Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM multiples interfaces and Capital portal(source ip)

  • 1.  CPPM multiples interfaces and Capital portal(source ip)

    Posted Feb 23, 2017 07:54 AM

     

     We have a CPPM cluster serving both corporate users and guest users. Some SSIDs in both environments require web authentication, which is served by CPPM. The security team has a concern that traffic flows for both corporate and guest users take the same path from the controllers. I have the following doubts about this deployment.

    1. What will be the source IP address when guest/corporate users try to access the captive portal (CPPM)? Is it the controller address or the end-user VLAN address space?
    2. Can CPPM have multiple data ports, so that we can deploy one port in the corporate VRF and the other port in the guest VRF? In this way, we can host the corporate captive portal in the corporate VRF and the guest captive portal in the guest VRF.

     

     




  • 3.  RE: CPPM multiples interfaces and Capital portal(source ip)
    Best Answer

    Posted Feb 23, 2017 08:10 AM

    1. Unless you are NAT'ing your guest traffic at the controller (or external source), the source IP of the requests will be the actual client VLANs.

    2. CPPM cannot be configured with 2 "data" ports. However, the management interface will also respond to Guest requests, so you could use both interfaces.

     

    From the CPPM Service Routing Technote:

    [Image: cppm-routing-guest.png]

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=14011

     

     



  • 4.  RE: CPPM multiples interfaces and Capital portal(source ip)

    Posted Feb 24, 2017 04:30 AM

     

    I am planning to do NAT on the controller as you mentioned. In this case, will CPPM show the "connected users" address as the controller IP or the actual user IP address?




  • 6.  RE: CPPM multiples interfaces and Capital portal(source ip)

    EMPLOYEE
    Posted Feb 23, 2017 03:58 PM
    In your case I would place a cluster of 2 CPPMs in a DMZ (guest VRF) for guest usage, and a cluster of 2 CPPMs in the internal VLAN (corporate VRF).


  • 7.  RE: CPPM multiples interfaces and Capital portal(source ip)

    EMPLOYEE
    Posted Feb 23, 2017 03:59 PM
    Normally you don't use the mgmt port for user traffic.