Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

L2 GRE tunnel question

  • 1.  L2 GRE tunnel question

    Posted Oct 10, 2016 12:12 PM

    Hi guys, quick question for you. I have this config (below): I have a GRE L2 tunnel to a DMZ controller. When the users connect to the guest SSID they will go to VLAN 888, the traffic will go to the tunnel, and they will fall into the "Guest" role. Here is my question: if I apply access-list guest-control to the Guest role, everything below access-list session guest-control won't matter, right? Because when they hit access-list session guest-control all the traffic will be redirected to the DMZ controller and fall into whatever the wired profile is in there, right?


    user-role Guest
    captive-portal "default"
    access-list session global-sacl
    access-list session apprf-Guest-PreAuth-sacl
    access-list session ra-guard
    access-list session guest-control
    access-list session logon-control
    access-list session captiveportal
    !

    guest-control
    -------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
    1 any any any redirect tunnel 101 Low 4


    interface tunnel 101
    description "Tunnel Interface To DMZ"
    tunnel mode gre 0
    tunnel source 1.1.1.1
    tunnel destination 3.3.3.3
    trusted
    mtu 1400
    tunnel vlan 888
    !



  • 2.  RE: L2 GRE tunnel question
    Best Answer

    EMPLOYEE
    Posted Oct 10, 2016 12:23 PM

    Correct.


    If you have an any any any ACL, no other rules are evaluated.
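    An added example, not from the thread or from ArubaOS itself: a small first-match evaluator in Python that models the Guest role's ordered session ACLs and reports which rules can never fire once the any/any/any redirect in guest-control is reached. Only the guest-control rule and the two captiveportal rules are taken from the posts; the ra-guard and logon-control rule bodies, the field aliases and the packet tuples are constructed.

```python
# Added example (not from the thread or from ArubaOS): first-match session-ACL
# evaluation for an ArubaOS-style user role, to show that a rule matching
# any/any/any shadows every rule listed after it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    acl: str      # name of the session ACL the rule belongs to
    src: str      # "any", "user", or an alias (constructed simplification)
    dst: str      # "any", "controller", or an alias
    svc: str      # "any" or a service alias such as "svc-http"
    action: str   # e.g. "permit", "deny", "redirect tunnel 101", "dst-nat 8080"

    def fields(self):
        return (self.src, self.dst, self.svc)

    def matches(self, src, dst, svc):
        # "any" in a rule field matches every value; otherwise exact alias match.
        return all(r == "any" or r == v
                   for r, v in zip(self.fields(), (src, dst, svc)))


# Ordered rules of the Guest role as the thread lists its ACLs; first match wins
# across the whole list, not per ACL. Rules marked "constructed" are illustrative.
GUEST_ROLE = [
    Rule("ra-guard", "any", "any", "svc-icmpv6-ra", "deny"),               # constructed
    Rule("guest-control", "any", "any", "any", "redirect tunnel 101"),     # from the thread
    Rule("logon-control", "user", "any", "svc-dhcp", "permit"),            # constructed
    Rule("captiveportal", "user", "any", "svc-http", "dst-nat 8080"),      # from the thread
    Rule("captiveportal", "user", "controller", "svc-https", "dst-nat 8081"),
]


def evaluate(role, src, dst, svc):
    """Return the first rule that matches the (src, dst, svc) tuple, or None."""
    for rule in role:
        if rule.matches(src, dst, svc):
            return rule
    return None


def shadowed(role):
    """Rules that can never fire because an earlier rule covers every tuple they match.

    A rule E covers rule R when each field of E is "any" or equal to R's field.
    Aliases are treated as atomic (no subnet containment), which is enough to
    expose the any/any/any problem from the thread.
    """
    return [r for i, r in enumerate(role)
            if any(all(ef == "any" or ef == rf for ef, rf in zip(e.fields(), r.fields()))
                   for e in role[:i])]
```

    Running evaluate() for an HTTP flow returns the redirect rule, not the captiveportal dst-nat rule, and shadowed() lists both captiveportal rules as unreachable.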



  • 3.  RE: L2 GRE tunnel question

    Posted Oct 10, 2016 01:30 PM

    One more question, and I am pretty sure it depends on the topology, but what is the advantage/disadvantage of redirecting all the traffic to the DMZ controller and letting the wired profile there take care of everything on the DMZ? I have a scenario where I have ClearPass on the DMZ along with the DMZ controllers. I guess for me it is easier to send all the traffic to the DMZ controller and NAT it to the DMZ controller IP address vs. dealing with the captive portal access-list on the local controller. Do I lose any good information on the local controller if I apply an "any any redirect tunnel 101"?

    captiveportal session acl
    IPv4 user any svc-http-proxy3 dst-nat 8088 Low
    IPv4 user controller svc-https dst-nat 8081 Low
    IPv4 user any svc-http dst-nat 8080 Low
    IPv4 user any svc-https dst-nat 8081 Low
    IPv4 user any svc-http-proxy1 dst-nat 8088 Low
    IPv4 user any svc-http-proxy2 dst-nat 8088 Low



  • 4.  RE: L2 GRE tunnel question

    EMPLOYEE
    Posted Oct 10, 2016 03:03 PM
    With that method, you lose the controller-ap-username relationship since the authentication occurs at the DMZ controller. If you are just basically asking your users to accept terms and conditions, it does not matter. You should have all of the other stats on the controller that the AP terminates on.


  • 5.  RE: L2 GRE tunnel question

    Posted Oct 10, 2016 03:09 PM

    Thanks. So I guess that my role on the local controller will never change from "guest-preauthenticated" to something like "guest" because there is no way that the DMZ controller informs the local controller that the authentication took place? Or is there a way to do something like that?



  • 6.  RE: L2 GRE tunnel question

    EMPLOYEE
    Posted Oct 10, 2016 03:27 PM
    You could do the captive portal authentication on the controller, but the guest subnet in the DMZ would need to be routable to the controller (the controller would need an IP address in the DMZ subnet). You also would not have a redirect in your ACL; you would just have a tunnel vlan (guest VLAN number) statement below the interface tunnel x statement so that it bridges traffic to the tunnel. You would make the DMZ side of the tunnel trusted, but still allow the DMZ controller to supply IP addresses and be the default gateway for your clients...


  • 7.  RE: L2 GRE tunnel question

    Posted Oct 10, 2016 04:51 PM

    Thanks, everything is clear, just one question here: "(the controller would need an IP address in the DMZ subnet)", what is the best way of doing this? Assigning that IP to an "interface vlan XX", XX being the tunnel VLAN that I used inside the GRE tunnel?



  • 8.  RE: L2 GRE tunnel question

    EMPLOYEE
    Posted Oct 10, 2016 06:21 PM


  • 9.  RE: L2 GRE tunnel question

    Posted Oct 10, 2016 06:28 PM

    Thank you, I was kind of confused with this part of your previous answer:

    You could do the captive portal authentication on the controller, but the guest subnet in the DMZ would need to be routable to the controller (the controller would need an IP address in the DMZ subnet).

    Because I was thinking that I needed to make the guest network routable on my network and I didn't want that, but as long as it is just adding an IP address of the network to the interface vlan of each of the controllers I am ok with it. I didn't want to add a 172.0.0.0 network into my network because we only use 10.0.0.0 so far.

    Thanks