Controllerless Networks

Hi everyone..!

I'm new to aruba and Im experimenting with a couple of demo devices: IAP-205 and IAP-225, no big controller or anything else, just the IAPs.

The issue Im facing now is that Im trying to set up a guest network in order to prepare the devices for demo environment. One of the thins I need to do for security reasons, is to separate the guest network from the internal network.

This is how things are beeing set up for the moment:

1. Our main firewall is the DHCP for our internal network.

2. I just plugged the IAPs into the network, so they have aquired a internal IP address and connected to Aruba central for administration.

That's it.

I first configured a wireless network for internal use, which works just fine.

The problem comes with the guest network, because initially works great, but it has access to internal network. So i add a new rule in the firewall restricting access to our internalnetwork/24 , but once this is done, guests are not having Internet anymore.

I found the configuration of the VLAN that the IAP's use for when they are set as virtual DHCP's, so I set up public DNS in order to pass those to guest clients, but still no Internet access.

What confuses me a little, is that even though the guests are getting the correct IP and everything, when performing a trace route, they don't use the virtual gateway, but goes to our internal instead:

As you can see, I have configured the DHCP pool for the IAP's to serve the network 192.168.200.0/27, and our internal network is 192.168.0.0/24. Our main gateway is 192.168.0.31.

My direct question is why the guest devices are looking for our internal gateway instead of using the virtual one provided by the IAP..?

Im sure Im missing several things here....right..?

Im sorry to make my first post this long..!!!

Thank you all.!

Best Regards.

When you setup the guest network with the VLAN setup of "Virtual Controller Assigned", the Virtual Controller will assign a private subnet to guests and traffic will be source-natted out of the ip address of the Virtual controller.

To prevent guests from going to your internal subnets, you need to block destination traffic to your internal networks and allow everything else.  If my internal network is 10.x.x.x, here are the rules I would write:

Hi Colin.! Thanks for your kind response..!

I can see now my confusion with our internal gateway, because I was waiting as the first hit the virtual one assigned by the IAP, but at the end our internal is just the next hop.

This is how the rules were set up:

Now things are working just fine.

A quick question though:

Why do I need to explicitly define a DNS allow rule, since the last one is allowing all to the outside..? Is the DNS still happening somehow directly on my internal network..?

Just something I wish to clear up..that's all....but Im happy that now it's working.

Thanks again..! :)

The permit DNS is only for if you are using an internal DNS rule that might conflict with the second rule.  You can remove it if your DNS server is external.

Hi Colin.!

Thanks again for your feedback.

To be honest, at first things were not working as expected, that's why I decided to post here. I've implemented the rules and deleted the DNS one since the IAP is assigning public DNS's, so I guess for now everything works as it should.

Thank you again for the help.

Best Regards.

Hansel.

Hansel_CR,

Glad to hear it.