Controllerless Networks


How to assign a VLAN/Subnet to an IAP through IPSec back to the controller ?


(3200-controller) #show  iap table long 

IAP Branch Table
----------------
Name              VC MAC Address     Status  Inner IP        Assigned Subnet  Assigned Vlan  Key                                                 Bid(Subnet Name)
----              --------------     ------  --------        ---------------  -------------  ---                                                 ----------------
Instant-C2:12:34  22:33:44:55:66:77  UP      192.168.102.11                                 e38f612f01ba4a5b5ff36a8378f3t3514f7cf3d016dfbf887d  


Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: How to assign a VLAN/Subnet to an IAP through IPSec back to the controller ?

That should be populated based on the VPN and DHCP information in the IAP.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos

Re: How to assign a VLAN/Subnet to an IAP through IPSec back to the controller ?

The modes below allow the IAP to change the VLAN or subnet. Here are the details.


IAP DHCP methods


  • Local Mode
  • Centralized L2 Mode
  • Distributed L2 Mode
  • Distributed L3 Mode


Local Mode:-

------------------

Local mode provides VPN capabilities using the inner IP of the RAPNG IPsec tunnel.

Client traffic that has to be forwarded to corporate destinations is Src-NATed by the Master AP using the inner IP of the IPsec tunnel, and traffic destined to the internet is Src-NATed using the local IP of the Master AP.

We need to make sure the controller's VPN L2TP pool is routable from upstream.


Centralized L2 Mode:-

-----------------------------

This method is basically extending the corporate VLAN/broadcast domain to remote branches; L2 extension in classic RAPs.

The DHCP server and the gateway for clients reside in the data center; either the controller or an upstream router can be the gateway for clients. Aruba recommends using an external DHCP server.

By default, any client traffic destined to the data center will be forwarded by the Master AP through the IPsec tunnel to the client's gateway in the data center. Traffic destined to local destinations is Src-NATed using the local IP of the Master AP and bridged locally.


Distributed L2 Mode:-

----------------------------

Distributed L2 mode is similar to Centralized mode except that the DHCP server for clients is the Master IAP in the cluster itself.

The default gateway for clients is still in the data center (Master AP through IPsec), which is the L2 extension of the corporate VLAN to the remote site.

Traffic destined to local destinations is Src-NATed using the local IP of the Master AP and bridged locally.

The major difference is that when the WAN link is down, the IAP will proxy-ARP for the default gateway in the data center.

Clients can renew their lease and receive an IP address even when the WAN link is down, which is not possible in Centralized L2 mode.


Distributed L3 Mode:-

----------------------------

Distributed L3 mode is very similar to a site-to-site IPsec VPN, where two VPN endpoints connect individual networks over a public network.

Each branch location has a dedicated subnet. The Master AP in the branch manages the dedicated subnet and acts as the DHCP server and also as the gateway for clients.

Client traffic to the data center is routed to the controller through IPsec, and local traffic is Src-NATed locally.

Since the controller in the data center is aware of the L3 subnet at each branch, it can redistribute these routes to the upstream router using OSPF.

Note that Aruba Instant OS 3.3 is required to support the above.


Hope this helps.


 Thanks!
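As an added example (not part of this thread, and not Aruba's own allocation code), a small Python model of the Distributed L3 layout described above: one pool is carved into per-branch subnets, each branch is recorded by the IPsec inner IP the controller sees in "show iap table", the routes the controller would redistribute are derived, and the pool is checked against existing data-center prefixes. Equal-sized carving and "gateway is the first usable host" are assumptions of this model.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed model of a Distributed L3 deployment; not Aruba's own code.
# Assumptions: the pool is carved into equal-sized per-branch subnets, and
# the first usable address of each subnet is the Master AP's gateway address.


def branch_subnets(pool: str, clients_per_branch: int) -> List[ipaddress.IPv4Network]:
    """Carve the pool into the smallest subnets that hold clients_per_branch
    hosts plus the network, broadcast and Master AP gateway addresses."""
    net = ipaddress.ip_network(pool)
    needed = clients_per_branch + 3
    host_bits = max(2, (needed - 1).bit_length())
    prefix = 32 - host_bits
    if prefix < net.prefixlen:
        raise ValueError("pool too small for a single branch")
    return list(net.subnets(new_prefix=prefix))


def assign_branches(pool: str, clients_per_branch: int,
                    branches: Dict[str, str]) -> Dict[str, dict]:
    """Map branch name -> subnet, client gateway and IPsec inner IP (the
    'Inner IP' column of 'show iap table' is how the controller knows the branch)."""
    subnets = branch_subnets(pool, clients_per_branch)
    if len(branches) > len(subnets):
        raise ValueError("pool has fewer subnets than branches")
    assignment = {}
    for (name, inner_ip), subnet in zip(branches.items(), subnets):
        assignment[name] = {
            "subnet": subnet,
            "gateway": subnet.network_address + 1,
            "inner_ip": ipaddress.ip_address(inner_ip),
        }
    return assignment


def controller_routes(assignment: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Routes the controller holds for the branches (and could redistribute
    upstream): branch subnet reachable via that branch's tunnel inner IP."""
    return sorted((str(v["subnet"]), str(v["inner_ip"])) for v in assignment.values())


def pool_overlaps_corporate(pool: str, corporate: List[str]) -> List[str]:
    """Return the data-center prefixes the branch pool collides with; any hit
    means branch routes would shadow, or be shadowed by, existing subnets."""
    net = ipaddress.ip_network(pool)
    return [c for c in corporate if net.overlaps(ipaddress.ip_network(c))]
```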
