Occasional Contributor II
Posts: 19
Registered: ‎05-02-2009

Legacy VLAN, multiple subnets and Captive Portal

Hiya,

My first post and we haven't even got the kit yet!

We're in the design stage and we're trying to come up with a way of moving our existing guest access (using Cisco autonomous APs, an old linux box and lots of custom code) over to the Aruba controller, on a wired untrusted interface, but have hit a problem.

Our current system is home grown and has a VLAN with multiple non-contiguous public subnets on it. I can go into the details why if necessary, but, for now, suffice it to say that splitting this VLAN into multiple ones would be a very long and difficult job. We'd probably stick with the current aging and partially broken system rather than do that.

The Aruba VLAN configuration can only take one subnet at a time so we can't configure our VLAN to be routed on the Aruba controller. The alternative would be to configure the VLANs, and route, externally. What we don't know is if this would cause any problems with captive portal?

If it does then does anyone have other suggestions?

We've thought of moving to a private contiguous subnet of the right size (/20 or /19) and using NAT but that would be very disruptive to the University. Finding a free /20 of public addresses is nigh on impossible and a /19 - not a chance. Waiting until Aruba do multiple VLANs per subnet is an option. Researching a solution using magic was mentioned too.

Thanks

Mike
Occasional Contributor I
Posts: 6
Registered: ‎08-18-2007

Re: Legacy VLAN, multiple subnets and Captive Portal

Mike,
Not sure if I understand your current setup completely but here are my thoughts. You probably have the multiple non-contiguous subnets because of the old Autonomous APs, where the wireless network is determined by which vlan the AP is connected to.
One of the major design benefits of the Aruba controller based solution is that all wireless traffic is tunnelled back to the controller and therefore the vlan where the AP is connected to becomes unimportant in terms of your wireless network addressing.
As long as the AP can get an IP address and find its way back to the controller (various discovery mechanisms supported L2 broadcast, DHCP option, DNS name) all should be ok.
This should allow you to remove some of your existing "wireless vlans" from your current switching and routing network and redeploy on the Aruba controller as wireless VLANs which are then bound to your Guest SSID.
Hope this makes sense.
Cam.
Occasional Contributor II
Posts: 19
Registered: ‎05-02-2009

Re: Legacy VLAN, multiple subnets and Captive Portal

Sorry, I probably wasn't clear enough. The VLANs with the non-contiguous subnets are the ones used to assign IPs to guest users, not to the APs themselves.
Aruba Employee
Posts: 49
Registered: ‎04-02-2007

Re: Legacy VLAN, multiple subnets and Captive Portal

Hi Mike,

There is a feature called VLAN Pooling. In essence, it allows you to have multiple VLANs defined for a given ESSID.

The rules to follow are:
- the subnet mask should be the same; typically we see /24 to reduce the broadcast domain.
- the IP addresses do not have to be contiguous

Here is a snippet:

interface vlan 200
  ip address 192.168.200.1 255.255.255.0
!
interface vlan 201
  ip address 192.168.201.1 255.255.255.0
!
interface vlan 210
  ip address 192.168.210.1 255.255.255.0
!
interface vlan 212
  ip address 192.168.212.1 255.255.255.0
!

wlan virtual-ap
  vlan 200-201,210,212
  ..
  ..
!
Occasional Contributor II
Posts: 19
Registered: ‎05-02-2009

Re: Legacy VLAN, multiple subnets and Captive Portal

Sorry, it probably didn't stand out but




so VLAN pooling isn't really appropriate in this case.

MVP
Posts: 495
Registered: ‎04-03-2007

Re: Legacy VLAN, multiple subnets and Captive Portal

I think you'd have to further explain your setup for precise advice. However, if you currently have one VLAN for wireless, you can trunk this one VLAN to the controller and place clients in there, having the controller operate as a layer 2 switch.

A problem I could foresee is that you'll likely need an IP address on the controller within the subnet guest users will get (for the NAT to work). If you have one VLAN but "multiple subnets", this could prove problematic. But again, without more details, it is too hard to tell.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
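Two design checks come up in this thread: the VLAN pooling rules in the Aruba employee's reply (equal subnet mask, non-contiguous subnets allowed) and Ryan's point that the controller needs an address inside a guest subnet for NAT to work. The following Python is an added example, not code from the thread or from Aruba; it applies those checks to a constructed list of subnets using only the standard library. The subnet values are constructed stand-ins (RFC 5737 documentation ranges) for the University's real public space, and the function names are the example's own.

```python
"""Design sanity checks for a guest VLAN made of several subnets (constructed example)."""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed sample: the legacy single VLAN carrying non-contiguous subnets of
# mixed sizes, as the original poster describes. Documentation ranges stand in
# for the real public addresses.
LEGACY_SUBNETS = ["192.0.2.0/24", "198.51.100.0/25", "203.0.113.0/24"]

# Constructed sample matching the VLAN pooling snippet in the thread: all /24.
POOL_SUBNETS = ["192.168.200.0/24", "192.168.201.0/24",
                "192.168.210.0/24", "192.168.212.0/24"]


def vlan_pool_check(subnets: Iterable[str]) -> Dict:
    """Apply the two pooling rules from the thread: every subnet must have the
    same mask, and the subnets may be non-contiguous. Overlapping subnets are
    flagged separately because they break any design, pooled or not."""
    nets = [ip_network(s, strict=True) for s in subnets]
    prefixes = {n.prefixlen for n in nets}
    overlaps = [(a.with_prefixlen, b.with_prefixlen)
                for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]
    # Usable hosts: subtract network and broadcast; /31 and /32 have no such pair.
    usable = sum(n.num_addresses - 2 if n.prefixlen <= 30 else n.num_addresses
                 for n in nets)
    return {
        "same_mask": len(prefixes) == 1,
        "prefixlens": sorted(prefixes),
        "overlaps": overlaps,
        "pool_ok": len(prefixes) == 1 and not overlaps,
        "usable_hosts": usable,
    }


def equivalent_contiguous_prefix(subnets: Iterable[str]) -> int:
    """Smallest single block (as a prefix length) with at least as many addresses
    as the listed subnets combined: the /20-or-/19 question from the first post,
    generalised to any list of subnets."""
    needed = sum(ip_network(s).num_addresses for s in subnets)
    prefix = 32
    while 2 ** (32 - prefix) < needed:
        prefix -= 1
    return prefix


def controller_coverage(controller_ip: str, subnets: Iterable[str]) -> Dict[str, List[str]]:
    """Report which subnets contain the controller's address (where NAT can work,
    per Ryan's reply) and which do not, given a single controller address."""
    ip = ip_address(controller_ip)
    nets = [ip_network(s) for s in subnets]
    return {
        "covered": [n.with_prefixlen for n in nets if ip in n],
        "uncovered": [n.with_prefixlen for n in nets if ip not in n],
    }


if __name__ == "__main__":
    print("legacy VLAN:", vlan_pool_check(LEGACY_SUBNETS))
    print("pool snippet:", vlan_pool_check(POOL_SUBNETS))
    print("contiguous replacement for legacy: /%d" % equivalent_contiguous_prefix(LEGACY_SUBNETS))
    print("controller 192.0.2.1 covers:", controller_coverage("192.0.2.1", LEGACY_SUBNETS))
```

Run as-is and the legacy set fails the same-mask rule (it mixes /24 and /25), while the four /24s from the pooling snippet pass; the legacy set's 640 addresses would need a /22 if moved into one contiguous block, and a controller address in the first subnet leaves the other two without a controller-side address for NAT.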