02-17-2013 06:22 PM
I have a local controller where i have to interfaces to my core switch on different VLANs.
I am trying to NAT from another VLAN on the controller to one of the interfaces. Looks like this:
Default gateway 172.17.180.1
VLAN 1: 172.17.180.0/23 (Routeable network) IP 172.17.181.230 on GE1/24
VLAN 2: 192.168.172.0/24 IP (non-routeable) 192.168.172.5 SRC NAT on VLAN, DHCP to clients
VLAN 25: 192.168.171.0/24 IP (non-routeable) 192.168.171.5 SRC NAT on VLAN, DHCP to clients
VLAN 500: 192.168.200.0/24 IP (non-routeable) 192.168.200.5 DHCP to clients
VLAN 200: 182.x.x.x /29 on FE1/23 (VLAN appropriately tagged through routable network.)
I want to get users that join VLAN 500 to NAT with the address assigned to VLAN 200.
Anyone who joins VLAN 500 gets the role that has a SRC NAT rule that uses a NAT pool.
What should my settings be for the NAT Pool and should this work?
02-17-2013 09:27 PM - edited 02-17-2013 09:28 PM
For what im looking you got 2 internets(the one for guest that you got attached directly to the Controller, and the other port that is attached to the internal network... and well the internet of the internal users is though that port...
And you want to send vlan 500 which might be the guest users lkike i said....
If that your scenario i dont think what you want to do willl work but you got other options which are
1-Put a default gateway pointing to internet, and natting the guest users with no issue. For the internal users you dont need to do anything as their default gateway is the core switch and not the wireless controller... if they are going to internet... they willl go to their gateway first which is the switch core and then the switch core willl send them to internet.
Now you will need to add some routes so you can manage the Wireless controller from the internal network(will explain that if you dont understand if this is the case)
2-Best option and most secure one. Put the default gateway like you got it right now. For the second internte which is the one for the Guest users connect it to a small firewall, which will be the default gateway of the Guest users.
In this case their default gateway will be the Small firewall... AS that is what you will distribute in the DHCP you will tell them well your default gateway is the small firewall... and the small firewall will nat them out. For the internal users the switch core will be their default gateway.... And you will have not any problem managing it from your internal network...
I personally prefer option 2
I dont like connecting my wireless controller directly to internet...
If you select option 1 you will have issue with RAPS.... and VIAs if you point them to the corporate public network(not the guest network public ip address)
The packet in this case will go in through the corporate public ip address and will try to go out through the guest public ip addresss and it wont work.
IF this is not the case please explain your case with more detail to see if we can help you.
Product Manager - Aruba Networks
02-18-2013 02:08 PM
Thanks Carlos, yes you have it pretty right.
The thing that was getting me was how the "guest" network was recieving a default gateway to hit the router to the internet.
I don't like opening the controller direct to the internet either but this is sort of a requirement.
The requirement was for unrestricted access to the internet from this SSID - no proxy servers (due to duty of care all of our internet connections are filtered by proxy server, except this one).
I will change the way I have currently set it up and remove the NAT pool and nat the VLAN out through the default VLAN to an ISA box which also has an interface on the 182.x.x.x subnet and the default VLAN.
They will just have to traverse the ISA server with very little resrictions and no authentication.
Thanks for your reply.