Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Mobility Domains and Controller Tunnels

  • 1.  Mobility Domains and Controller Tunnels

    Posted Sep 27, 2016 09:16 PM

    Hey all,

    I've got a client with a setup that I need a bit of help with, and wanted to see if anyone had run into something like this before.

    Long story short, they would like to have someone from, say, Tucson, who travels to the Dallas office, to be able to connect to the network and terminate to their Tucson controller and network. I looked at setting up mobility domains, but I can't really find a comprehensive guide. The controller environment is such that there are two big controllers in a master primary - master backup VRRP / master-redundancy feeding local controllers in a number of locations. I'd rather not build a bunch of L2 tunnels for every location from the master-master cluster. Also, they'd like to use named VLANs for every location, so when ClearPass does its authentication, it can do a derivation and dump them off on their correct controller.

    Any ideas?



  • 2.  RE: Mobility Domains and Controller Tunnels

    EMPLOYEE
    Posted Sep 27, 2016 10:35 PM

    Why can't you let anyone route their traffic to Tucson if needed? That way, they don't have to have a specific IP address to obtain resources. An IP address is just what a user has temporarily so that user can send and receive traffic. Any other way and you are setting layer 2 tunnels to and from anywhere. You should instead solve this at the network level.

    Mobility domains are only useful for users that want to roam between controllers where there is overlapping Wi-Fi between the two. Your current situation cannot be solved using mobility domains.



  • 3.  RE: Mobility Domains and Controller Tunnels

    Posted Sep 27, 2016 11:08 PM
    Wouldn't work that way. All of the sites are separate islands, so to speak.


  • 4.  RE: Mobility Domains and Controller Tunnels

    EMPLOYEE
    Posted Sep 27, 2016 11:11 PM

    How would sites communicate without wireless?



  • 5.  RE: Mobility Domains and Controller Tunnels

    Posted Sep 27, 2016 11:48 PM
    Via routing and named VLANs. But how would controller B know that user A, when at location B, needs to terminate to controller A without mobility home agent / foreign agent assignments using IP mobility?


  • 6.  RE: Mobility Domains and Controller Tunnels

    Posted Sep 28, 2016 04:19 AM

    Why do you need the user who travels to terminate on their home controller? Do they access resources that only those networks at their home location are able to reach?

    If you want to keep access separated, you might want to use the Aruba roles instead, so that a user from location A still gets role A when at location B but will have an IP address from location B during the visit.

    This needs underlying connectivity/routing/firewall configuration to allow that kind of communication between the sites as well.

     

    Cheers,



  • 7.  RE: Mobility Domains and Controller Tunnels

    Posted Oct 11, 2016 11:08 PM

    Thanks, Christoffer. Yes, each site is a separate island, so we needed to only terminate the user at their home controller. We accomplished this using VIP to VIP tunnels and assigned a VLAN to a specific role, and then derived based on certain conditions in ClearPass.

    Thanks for the assistance.