Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP VPN L2 centralized

  • 1.  IAP VPN L2 centralized

    Posted Feb 18, 2017 05:23 PM

    I have configured this successfully, but I have 2 IAPs in the cluster and it only works on one of them. What would I need to do to make it work on the other APs in the cluster? It's just so odd.

     

    Also, I'm using a controller which has a PEFV license...

    Do I need this to make this work? I don't have a controller that doesn't have that license, so I can't really test....

     

    The config is like this:

    Configured Aruba IPsec pointing to the virtual IP on the firewall that points to the Aruba controller.

    Configured in the routing table on the IAP the internal networks I want to reach through the VPN.

    I created on the DHCP a centralized DHCP with a VLAN of my corporate network that I want to extend to the remote site and split tunnel on.

    On the controller, in the VPN service, I just added the pool of IP addresses, whose VLAN is the same VLAN as the controller IP address.

    On the IAP VPN role I assigned to the L2TP pool the pool I created in the step before.

    Also I added the MAC address to the RAP whitelist and also to the Branch whitelist (on this one I did allow ALL).

     

    After this, the first AP I had worked perfectly.

    I added another AP to the cluster, and if I connect to the SSID that has the corporate VLAN configured it doesn't work... and if I reconnect to the first AP it works.... So it doesn't work on one AP but works on the other...

     

    Help!

     

    Cheers

    Carlos



  • 2.  RE: IAP VPN L2 centralized

    Posted Feb 18, 2017 06:45 PM
    What's not working ?


  • 3.  RE: IAP VPN L2 centralized

    Posted Feb 18, 2017 06:50 PM

    Hello Victor

    I configured VLAN 200, which is a VLAN on my corporate network.

    I'm at home right now, and I get an IP address from that VLAN with the DHCP server of the corporate network and everything works fine, but only from one IAP of the cluster.

    If I connect to another IAP which is in my home and is in the same cluster, the SSID doesn't work... It's like the VPN only worked on one IAP of the cluster but didn't work on the other IAP of the cluster.

    I have 2 IAPs at home which form one cluster.

     

    Cheers

    Carlos



  • 4.  RE: IAP VPN L2 centralized

    Posted Feb 18, 2017 06:52 PM
    Have you configured VLAN 200 on the switch and trunked it to the second IAP?


  • 5.  RE: IAP VPN L2 centralized

    Posted Feb 18, 2017 06:54 PM

    No...

    Do I need to do that?

    Does all the traffic go through that master IAP?

    Doesn't it build a separate tunnel for each IAP or something like that?

     

    Cheers

    Carlos



  • 6.  RE: IAP VPN L2 centralized

    Posted Feb 18, 2017 07:00 PM
    You have to do that because it's Layer 2 centralized.

    But the VPN is only formed by the master AP.

    Thank you


  • 7.  RE: IAP VPN L2 centralized

    Posted Feb 18, 2017 07:01 PM

    Now it works after doing that.

    Thanks Victor

     

    2 more questions:

    1. Do I need any license to build a VPN like this (L2 Centralized VPN) on the controller?

    2. Sometimes I randomly get the logon role... I don't know why (on the client) when I connect to the SSID, instead of getting the default IAP role... I don't know why this happens... I believe it happens if I'm connected to another SSID and then I connect to that one, but I'm not sure...



  • 8.  RE: IAP VPN L2 centralized

    Posted Feb 18, 2017 07:07 PM

    I can tell you that I believe it's when I connect from the other SSID, because I can see on the controller that I have the IP address of my home's local network (the one that only has access to the Internet but not to the corporate network).

    Last time I saw the MAC address twice but with 2 different IPs: one from the internal network of my home and the other from the corporate network, with logon roles.




  • 11.  RE: IAP VPN L2 centralized

    Posted Feb 18, 2017 07:29 PM
    That role is used for the IAP VPN, not the wireless client.

    The PEFV is not a requirement, but it is a good thing to have if you have a bunch of branches with IAPs and you don't want to add the IP address of each location as a RADIUS client; instead you can change the IAP role in the controller to source-NAT the RADIUS traffic using the controller IP address.


  • 12.  RE: IAP VPN L2 centralized

    Posted Feb 18, 2017 07:37 PM

    "That role is used for the IAP VPN, not the wireless client."

     

    Sorry, I mean this role: default-iap-user-role.

    But sometimes it showed me the client with the logon role instead of that role...

     

    "The PEFV is not a requirement, but it is a good thing to have if you have a bunch of branches with IAPs and you don't want to add the IP address of each location as a RADIUS client; instead you can change the IAP role in the controller to source-NAT the RADIUS traffic using the controller IP address."

     

    It's just one site, so I'm really not worried about that. We are planning on using 802.1X for the authentication of these users. What IP do I need to add as a RADIUS client?

    Would it be the IP address that it gets from the IPsec address pool?

     

    Cheers

    Carlos



  • 13.  RE: IAP VPN L2 centralized

    Posted Feb 18, 2017 08:21 PM
    That role is for the outer IP, and the IAP role is for the inner IP.

    "It's just one site, so I'm really not worried about that. We are planning on using 802.1X for the authentication of these users. What IP do I need to add as a RADIUS client? Would it be the IP address that it gets from the IPsec address pool?"

    Yes


  • 14.  RE: IAP VPN L2 centralized

    Posted Feb 18, 2017 08:37 PM

    Do I need to be careful about performance if I'm using an IAP 207 or 305 for this?

     

    Cheers

    Carlos



  • 15.  RE: IAP VPN L2 centralized

    Posted Feb 18, 2017 09:11 PM
    Can you please elaborate on the type of performance ?




  • 17.  RE: IAP VPN L2 centralized

    Posted Feb 18, 2017 09:32 PM

    I mean, for example, that the user experiences slow connection speed, or anything that affects the end-user experience.

     

    Cheers

    Carlos



  • 18.  RE: IAP VPN L2 centralized

    Posted Feb 19, 2017 10:03 AM
    The only thing you need to be careful about is the amount of broadcast/multicast traffic traversing the link, since you have an L2 Centralized design.
    Aruba recommends using a Layer 3 Distributed design instead, which keeps that broadcast traffic local.


  • 19.  RE: IAP VPN L2 centralized

    Posted Feb 19, 2017 10:11 AM

    I guess in that model I'll have network x.x.x.x, and the corporate network needs a route pointing to the controller so it knows this network and it can be routed to it, right? It's like a new network that only the controller knows where it is.

     

    Cheers

    Carlos



  • 20.  RE: IAP VPN L2 centralized

    Posted Feb 19, 2017 11:03 AM

    Ah, Victor, also on that remote site, on that SSID, no more than 5 devices will connect, so maybe broadcast is not that much of a problem.

    Normally it would be about 2 devices, max 5 devices.



  • 21.  RE: IAP VPN L2 centralized

    Posted Feb 20, 2017 06:28 PM

    Hello Victor

    I already tested with RADIUS authentication and it works perfectly.

    Thank you

     

    But it keeps happening sometimes.

    I have 2 SSIDs:

    Local SSID, which is my home SSID

    SSID that has access to the corporate network

     

    If my laptop is connected first to the local SSID of my home and I try to connect to the SSID on the corporate network, sometimes I get the logon role on the controller for that user... This limits my access, of course, because of the role... After about 5 minutes it fixes itself, like it recognizes it has the wrong role and changes it....

     

    I don't know how to fix that... Do you know why that could be happening?

     

    Cheers

    Carlos



  • 22.  RE: IAP VPN L2 centralized

    Posted Feb 20, 2017 11:06 PM
    What do you see when you run this command in the controller:
    show iap trusted-branch-db


  • 23.  RE: IAP VPN L2 centralized

    Posted Feb 20, 2017 11:56 PM

    (Aruba7010) #show iap trusted-branch-db

    Trusted Branch Validation: Disabled
    IAP Trusted Branch Table
    ------------------------
    Branch MAC
    ----------
    (allow all as trusted branch)

    (Aruba7010) #

     

     

    Also, to try again I just did this:

    Connected to the SSID of my home.

    Then I connected to the SSID that has access to the corporate networks and I got the logon role....

    I just don't get why it does that....

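The `show iap trusted-branch-db` output above is the thing a reviewer would check first: validation is disabled and the branch whitelist is allow-all, which means there is no per-MAC restriction on which IAPs the controller treats as trusted branches. The following Python is an added example, not code from the thread or from Aruba: it parses that CLI text and audits it against the MACs you expect to see. The first sample is the output pasted in the thread; the second is a constructed sample of a per-MAC table, and the assumption that a populated table prints one MAC per row under "Branch MAC" (and the MAC values themselves) are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample 1: the output pasted in the thread (validation disabled, allow-all).
SAMPLE_ALLOW_ALL = """\
(Aruba7010) #show iap trusted-branch-db

Trusted Branch Validation: Disabled
IAP Trusted Branch Table
------------------------
Branch MAC
----------
(allow all as trusted branch)

(Aruba7010) #
"""

# Constructed sample 2: a per-MAC whitelist.  ASSUMPTION: a populated table
# prints one MAC address per row under "Branch MAC"; the MACs are made up.
SAMPLE_PER_MAC = """\
(Aruba7010) #show iap trusted-branch-db

Trusted Branch Validation: Enabled
IAP Trusted Branch Table
------------------------
Branch MAC
----------
00:1a:1e:aa:bb:01
00:1a:1e:aa:bb:02

(Aruba7010) #
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.IGNORECASE)
VALIDATION_RE = re.compile(r"^Trusted Branch Validation:\s*(\w+)", re.IGNORECASE)


@dataclass
class TrustedBranchDb:
    validation_enabled: bool = False
    allow_all: bool = False
    branch_macs: set = field(default_factory=set)


def parse_trusted_branch_db(text: str) -> TrustedBranchDb:
    """Parse the text of `show iap trusted-branch-db` into a TrustedBranchDb."""
    db = TrustedBranchDb()
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, the echoed CLI prompt, and the dashed separators.
        if not line or (line.startswith("(") and "#" in line) or set(line) == {"-"}:
            continue
        m = VALIDATION_RE.match(line)
        if m:
            db.validation_enabled = m.group(1).lower() == "enabled"
            continue
        if "allow all" in line.lower():
            db.allow_all = True
            continue
        m = MAC_RE.match(line)
        if m:
            db.branch_macs.add(m.group(1).lower())
    return db


def audit_trusted_branch_db(db: TrustedBranchDb, expected_macs) -> list:
    """Return a list of findings; an empty list means the posture matches expectations."""
    expected = {m.lower() for m in expected_macs}
    findings = []
    if not db.validation_enabled:
        findings.append("trusted-branch validation is disabled")
    if db.allow_all:
        findings.append("branch whitelist is allow-all: no per-MAC restriction on "
                        "which IAPs are trusted branches")
        return findings  # the table is empty in this state, so no MAC comparison
    for mac in sorted(db.branch_macs - expected):
        findings.append(f"unexpected trusted branch MAC {mac}")
    for mac in sorted(expected - db.branch_macs):
        findings.append(f"expected branch MAC {mac} is not in the trusted-branch table")
    return findings


if __name__ == "__main__":
    for name, sample in (("allow-all", SAMPLE_ALLOW_ALL), ("per-MAC", SAMPLE_PER_MAC)):
        db = parse_trusted_branch_db(sample)
        print(name, audit_trusted_branch_db(db, {"00:1a:1e:aa:bb:01", "00:1a:1e:aa:bb:02"}))
```

Feed it the real output copied from the controller and the list of IAP MACs you actually deployed; the allow-all posture from the thread produces two findings, a per-MAC table with exactly the expected MACs produces none, and any extra MAC in the table is reported by value.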


  • 24.  RE: IAP VPN L2 centralized

    Posted Feb 21, 2017 06:24 AM
    Add the following command
    iap trusted-branch-db add




  • 26.  RE: IAP VPN L2 centralized

    Posted Feb 21, 2017 07:39 AM

    I did it and the same thing happened....

    I'll try configuring it in L3 mode like you suggested to see if the same thing happens...



  • 27.  RE: IAP VPN L2 centralized

    Posted Feb 21, 2017 06:20 PM

    Hello Victor

    In the end I configured it as you suggested, with L3 distributed....

    As the client is not added to the controller client table, because I reach it by routes, I don't seem to have this problem anymore.

     

    Thanks for your help

    Its really appreciated!

     

    Cheers

    Carlos