3 weeks ago
I'm working with a customer who has a setup rather different from any other I've been working with, so I'm looking for some input.
- The customer has multiple customers and VLANs (many)
- They have 1 x VLAN to all wireless systems (VLAN550)
- They'll have +/- 200 customer VLANs. These VLANs exist only on the controller
- Controller will NOT do any source NAT
- Controller will be default gateway for all wireless VLANs.
They have 1 x VMM and 2 x HW AOS7220.
The issues would be:
1. Being able to use VLANs for routing. For routing from LAN to Wi-Fi, we are looking into using OSPF so that the router routes traffic to stations back to the controller where that user is homed.
2. Which IP should clients use as the gateway? There are 2 controllers. They're in separate data centers, in the same VLAN but not really L2 connected. We've set up VRRP for now for the default gateway. But there's a limit of 255 VRRPs for a controller?
Any other good solutions for this?
2 weeks ago
Sorry, I see now I was rather unclear when explaining this.
They have VLAN13, which is routable on switches and firewall, and a "known" VLAN to the whole network. All WiFi equipment is located in this VLAN (controllers, AirWave, some APs).
All wireless client VLANs (VLAN300 - VLAN499) are isolated on the controllers. Only the controllers have these VLANs. The controllers are the default gateway for all wireless clients.
The client traffic, however, is not NATed but passed along through VLAN13, with the source IP being the IP the client has in the client VLAN (300 - 499).
An interesting customer setup, a multi-tenant environment I assume.
The Multi-zone feature, which is new in ArubaOS 8, is an alternative to running a separate router.
Examples of some use cases worth exploring:
Use Case #1: Isolate guest traffic from the internal network by having a Multizone AP build separate, secure tunnels to the corporate controller and the guest anchor controller (DMZ) for corporate and guest SSIDs respectively, thus creating an "airwall" between the two SSIDs. Doing so helps avoid the need for guest traffic to traverse the corporate controller on its way to the guest anchor in the DMZ. In 6.x, both guest and corporate SSIDs are tunneled from the AP to the corporate controller, and the guest tunnel from there onwards to the guest anchor controller via an L2 GRE tunnel, and this can be a security concern for some customers.
Use Case #2: Allow multiple 'tenants' in a geographical location to be able to leverage existing AP infrastructure to advertise their own SSIDs. The PZ will be the owner of the WLAN infrastructure (including APs), and one or more DZs will be the 'tenants'.