Controllerless Networks

We have IAP215's at most of our locations running the 8.6.0.8_79369 firmware. Configured with company and guest networks. We recently switched from Sonicwall firewalls to CATO and apparently they see the guest network differently.

We were behind the Sonicwalls when we setup the guest network. Set it as an employee type with passcode, virtual controller managed. Added a few rules to avoid our main network and it worked great, internet access only. After we switched to the CATO the guest network has been sketchy, especially for mobile devices.

After talking to a few CATO techs they recommended setting up a VLAN on the CATO firewall and forwarding everything on the guest network to it. DHCP, DNS, etc. Since setting up the guest network was super simple we were able to figure it out without a lot of Aruba specific knowledge. Now we are struggling. I'm assuming we can forward all guest traffic to the firewall, just not sure how to setup the AP's to do it. Any info would be appreciated.

------------------------------
Stephen Renner
------------------------------

You can trunk the VLAN (or a new one if it isn't there yet) that extends to the CATO from the IAPs. In your guest network settings you can put your guest users on the VLAN.If DHCP is to be hosted on the CATO, or a server beyond the CATO, be sure to configure DHCP on the CATO, or a DHCP helper to get the DHCP request to the appropriate server. You can still enforce policy on the guest users at the IAP, or just the CATO in your case. Up to you.

------------------------------
Dustin Burns
Senior Mobility and Access Engineer @WEI

ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
If my post was useful accept solution and/or give kudos
------------------------------

Original Message:
Sent: Jun 02, 2021 04:31 PM
From: Stephen Renner
Subject: Reconfigure guest network

We have IAP215's at most of our locations running the 8.6.0.8_79369 firmware. Configured with company and guest networks. We recently switched from Sonicwall firewalls to CATO and apparently they see the guest network differently.

We were behind the Sonicwalls when we setup the guest network. Set it as an employee type with passcode, virtual controller managed. Added a few rules to avoid our main network and it worked great, internet access only. After we switched to the CATO the guest network has been sketchy, especially for mobile devices.

After talking to a few CATO techs they recommended setting up a VLAN on the CATO firewall and forwarding everything on the guest network to it. DHCP, DNS, etc. Since setting up the guest network was super simple we were able to figure it out without a lot of Aruba specific knowledge. Now we are struggling. I'm assuming we can forward all guest traffic to the firewall, just not sure how to setup the AP's to do it. Any info would be appreciated.

------------------------------
Stephen Renner
------------------------------

Unfortunately VLAN trunking is beyond my skill set. If you can point me in the direction of some resources that would be great. Or if there are any other solutions if possible. Sorry to be a pain, again not something we've have to deal with before.

------------------------------
Stephen Renner
------------------------------

Original Message:
Sent: Jun 03, 2021 06:37 AM
From: Dustin Burns
Subject: Reconfigure guest network

You can trunk the VLAN (or a new one if it isn't there yet) that extends to the CATO from the IAPs. In your guest network settings you can put your guest users on the VLAN.If DHCP is to be hosted on the CATO, or a server beyond the CATO, be sure to configure DHCP on the CATO, or a DHCP helper to get the DHCP request to the appropriate server. You can still enforce policy on the guest users at the IAP, or just the CATO in your case. Up to you.

------------------------------
Dustin Burns
Senior Mobility and Access Engineer @WEI

ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
If my post was useful accept solution and/or give kudos

Original Message:
Sent: Jun 02, 2021 04:31 PM
From: Stephen Renner
Subject: Reconfigure guest network

We have IAP215's at most of our locations running the 8.6.0.8_79369 firmware. Configured with company and guest networks. We recently switched from Sonicwall firewalls to CATO and apparently they see the guest network differently.

We were behind the Sonicwalls when we setup the guest network. Set it as an employee type with passcode, virtual controller managed. Added a few rules to avoid our main network and it worked great, internet access only. After we switched to the CATO the guest network has been sketchy, especially for mobile devices.

After talking to a few CATO techs they recommended setting up a VLAN on the CATO firewall and forwarding everything on the guest network to it. DHCP, DNS, etc. Since setting up the guest network was super simple we were able to figure it out without a lot of Aruba specific knowledge. Now we are struggling. I'm assuming we can forward all guest traffic to the firewall, just not sure how to setup the AP's to do it. Any info would be appreciated.

------------------------------
Stephen Renner
------------------------------

What kind of switches are the IAPs connected to?

