Controllerless Networks

Aruba Employee

Re: Setting up Guest wifi in Enterprise

Each remote site would be its own cluster, so the NAT'ed IP address can still be traced back to the site it originated from.


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor II

Re: Setting up Guest wifi in Enterprise

How would I do that?

For example, if someone asks us to block a user and provides me a MAC or IP address, how would I trace where this client is connected? We have remote locations in different states.

How will I be able to exactly trace the user when using the magic VLAN for guest and the AP is acting as DHCP server?

Aruba Employee

Re: Setting up Guest wifi in Enterprise


@Toolbox015 wrote:

How would I do that?

For example, if someone asks us to block a user and provides me a MAC or IP address, how would I trace where this client is connected? We have remote locations in different states.

How will I be able to exactly trace the user when using the magic VLAN for guest and the AP is acting as DHCP server?


How are you managing remote IAP clusters today?

Each remote location will be its own IAP cluster. So the virtual controller IP for each cluster will use an IP from the range allocated to that remote site. The virtual controller handles DHCP for the magic VLAN, as well as the NAT functionality for translating guest users from the magic VLAN to the internal network. So if HQ trips a security event for a user, the IP address seen at HQ will be the specific virtual controller IP for the branch where the user is connected.


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor II

Re: Setting up Guest wifi in Enterprise

We use Airwave to monitor/manage IAP clusters.

I don't think security will be able to see the IP address of the VC, but rather just the private or public address of the client device.

I believe I can enter that info in Airwave and find exactly which location this user is connected to.

Occasional Contributor II

Re: Setting up Guest wifi in Enterprise

Also, is it possible to track the client if security provides me the NAT'd IP? According to them, this is the only visibility they have.

Aruba Employee

Re: Setting up Guest wifi in Enterprise


@Toolbox015 wrote:

Also, is it possible to track the client if security provides me the NAT'd IP? According to them, this is the only visibility they have.


I think we are saying the same thing. The NAT'd IP is the VC IP for the cluster. It might help to draw out a diagram using actual IP ranges to ensure we're agreeing on the same terminology.


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor II

Re: Setting up Guest wifi in Enterprise

If I have 10 IAPs in a cluster, do I need to add VLAN 3333 on my switch and assign it to the AP ports?

I am having an issue where clients can go online if directly connected to the VC, but if they connect to any other "slave" IAP, they don't have internet access.

Packet capture shows the "slave" IAP doesn't forward packets to the "master" IAP.

Aruba Employee

Re: Setting up Guest wifi in Enterprise


@Toolbox015 wrote:

If I have 10 IAPs in a cluster, do I need to add VLAN 3333 on my switch and assign it to the AP ports?


Where did VLAN 3333 come from? Is that the VLAN you configured for the guest SSID?


Charlie Clemmer
Aruba Customer Engineering
Contributor I

Re: Setting up Guest wifi in Enterprise

We're currently using the Magic VLAN guest wifi at one of my customers. All the traffic NATs out from the VC IP address or the IP address of the AP itself (usually same subnet as the VC). The ACL that currently governs my AP traffic is also filtering my Guest traffic. It's not the easiest thing in the world to find specific guest traffic as you need to go look at the AP itself (not the VC). Currently even if I show datapath session on the AP itself, I cannot see the magic VLAN traffic.

It works for what we need it for, but it sounds like you may need a more granular solution.
