Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba AOS 8. - Wireless VLANs only on controller

  • 1.  Aruba AOS 8. - Wireless VLANs only on controller

    Posted Mar 08, 2017 09:44 AM

    I'm working with a customer who has a setup, rather different than any others I've been working with - so looking for some input. 

    Background:

    - Customer has multiple customers and VLANs (many)

    - They have 1 x VLAN to all wireless systems (VLAN550)

    - They'll have +/- 200 customer VLANs. These VLANs exist only on controller

    - Controller will NOT do any source NAT

    - Controller will be default gateway for all wireless VLANs. 

     

    They have 1 x VMM and 2 x HW AOS7220.

     

    The issues would be: 

     

    1. Be able to use VLANs for routing. Routing from LAN to WiFi - we are looking into using OSPF to have the router route traffic to stations back to the controller where that user is homed.

    2. Which IP should clients use for gateway? There are 2 controllers. They're in separate data centers - in the same VLAN but not really L2 connected. We've set up VRRP for now, for default gateway. But there's a limit of 255 VRRPs for a controller?

     

    Any other good solutions for this ? 



  • 2.  RE: Aruba AOS 8. - Wireless VLANs only on controller

    Posted Mar 08, 2017 06:59 PM

    As you said they have single VLAN for the Wi-Fi, what is the use of those 200+ customer VLANs?



  • 3.  RE: Aruba AOS 8. - Wireless VLANs only on controller

    Posted Mar 09, 2017 04:52 PM

    Sorry - I see now I was rather unclear when explaining this.

    They have VLAN13 - which is routable on switches and firewall, and a "known" VLAN to all network. In this VLAN all WiFi equipment is located (Controllers, Airwave - some APs).

    All wireless client VLANs (VLAN300 - VLAN499) are isolated on controllers. Only the controllers have these VLANs. The controllers are default gateway for all wireless clients.

    The client traffic however, is not NAT'ed but passed along through VLAN13 - with source IP the IP the client has in the client VLAN (300 - 499)



  • 4.  RE: Aruba AOS 8. - Wireless VLANs only on controller

    Posted Mar 19, 2017 12:50 PM

    An interesting customer setup, multi-tenant environment I assume.

    The Multi-zone feature, which is new in ArubaOS 8, is an alternative to running a separate router.

    Examples of some use cases worth exploring:

     

    Use Case #1: Isolate guest traffic from the internal network by having a Multizone AP build separate, secure tunnels to the corporate controller and the guest anchor controller (DMZ) for corporate and guest SSIDs respectively, thus creating an "airwall" between the two SSIDs. Doing so helps avoid the need for guest traffic to traverse the corporate controller on its way to the guest anchor in the DMZ. In 6.x, both guest and corporate SSIDs are tunneled from the AP to the corporate controller, and the guest tunnel from there onwards to the guest anchor controller via an L2 GRE tunnel, and this can be a security concern for some customers.

    Use Case #2: Allow multiple 'tenants' in a geographical location to be able to leverage existing AP infrastructure to advertise their own SSIDs. The PZ will be the owner of the WLAN infrastructure (including APs), and one or more DZs will be the 'tenants'.