Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP-Split tunnel

  • 1.  RAP-Split tunnel

    Posted Apr 17, 2012 03:49 PM

    Hey Guys,

    I'm really struggling with the setup of a RAP-5 with split tunnel.

    What might be helpful is to tell you what the customer wants to accomplish.

    They are wanting to set up a branch office connected via a RAP5. Most of the branch will be hardwire connected to a switch that is then connected to the ETH1 port on the RAP, but a few will be connected via a wireless SSID broadcast from the RAP.

    - The RAP5 is connected to their corporate controller via a Verizon USB hotspot. I have this working.

    - The controller is handing out branch IP addresses of 192.168.30.50 through 150, mask 255.255.255.0 (VLAN 30). I have this working and can pull a 192.168.30.X address when I connect to the ETH1 port on the RAP. Currently the default gateway is the VLAN 30 interface of the Aruba, 192.168.30.254, but I was unsure if this would be the correct setup.

    - Corporate network is 10.10.0.0 255.255.0.0. All 10.10.X.X traffic should be sent down the RAP tunnel towards corporate. Any and all other traffic should be sent out the Verizon USB connection on the RAP. I do not have this set up as I'm not sure of the steps to accomplish this.

    - Corporate SSIDs do not need to be broadcast from the RAP, but they would like to broadcast a simple WPA2 preshared key SSID that will get them on the VLAN 30 192.168.30.X network, SSID name Branch30 as an example. I do not have this set up, but it seems simple enough to create the SSID in the controller and assign it to the RAP AP group.

    If the controller becomes unavailable:

    - The RAP should stay up and continue to provide DHCP addresses and connectivity to the Internet for the branch. The only difference they should notice is that they would not be able to reach any 10.10.X.X addresses. I thought (hoped) the RAP DHCP addresses could be the other half of the DHCP range, 192.168.30.151 through 250, 255.255.255.0, so that they could continue to connect to their statically assigned printers.

    - The RAP should also broadcast a backup SSID (something like Backup30 instead of the normal Branch30, as an example) so that people would know that the connection to Corporate was down. Again the RAP would hand out the other half of the DHCP range and continue to route traffic out their Internet connection.

    - Once the corporate controller becomes available the RAP should reboot and go back to normal operation.

    I know I've asked a lot of questions here and for the most part I think I'm really close with a lot of it. I'm really struggling with the split tunnel part of it and the options for the RAP providing the backup SSID and DHCP if the controller becomes available.

    Thanks in advance for any input.

    Mike



  • 2.  RE: RAP-Split tunnel
    Best Answer

    Posted Apr 17, 2012 04:58 PM

    Hi Jassperff - What you're looking to do is pretty straightforward and I do almost exactly what you're looking to do.

    It looks like you have all the basics going and you're fine with the controller being the default gateway for VLAN 30.

    Whether you're wired or wireless, the policies associated with your user roles will determine whether traffic is tunneled or bridged out to the Internet. If you use the "permit" operator, it will go over the tunnel. "Route" or "route src-nat" will bridge traffic right out the RAP's E0 port. If it's just "route", then the route will send the traffic out with the host's IP address unmodified; "route src-nat" will NAT the host's address to the RAP's E0 address, which is most likely what you want. So, in your case, your policy would generally look like this:

    ip access-list session sample-policy
       user any udp 68 deny
       any any svc-dhcp permit
       user network 10.10.0.0 255.255.0.0 any permit
       user any any route src-nat

    user-role sample-role
       session-acl sample-policy

    For your "Branch30" SSID, you seem to have that handled; just use "sample-role" for that VAP, and for your wired users as well. They will all need to be in VLAN 30.

    Your backup scenarios are all viable and I do exactly what you want to do as well, but it's a little more work. What I'm going to describe is what I designed; someone may do things a little differently, but it works for sure. First, to have a RAP take over DHCP, what I did was create a "dummy" VLAN on my controller, VLAN 999, with no VLAN interface associated with it. My backup SSID is associated with that VLAN and is in bridge mode. I create that VLAN so I can associate the RAP's DHCP pool to that VLAN, which is only in effect when I'm in backup mode. So for you, the relevant pieces are:

    vlan 999

    ap system-profile "RAP-PROFILE"
       rap-dhcp-server-vlan 999
       rap-dhcp-server-id 192.168.30.253
       rap-dhcp-default-router 192.168.30.253
       rap-dhcp-dns-server x.x.x.x
       rap-dhcp-pool-start 192.168.30.151
       rap-dhcp-pool-end 192.168.30.250
       rap-dhcp-pool-netmask 255.255.255.0
       rap-dhcp-lease 1
       rap-local-network-access (this isn't part of DHCP, but good to turn on)

    Now, create your "Backup30" SSID, make its VAP forwarding mode bridged and its Remote AP Operation "backup", build the policies and roles, and everything in the policies will be "route src-nat" so it will get bridged.

    For your wired ports, there's nothing really to change, except make sure their AP wired port profile has "Remote-AP Backup" checked in the GUI.

    If you note, I used 192.168.30.253 as the RAP DHCP server ID and the default gateway. I do that because when I did lab testing, if I used .254, I sometimes saw that my clients' ARP entries were stale with the controller's MAC address, not the RAP's MAC address. I got around that with that method.

    Good luck!
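An added example, not from the reply or from Aruba: a small Python model of the session ACL above with the controller's first-match semantics, useful for checking that DHCP, the 10.10.0.0/16 prefix and everything else land in the intended tunnel / bridge / drop bucket before the policy is pushed to a RAP. It assumes the svc-dhcp alias expands to udp 67-68 and only models client-originated packets, so a "user" or "any" source always matches.

```python
import ipaddress
from typing import NamedTuple

# Constructed model of the split-tunnel session ACL from the reply above.
# Only client-originated packets are modelled, so a source of "user" or "any"
# always matches; destinations are "any" or an ip_network.
# Assumption: the svc-dhcp alias expands to udp ports 67-68.
CORP_NET = ipaddress.ip_network("10.10.0.0/16")
SVC_DHCP = ("udp", 67, 68)
UDP_68 = ("udp", 68, 68)
ANY = "any"

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

# (src, dst, service, action) in the order configured; first match wins.
SAMPLE_POLICY = [
    ("user", ANY, UDP_68, "deny"),          # clients may not answer DHCP (rogue server on the LAN)
    (ANY, ANY, SVC_DHCP, "permit"),         # svc-dhcp: discover/request reaches the controller's server
    ("user", CORP_NET, ANY, "permit"),      # corporate prefix is tunnelled to the controller
    ("user", ANY, ANY, "route src-nat"),    # everything else bridged out E0 behind the RAP's address
]

def _dst_matches(spec, pkt: Packet) -> bool:
    return spec == ANY or ipaddress.ip_address(pkt.dst) in spec

def _svc_matches(spec, pkt: Packet) -> bool:
    if spec == ANY:
        return True
    proto, lo, hi = spec
    return pkt.proto == proto and lo <= pkt.dport <= hi

def evaluate(policy, pkt: Packet) -> str:
    """Return the action of the first matching rule; unmatched traffic is denied."""
    for _src, dst, svc, action in policy:
        if _dst_matches(dst, pkt) and _svc_matches(svc, pkt):
            return action
    return "deny"

def classify(policy, pkts):
    """Map each packet to tunnel / bridge / drop so a policy can be reviewed at a glance."""
    verdict = {"permit": "tunnel", "route src-nat": "bridge", "route": "bridge", "deny": "drop"}
    return [(p.dst, verdict[evaluate(policy, p)]) for p in pkts]
```

Evaluating the policy with the leading "udp 68 deny" removed shows why that rule comes first: svc-dhcp alone would also permit a client to send DHCP server replies.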



  • 3.  RE: RAP-Split tunnel

    Posted Apr 18, 2012 03:16 PM

    Well that got me a bit further... still struggling with some of it though.

    It seems like I'm really close. Any chance you could email me and we could chat live or do a remote session? I'd rather not call into tech support and have to explain it all out again, especially seeing how you seem to know it so well. [Personal Information Removed]



  • 4.  RE: RAP-Split tunnel

    Posted Apr 19, 2012 11:47 AM

    We have it up and working. Thanks again for your help, Mike.

    The big piece that I was missing was to apply the AAA profile to the AP wired ports in the AP group.

    ap wired-port-profile "RAP_32"
       wired-ap-profile "RAP_32"
       aaa-profile "Beth32-aaa_prof"
       bridge-role "RAP32"