Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ROLE ACL PBR when you got a DMZ controller

  • 1.  ROLE ACL PBR when you got a DMZ controller

    Posted May 25, 2017 01:33 PM

    Hello, I was wondering if I could do this:

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-bind-a-router-ACL-to-user-role-for-implementing-PBR/ta-p/234522

    when I have this scenario:

    I have 1 master controller, 4 local controllers and 1 DMZ controller.

    All local controllers have a GRE tunnel to the master controller, and the master controller has a GRE tunnel to the DMZ controller.

    If I configure this role PBR on the master controller (even if I do the configuration for the role PBR there), will it work??? This works perfectly if I have the internet connected directly to the controller where I'm configuring the PBR, as I have tested it, but if I have the internet connected to the DMZ controller and the roles are on the master controller, where I configure the PBR, will it work????

    I can't really test it because I only have 1 controller :(

    Does anyone know????

    Or how can I configure it when I have a VLAN that only exists in the controllers and I want some of the users to go out through one service provider which is connected directly to the DMZ controller, and the other users to go to the internet using the normal default gateway the DMZ controller has??

    Cheers

    Carlos



  • 2.  RE: ROLE ACL PBR when you got a DMZ controller

    EMPLOYEE
    Posted May 25, 2017 01:52 PM

    It is complicated, but it is possible and you should test it.  The DMZ controller's side of the GRE tunnel should be untrusted, because that is where you want to place the PBR rules in the user role...



  • 3.  RE: ROLE ACL PBR when you got a DMZ controller

    Posted May 25, 2017 02:02 PM

    So it's not possible doing it the way I have it configured?

    Right now I have it like this:

    WLAN controllers tunnel the guest VLAN to the DMZ controllers, but have the WLAN controllers do all of the policy enforcement, so that the DMZ controllers would not need any PEF licenses.

    The DMZ controllers provide DHCP and route the guest traffic wherever it needs to go, but the Captive Portal would be provided by the WLAN controllers....

    Cheers

    Carlos



  • 4.  RE: ROLE ACL PBR when you got a DMZ controller

    EMPLOYEE
    Posted May 25, 2017 02:07 PM

    I think whatever device is the default gateway of the clients needs to have the PBR role and ACLs..... That would be the DMZ controller, right?

    Maybe someone who has done it the way you mention right now can chime in...



  • 5.  RE: ROLE ACL PBR when you got a DMZ controller

    Posted May 25, 2017 02:10 PM

    I think the same way you do, I believe I need to have this on the default gateway, but I was asking if it was possible without changing what I already have.... I wanted to test it but I only have one controller...

    Anyway, to do it the way you mention, I would need to have a firewall license on the DMZ controller to do that, right?



  • 6.  RE: ROLE ACL PBR when you got a DMZ controller

    EMPLOYEE
    Posted May 25, 2017 02:54 PM
    Yes.
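
The configuration the replies above converge on (PBR role and route ACL on the DMZ controller, since it is the clients' default gateway, with the DMZ end of the GRE tunnel untrusted so roles are enforced there), as an added ArubaOS CLI example that is not part of the thread. The ACL, role, VLAN and tunnel names and all IP addresses are assumptions, the PEF license must be present on the DMZ controller for `user-role` and `access-list` to be available, and how the users land in each role on the DMZ controller (AAA, captive portal, or the VLAN's initial role) is left out:

```text
! Added example, not from the thread. Applied on the DMZ controller, which is
! the clients' default gateway. Names and addresses below are assumptions.
! Requires a PEF (PolicyEnforcementFirewall) license on this controller.

! Route ACL: traffic matching it is sent to the second ISP's next hop instead
! of following the controller's default route. 203.0.113.1 is an assumed
! ISP-2 gateway that is directly reachable from this controller.
ip access-list route guest-isp2-pbr
  any any any route next-hop 203.0.113.1
!
! Role for the users who should exit via ISP 2: the route ACL is bound to the
! role, so only traffic from users in this role is re-routed.
user-role guest-isp2
  access-list route guest-isp2-pbr
  access-list session allowall
!
! Role for everyone else: no route ACL, so these users follow the normal
! default gateway of the DMZ controller.
user-role guest-default
  access-list session allowall
!
! GRE tunnel from the master controller, carrying the guest VLAN (assumed
! VLAN 100). The DMZ side must be untrusted: traffic arriving over a trusted
! tunnel bypasses the user role, and with it the route ACL.
interface tunnel 1
  tunnel mode gre ip
  tunnel source 10.0.0.2
  tunnel destination 10.0.0.1
  tunnel vlan 100
  no trusted
```

After applying it, `show rights guest-isp2` on the DMZ controller should list the route ACL under the role, and a client placed in that role should show its sessions leaving towards 203.0.113.1 while a `guest-default` client keeps using the controller's default route; because the original design keeps all roles on the WLAN controllers, the DMZ controller also has to be the one that assigns these two roles for the PBR to take effect.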