------------------------------
Dustin Burns
Senior Mobility and Access Engineer @WEI

ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
If my post was useful accept solution and/or give kudos
------------------------------

Original Message:
Sent: Jun 11, 2021 04:10 PM
From: Stephen Renner
Subject: Reconfigure guest network

Unfortunately VLAN trunking is beyond my skill set. If you can point me in the direction of some resources that would be great. Or if there are any other solutions if possible. Sorry to be a pain, again not something we've have to deal with before.

------------------------------
Stephen Renner

Original Message:
Sent: Jun 03, 2021 06:37 AM
From: Dustin Burns
Subject: Reconfigure guest network

You can trunk the VLAN (or a new one if it isn't there yet) that extends to the CATO from the IAPs. In your guest network settings you can put your guest users on the VLAN.If DHCP is to be hosted on the CATO, or a server beyond the CATO, be sure to configure DHCP on the CATO, or a DHCP helper to get the DHCP request to the appropriate server. You can still enforce policy on the guest users at the IAP, or just the CATO in your case. Up to you.

------------------------------
Dustin Burns
Senior Mobility and Access Engineer @WEI

ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
If my post was useful accept solution and/or give kudos

Original Message:
Sent: Jun 02, 2021 04:31 PM
From: Stephen Renner
Subject: Reconfigure guest network

We have IAP215's at most of our locations running the 8.6.0.8_79369 firmware. Configured with company and guest networks. We recently switched from Sonicwall firewalls to CATO and apparently they see the guest network differently.

We were behind the Sonicwalls when we setup the guest network. Set it as an employee type with passcode, virtual controller managed. Added a few rules to avoid our main network and it worked great, internet access only. After we switched to the CATO the guest network has been sketchy, especially for mobile devices.

After talking to a few CATO techs they recommended setting up a VLAN on the CATO firewall and forwarding everything on the guest network to it. DHCP, DNS, etc. Since setting up the guest network was super simple we were able to figure it out without a lot of Aruba specific knowledge. Now we are struggling. I'm assuming we can forward all guest traffic to the firewall, just not sure how to setup the AP's to do it. Any info would be appreciated.

------------------------------
Stephen Renner
------------------------------

Most locations are on an older HP or Aruba 2920 switch. We did just recently install Aruba Instant on 1930 switches.

------------------------------
Stephen Renner
------------------------------

Original Message:
Sent: Jun 13, 2021 09:00 PM
From: Dustin Burns
Subject: Reconfigure guest network

What kind of switches are the IAPs connected to?

------------------------------
Dustin Burns
Senior Mobility and Access Engineer @WEI

ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
If my post was useful accept solution and/or give kudos

Original Message:
Sent: Jun 11, 2021 04:10 PM
From: Stephen Renner
Subject: Reconfigure guest network

Unfortunately VLAN trunking is beyond my skill set. If you can point me in the direction of some resources that would be great. Or if there are any other solutions if possible. Sorry to be a pain, again not something we've have to deal with before.

------------------------------
Stephen Renner

Original Message:
Sent: Jun 03, 2021 06:37 AM
From: Dustin Burns
Subject: Reconfigure guest network

You can trunk the VLAN (or a new one if it isn't there yet) that extends to the CATO from the IAPs. In your guest network settings you can put your guest users on the VLAN.If DHCP is to be hosted on the CATO, or a server beyond the CATO, be sure to configure DHCP on the CATO, or a DHCP helper to get the DHCP request to the appropriate server. You can still enforce policy on the guest users at the IAP, or just the CATO in your case. Up to you.

------------------------------
Dustin Burns
Senior Mobility and Access Engineer @WEI

ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
If my post was useful accept solution and/or give kudos

Original Message:
Sent: Jun 02, 2021 04:31 PM
From: Stephen Renner
Subject: Reconfigure guest network

We have IAP215's at most of our locations running the 8.6.0.8_79369 firmware. Configured with company and guest networks. We recently switched from Sonicwall firewalls to CATO and apparently they see the guest network differently.

We were behind the Sonicwalls when we setup the guest network. Set it as an employee type with passcode, virtual controller managed. Added a few rules to avoid our main network and it worked great, internet access only. After we switched to the CATO the guest network has been sketchy, especially for mobile devices.

After talking to a few CATO techs they recommended setting up a VLAN on the CATO firewall and forwarding everything on the guest network to it. DHCP, DNS, etc. Since setting up the guest network was super simple we were able to figure it out without a lot of Aruba specific knowledge. Now we are struggling. I'm assuming we can forward all guest traffic to the firewall, just not sure how to setup the AP's to do it. Any info would be appreciated.

------------------------------
Stephen Renner
------------------------------

Hi Tech 17,

I created these topologies with some scenarios you could have.

I hope they'll help you.

Are in PDF format.

------------------------------
Jes�s Mitma
------------------------------

Original Message:
Sent: Jun 11, 2021 04:10 PM
From: Stephen Renner
Subject: Reconfigure guest network

Unfortunately VLAN trunking is beyond my skill set. If you can point me in the direction of some resources that would be great. Or if there are any other solutions if possible. Sorry to be a pain, again not something we've have to deal with before.

------------------------------
Stephen Renner

Original Message:
Sent: Jun 03, 2021 06:37 AM
From: Dustin Burns
Subject: Reconfigure guest network

You can trunk the VLAN (or a new one if it isn't there yet) that extends to the CATO from the IAPs. In your guest network settings you can put your guest users on the VLAN.If DHCP is to be hosted on the CATO, or a server beyond the CATO, be sure to configure DHCP on the CATO, or a DHCP helper to get the DHCP request to the appropriate server. You can still enforce policy on the guest users at the IAP, or just the CATO in your case. Up to you.

------------------------------
Dustin Burns
Senior Mobility and Access Engineer @WEI

ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
If my post was useful accept solution and/or give kudos

Original Message:
Sent: Jun 02, 2021 04:31 PM
From: Stephen Renner
Subject: Reconfigure guest network

We have IAP215's at most of our locations running the 8.6.0.8_79369 firmware. Configured with company and guest networks. We recently switched from Sonicwall firewalls to CATO and apparently they see the guest network differently.

We were behind the Sonicwalls when we setup the guest network. Set it as an employee type with passcode, virtual controller managed. Added a few rules to avoid our main network and it worked great, internet access only. After we switched to the CATO the guest network has been sketchy, especially for mobile devices.

After talking to a few CATO techs they recommended setting up a VLAN on the CATO firewall and forwarding everything on the guest network to it. DHCP, DNS, etc. Since setting up the guest network was super simple we were able to figure it out without a lot of Aruba specific knowledge. Now we are struggling. I'm assuming we can forward all guest traffic to the firewall, just not sure how to setup the AP's to do it. Any info would be appreciated.

------------------------------
Stephen Renner
------------------------------

Ok back on this. I was able to setup the Instant on Portal add the switch and setup a VLAN. So a VLAN on the CATO on a different subnet, it will also act as DHCP. VLAN tag is 10. The Aruba IAP's are plugged into the Aruba switch so under networks I setup a Guest VLAN, tagged it as 10 and assigned it the ports that the AP's are using. I believe I'm heading in the right direction, when I look at the client list on the Aruba portal the AP clients are listed as connected to both the default and guest networks. The AP setup is where, at least I believe, I'm missing the last step. Unless I'm way off and I need to re do it all. Attached it a map of what is in place. This is my first time actually setting up a VLAN.

------------------------------
Stephen Renner
------------------------------

Original Message:
Sent: Jun 11, 2021 06:54 PM
From: Jes�s Mitma
Subject: Reconfigure guest network

Hi Tech 17,

I created these topologies with some scenarios you could have.

I hope they'll help you.

Are in PDF format.

------------------------------
Jes�s Mitma

Original Message:
Sent: Jun 11, 2021 04:10 PM
From: Stephen Renner
Subject: Reconfigure guest network

Unfortunately VLAN trunking is beyond my skill set. If you can point me in the direction of some resources that would be great. Or if there are any other solutions if possible. Sorry to be a pain, again not something we've have to deal with before.

------------------------------
Stephen Renner

Original Message:
Sent: Jun 03, 2021 06:37 AM
From: Dustin Burns
Subject: Reconfigure guest network

You can trunk the VLAN (or a new one if it isn't there yet) that extends to the CATO from the IAPs. In your guest network settings you can put your guest users on the VLAN.If DHCP is to be hosted on the CATO, or a server beyond the CATO, be sure to configure DHCP on the CATO, or a DHCP helper to get the DHCP request to the appropriate server. You can still enforce policy on the guest users at the IAP, or just the CATO in your case. Up to you.

------------------------------
Dustin Burns
Senior Mobility and Access Engineer @WEI

ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
If my post was useful accept solution and/or give kudos

Original Message:
Sent: Jun 02, 2021 04:31 PM
From: Stephen Renner
Subject: Reconfigure guest network

We have IAP215's at most of our locations running the 8.6.0.8_79369 firmware. Configured with company and guest networks. We recently switched from Sonicwall firewalls to CATO and apparently they see the guest network differently.

We were behind the Sonicwalls when we setup the guest network. Set it as an employee type with passcode, virtual controller managed. Added a few rules to avoid our main network and it worked great, internet access only. After we switched to the CATO the guest network has been sketchy, especially for mobile devices.

After talking to a few CATO techs they recommended setting up a VLAN on the CATO firewall and forwarding everything on the guest network to it. DHCP, DNS, etc. Since setting up the guest network was super simple we were able to figure it out without a lot of Aruba specific knowledge. Now we are struggling. I'm assuming we can forward all guest traffic to the firewall, just not sure how to setup the AP's to do it. Any info would be appreciated.

------------------------------
Stephen Renner
------------------------------

On your AP for guest SSID, select Network Assigned and static VLAN !0 since the firewall will be the DHCP server for the guest network. This will tag VLAN 10 on the AP ethernet interface. Ensure the switch port to AP is untag vlan 1 and tag vlan 10. Not sure how the switch is connected to your firewall (whether single connection or two connections). If single connection, i.e. tagging, ensure vlan 10 is tagged. If two connections, I assume 1 is for corporate and the other guest, then both ports are untag on the respective VLANs (1 and 10). Ensure the same VLAN IDs on your firewall.

------------------------------
Simon Lim
------------------------------

Original Message:
Sent: Jun 24, 2021 11:36 AM
From: Stephen Renner
Subject: Reconfigure guest network

Ok back on this. I was able to setup the Instant on Portal add the switch and setup a VLAN. So a VLAN on the CATO on a different subnet, it will also act as DHCP. VLAN tag is 10. The Aruba IAP's are plugged into the Aruba switch so under networks I setup a Guest VLAN, tagged it as 10 and assigned it the ports that the AP's are using. I believe I'm heading in the right direction, when I look at the client list on the Aruba portal the AP clients are listed as connected to both the default and guest networks. The AP setup is where, at least I believe, I'm missing the last step. Unless I'm way off and I need to re do it all. Attached it a map of what is in place. This is my first time actually setting up a VLAN.

------------------------------
Stephen Renner

Original Message:
Sent: Jun 11, 2021 06:54 PM
From: Jes�s Mitma
Subject: Reconfigure guest network

Hi Tech 17,

I created these topologies with some scenarios you could have.

I hope they'll help you.

Are in PDF format.

------------------------------
Jes�s Mitma

Original Message:
Sent: Jun 11, 2021 04:10 PM
From: Stephen Renner
Subject: Reconfigure guest network

Unfortunately VLAN trunking is beyond my skill set. If you can point me in the direction of some resources that would be great. Or if there are any other solutions if possible. Sorry to be a pain, again not something we've have to deal with before.

------------------------------
Stephen Renner

Original Message:
Sent: Jun 03, 2021 06:37 AM
From: Dustin Burns
Subject: Reconfigure guest network

You can trunk the VLAN (or a new one if it isn't there yet) that extends to the CATO from the IAPs. In your guest network settings you can put your guest users on the VLAN.If DHCP is to be hosted on the CATO, or a server beyond the CATO, be sure to configure DHCP on the CATO, or a DHCP helper to get the DHCP request to the appropriate server. You can still enforce policy on the guest users at the IAP, or just the CATO in your case. Up to you.

------------------------------
Dustin Burns
Senior Mobility and Access Engineer @WEI

ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
If my post was useful accept solution and/or give kudos

Original Message:
Sent: Jun 02, 2021 04:31 PM
From: Stephen Renner
Subject: Reconfigure guest network

We have IAP215's at most of our locations running the 8.6.0.8_79369 firmware. Configured with company and guest networks. We recently switched from Sonicwall firewalls to CATO and apparently they see the guest network differently.

We were behind the Sonicwalls when we setup the guest network. Set it as an employee type with passcode, virtual controller managed. Added a few rules to avoid our main network and it worked great, internet access only. After we switched to the CATO the guest network has been sketchy, especially for mobile devices.

After talking to a few CATO techs they recommended setting up a VLAN on the CATO firewall and forwarding everything on the guest network to it. DHCP, DNS, etc. Since setting up the guest network was super simple we were able to figure it out without a lot of Aruba specific knowledge. Now we are struggling. I'm assuming we can forward all guest traffic to the firewall, just not sure how to setup the AP's to do it. Any info would be appreciated.

