Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

620 Public Internet with NAT and Firewalls

  • 1.  620 Public Internet with NAT and Firewalls

    Posted Oct 03, 2015 03:30 PM

    I read the article from some time back http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-Connect-your-Aruba-Controller-to-a-Cable-Modem/td-p/951 but I have some questions on the 620. Basically, I am trying to emulate the same function as a home router type thing.  I once saw a document that explained these where I had to add NAT pools and/or a VLAN.  I also want to make a few rules, to build a DMZ as well.  Any thought or help or guidance..  I have the wireless part down, it's just some of these more non-out-of-box things.



  • 2.  RE: 620 Public Internet with NAT and Firewalls

    EMPLOYEE
    Posted Oct 03, 2015 03:44 PM

    You would only have to make sure that "ip nat inside" is enabled for any wireless VLAN on the commandline or "Enable source NAT inside for this VLAN" in the GUI.



  • 3.  RE: 620 Public Internet with NAT and Firewalls

    Posted Oct 03, 2015 04:12 PM

    I'm still a little lost. Here is what I did:

    (config) #vlan 1000
    (config) #interface vlan 1000
    (config-subif)#ip address dhcp-client
    (config-subif)#exit
    (config) #interface fastethernet 1/3
    (config-if)#switchport access vlan 1000
    (config-if)#exit
    (config) #ip default-gateway import dhcp
    (config) #exit
    #show ip route

    This returns the following.  Note that 192.168.0.0/24 is the router I want to replace with the 620.

     

    Codes: C - connected, O - OSPF, R - RIP, S - static
           M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN

    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    Gateway of last resort is 192.168.0.1 to network 0.0.0.0 at cost 1
    S*    0.0.0.0/0  [1/0] via 192.168.0.1*
    C    192.168.0.0/24 is directly connected, VLAN1
    C    10.10.10.0/24 is directly connected, VLAN1010
    C    10.10.11.0/24 is directly connected, VLAN1011
    C    10.11.10.0/24 is directly connected, VLAN1110

    Running "show ip interface brief" returns:

    vlan 1000                   unassigned / unassigned        up      up

     

    I have also tried using port 8 gigabit just in case of some kind of physical network issue as well.

     

     



  • 4.  RE: 620 Public Internet with NAT and Firewalls

    EMPLOYEE
    Posted Oct 03, 2015 04:27 PM

    I am assuming that your cable modem is plugged into interface 1/3:

     

    You need to unplug then plug in the cable from interface fastethernet1/3 so it can re-dhcp.

    Some cable modems will remember the mac address of the last device that was plugged in, and will not issue an ip address unless you reboot the cable modem.  Reboot the cable modem and type "show ip interface brief" to see if VLAN 1000 gets an ip address from your ISP.



  • 5.  RE: 620 Public Internet with NAT and Firewalls

    Posted Oct 03, 2015 04:29 PM

    Do you have it plugged directly into the cable modem (or similar from your provider)?   It looks like you still have it plugged into your existing router?



  • 6.  RE: 620 Public Internet with NAT and Firewalls

    Posted Oct 03, 2015 04:41 PM

    Yeah, I had to unplug it to send the message.  But let me try rebooting the cable modem and see if that does it.



  • 7.  RE: 620 Public Internet with NAT and Firewalls

    Posted Oct 03, 2015 05:16 PM

    I tried powering off the modem for a few minutes and then into the 620 gigabit port, then powered the modem back on; still nothing.  Here is the dump of data while plugged in.

     

    (config) #show interface gigabitethernet 1/8

    GE 1/8 is up, line protocol is up
    Hardware is Gigabit Ethernet, address is 00:0B:86:63:2F:B9 (bia 00:0B:86:63:2F:B9)
    Description: GE1/8 (RJ45 Connector)
    Encapsulation ARPA, loopback not set
    Configured: Duplex ( AUTO ), speed ( AUTO )
    Negotiated: Duplex (Full), speed (1000 Mbps)
    MTU 1500 bytes, BW is 1000 Mbit
    Last clearing of "show interface" counters 11 day 17 hr 34 min 25 sec
    link status last changed 0 day 0 hr 4 min 49 sec
        6064 packets input, 490872 bytes
        Received 5989 broadcasts, 0 runts, 0 giants, 0 throttles
        0 input error bytes, 0 CRC, 0 frame
        2011 multicast, 75 unicast
        728 packets output, 65199 bytes
        0 output errors bytes, 0 deferred
        0 collisions, 0 late collisions, 0 throttles
    This port is TRUSTED

     

    Interface                   IP Address / IP Netmask        Admin   Protocol
    vlan 1                     192.168.0.5 / 255.255.255.0     up      up
    vlan 1010                   10.10.10.1 / 255.255.255.0     up      up
    vlan 1011                   10.10.11.1 / 255.255.255.0     up      up
    vlan 1012                   10.10.12.1 / 255.255.255.0     up      down
    vlan 1110                   10.11.10.1 / 255.255.255.0     up      up
    vlan 1000                   unassigned / unassigned        up      up
    loopback                    unassigned / unassigned        up      up
    mgmt                        unassigned / unassigned        down    down

     

    (config) #show vlan 1000

    VLAN CONFIGURATION
    ------------------
    VLAN   Description  Ports         AAA Profile
    ----   -----------  -----         -----------
    1000   VLAN1000     FE1/3 GE1/8   N/A

     

    (config) #show ip route

    Codes: C - connected, O - OSPF, R - RIP, S - static
           M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN

    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    Gateway of last resort is 192.168.0.1 to network 0.0.0.0 at cost 1
    S*    0.0.0.0/0  [1/0] via 192.168.0.1*
    C    192.168.0.0/24 is directly connected, VLAN1
    C    10.10.10.0/24 is directly connected, VLAN1010
    C    10.10.11.0/24 is directly connected, VLAN1011
    C    10.11.10.0/24 is directly connected, VLAN1110

     

     



  • 8.  RE: 620 Public Internet with NAT and Firewalls

    EMPLOYEE
    Posted Oct 03, 2015 05:20 PM
    What is the output of:

    show vlan status
    show ip interface brief


  • 9.  RE: 620 Public Internet with NAT and Firewalls

    Posted Oct 03, 2015 05:28 PM
    Hey, so I changed the port to access and got an IP address. Now how do I set that as the gateway for non-local traffic?


  • 10.  RE: 620 Public Internet with NAT and Firewalls

    EMPLOYEE
    Posted Oct 03, 2015 05:30 PM
    The port should have been access in the beginning.

    You need to do "ip nat inside" for the other VLANs to allow them to go out.


  • 11.  RE: 620 Public Internet with NAT and Firewalls

    Posted Oct 03, 2015 05:32 PM

    Hot **bleep**, it worked.  I just had to change the default route.  Now, as long as my IP address doesn't change!  So now for the next part, how do I do an internal NAT translation?  I.e., if something comes in from the Internet over the public IP, I want to redirect it to a specific IP address internally.



  • 12.  RE: 620 Public Internet with NAT and Firewalls

    Posted Oct 03, 2015 06:04 PM

    So I got everything else working now.  But have another issue.

    I created the ip nat rule; however, if I go to https://myIP I get my controller login webpage and HTTPS traffic is not being forwarded to the host I want it to.



  • 13.  RE: 620 Public Internet with NAT and Firewalls

    Posted Oct 03, 2015 07:57 PM

    Can you share your ACL that you applied to the Internet port?   It should read something similar to this with dst-nat entries, with x.x.x.x being the internal IP of the web server you want to hit.

    ip access-list session INTERNET-ACL
      any any svc-dhcp  permit
      any any svc-http  dst-nat ip x.x.x.x 80
      any any svc-https dst-nat ip x.x.x.x 443
      any any any  deny



  • 14.  RE: 620 Public Internet with NAT and Firewalls

    Posted Oct 04, 2015 12:04 AM

    Here is the info.  But actually it ended up being that I had the management IP set on vlan 1.  I moved it to a different VLAN and that fixed it.  I also don't need the DHCP rule because I have another device running DHCP.

    1    any    any    svc-https    dst-nat ip 10.10.11.90 443
    2    any    any    svc-http     dst-nat ip 10.10.11.90 80
    3    any    any    any          deny

     

    I have one last question, I think, at least for now.  I want to create a firewall between VLANs, so I can have a DMZ.  How do I create something like that?



  • 15.  RE: 620 Public Internet with NAT and Firewalls

    Posted Oct 03, 2015 07:58 PM

    EDIT; duplicate post



  • 16.  RE: 620 Public Internet with NAT and Firewalls

    Posted Oct 03, 2015 04:12 PM

    I posted this a while back; it may get you started: 

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Controller-acting-as-Router/m-p/208147#M41372

     

     

    If you want to add additional rules, you can do so with dst-nat on the incoming policy. For example, the following is a subset of the config in the above link; it will allow HTTP and HTTPS from the Internet to an internal host.

    ip access-list session XFINITY-LINK-ACL
      any any svc-dhcp  permit
      any any svc-http  dst-nat ip x.x.x.x 80
      any any svc-https dst-nat ip x.x.x.x 443
      any any any  deny
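The Internet-facing session ACLs posted in replies 13, 14 and 16 all follow the same shape: dst-nat entries for the services to be published, then a closing "any any any deny". The script below is an added example, not code from HPE Aruba Networking or from anyone in this thread; it parses ACL text in the layout shown above (optionally with the rule numbers of reply 14) and checks the properties a reviewer would want before applying such a policy to the Internet port: that the policy ends with a deny-any, that no rule sits after a deny-any where it can never match (session ACLs are assumed to be first-match), and that every dst-nat target is a real private address rather than the x.x.x.x placeholder left in a copied template. The sample ACLs, the rule-name regex and the `lint_internet_acl` function are all constructed for this example.

```python
"""Linter for ArubaOS-style session ACL text (constructed example, not a vendor tool).

Assumptions: rules are evaluated first-match, and each rule line looks like
"[num] <src> <dst> <service> permit|deny|dst-nat [ip <addr> <port>]".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One rule per line; the leading rule number printed by "show" output is optional.
RULE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<svc>\S+)\s+"
    r"(?P<action>permit|deny|dst-nat)"
    r"(?:\s+ip\s+(?P<nat_ip>\S+)\s+(?P<nat_port>\d+))?\s*$"
)

# Constructed sample policies mirroring the thread's three ACL listings.
TEMPLATE_ACL = """ip access-list session INTERNET-ACL
  any any svc-dhcp  permit
  any any svc-http  dst-nat ip x.x.x.x 80
  any any svc-https dst-nat ip x.x.x.x 443
  any any any  deny
"""
APPLIED_ACL = """1    any    any    svc-https    dst-nat ip 10.10.11.90 443
2    any    any    svc-http     dst-nat ip 10.10.11.90 80
3    any    any    any          deny
"""
MISORDERED_ACL = """any any any deny
any any svc-https dst-nat ip 10.10.11.90 443
"""


@dataclass
class Rule:
    src: str
    dst: str
    svc: str
    action: str
    nat_ip: Optional[str] = None
    nat_port: Optional[int] = None

    def is_deny_any(self) -> bool:
        return (self.src, self.dst, self.svc, self.action) == ("any", "any", "any", "deny")


def parse_acl(text: str) -> List[Rule]:
    """Parse rule lines; the 'ip access-list session NAME' header and blank lines are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("ip access-list"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        port = m.group("nat_port")
        rules.append(Rule(m.group("src"), m.group("dst"), m.group("svc"),
                          m.group("action"), m.group("nat_ip"),
                          int(port) if port else None))
    return rules


def lint_internet_acl(rules: List[Rule]) -> List[str]:
    """Return human-readable findings for a policy meant for the Internet-facing port."""
    findings: List[str] = []
    if not rules:
        return ["empty policy"]
    if not rules[-1].is_deny_any():
        findings.append("policy does not end with 'any any any deny'; unmatched traffic is not dropped")
    for i, r in enumerate(rules, start=1):
        if r.is_deny_any() and i != len(rules):
            # Everything after a deny-any is dead under first-match evaluation.
            findings.append(f"rule {i} is a deny-any with {len(rules) - i} rule(s) after it that can never match")
            break
        if r.action == "dst-nat":
            try:
                target = ipaddress.ip_address(r.nat_ip)
            except ValueError:
                findings.append(f"rule {i}: dst-nat target {r.nat_ip!r} is not an IP address (placeholder left in?)")
                continue
            if not target.is_private:
                findings.append(f"rule {i}: dst-nat target {target} is not a private (RFC 1918) address")
    return findings


if __name__ == "__main__":
    for name, text in (("template", TEMPLATE_ACL), ("applied", APPLIED_ACL), ("misordered", MISORDERED_ACL)):
        print(name, lint_internet_acl(parse_acl(text)) or ["ok"])
```

Run it on the text of "show ip access-list <name>" pasted into a file, or on a policy you are about to paste into the CLI; a clean result is an empty findings list. The placeholder check is the one that catches the most common copy-paste mistake with templates like the ones in this thread.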