Wireless Access

MVP
Posts: 3,009
Registered: ‎10-25-2011

DMZ Controller questions

Hello, I'm doing a deployment of a WLAN in which, in the design, we do have a controller which is on the DMZ.

We have to tunnel all the guest traffic from all the other controllers.

All the other controllers would be:

  • 2 master controllers, one active and one standby with VRRP
  • x amount of local controllers in different sites

Now I know that you have to create a GRE tunnel from each controller, I mean from every local controller, to that DMZ controller for the guest network that will just exist in that DMZ controller.

 

1. Can this controller be a local controller of the pair of master controllers I'll have in the data center? It's just that I would like to use centralized licensing.

2. Do I need an extra license here, a firewall license or something like that, for example a PEFNG license?

3. Ports that I need to open between the DMZ controllers and ALL the other controllers would be:

  • PAPI (udp/8211 and tcp/8211)
  • IP-IP (protocol 4), if L3 mobility is enabled
  • IPSEC/NAT-T (udp/4500)
  • GRE (protocol 47)
  • HTTPS (tcp/443 and tcp/4343)
  • SSH (tcp/22)
  • SNMP (udp/161 and udp/162)

Am I missing any port?

 

Cheers

Carlos


----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: DMZ Controller questions


1. Can this controller be a local controller of the pair of master controllers I'll have in the data center? It's just that I would like to use centralized licensing.

It can be a local or a master. Most people use a master controller so that configuration on that device is not tied to any other controllers if there is an outage. I would not bother trying to use centralized licensing, because the licensing would be minimal, like 1 AP license and 1 PEF license. You would only be configuring policy on wired traffic, not AP traffic.

2. Do I need an extra license here, a firewall license or something like that, for example a PEFNG license?

For maximum flexibility, you would need the PEF license, yes. Since you would not terminate any access points on that controller, you would only need a 1 AP and 1 PEF license.

3. Ports that I need to open between the DMZ controllers and ALL the other controllers would be:

If you are tunneling GRE, you would need protocol 47 between those DMZ controllers and your other controllers.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 3,009
Registered: ‎10-25-2011

Re: DMZ Controller questions

Hello Colin,

If they do not have this extra license, is there any issue if we put it as a local controller, besides depending on the master controller to do some configs?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 3,009
Registered: ‎10-25-2011

Re: DMZ Controller questions

Colin,

If I have 50 licenses and 50 APs, even if I do centralized licensing, I would need 1 EXTRA license of AP and PEFNG to do this, right?

So it doesn't really matter if I use centralized licensing or not.

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: DMZ Controller questions

Making it a local controller would mean that you would have to allow other ports between the DMZ controller and the other controllers. Also, if anything were to happen to the master controller, you would lose the ability to configure the DMZ controllers unless you change them to masters and reboot them. You honestly don't want the DMZ controllers tied to any other controllers; that is why you have them in the DMZ.

Alternatively, you could just have the WLAN controllers tunnel the guest VLAN to the DMZ controllers, but have the WLAN controllers do all of the policy enforcement, so that the DMZ controllers would not need any PEF licenses. You would not need centralized licensing, and you would only need GRE opened between the DMZ controllers and the WLAN controllers. A side benefit of this is that the guest users will show up on the WLAN controllers and APs and not in the wired user table of the DMZ controllers, so AirWave will correctly show what APs guest users are connected to. The DMZ controllers would provide DHCP and route the guest traffic wherever it needs to go, but the captive portal would be provided by the WLAN controllers.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 3,009
Registered: ‎10-25-2011

Re: DMZ Controller questions

Thanks Colin,

That looks like a nice solution. Would this impact security in any way, having the captive portal on the master (which is on the internal network) instead of the captive portal on the DMZ controller?

I guess not, because that interface is still on a VLAN which can only leave that VLAN through the firewall that is connected to the DMZ controller, but still... it never hurts asking for a second opinion.

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: DMZ Controller questions

The WLAN controllers would have an IP address on the subnet that is provided by the DMZ controllers and would bring up the captive portal on that interface (ip cp-redirect-address). That IP address would not be routable, and the default gateway would be in the DMZ. On top of that, the initial and guest roles on the WLAN controller would block traffic to any destination that you do not want it to reach, using firewall policies.


Colin Joseph
Aruba Customer Engineering

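The design Colin describes in his two replies above (guest VLAN bridged over L2 GRE to the DMZ controller, captive portal and role policy kept on the WLAN controller, DHCP and routing in the DMZ), written out as an ArubaOS-style configuration. This is an added illustration, not configuration from the thread or from Aruba: the addresses, VLAN, tunnel number and pool name are constructed, and the command syntax is assumed from the ArubaOS 6.x CLI, so check it against the release in use.

```text
! ===== WLAN controller (internal side) =====
! Guest VLAN 900; this IP is on the guest subnet the DMZ controller owns and
! exists only to present the captive portal (constructed addresses).
vlan 900
interface vlan 900
  ip address 172.16.90.2 255.255.255.0
!
! L2 GRE carrying VLAN 900 to the DMZ controller: only IP protocol 47
! between 10.0.0.10 and 192.0.2.10 has to pass the DMZ firewall.
interface tunnel 1
  tunnel mode gre 0
  tunnel source 10.0.0.10
  tunnel destination 192.0.2.10
  tunnel vlan 900
  tunnel keepalive
  trusted
!
ip cp-redirect-address 172.16.90.2
!
! Policy stays on the WLAN controller: guests get DHCP and DNS, are denied
! (and logged) towards internal networks, and everything else egresses via the DMZ.
netdestination internal-networks
  network 10.0.0.0 255.0.0.0
!
ip access-list session guest-policy
  any any svc-dhcp permit
  user any svc-dns permit
  user alias internal-networks any deny log
  user any any permit
!
user-role guest
  access-list session guest-policy
!
! ===== DMZ controller =====
vlan 900
interface vlan 900
  ip address 172.16.90.1 255.255.255.0
!
interface tunnel 1
  tunnel mode gre 0
  tunnel source 192.0.2.10
  tunnel destination 10.0.0.10
  tunnel vlan 900
  tunnel keepalive
  trusted
!
! DHCP for guests: the default gateway is the DMZ controller, not the WLAN one.
service dhcp
ip dhcp pool guest-pool
  network 172.16.90.0 255.255.255.0
  default-router 172.16.90.1
```

With the DMZ controller kept as a standalone master, none of the PAPI, HTTPS, SSH or SNMP openings from the original question are needed on the firewall for this path; a deny-log hit on the guest-policy rule is the event to watch for guests probing the internal side.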

MVP
Posts: 3,009
Registered: ‎10-25-2011

Re: DMZ Controller questions

Thanks Colin,

One last question.

For the GRE tunnels, would you do them from the local controllers to the master/standby controller, and another GRE tunnel from the master/standby controller to the DMZ controller?

For the GRE tunnels to the master/standby controller, I guess I point to the virtual IP of the HA pair, right?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: DMZ Controller questions

Please see the thread here:  http://community.arubanetworks.com/t5/Wireless-Access/GRE-L2-tunnel-from-Local-to-VRRP-Master/td-p/219331/highlight/true/page/2


Colin Joseph
Aruba Customer Engineering


MVP
Posts: 3,009
Registered: ‎10-25-2011

Re: DMZ Controller questions

hahah

Thank you Colin, you just saved me a lot of time. I'll have that in mind when configuring this!

Thanks again!!!


Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp