I am not aware of a workaround for this, unfortunately.
------------------------------
Any opinions expressed here are solely my own and not necessarily those of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides:
https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------
Original Message:
Sent: May 08, 2022 02:12 PM
From: Diego Arguello
Subject: Connecting APs to controller on different firewall zones
We recently updated a controller from 6.x to 8.8. We are also attempting to connect this controller to our mobility master.
Originally the standalone controller on 6.x had the following setup:
* VLAN 647 directly connected to the controller (172.47.x.x) - used for controller management and on an internal VRF.
* Management IP is 172.47.0.75
* VLAN 523 directly connected to the controller (10.23.x.x) - used for Access Points and belongs to an untrusted VRF
* Controller-ip is 10.23.0.254
* VLAN 520 directly connected to the controller (10.20.x.x) - used for wireless clients and belongs to an untrusted VRF
* No communication between internal and untrusted VRFs.
* We have two switches, SW1 and SW2
* SW1 has VLANs 523 and 520, and this switch is fully on the untrusted VRF.
* SW2 has VLAN 647 and is on the internal VRF
* The controller has a leg on each switch to allow communication to the APs and allow management access.
Now, after upgrading to 8.8 we are trying to connect to a mobility master using our management interface (as it has a route to the MM):
* Set masterip on VLAN 647 - only VLAN 647 has a route to the MM
* Tried setting controller-ip with the same IP 10.23.0.254 on VLAN 523, but found that the MM can't fully create the IPsec tunnel if controller-ip is not reachable.
* Moved the controller-ip to be 172.47.0.75 on VLAN 647, and this allowed the controller to join the MM
* The problem now is that controller-ip is on VLAN 647, which is not reachable from VLAN 523, which has our access points.
* We can't really move the APs to SW2 because this one does not have the trunk for the wireless clients
Is there a way to allow masterip and controller-ip to be on different VRFs?
Initially I thought controller-ip was only for AP termination and masterip would tell you which way to talk to the MM. I did not foresee the interaction between the two.
Is there a workaround or any suggestion on how to make this setup work?
------------------------------
D
------------------------------