Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

multiple guest VLANs outside firewall

  • 1.  multiple guest VLANs outside firewall

    Posted May 23, 2014 11:06 AM

    Hello,


    We are new to Aruba (long time Cisco shop) and trying to set up our guest networks.  I've learned quite a bit from the forums so I figured I would post a question here.


    We are trying to set up two wireless networks, one open and one guest auth (using CPPM).  Both of these need to be on VLANs that are NAT-ed and that end up virtually outside our Palo Alto firewall.  The thought is that the openNET will use OpenDNS for filtering and have bandwidth restrictions and the guestNET will have no BW restriction and use our internal DNS.


    I'm having a hard time visualising the config for this and perhaps I'm just going about it all wrong and some of our Aruba gear could do this more efficiently.  Thoughts?



  • 2.  RE: multiple guest VLANs outside firewall

    EMPLOYEE
    Posted May 23, 2014 11:16 AM

    So, because we have a firewall and control there, the idea of VLAN segmentation may or may not be needed in your environment.  Where do you want the NAT to happen - firewall or controller?



  • 3.  RE: multiple guest VLANs outside firewall

    Posted May 23, 2014 11:32 AM

    @SethFiermonti wrote:

    So, because we have a firewall and control there, the idea of VLAN segmentation may or may not be needed in your environment.  Where do you want the NAT to happen - firewall or controller?


    My initial thought was on the controller, but I'm not sure I have a preference.  The less that we have to mess with our firewall the better.  That being said, pros and cons are welcome.


    EDIT:  Also, the VLANs that are being created are wireless only...they do not exist on our wired network.  We simply want these folks going out to the Internet.



  • 4.  RE: multiple guest VLANs outside firewall
    Best Answer

    EMPLOYEE
    Posted May 23, 2014 11:49 AM

    So, if you NAT on the controller, that's fine.  The traffic is sourced upstream with the controller-ip address.  


    Outside of that NAT discussion, your clients can run in one of two modes really with the controller.  


    1. L2 where the controller is a bump in the line.  The clients' default gateway is NOT the controller.  It is the upstream router on the VLAN(s) on the controller. So, on one SSID, you can add one or more VLANs on the network.  The client traffic (while inspected and enforced) is a "passthrough" if you will from a data plane standpoint.


    2. L3 where the controller IS the default gateway of the clients.  For guest, this is more applicable in some cases because of NAT.  


    Please look over our VRDs here for more info - http://www.arubanetworks.com/resources/reference-design-guides/
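As an added example (not from the thread or from HPE Aruba), here is a skeleton ArubaOS 6.x controller config for the L3 mode described in the best answer, with the openNET half carried through: the controller is the clients' gateway and source-NATs both guest VLANs upstream, openNET gets OpenDNS plus a per-user bandwidth cap, and a session ACL pins DNS to OpenDNS so the filtering cannot be sidestepped with another resolver. VLAN ids, addresses, profile names and the 2 Mbit/s cap are assumed values, the OpenDNS resolver addresses are the public ones, the syntax is from memory of the 6.x CLI and should be checked against the controller's CLI reference, and the CPPM-authenticated guestNET SSID and its role are left out.

```text
! Guest VLANs that exist only on the controller, source-NATed to the controller IP upstream
vlan 100
vlan 200
interface vlan 100
    ip address 10.100.0.1 255.255.255.0
    ip nat inside
!
interface vlan 200
    ip address 10.200.0.1 255.255.255.0
    ip nat inside
!
! openNET clients are handed the OpenDNS resolvers (a guestNET pool would point at internal DNS)
ip dhcp pool openNET
    default-router 10.100.0.1
    dns-server 208.67.222.222 208.67.220.220
    network 10.100.0.0 255.255.255.0
!
service dhcp
!
! Permit DNS only to OpenDNS from openNET, so a client using its own resolver is dropped
netdestination opendns
    host 208.67.222.222
    host 208.67.220.220
!
ip access-list session openNET-dns
    user alias opendns svc-dns permit
    user any svc-dns deny
!
! Per-user bandwidth cap applied through the role (the guestNET role would omit it)
aaa bandwidth-contract openNET-bw kbits 2000
!
user-role openNET-guest
    bw-contract openNET-bw per-user upstream
    bw-contract openNET-bw per-user downstream
    session-acl openNET-dns
    session-acl allowall
!
! Open SSID bound to VLAN 100; clients land in the restricted role
wlan ssid-profile openNET-ssid
    essid openNET
    opmode opensystem
!
aaa profile openNET-aaa
    initial-role openNET-guest
!
wlan virtual-ap openNET-vap
    ssid-profile openNET-ssid
    aaa-profile openNET-aaa
    vlan 100
```

The guestNET SSID follows the same pattern on VLAN 200 with an aaa profile that points at CPPM, no bandwidth contract, and the internal DNS servers in its DHCP pool.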