Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Separate User NAT Address and Device Management Address

  • 1.  Separate User NAT Address and Device Management Address

    EMPLOYEE
    Posted Apr 24, 2017 01:01 PM

    Can a separate IP address be created for device management when using the VC address for NATing local DHCP assigned addresses? Or, conversely, can a non-VC NAT address be used for locally assigned DHCP addresses?


    Here's the issue: when using local DHCP server on the IAP the DHCP assigned client addresses are NATed to the VC address, so, outside the IAP, all clients have the same IP address as the VC.  But the VC address is also the address used to manage the device, so any rules created in corporate firewalls to allow management of the IAP also apply to the clients.  Wireless clients should not have the same IP address as the management address of the device.


    I understand that internal to the IAP access rules can be applied to the clients that would not apply to the VC, so, on paper, it might look like security has been applied, blocking clients from the enterprise management stations, but, Enterprise Security will not, and should not, consider that a viable security solution. (for one reason, doing so would place corporate security policy enforcement outside of the Security Organization's control)


    Is there a way to separate the client IP address from the device management IP address?


    -ScottD



  • 2.  RE: Separate User NAT Address and Device Management Address

    Posted Apr 24, 2017 04:24 PM
    I would prefer to address this question from a holistic network design perspective. I have the following questions:

    1. How many VLANs and subnets in the network?
    2. Can you give example VLAN numbers and subnet ranges in the network?
    3. Which VLAN and IP range do we want the APs to obtain their IPs from?
    4. Which VLAN and IP range do we want the clients to obtain their IPs from?
    5. Which VLAN and IP do we want to use to access the IAP Web UI?
    6. Which VLAN and IP do we want the IAP to NAT to?


  • 3.  RE: Separate User NAT Address and Device Management Address
    Best Answer

    Posted Apr 26, 2017 10:52 AM

    A VC-IP is used for management purposes. Might this perhaps solve your problem?

    http://www.arubanetworks.com/techdocs/Instant_40_Mobile/Advanced/Content/UG_files/virtual_controller/Virtual_Controller_IP_Ad.htm



  • 4.  RE: Separate User NAT Address and Device Management Address

    EMPLOYEE
    Posted Apr 26, 2017 02:55 PM

    Hi John, thanks for the reply.

    The VC will be the management address, yes, but the problem is the clients.  They'll be NATed to that same address, so any firewall rules created on corporate firewalls will apply equally to the IAP and the clients. 

    Regards,

    ScottD




  • 5.  RE: Separate User NAT Address and Device Management Address

    Posted Apr 26, 2017 02:59 PM
    That shouldn't be the case as the IAP should do NAT from its uplink IP - which is not the same as the VC IP.


  • 6.  RE: Separate User NAT Address and Device Management Address

    EMPLOYEE
    Posted Apr 26, 2017 03:21 PM

    sdunn@hpe.com,


    Well, why don't you give guest clients a routable VLAN.  You can assign ACLs on the guest role keeping them away from the internal network and you can also maybe have ACLs on the router that is their default gateway as a secondary protection.  You don't have to NAT guests out of the instant cluster...



  • 7.  RE: Separate User NAT Address and Device Management Address

    EMPLOYEE
    Posted May 02, 2017 02:13 PM

    You're right, John. I had misread it.  The NAT address for the clients will be the IAP's physical address, not the VC.  The firewall rules can be applied to the /32 of the VC, and will reject the rest of the subnet, including the uplink addresses of the IAPs. 

    Thank you Sir,

    -ScottD
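The conclusion reached in the thread, as an added example that is not part of any post above and not Aruba's own code: a small model of how a corporate firewall sees Instant AP traffic once the VC IP and the per-AP uplink IPs are kept separate. Every address below (AP subnet 10.10.20.0/24, VC 10.10.20.5, three IAP uplinks, client scope 172.16.50.0/24, management station 10.1.1.10) is constructed for illustration; the `nat_source`, `evaluate` and `management_access` helpers are hypothetical names written here, not part of any product or firewall. It contrasts a rule that allows the whole AP subnet (which would also admit NATed clients, since they leave with an IAP uplink IP in that subnet) against the /32-on-the-VC rule the thread settles on.

```python
"""Added example (not from the thread): model how corporate firewall rules
see Instant AP (IAP) management traffic versus NATed wireless-client traffic.

All addresses are constructed for illustration (assumptions, not from the thread):
  - AP management subnet 10.10.20.0/24, Virtual Controller (VC) IP 10.10.20.5
  - three IAPs with uplink IPs 10.10.20.11-13
  - local DHCP scope 172.16.50.0/24 for wireless clients; the serving IAP
    source-NATs them to its own uplink IP, not to the VC IP
  - management station 10.1.1.10
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

VC_IP = ip_address("10.10.20.5")                    # assumed VC IP
AP_SUBNET = ip_network("10.10.20.0/24")             # assumed AP subnet
IAP_UPLINKS = {                                     # assumed per-AP uplink IPs
    "iap-1": ip_address("10.10.20.11"),
    "iap-2": ip_address("10.10.20.12"),
    "iap-3": ip_address("10.10.20.13"),
}
CLIENT_SCOPE = ip_network("172.16.50.0/24")         # assumed local DHCP scope
MGMT_STATION = ip_address("10.1.1.10")              # assumed management host


@dataclass(frozen=True)
class Rule:
    """One stateless L3 firewall rule: source/destination prefix and action."""
    src: IPv4Network
    dst: IPv4Network
    action: str  # "allow" or "deny"


def nat_source(client_ip: IPv4Address, serving_iap: str) -> IPv4Address:
    """Source-NAT as described in the thread: a locally DHCP-assigned client
    leaves the cluster with the uplink IP of the IAP serving it."""
    if client_ip not in CLIENT_SCOPE:
        raise ValueError(f"{client_ip} is not a locally assigned client address")
    return IAP_UPLINKS[serving_iap]


def evaluate(rules: list[Rule], src: IPv4Address, dst: IPv4Address) -> str:
    """First-match rule evaluation with an implicit final deny."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"


# Naive policy: let the whole AP subnet reach the management station.
SUBNET_POLICY = [Rule(AP_SUBNET, ip_network(f"{MGMT_STATION}/32"), "allow")]

# Tightened policy from the thread's conclusion: allow only the VC /32;
# everything else in the AP subnet, including IAP uplink IPs, is denied.
VC32_POLICY = [Rule(ip_network(f"{VC_IP}/32"), ip_network(f"{MGMT_STATION}/32"), "allow")]


def management_access(policy: list[Rule],
                      client_ip: str = "172.16.50.23",
                      serving_iap: str = "iap-2") -> dict[str, str]:
    """Report, under `policy`, whether the VC and a NATed client served by
    `serving_iap` can reach the management station."""
    client_src = nat_source(ip_address(client_ip), serving_iap)
    return {
        "client_nat_source": str(client_src),
        "vc": evaluate(policy, VC_IP, MGMT_STATION),
        "client_after_nat": evaluate(policy, client_src, MGMT_STATION),
    }


if __name__ == "__main__":
    for name, policy in (("allow AP subnet", SUBNET_POLICY), ("allow VC /32", VC32_POLICY)):
        print(f"{name}: {management_access(policy)}")
```

Under the subnet-wide rule a client served by iap-2 is seen as 10.10.20.12 and is allowed through to the management station; under the VC /32 rule the same client is denied while the VC itself is still allowed. The check worth keeping is the last one: the NATed client source is never the VC IP, which is why the /32 rule separates the two.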