Remote Networking

New Contributor
Posts: 3
Registered: ‎08-14-2011

RAP Configuration and Local DHCP

I'm in the process of configuring APs and a RAP to be sent to a branch office to provide wireless networking in that office. I have successfully gotten the RAP and APs to connect to the controller over the ipsec tunnel, however I'm having problems getting the appropriate VLAN and DHCP behaviour from the clients connected.

We have two specific VLANs in each office that are relevant (they are the same numbers in each office), a corporate and a guest vlan. We have 2 SSIDs, one for each vlan (as defined in the VAP profiles). We would like only the WPA2-enterprise and WPA2-PSK authentication to go through the ipsec tunnel, and have all traffic pushed out onto the appropriate local VLANs, with the clients getting DHCP addresses from the DHCP servers on those VLANs (the corp subnets are different as they are routed via wan links, but the guest ranges are the same; not sure if this is relevant).

I have tried enabling the Remote-AP Local Network Access option in the AP system profile, and changing the mode from split tunnel to bridging. That seemed to work (I got a DHCP address in the correct range from my lab setup), but it broke the existing connections in the head office, as the guest clients were getting DHCP addresses from the corporate VLAN. This issue persisted even when I created a new AP System profile just for the RAPs.

My question is, what are the appropriate configuration options to have the remote APs use the IPSec tunnelling only for authentication (access to any network resources, even those in the head office, can be via the WAN links), and have all traffic pushed out onto the appropriate VLANs?
Guru Elite
Posts: 21,023
Registered: ‎03-29-2007

Re: RAP Configuration and Local DHCP

Okay.

You have to create new virtual APs for the 802.1x and the WPA-PSK (or save a copy) and assign them to a new ap-group. That way you can have the Virtual APs for 802.1x and WPA-PSK bridged, but it can still be tunneled for the corporate, without breaking the corporate stuff.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 3
Registered: ‎08-14-2011

Re: RAP Configuration and Local DHCP


Thank you very much for the reply :)

I don't think I was quite clear about the configuration I've got at the moment:
I've created two new virtual AP profiles under a new AP Group separate from the original AP Group and corporate/guest VAP profiles. These VAPs have separate "RAP" ssid profiles and have been set to both Bridge and Split Tunnel mode. However, unless I select the Remote-AP Local Network Access option in the AP System Profile (which breaks the existing AP Group, VAPs, and SSID profiles), when I connect to my test SSIDs I get DHCP addresses from the main corporate and guest VLANs, not the 2 VLANs that are set up in my lab (where the RAP is connected and is tunneling from).

Just to note, I also tried creating a new AP System Profile, but this configuration option (Remote-AP Local Network Access) seems to persist across all system profiles for both the RAPs and the APs, or at least, the effects do.

Is there no ACL or configuration setting that will allow me to send ALL traffic from the clients out onto the VLANs connected to the controller (including DHCP advertisements and traffic destined for the head office), and just have the tunnel used for authentication and communication between the controller and AP?


Apologies for any confusion.
Guru Elite
Posts: 21,023
Registered: ‎03-29-2007

Re: RAP Configuration and Local DHCP

RAP local network access is so that bridged and split-tunnel users on the same access point can reach each other, even though they are on different subnets. I have a feeling this does not have anything to do with your situation.

Bridged mode is what you need for the users who will need all of their traffic sent locally. 802.1x traffic, even in bridged mode, is sent by the controller and is completely separate from the actual user traffic.


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 3
Registered: ‎08-14-2011

Re: RAP Configuration and Local DHCP

It's working now in bridged mode. I'm not sure why I was experiencing different behaviour when I tested it last week, presumably I did something wrong or didn't wait for long enough before testing but it's working now :)

Thank you very much for your assistance.
Occasional Contributor II
Posts: 11
Registered: ‎05-27-2010

Re: RAP Configuration and Local DHCP

So if I understand all this correctly, this was about bridge mode.
I guess there's no way to use local DHCP with split-tunnel mode?
Guru Elite
Posts: 21,023
Registered: ‎03-29-2007

Re: RAP Configuration and Local DHCP

There is no way. We track the user based on the ip address that he gets from the infrastructure (trusted) side in split-tunnel, not the "bridged side".

Please explain the use case, if you will.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 11
Registered: ‎05-27-2010

Re: RAP Configuration and Local DHCP

In this case it's a company with its head office in Stockholm, Sweden, where all the servers are located.
This is where the controllers are deployed as well. The company opened a small office in Shanghai where there are about 5-10 users. They have local servers, printers and everything else they need there, so they primarily need local access. However they need to access some of the resources in the central environment.
I was thinking maybe a RAP-5 could solve this. But as they have a LAN already setup they want to use their local DHCP server.
Guru Elite
Posts: 21,023
Registered: ‎03-29-2007

Re: RAP Configuration and Local DHCP

How do the users access information in Stockholm? If there is already some sort of site-to-site VPN, bridged mode is the answer. If there is already a local environment, but no site-to-site VPN, split-tunnel is the answer. The user will authenticate and get an ip address from Stockholm. The user role that the user gets will tunnel everything back if it is addressed to Stockholm, but bridge anything that it needs to get locally by route-src-nat.

For example, I plug in my RAP5 at home and the home network is 192.168.1.x. The work network is 10.x.x.x. I get a 10.x.x.x address and all traffic that I initiate to the 10 network goes over the tunnel. My printer, NAS device and other local servers are at 192.168.1.x and when I try to go to those addresses, the ACL in the user role just bridges it locally.

With that being said, this setup will not work in all circumstances, but in most of the Small office/home office circumstances where users need file, print and internet.


Colin Joseph
Aruba Customer Engineering

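The split-tunnel forwarding decision Colin describes above, as an added example that is not part of the original thread and not ArubaOS configuration: a small Python model of a first-match session ACL where traffic to the head-office 10.x network is tunneled and traffic to the local 192.168.1.x LAN is bridged with route src-nat (the client's tunnel-assigned address is replaced by the RAP's local address). The rule ordering, subnets and the hypothetical `rap_local_ip` are constructed for illustration; the model also shows why putting the catch-all rule first silently tunnels the local printer traffic.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of the user role from the post: rules are checked
# top to bottom, first match wins, like a session ACL.
@dataclass
class Rule:
    dst: ipaddress.IPv4Network
    action: str   # "tunnel" (send to the controller) or "route-src-nat" (bridge locally)

@dataclass
class Decision:
    action: str
    src: str      # source address the packet leaves the RAP with

def build_role(corp_net="10.0.0.0/8", local_net="192.168.1.0/24"):
    """Role as described: local LAN bridged via route src-nat, corporate
    and everything else (assumed, e.g. internet via head office) tunneled."""
    return [
        Rule(ipaddress.ip_network(local_net), "route-src-nat"),
        Rule(ipaddress.ip_network(corp_net), "tunnel"),
        Rule(ipaddress.ip_network("0.0.0.0/0"), "tunnel"),
    ]

def misordered_role(corp_net="10.0.0.0/8", local_net="192.168.1.0/24"):
    """Same rules with the catch-all first: the local rule can never match."""
    return [
        Rule(ipaddress.ip_network("0.0.0.0/0"), "tunnel"),
        Rule(ipaddress.ip_network(local_net), "route-src-nat"),
        Rule(ipaddress.ip_network(corp_net), "tunnel"),
    ]

def forward(role, client_ip, dst_ip, rap_local_ip):
    """Return how a packet from the split-tunnel client is forwarded."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in role:
        if dst in rule.dst:
            if rule.action == "route-src-nat":
                # Bridged onto the home LAN; the 10.x tunnel address would be
                # unroutable there, so the RAP NATs it to its own local address.
                return Decision("route-src-nat", rap_local_ip)
            return Decision("tunnel", client_ip)   # unchanged 10.x source
    return Decision("deny", client_ip)             # no matching rule

if __name__ == "__main__":
    role = build_role()
    print(forward(role, "10.20.30.40", "10.1.1.5", "192.168.1.50"))     # tunnel
    print(forward(role, "10.20.30.40", "192.168.1.10", "192.168.1.50")) # route-src-nat
    print(forward(misordered_role(), "10.20.30.40", "192.168.1.10", "192.168.1.50"))
```

The `dst in rule.dst` check with `ipaddress` is what does the subnet matching; the same helper can be fed any other corporate and local prefixes to preview a role before committing it.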

Occasional Contributor II
Posts: 11
Registered: ‎05-27-2010

Re: RAP Configuration and Local DHCP

I agree, it works in most situations but sadly not in this one.
Today the users access the central resources using a VPN-client as there's no site-to-site VPN.

Thanks for your help Colin!