Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Requesting help with Layer 3 GRE tunneling

  • 1.  Requesting help with Layer 3 GRE tunneling

    Posted Jul 06, 2021 03:25 AM
      We have had a spoke-and-hub style Layer 2 GRE tunnel setup for our guest wireless network for years, but I would like to make the tunnels Layer 3 and move the DHCP server down to the local controllers; currently DHCP is from the firewall, one big Layer 2 network.

    I set up a lab configuration for testing the Layer 3 GRE tunnels, but I'm unable to get traffic to route properly through the GRE tunnel to the internet. I have static routes to direct traffic to the tunnel IP on both ends, as the guide states. When I do a ping from the test-2 controller, where I have an AP and a few clients connected, I'm not able to ping my internet gateway or any internet IP using source VLAN 200. I have tested the firewall by configuring a WLAN on the internet controller (test-1), which is directly connected to the firewall; I was able to get on the internet using VLAN 900, which I have trunked from that internet controller to the firewall. I know the internet is working; I'm just not able to get traffic to go through the tunnel. Both controllers are licensed with AP, PEF and RF-Protect. AOS software is . I can post the entire configs if needed, and I have included a Visio drawing as a PDF file.


    Aruba-lab-L3-GRE.pdf   119 KB 1 version

  • 2.  RE: Requesting help with Layer 3 GRE tunneling

    Posted Jul 06, 2021 12:56 PM

  • 3.  RE: Requesting help with Layer 3 GRE tunneling

    Posted Jul 06, 2021 04:39 PM
    Honestly, you would need an L2 GRE tunnel. Have you seen the attached document?

    What routes what depends on what the default gateway of the guest clients is. There can be an L2 GRE tunnel from controller to controller, but the guest VLAN could have as its default gateway a third device that actually does the routing.

    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.


  • 4.  RE: Requesting help with Layer 3 GRE tunneling

    Posted Jul 06, 2021 06:59 PM

  • 5.  RE: Requesting help with Layer 3 GRE tunneling
    Best Answer

    Posted Jul 13, 2021 06:39 PM
    I was able to get it working. The guide is wrong: it shows the tunnel IP as and on each end of the tunnel; it needs to be and . Also, it is not a good idea to use , because there is a public DNS IP there; I thought it was working, but in reality it wasn't, as I found after doing a traceroute. This is what worked, if someone else is trying to figure this out; here it is.

    Controller 2 > VLAN 200 wireless > tunnel source IP is the Controller 2 IP > inside tunnel IP ( - ) < dest Controller 1 IP > VLAN 900 IP > PA firewall, trunked 802.1Q L3 sub-interface VLAN 900 IP

    Oddly, I had issues getting it to work with just an access-port L3 interface: even though the ARP table on the PA firewall and the ARP table on the directly connected Controller 1 both had the IPs and MACs in each table, it would not ping from the controller to the firewall. Configured as a trunk port, it worked. I even set up a laptop with the IP and gateway of the controller's configured trusted access port; still the controller would not ping it, though it works from a WLAN. The strange thing was that on the other controller I was able to ping both ways with the same configuration. We like trunk ports anyway; in production it worked without issue using the trunk and the .1Q sub-interface IP.

    Controller 2 routes 
    Default gateway
    IP route next hop

    Controller 1 routes
    Default gateway
    IP route next hop 

    PA firewall, which has a NAT going to the internet
    Trust-side routing
    IP Route next hop 

    I have a DHCP server running from the controller VLAN 200, DNS 
    We had never used L3 tunnels before because of the controllers' limited DHCP server; now that Aruba supports up to 4000 IPs with a 7200 controller, that should be more than enough for each controller set, as we don't have more than 2000 clients on each controller cluster. Also, if you don't have those default gateways set up correctly: I was able to ping, but when I used a browser it would try to use the controller's captive portal, as if an interface was not trusted. I need to do further testing when I turn this up on our production network to make sure no one is able to manage our controllers, using either SSH or the WebUI, from our open-SSID guest wireless.

    Kelly L
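The following ArubaOS CLI configuration is an added worked example for the layout the best answer describes (an L3 GRE tunnel between the two controllers, static routes whose next hop is the far end's inside-tunnel address, DHCP served from the VLAN 200 controller, and a session ACL that keeps guest clients off the controller's SSH and WebUI). It is not the poster's configuration and not text from Aruba's guide. Every address is an assumption chosen for illustration (10.0.1.1/10.0.1.2 as the controller IPs, 172.16.1.0/30 as the inside-tunnel subnet, 10.200.0.0/21 as the guest range, 192.168.90.0/24 as VLAN 900 towards the PA firewall), as are the names `guest-200`, `guest-no-mgmt` and `guest-post-auth` and the port number 0/0/1. The aliases `user`, `any` and `controller` and the services `svc-dhcp`, `svc-dns`, `svc-ssh`, `svc-https`, `svc-http`, `svc-telnet` and `svc-snmp` are ArubaOS predefined names.

```text
! ---- Controller 2 (AP / guest side); all addresses are assumptions ----
! Tunnel endpoints are the controllers' own IPs; the /30 exists only inside the tunnel.
interface tunnel 1
  description "L3 GRE to Controller 1"
  tunnel mode gre ip
  tunnel source 10.0.1.2
  tunnel destination 10.0.1.1
  ip address 172.16.1.2 255.255.255.252
  trusted
  no shutdown

! Guest VLAN: the controller is the default gateway and the DHCP server.
! A /21 (2046 hosts) keeps the pool inside the controller's DHCP lease limit.
interface vlan 200
  ip address 10.200.0.1 255.255.248.0
ip dhcp excluded-address 10.200.0.1 10.200.0.10
ip dhcp pool guest-200
  network 10.200.0.0 255.255.248.0
  default-router 10.200.0.1
  dns-server 10.200.0.1
  lease 0 4 0
service dhcp

! Default route into the tunnel. The next hop is the FAR end's inside-tunnel
! address (172.16.1.1), not the far controller's own IP (10.0.1.1).
ip route 0.0.0.0 0.0.0.0 172.16.1.1

! ---- Controller 1 (internet side, trunked to the PA firewall on VLAN 900) ----
interface tunnel 1
  description "L3 GRE to Controller 2"
  tunnel mode gre ip
  tunnel source 10.0.1.1
  tunnel destination 10.0.1.2
  ip address 172.16.1.1 255.255.255.252
  trusted
  no shutdown

interface vlan 900
  ip address 192.168.90.2 255.255.255.0
interface gigabitethernet 0/0/1
  description "802.1Q trunk to PA firewall"
  switchport mode trunk
  switchport trunk allowed vlan 900
  trusted

! Internet via the PA VLAN 900 sub-interface; return path for guest traffic back into the tunnel.
ip route 0.0.0.0 0.0.0.0 192.168.90.1
ip route 10.200.0.0 255.255.248.0 172.16.1.2

! ---- PA firewall (trust side): the matching static route, in PA terms ----
!   destination 10.200.0.0/21, next hop 192.168.90.2 (Controller 1's VLAN 900 address)

! ---- Guest role on Controller 2: no management of the controller from the open SSID ----
! Rules are evaluated first match. DHCP and DNS to the controller stay open only because
! both are served from the controller in this design; everything else to it is dropped and logged.
ip access-list session guest-no-mgmt
  user alias controller svc-dhcp permit
  user alias controller svc-dns permit
  user alias controller svc-ssh deny log
  user alias controller svc-https deny log
  user alias controller svc-http deny log
  user alias controller svc-telnet deny log
  user alias controller svc-snmp deny log
  user any any permit
user-role guest-post-auth
  access-list session guest-no-mgmt

! ---- Verification ----
show ip route
show interface tunnel 1
show datapath tunnel
show rights guest-post-auth
```

Apply `guest-no-mgmt` to whichever role guest clients land in after captive-portal login (the pre-authentication role already needs HTTP/HTTPS to the controller for the portal itself, so it is not the place for these denies). `show rights guest-post-auth` confirms the role's effective ACL list, and a quick `ssh` attempt from a guest client to the controller's VLAN 200 address should now appear as a logged deny rather than a login prompt.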