Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Raps with DMZ controller

Hi forum,

I am having a bit of an odd mental block.

I have a master controller with some tunnels to a DMZ controller. I want to terminate RAPs on the DMZ controller.

Can anyone point me in the right direction for this kind of implementation?

Never been able to deploy RAPs; I am missing something fundamental.


Thanks
Guru Elite
Posts: 21,024
Registered: ‎03-29-2007

Re: Raps with DMZ controller

That is a major design question. We will need tons more information about your infrastructure. If you have never set up a RAP controller, you might want to do that independently to understand all the parts involved, before terminating it on a DMZ controller....



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: Raps with DMZ controller

OK - I have got an Aruba 620 for lab and am using an AP-105 as a RAP.

I just want to start basic then layer on extra features later.

Note: I have not done this before!

I got 2 VLANs, both trusted: an inside and an outside, if you like.

I run the wizard for RAP and provision, and I browse into the RAP and it shows disconnected from the controller.

I check datapath tables, I see some udp/4500 traffic, not much.

I see via the console plugged into the 105 - I know it sees the master IP configured right - and the IP address the AP gets is on the same subnet.

The AP never comes up, I even disable control plane security to let any AP register?!

Don't know how to debug this!

Stumped, completely. I can only guess I am missing a massive fundamental thing here. Any suggestions welcome!

Guru Elite
Posts: 21,024
Registered: ‎03-29-2007

Re: Raps with DMZ controller

Nik,

Did you:

- Create an IPSEC pool?
- What is the output of "show crypto ipsec sa" when the AP is trying to connect?
- Make sure that the LMS-IP of the AP system profile in that AP group has no IP address?
- Control Plane Security has nothing to do with it.



Colin Joseph
Aruba Customer Engineering

Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: Raps with DMZ controller

Thanks for the pointers cj. I'll post up a configuration when I get into the office. I have done what you've said, which is reassuring so I guess I am having a bit of an idiot moment! Bear with me and thanks again!
Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: Raps with DMZ controller

One quick question: for the inner pool of addresses. Just to make sure I have not misunderstood the documentation: should this address block be part of a subnet which is part of a vlan which is configured as an ip interface on the controller?
Guru Elite
Posts: 21,024
Registered: ‎03-29-2007

Re: Raps with DMZ controller

The inner pool can be any range. I normally choose 8.8.8.1 - 8.8.8.20 so I do not get confused.

Colin Joseph
Aruba Customer Engineering

Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: Raps with DMZ controller

Cool, I'll set up a lab at work and at home and I'll get this working if it kills me :)

Guru Elite
Posts: 21,024
Registered: ‎03-29-2007

Re: Raps with DMZ controller

Nik,

Does your controller have a public IP address, as a management address, or are you using a firewall to do a 1:1 NAT to a public address?

Colin Joseph
Aruba Customer Engineering

Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: Raps with DMZ controller

In my original lab everything was private and the AP was directly connected (I was worried ADP may have confused my config), as I do not have PoE on my home network.

I appreciate this was a nonsense of a setup, but I just wanted to prove things in principle.

At work I'll set up this: controller, inside private, usual 172.16.0.0/24, and outside public IP space, with an AP that'll get another subnet IP, again public. I'll introduce NAT later.

BTW - do I need an IP on the VLAN interface for the IP pool in IPSEC? Or is the inner pool a bit of a "formality"?

Thanks! :)
