Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Connecting APs to controller on different firewall zones

  • 1.  Connecting APs to controller on different firewall zones

    Posted May 08, 2022 02:13 PM

    We recently updated a controller from 6.x to 8.8. We are also attempting to connect this controller to our mobility master.
    Originally the stand-alone controller on 6.x had the following setup:
    * VLAN 647 directly connected to the controller (172.47.x.x) - used for controller management and on an internal VRF.
    * Management IP is 172.47.0.75
    * VLAN 523 directly connected to the controller (10.23.x.x) - used for access points and belongs to an untrusted VRF
    * Controller-ip is 10.23.0.254
    * VLAN 520 directly connected to the controller (10.20.x.x) - used for wireless clients and belongs to an untrusted VRF
    * No communication between internal and untrusted VRFs.
    * We have two switches, SW1 and SW2
    * SW1 has VLANs 523 and 520 and this switch is fully on the untrusted VRF.
    * SW2 has VLAN 647 and is on the internal VRF
    * The controller has a leg on each switch to allow communication to both the APs and allow management access.

    Now, after upgrading to 8.8 we are trying to connect to a mobility master using our management interface (as it has a route to the MM)
    * Set masterip on VLAN 647 - only VLAN 647 has a route to the MM
    * Tried setting controller-ip with the same IP 10.23.0.254 on VLAN 523 but found that the MM can't fully create the IPsec tunnel if the controller-ip is not reachable.
    * Moved the controller-ip to be 172.47.0.75 on VLAN 647 and this allowed the controller to join the MM
    * The problem now is that the controller-ip is on VLAN 647, which is not reachable from VLAN 523, which has our access points.
    * We can't really move the APs to SW2 because it does not have the trunk for the wireless clients

    Is there a way to allow masterip and controller-ip to be on different VRFs?

    Initially I thought controller-ip was only for AP termination and masterip would tell you which way to talk to the MM. I did not foresee the interaction between the two.

    Is there a workaround or any suggestion on how to make this setup work?

    ------------------------------
    D
    ------------------------------
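The post above describes two constraints pulling against each other: the controller-ip must be reachable from the AP VLAN (AP termination) and from the Mobility Master (which builds its IPsec tunnel to that address), while masterip only needs a route to the MM. The following script is an added example, not code from the original post or from Aruba; it models the VLAN-to-VRF layout from the post (VLAN 647 internal, VLANs 523/520 untrusted, no inter-VRF traffic) and checks any controller-ip / masterip placement against those constraints. It also goes beyond the post by showing that the placements only start to satisfy all constraints once the MM has a route into the AP VLAN's VRF, which is the routing/firewall change the poster would need to evaluate rather than an ArubaOS setting. VRF names and the `routes_to_mm` flag are constructed labels for the model, not device configuration.

```python
"""Model the reachability constraints behind the thread: controller-ip must be
reachable from the AP VLAN and from the Mobility Master; masterip only needs a
route to the MM. Added example, not Aruba code. VLAN numbers and VRF roles come
from the post; the VRF labels and the routes_to_mm flag are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    id: int
    vrf: str            # constructed label: "internal" or "untrusted"
    routes_to_mm: bool  # True if this VRF has a route to/from the Mobility Master


# VLANs as described in the post; only VLAN 647 (internal VRF) can reach the MM.
VLANS = {
    647: Vlan(647, "internal", routes_to_mm=True),
    523: Vlan(523, "untrusted", routes_to_mm=False),
    520: Vlan(520, "untrusted", routes_to_mm=False),
}
AP_VLAN = 523  # access points terminate here


def reachable(src: Vlan, dst: Vlan) -> bool:
    """No communication between VRFs (per the post): only same-VRF VLANs talk."""
    return src.vrf == dst.vrf


def check_placement(controller_ip_vlan: int, master_ip_vlan: int,
                    vlans=VLANS, ap_vlan=AP_VLAN):
    """Return the list of violated requirements for a controller-ip/masterip pair.
    An empty list means the placement satisfies every constraint in the model."""
    cvlan = vlans[controller_ip_vlan]
    mvlan = vlans[master_ip_vlan]
    problems = []
    # 1. APs must reach controller-ip to terminate on the controller.
    if not reachable(vlans[ap_vlan], cvlan):
        problems.append(f"APs on VLAN {ap_vlan} cannot reach controller-ip on VLAN {cvlan.id}")
    # 2. The MM builds its IPsec tunnel to controller-ip, so it must be routable from the MM.
    if not cvlan.routes_to_mm:
        problems.append(f"MM cannot build IPsec to controller-ip on VLAN {cvlan.id} (no route)")
    # 3. masterip must sit on a VLAN that has a route to the MM.
    if not mvlan.routes_to_mm:
        problems.append(f"masterip on VLAN {mvlan.id} has no route to the MM")
    return problems


def find_working_placements(vlans=VLANS, ap_vlan=AP_VLAN):
    """Enumerate every (controller-ip VLAN, masterip VLAN) pair with no violations."""
    return [(c, m) for c in vlans for m in vlans
            if not check_placement(c, m, vlans, ap_vlan)]


def with_mm_route_to_ap_vlan(vlans=VLANS, ap_vlan=AP_VLAN):
    """What-if: the MM is given a route into the AP VLAN's VRF (a routing/firewall
    change, not a controller setting). Returns a new VLAN table for the model."""
    patched = dict(vlans)
    v = patched[ap_vlan]
    patched[ap_vlan] = Vlan(v.id, v.vrf, routes_to_mm=True)
    return patched


if __name__ == "__main__":
    # The two placements the poster tried.
    for c, m in [(523, 647), (647, 647)]:
        print(f"controller-ip vlan {c}, masterip vlan {m}:", check_placement(c, m) or "OK")
    print("placements satisfying all constraints as posted:", find_working_placements())
    print("placements once the MM can route to VLAN 523:",
          find_working_placements(with_mm_route_to_ap_vlan()))
```

As posted, no placement satisfies all three constraints, which matches the poster's experience. With the MM able to reach VLAN 523, keeping controller-ip on VLAN 523 and masterip on VLAN 647 passes, so the question to take to the firewall/routing team is whether that single MM-to-controller-ip path can be permitted between the VRFs.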


  • 2.  RE: Connecting APs to controller on different firewall zones

    EMPLOYEE
    Posted May 11, 2022 01:07 PM
    I am not aware of a workaround for this, unfortunately.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------