00:00:00:00:00            logon             00:00:01                         N/A                                         tunnel
 
User Entries: 2/2

Create an ACL add it to the respective user-role.


(controller) (config) # ip access-list session snat
(controller) (config-sess-snat)#any any any src-nat
(controller) (config-sess-snat)#exit
(controller) (config) #user-role via-role
(controller) (config-role) #access-list session snat

 

 

Verification :

 

The same can be verified using the following command.

 
(controller) (config) #show rights via-role
 
Derived Role = 'via-role'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 61/0
 Max Sessions = 65535
 
 
access-list List
----------------
Position  Name      Location
--------  ----      --------
1         allowall
2         snat
 
allowall
--------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           4
2         any     any          any      permit                           Low                                                           6
snat
----
Priority  Source  Destination  Service  Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------   ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      src-nat                           Low                                                           4
 
Expired Policies (due to time constraints) = 0

 

Version history
Revision #:
1 of 1
Last update:
‎07-08-2014 03:20 PM
Updated by:
 
Labels (1)
Contributors
Tags (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.