Wireless Access

 View Only
last person joined: 3 days ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

DNS Rewrite on RAP

This thread has been viewed 15 times
  • 1.  DNS Rewrite on RAP

    Posted Jan 07, 2022 11:58 AM
    Hi all,

    We are a higher education campus. We have RAPs running with a split-tunnel SSIDs in some of our remote campus housing . The DNS in use is public, since TAC could never get DNS to work over the tunnel reliably. We only send DHCP and some specific traffic back over the tunnel. This design works well for us and we do not intend to change it at this time.

    I am hoping to find a solution here. We are attempting to rewrite and/or redirect traffic to a certain DNS name to a specific server IP that is located on campus. This server can not be accessible externally. We basically want the RAP to see traffic going to something.campus.edu and immediately rewrite it to the IP address and send it over the tunnel.

    Thank you in advance for any assistance.

    ------------------------------
    Mark


  • 2.  RE: DNS Rewrite on RAP

    EMPLOYEE
    Posted Jan 08, 2022 01:52 PM
    I would say that split-tunneled RAPs are really only meant for a single device per area, since there is no stateful roaming between RAPs with split tunnel.

    With regards to the DNS working reliably, why don't you setup a private DNS server that accounts for all the hosts and DNS names that you want your users to get, and give that DNS server ip address out to your clients connected to your RAPs?  That way you would be giving out all of the ip addresses that you want.  There is no rewriting DNS requests to clients in a RAP, unfortunately.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: DNS Rewrite on RAP

    Posted Jan 13, 2022 04:43 PM
    Thanks for the response here.

    I am well aware of the roaming issues, but I have very limited options. Decisions were made well above my head, even after I explained the issues.

    When you say personal server, do you mean create one locally on the MC/MDs? We currently have locally hosted Windows DNS (multiple vm servers), but we had major issues with it in the Split-tunnel. The DNS would suddenly timeout or become unreachable as if the RAP lost it (or the tunnel itself). A few minutes later it would come back. This never happened on RAP tunneled networks. TAC worked on it for months and could never give us a straight answer. That is why we changed it to public DNS since this was student housing and we really did not have time to keep waiting on a solution.

    If you possibly have any input on getting it to work with our campus DNS servers that would be the preferred solution.

    ------------------------------
    Mark
    ------------------------------



  • 4.  RE: DNS Rewrite on RAP

    EMPLOYEE
    Posted Jan 13, 2022 05:16 PM
    If you have an SE or an Aruba VAR, that is probably the best solution.  TAC will block and tackle, but if they cannot see your problem with the limited information that is provided, they will probably not get to the bottom of the issue.

    If something works with a tunneled network, it should work with a split tunneled network if designed properly.  The roaming issues with a split-tunneled network will add to the unpredictability of your design, unfortunately.  Also, there might be a limit to how many nat-t sessions the local router at the site can pass to the same tunnel address, so there is that.  You also cannot do vlan pooling with a split tunneled SSID.  If you must design a split tunneled network you should start as simple as possible. You should have a limited set of subnets defined as tunneled and everything else route-source natted for performance.  Deploying a complicated scheme with DNS and split tunneling will only increase your frustration and create troubleshooting and management issues in the future..  You know what subnets need to be tunneled...  Give your clients your existing DNS so that those subnets are predictable.  Route and source-nat the rest out to the internet for performance.  Resist the urge to tunnel anything that could just as easily be reached over the internet.  Your split-tunnel ACL should rarely be more complicated than what is below:  

    ip access-list session Campus-split
      any any svc-dhcp permit
      user alias campus-networks any permit
      user any any route src-nat​



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------