------------------------------
Stephen Renner
------------------------------

I've got the AP's guest network set to Network Assigned with a Static VLAN of 10. I thought that's what it was supposed to be. We have 3 switches at this location, the AP's and the firewall are plugged into the Aruba switch. The other 2 branch off the Aruba. The Aruba switch default network, VLAN1, is untagged on all ports. Done by default. The guest network, VLAN 10, is tagged on the AP ports. All the other ports are clear. The firewall has a guest subnet and DHCP configured and set with a VLAN 10 tag. 

I've tried the using a 172.16 subnet and the original Aruba guest subnet of 172.31. Both are not working. I just want to make sure this side configured properly before I jump back with the firewall guys.

------------------------------
Stephen Renner
------------------------------

Original Message:
Sent: Jun 24, 2021 11:27 PM
From: Simon Lim
Subject: Reconfigure guest network

On your AP for guest SSID, select Network Assigned and static VLAN !0 since the firewall will be the DHCP server for the guest network. This will tag VLAN 10 on the AP ethernet interface. Ensure the switch port to AP is untag vlan 1 and tag vlan 10. Not sure how the switch is connected to your firewall (whether single connection or two connections). If single connection, i.e. tagging, ensure vlan 10 is tagged. If two connections, I assume 1 is for corporate and the other guest, then both ports are untag on the respective VLANs (1 and 10). Ensure the same VLAN IDs on your firewall.

------------------------------
Simon Lim

Original Message:
Sent: Jun 24, 2021 11:36 AM
From: Stephen Renner
Subject: Reconfigure guest network

Ok back on this. I was able to setup the Instant on Portal add the switch and setup a VLAN. So a VLAN on the CATO on a different subnet, it will also act as DHCP. VLAN tag is 10. The Aruba IAP's are plugged into the Aruba switch so under networks I setup a Guest VLAN, tagged it as 10 and assigned it the ports that the AP's are using. I believe I'm heading in the right direction, when I look at the client list on the Aruba portal the AP clients are listed as connected to both the default and guest networks. The AP setup is where, at least I believe, I'm missing the last step. Unless I'm way off and I need to re do it all. Attached it a map of what is in place. This is my first time actually setting up a VLAN.

------------------------------
Stephen Renner

Original Message:
Sent: Jun 11, 2021 06:54 PM
From: Jes�s Mitma
Subject: Reconfigure guest network

Hi Tech 17,

I created these topologies with some scenarios you could have.

I hope they'll help you.

Are in PDF format.

------------------------------
Jes�s Mitma

Original Message:
Sent: Jun 11, 2021 04:10 PM
From: Stephen Renner
Subject: Reconfigure guest network

Unfortunately VLAN trunking is beyond my skill set. If you can point me in the direction of some resources that would be great. Or if there are any other solutions if possible. Sorry to be a pain, again not something we've have to deal with before.

------------------------------
Stephen Renner

Original Message:
Sent: Jun 03, 2021 06:37 AM
From: Dustin Burns
Subject: Reconfigure guest network

You can trunk the VLAN (or a new one if it isn't there yet) that extends to the CATO from the IAPs. In your guest network settings you can put your guest users on the VLAN.If DHCP is to be hosted on the CATO, or a server beyond the CATO, be sure to configure DHCP on the CATO, or a DHCP helper to get the DHCP request to the appropriate server. You can still enforce policy on the guest users at the IAP, or just the CATO in your case. Up to you.

------------------------------
Dustin Burns
Senior Mobility and Access Engineer @WEI

ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
If my post was useful accept solution and/or give kudos

Original Message:
Sent: Jun 02, 2021 04:31 PM
From: Stephen Renner
Subject: Reconfigure guest network

We have IAP215's at most of our locations running the 8.6.0.8_79369 firmware. Configured with company and guest networks. We recently switched from Sonicwall firewalls to CATO and apparently they see the guest network differently.

We were behind the Sonicwalls when we setup the guest network. Set it as an employee type with passcode, virtual controller managed. Added a few rules to avoid our main network and it worked great, internet access only. After we switched to the CATO the guest network has been sketchy, especially for mobile devices.

After talking to a few CATO techs they recommended setting up a VLAN on the CATO firewall and forwarding everything on the guest network to it. DHCP, DNS, etc. Since setting up the guest network was super simple we were able to figure it out without a lot of Aruba specific knowledge. Now we are struggling. I'm assuming we can forward all guest traffic to the firewall, just not sure how to setup the AP's to do it. Any info would be appreciated.

------------------------------
Stephen Renner
------------------------------