06-03-2015 02:08 PM
New IAP 205 cluster replacing an old 650 controller based installation. In the old system, the Guest traffic vlan, 172, was ported out port 2 on the 650 straight to the firewall. This vlan never existed anywhere else on their network.
In the new IAP cluster, I cannot use this vlan because it doesn't exist. If I want to use the Distributed DHCP L2 scope with same network, mask, dns, but their old external gateway, we will have to add this vlan to all IAP uplinks, their core, and extend it out to their firewall, right?
From a design perspective, what is the difference if I just set up the correct ACLs managing the role to prohibit traffic to internal networks, and let the IAP cluster NAT handle the rest?
06-03-2015 07:55 PM
So, using the roles to limit access will be your cleanest solution. Your other option is to use the "guest" type in the network settings; however, that makes your IAP cluster the DHCP server, and NAT is done on the virtual controller.
If you want to use the VPN option and have a VLAN on some north bound device AND that device is an Aruba controller, you could also consider Aruba GRE option in the VPN setup and choose per-AP setting so that all IAPs build a GRE tunnel. Then for the VLAN assigned during that setup, you can assign that to the SSID.
Consulting Systems Engineer - ACCX, ACDX, ACMX
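To make the role-based option from the accepted answer concrete, here is an added Python model of a guest role's access rules with first-match semantics, the way an IAP evaluates a role's rule list. This is example code written for this thread, not Aruba's code or CLI; the guest subnet, gateway, internal resolver and tested flows are constructed placeholders. It also shows the ordering caveat a practitioner hits when the guest subnet itself falls inside a private range that the role denies: the permits for DHCP and DNS to the virtual controller's gateway must come before the RFC1918 deny lines, or the guest never gets an address.

```python
"""Model a guest-role ACL with first-match semantics (added example, not Aruba code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    dst: str              # destination network in CIDR form
    proto: str            # "any", "udp" or "tcp"
    dport: Optional[int]  # None means any destination port
    action: str           # "permit" or "deny"


# Constructed values: the guest subnet, its gateway and the internal resolver are
# placeholders for this example, not addresses from the thread.
GUEST_NET = ip_network("172.31.172.0/24")
GUEST_GW = "172.31.172.1"   # gateway hosted on the virtual controller, which NATs
CORP_DNS = "10.10.10.53"    # constructed internal resolver, deliberately NOT permitted

# Order matters: the services a guest needs from its own gateway are permitted
# before the blanket private-range denies. Because GUEST_NET sits inside
# 172.16.0.0/12, a deny-first ordering would swallow DHCP and DNS to the gateway.
GUEST_ROLE = [
    Rule(f"{GUEST_GW}/32", "udp", 67, "permit"),   # DHCP to the gateway
    Rule(f"{GUEST_GW}/32", "udp", 53, "permit"),   # DNS to the gateway
    Rule("10.0.0.0/8", "any", None, "deny"),       # internal networks
    Rule("172.16.0.0/12", "any", None, "deny"),
    Rule("192.168.0.0/16", "any", None, "deny"),
    Rule("0.0.0.0/0", "any", None, "permit"),      # everything else goes out via NAT
]


def evaluate(rules, dst_ip, proto="any", dport=None):
    """Return (action, index of the first matching rule); implicit deny if none match."""
    dst = ip_address(dst_ip)
    for i, r in enumerate(rules):
        if dst not in ip_network(r.dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", -1


def naive_role():
    """The same rules with the denies listed first, to show why ordering matters."""
    return GUEST_ROLE[2:5] + GUEST_ROLE[0:2] + GUEST_ROLE[5:]


def check_policy(rules):
    """Run a constructed set of guest flows through the rules; return {flow: action}."""
    flows = {
        "dhcp_to_gateway": (GUEST_GW, "udp", 67),
        "dns_to_gateway": (GUEST_GW, "udp", 53),
        "dns_to_corp_resolver": (CORP_DNS, "udp", 53),
        "http_to_internal": ("10.1.2.3", "tcp", 80),
        "https_to_internet": ("93.184.216.34", "tcp", 443),
    }
    return {name: evaluate(rules, ip, p, port)[0]
            for name, (ip, p, port) in flows.items()}


if __name__ == "__main__":
    for name, action in check_policy(GUEST_ROLE).items():
        print(f"{name:24s} {action}")
    print("deny-first ordering breaks DHCP:",
          check_policy(naive_role())["dhcp_to_gateway"])
```

The internal resolver case is the one worth checking after the cutover: with the old controller the guest VLAN reached only the firewall, so nothing internal was reachable by construction; with roles on the IAP cluster, reachability is whatever the rule list says, so every internal service (DNS, DHCP relays, management) has to be covered by a deny or by the final catch-all being a deny rather than a permit.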