10-17-2012 02:36 PM
Ok, so we've never really considered setting up IP mobility as we can run big flat networks and our wireless users roam freely. Unfortunately, now I need to do something that seems like it's mobility-oriented, but not exactly IP mobility as far as I can tell.
I'm setting up a peering link with another company so that we can extend their SSIDs over our APs in a shared physical space. This means we cut down on the number of radios polluting the spectrum, but the hitch is that they have HIPAA concerns and I'd like to be able to have all of their user connections tunnel back to the one controller with the peering link. Furthermore, I don't really want any APs to have to be associated with that controller - I would want them to be handled by the master/local controllers that we have over the rest of the campus.
I'm assuming that I can set up the peering controller as a master, then put this master and the rest of my master/local controllers in the same mobility domain. Can I configure this so that these users would always be treated like foreign agents and get routed back to the controller with the peering link?
Or am I doing something completely wrong in my design?
10-17-2012 04:47 PM
Let me be sure I'm answering this right:
You want an access point to terminate on one controller, but you want the user traffic to terminate on a different controller? The second controller being the one that actually is connected to the Physical VLANs that those users need to be on?
Here's what you can do:
Create a non-routable VLAN on controller #1. Let's call it VLAN 1000. Make sure it does not exist on any trunks on that controller. Create a layer 2 GRE tunnel between controller #1 and controller #2 and assign that arbitrary VLAN to the GRE tunnel on controller #1:
Controller #1:
  configure terminal
  interface tunnel 100
    tunnel source <management IP of controller #1>
    tunnel destination <management IP of controller #2>
    trusted
    tunnel mode gre 0
    no shutdown
    tunnel vlan 1000

Controller #2:
  configure terminal
  interface tunnel 100
    tunnel source <management IP of controller #2>
    tunnel destination <management IP of controller #1>
    trusted
    tunnel mode gre 0
    no shutdown
    tunnel vlan <VLAN number those users should end up on, on controller #2>
Run the WLAN/LAN Wizard on Controller #1 and create a WLAN for those special users and assign it to VLAN 1000.
This is more of a deterministic construct than IP mobility.
Last TIP: If the two controllers this GRE tunnel will be on are master-local and have an IPsec tunnel between them, make sure that you execute a "tunnel mtu 1100" command on each tunnel interface so that the GRE tunnel will fit into the IPsec tunnel without issue.
Aruba Customer Engineering
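The design in the answer above only isolates the partner's traffic if every detail lines up: the two tunnel ends must mirror each other, the holding VLAN on controller #1 must be absent from every trunk so that traffic can leave that controller only through the GRE tunnel, and, when the controllers also carry an IPsec tunnel, each tunnel interface needs the reduced MTU. The following Python checker is an added example and is not code from the original post or from Aruba. It parses a small, constructed ArubaOS-style config snippet for each controller (placeholder addresses 10.0.0.1 and 10.0.0.2, and the holding VLAN 1000 from the post) and reports deviations from that design. It understands only the handful of CLI lines used in the answer plus "switchport trunk allowed vlan"; the names parse_blocks, tunnel_facts and check_design are the example's own.

```python
import re

# Constructed ArubaOS-style snippets with placeholder IPs; not a real running-config.
CONTROLLER1_OK = """
interface gigabitethernet 1/0
  switchport mode trunk
  switchport trunk allowed vlan 1,10-12
!
interface tunnel 100
  tunnel source 10.0.0.1
  tunnel destination 10.0.0.2
  trusted
  tunnel mode gre 0
  tunnel vlan 1000
  tunnel mtu 1100
!
"""
CONTROLLER2_OK = """
interface tunnel 100
  tunnel source 10.0.0.2
  tunnel destination 10.0.0.1
  trusted
  tunnel mode gre 0
  tunnel vlan 200
  tunnel mtu 1100
!
"""
# Broken variant: VLAN 1000 also rides a trunk, and the MTU tip was skipped.
CONTROLLER1_LEAKY = (CONTROLLER1_OK
                     .replace("allowed vlan 1,10-12", "allowed vlan 1,10-12,1000")
                     .replace("  tunnel mtu 1100\n", ""))

def parse_blocks(config):
    """Group 'interface ...' stanzas into {name: [sub-command lines]}; '!' ends one."""
    blocks, current = {}, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = line[len("interface "):]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks

def expand_vlans(spec):
    """'1,10-12' -> {1, 10, 11, 12}."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        if lo:
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def tunnel_facts(lines):
    """Pull the fields the design depends on out of one 'interface tunnel' stanza."""
    f = {"source": None, "destination": None, "mode": None, "trusted": False, "mtu": None, "vlans": set()}
    for line in lines:
        w = line.split()
        if w[:2] == ["tunnel", "source"]:
            f["source"] = w[2]
        elif w[:2] == ["tunnel", "destination"]:
            f["destination"] = w[2]
        elif w[:3] == ["tunnel", "mode", "gre"]:
            f["mode"] = w[3]
        elif w == ["trusted"]:
            f["trusted"] = True
        elif w[:2] == ["tunnel", "mtu"]:
            f["mtu"] = int(w[2])
        elif w[:2] == ["tunnel", "vlan"]:
            f["vlans"] |= expand_vlans("".join(w[2:]))
    return f

def check_design(cfg1, cfg2, tunnel="tunnel 100", holding_vlan=1000,
                 ipsec_between=False, max_mtu=1100):
    """Return a list of findings; an empty list means the pairing looks right."""
    b1, b2 = parse_blocks(cfg1), parse_blocks(cfg2)
    if tunnel not in b1 or tunnel not in b2:
        return [f"{tunnel} is missing on one of the controllers"]
    t1, t2 = tunnel_facts(b1[tunnel]), tunnel_facts(b2[tunnel])
    findings = []
    if (t1["source"], t1["destination"]) != (t2["destination"], t2["source"]):
        findings.append("tunnel endpoints are not mirrored between the controllers")
    if t1["mode"] != t2["mode"]:
        findings.append("GRE protocol number differs between the two tunnel ends")
    for label, t in (("controller 1", t1), ("controller 2", t2)):
        if not t["trusted"]:
            findings.append(f"{label}: tunnel is not marked trusted")
        if ipsec_between and (t["mtu"] is None or t["mtu"] > max_mtu):
            findings.append(f"{label}: set 'tunnel mtu {max_mtu}' so GRE fits inside the IPsec tunnel")
    if holding_vlan not in t1["vlans"]:
        findings.append(f"controller 1: VLAN {holding_vlan} is not mapped to {tunnel}")
    # The holding VLAN must leave controller 1 only through the tunnel, never over a trunk.
    for port, lines in b1.items():
        for line in lines:
            m = re.match(r"switchport trunk allowed vlan (?:add )?(.+)", line)
            if m and holding_vlan in expand_vlans(m.group(1)):
                findings.append(f"controller 1: holding VLAN {holding_vlan} is allowed on trunk {port}")
    return findings
```

Running check_design(CONTROLLER1_OK, CONTROLLER2_OK, ipsec_between=True) returns an empty list, while the leaky variant reports both the missing "tunnel mtu" and VLAN 1000 appearing on the trunk. The trunk check is the one worth keeping in a real change review: if the holding VLAN is ever added to a trunk, the partner's HIPAA traffic has a second, untunnelled path off controller #1.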
10-18-2012 01:26 PM
That sounds better than what I was trying to do since I wasn't sure how to get the users on the "home" controller when they'd never actually roamed from it to the foreign controllers. Thanks!