Wireless Access

Occasional Contributor II
Posts: 58
Registered: ‎05-22-2016

L2 GRE tunnel question

Hi guys, quick question for you. I have this config (below), so I have an L2 GRE tunnel to a DMZ controller. When the users connect to the guest SSID they will go to VLAN 888, the traffic will go to the tunnel, and they will fall into the "Guest" role. Here is my question: if I apply access-list guest-control to the Guest role, everything below access-list session guest-control won't matter, right? Because when they hit access-list session guest-control, all the traffic will be redirected to the DMZ controller and fall into whatever the wired profile is in there, right?

 

 

user-role Guest
captive-portal "default"
access-list session global-sacl
access-list session apprf-Guest-PreAuth-sacl
access-list session ra-guard
access-list session guest-control
access-list session logon-control
access-list session captiveportal
!

guest-control
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any redirect tunnel 101 Low 4

 

 

interface tunnel 101
description "Tunnel Interface To DMZ"
tunnel mode gre 0
tunnel source 1.1.1.1
tunnel destination 3.3.3.3
trusted
mtu 1400
tunnel vlan 888
!

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: L2 GRE tunnel question

Correct.

 

If you have an any any any ACL, no other rules are evaluated.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
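To make the first-match behaviour concrete, here is an added example (not code from the thread or from Aruba): a small evaluator that walks a role's ACLs in order, the way the controller does, and a check that lists every rule an earlier "any any any" rule shadows. The role is the "Guest" role posted above; only the guest-control and captiveportal rules are visible in the thread, so the other ACLs are assumed empty, and the packet destination 198.51.100.10 is a constructed value.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # source alias: "any", "user", ...
    dst: str      # destination alias: "any", "controller", ...
    svc: str      # service alias: "any", "svc-http", ...
    action: str   # e.g. "redirect tunnel 101", "dst-nat 8080"

def covers(broad, narrow):
    """'any' matches every value of a field; otherwise the aliases must be equal."""
    return broad == "any" or broad == narrow

def rule_covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (covers(outer.src, inner.src) and covers(outer.dst, inner.dst)
            and covers(outer.svc, inner.svc))

def evaluate(role, src, dst, svc):
    """First-match lookup over the role's ACLs in order; unmatched traffic is denied."""
    for acl_name, rules in role:
        for rule in rules:
            if rule_covers(rule, Rule(src, dst, svc, "")):
                return acl_name, rule.action
    return None, "deny"

def shadowed_rules(role):
    """Rules that can never fire because an earlier rule in the role already covers them."""
    seen, shadowed = [], []
    for acl_name, rules in role:
        for rule in rules:
            if any(rule_covers(earlier, rule) for earlier in seen):
                shadowed.append((acl_name, rule))
            seen.append(rule)
    return shadowed

# The "Guest" role from the thread. ACLs whose rules are not shown in the thread
# are treated as empty here (constructed assumption for the example).
GUEST_ROLE = [
    ("global-sacl", []),
    ("apprf-Guest-PreAuth-sacl", []),
    ("ra-guard", []),
    ("guest-control", [Rule("any", "any", "any", "redirect tunnel 101")]),
    ("logon-control", []),
    ("captiveportal", [
        Rule("user", "any", "svc-http-proxy3", "dst-nat 8088"),
        Rule("user", "controller", "svc-https", "dst-nat 8081"),
        Rule("user", "any", "svc-http", "dst-nat 8080"),
        Rule("user", "any", "svc-https", "dst-nat 8081"),
        Rule("user", "any", "svc-http-proxy1", "dst-nat 8088"),
        Rule("user", "any", "svc-http-proxy2", "dst-nat 8088"),
    ]),
]
```

With guest-control in place every captiveportal dst-nat rule is reported as shadowed; drop guest-control from the role and the same HTTP request lands on the captiveportal dst-nat rule instead.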

Occasional Contributor II
Posts: 58
Registered: ‎05-22-2016

Re: L2 GRE tunnel question

One more question, and I am pretty sure it depends on the topology, but what is the advantage/disadvantage of redirecting all the traffic to the DMZ controller and letting the wired profile there take care of everything on the DMZ? I have a scenario where I have ClearPass on the DMZ along with the DMZ controllers. I guess for me it is easier to send all the traffic to the DMZ controller and NAT it to the DMZ controller IP address vs. dealing with the captive portal access-list on the local controller. Do I lose any good information on the local controller if I apply an "any any redirect tunnel 101"?

 

 

 captiveportal session acl
IPv4 user any svc-http-proxy3 dst-nat 8088 Low
IPv4 user controller svc-https dst-nat 8081 Low
IPv4 user any svc-http dst-nat 8080 Low
IPv4 user any svc-https dst-nat 8081 Low
IPv4 user any svc-http-proxy1 dst-nat 8088 Low
IPv4 user any svc-http-proxy2 dst-nat 8088 Low

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: L2 GRE tunnel question

With that method, you lose the controller-ap-username relationship since the authentication occurs at the DMZ controller. If you are just basically asking your users to accept terms and conditions, it does not matter. You should have all of the other stats on the controller that the AP terminates on.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 58
Registered: ‎05-22-2016

Re: L2 GRE tunnel question

Thanks. So I guess that my role on the local controller will never change from "guest-preauthenticated" to something like "guest" because there is no way for the DMZ controller to inform the local controller that the authentication took place? Or is there a way to do something like that?

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: L2 GRE tunnel question

You could do the captive portal authentication on the controller, but the guest subnet in the DMZ would need to be routable to the controller (the controller would need an IP address in the DMZ subnet). You also would not have a redirect in your ACL; you would just have a tunnel VLAN (guest VLAN number) statement below the interface tunnel x statement so that it bridges traffic to the tunnel. You would make the DMZ side of the tunnel trusted, but still allow the DMZ controller to supply IP addresses and be the default gateway for your clients...


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 58
Registered: ‎05-22-2016

Re: L2 GRE tunnel question

Thanks, everything is clear, just one question here: "(the controller would need an IP address in the DMZ subnet)". What is the best way of doing this? Assigning that IP to an "interface vlan XX", XX being the tunnel VLAN that I used inside the GRE tunnel?

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: L2 GRE tunnel question

Yes.

 

A good example of how to do this without using the redirect ACL is here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-redirect-guest-access-across-a-GRE-tunnel-to-a-DMZ/ta-p/183468



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 58
Registered: ‎05-22-2016

Re: L2 GRE tunnel question

Thank you. I was kind of confused with this part of your previous answer:

 

You could do the captive portal authentication on the controller, but the guest subnet in the DMZ would need to be routable to the controller (the controller would need an IP address in the DMZ subnet).

 

Because I was thinking that I needed to make the guest network routable on my network, and I didn't want that, but as long as it is just adding an IP address of the network to the interface vlan of each of the controllers, I am OK with it. I didn't want to add a 172.0.0.0 network into my network because we only use 10.0.0.0 so far.

 

Thanks
