multiple guest VLANs outside firewall

Hello,

We are new to Aruba (long-time Cisco shop) and trying to set up our guest networks.  I've learned quite a bit from the forums, so I figured I would post a question here.

We are trying to set up two wireless networks, one open and one guest-auth (using CPPM).  Both of these need to be on VLANs that are NAT-ed and that end up virtually outside our Palo Alto firewall.  The thought is that the openNET will use OpenDNS for filtering and have bandwidth restrictions, and the guestNET will have no BW restriction and use our internal DNS.

I'm having a hard time visualising the config for this, and perhaps I'm just going about it all wrong and some of our Aruba gear could do this more efficiently.  Thoughts?


Mike Naylor
The College of Wooster

Re: multiple guest VLANs outside firewall

So, because we have a firewall and control there, the idea of VLAN segmentation may or may not be needed in your environment.  Where do you want the NAT to happen - firewall or controller?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos

Re: multiple guest VLANs outside firewall

SethFiermonti wrote:

So, because we have a firewall and control there, the idea of VLAN segmentation may or may not be needed in your environment.  Where do you want the NAT to happen - firewall or controller?


My initial thought was on the controller, but I'm not sure I have a preference.  The less that we have to mess with our firewall the better.  That being said, pros and cons are welcome.

EDIT:  Also, the VLANs that are being created are wireless only...they do not exist on our wired network.  We simply want these folks going out to the Internet.


Mike Naylor
The College of Wooster

Re: multiple guest VLANs outside firewall

So, if you NAT on the controller, that's fine.  The traffic is sourced upstream with the controller IP address.

Outside of that NAT discussion, your clients can run in one of two modes really with the controller.

1. L2, where the controller is a bump in the line.  The clients' default gateway is NOT the controller.  It is the upstream router on the VLAN(s) on the controller.  So, on one SSID, you can add one or more VLANs on the network.  The client traffic (while inspected and enforced) is a "passthrough", if you will, from a data plane standpoint.

2. L3, where the controller IS the default gateway of the clients.  For guest, this is more applicable in some cases because of NAT.

Please look over our VRDs here for more info - http://www.arubanetworks.com/resources/reference-design-guides/

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
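The "L3 with NAT on the controller" option described above, as an added example that is not part of the thread and not Aruba's own documentation: an ArubaOS 6.x-style CLI fragment for two wireless-only guest VLANs where the controller is the clients' default gateway and source-NATs them behind its own IP. VLAN IDs 100/101, the 10.100.0.0/24 and 10.101.0.0/24 subnets, the 192.0.2.53 internal resolver, the 2 Mbit/s contract, and every profile and role name are assumed values; the OpenDNS resolver addresses are real. The `ssid-profile` and CPPM-facing `aaa profile` for guestNET are assumed to exist already. Because `ip nat inside` makes every guest flow leave the controller with the controller's IP, the Palo Alto sees one source address for all guests, so per-user attribution has to come from the controller user table or CPPM, not from the firewall; the session ACLs below therefore block RFC1918 destinations on the controller itself so NAT-ed guests cannot reach the campus network through it, and pin openNET to OpenDNS so the filtering cannot be bypassed by choosing another resolver.

```text
! Added example, not from the thread. ArubaOS 6.x CLI; values are assumed.
! openNET: VLAN 100, OpenDNS, bandwidth-limited. guestNET: VLAN 101, internal DNS.
! Both VLANs live only on the controller; with ip nat inside they need no
! upstream trunk, matching the "wireless only" requirement.

vlan 100
vlan 101
!
interface vlan 100
  ip address 10.100.0.1 255.255.255.0
  ip nat inside
  no shutdown
!
interface vlan 101
  ip address 10.101.0.1 255.255.255.0
  ip nat inside
  no shutdown
!
! Controller is the DHCP server and default gateway for both guest VLANs.
ip dhcp pool opennet-pool
  network 10.100.0.0 255.255.255.0
  default-router 10.100.0.1
  dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool guestnet-pool
  network 10.101.0.0 255.255.255.0
  default-router 10.101.0.1
  dns-server 192.0.2.53
!
service dhcp
!
! Destination aliases used by the session ACLs.
netdestination internal-nets
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.240.0.0
  network 192.168.0.0 255.255.0.0
!
netdestination opendns
  host 208.67.222.222
  host 208.67.220.220
!
netdestination internal-dns
  host 192.0.2.53
!
! openNET: DNS only to OpenDNS, no access to internal space, everything else out.
ip access-list session opennet-acl
  user alias opendns udp 53 permit
  user any udp 53 deny
  user alias internal-nets any deny
  user any any permit
!
! guestNET: internal resolver allowed (listed before the RFC1918 deny so it
! still works if the resolver sits in private space), no other internal access.
ip access-list session guestnet-acl
  user alias internal-dns udp 53 permit
  user alias internal-nets any deny
  user any any permit
!
! Bandwidth contract applied only to the open network.
aaa bandwidth-contract opennet-bw mbits 2
!
user-role opennet-role
  bw-contract opennet-bw upstream
  bw-contract opennet-bw downstream
  session-acl opennet-acl
!
user-role guestnet-role
  session-acl guestnet-acl
!
aaa profile opennet-aaa
  initial-role opennet-role
!
! Bind each VLAN and AAA profile to its SSID. guestnet-aaa is assumed to be the
! CPPM captive-portal profile whose post-auth role is guestnet-role.
wlan virtual-ap opennet-vap
  vlan 100
  aaa-profile opennet-aaa
  ssid-profile opennet-ssid
!
wlan virtual-ap guestnet-vap
  vlan 101
  aaa-profile guestnet-aaa
  ssid-profile guestnet-ssid
```

Two things to verify after applying something like this: `show datapath session` on the controller should show guest flows with the controller IP as the translated source, and the Palo Alto should see guest traffic arriving only from that one address on the controller's uplink VLAN, which is also why any guest policy the firewall needs per user has to be expressed on the controller roles instead.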