Right now we have a client which has the following scenario:
2x Master Controllers in the central site (master/standby); it has a VRRP IP.
They have like 15 remote sites.
Each site has one controller in which they terminate their APs.
For example, Site A has 15 APs and all 15 APs terminate their tunnel in that controller.
So it's Master Active / Master Standby.
15 remote sites (all local controllers).
1x DMZ controller in the central site which has internet for all the guests of all the 15 sites.
Each remote site has a GRE tunnel for the guest traffic that points to the central site controller VRRP IP, and the central site controller has a GRE tunnel to the DMZ. I'm passing VLAN 800, which is my guest traffic, and that VLAN just exists in the controllers; it does not exist in the clients' networks and is not routable.
My question is simple, I think:
Can I do the same scenario in Version 8?
Is this recommended in version 8?
Is there a better way to manage this in version 8?
I don't see a reason why this design would not be doable with AOS8.
My preference would be to have the remote sites tunnel directly to the DMZ controller, rather than hopping through the central controllers. I would either do user roles for guest users at the edge controller or at the DMZ controller, but having the user pass through the central controller does not add any functionality.
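The direct remote-site-to-DMZ design described above, as an added ArubaOS configuration sketch that is not from this thread or from Aruba's own documentation. The controller addresses, tunnel IDs and description strings are constructed placeholders; VLAN 800 is the guest VLAN from the original post.

```text
! Remote site controller (assumed address 10.10.1.1): a Layer-2 GRE tunnel
! carries guest VLAN 800 straight to the DMZ controller (assumed 203.0.113.10)
vlan 800
interface tunnel 800
  description "Guest VLAN 800 to DMZ"
  tunnel mode gre 0
  tunnel source 10.10.1.1
  tunnel destination 203.0.113.10
  tunnel vlan 800
  tunnel keepalive 10 3
  trusted
!
! DMZ controller: one matching tunnel per remote site. It is marked trusted
! because guest authentication and role assignment already happened on the
! remote controller (the ClearPass NAD), so the DMZ only forwards.
vlan 800
interface tunnel 801
  description "Guest VLAN 800 from Site A"
  tunnel mode gre 0
  tunnel source 203.0.113.10
  tunnel destination 10.10.1.1
  tunnel vlan 800
  tunnel keepalive 10 3
  trusted
```

If the DMZ end is left untrusted instead, traffic arriving over the tunnel creates wired user entries on the DMZ controller and needs a role or captive portal there. Keep VLAN 800 off any routed interface so the guest segment stays isolated from the internal network.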
Hello Charlie, thanks for your answer.
If you do what you say, would my guest users show up in the WLAN controllers? I mean, would they not show as wired users on the DMZ controller?
The way I have it right now will correctly show what APs guest users are connected to in AirWave, which is nice.
Also I don't know if I should use multizone here, if it will benefit me in some way?
I guess I didn't type that I have master active and master standby, and all the 15 sites are local controllers; I just corrected that in my original post.
Multizone is probably not needed, but is an option. With multizone, the APs themselves (rather than the gateways) would build the tunnel, so that the guest SSID would tunnel directly from the AP to the DMZ controller without touching the datapath on the internal controllers.
Where are you doing user authentication for the guest users in your current setup? I'm assuming captive portal, but not sure whether the captive portal is internal to the controller, external, or reachable specifically from the inside or DMZ controllers.
I'm doing the authentication on a ClearPass.
The ClearPass can reach the controllers, and the controllers can reach ClearPass on the specific ports I need only.
Forgot to mention that I'm using both interfaces, management and data.
The management is on the trusted zone and the data port is on the DMZ of the client.
You mentioned that the DMZ controller sees the guest users as wired users? So the DMZ controller is not trusting the GRE tunnel from the master controllers?
I didn't mention it, I was asking you. I did say "The way I have it right now will correctly show what APs guest users are connected to in AirWave, which is nice", but before that I asked you if the guests will show correctly in the WLAN controllers and if they will not show as wired users on the DMZ controller.
Sorry, I guess you have a hard time reading my English; it is not the best.
I thought, or I misunderstood, what would happen with the guest clients; this was like 4 years ago.
I could change them all in this new project to the DMZ controller if you think it's the best way to do it.
Is there any issue having it the way I have it?? I really would like to know that for future reference.
Thanks again for answering.
My apologies for the confusion.
When tunneling guests, the authentication could be handled either at the remote controller where the APs terminate (my preference), or on the DMZ controller. There are valid reasons for having the authentication performed on either of the controllers ... the DMZ may be the only controller that has IP routing for the guest user space.
If Airwave is correlating the guest user to an AP, then I believe the remote controllers are performing the authentication. This would also be fine in the AOS8 architecture as well, and would be my preference.
Hello Charlie, thanks for answering.
Right now I'm tunneling the guest VLAN to the master controller in the central site, and I have another tunnel from the central site to the DMZ.
Now for the authentication, I should be authenticating them on the local controllers (remote controllers) because on the ClearPass I'm adding the local controllers as NADs to make it work; if I don't add them, well, it does not work.
Now, is there any issue if I tunnel the GRE to the master controller instead of the DMZ directly? I see that you said that it does not add any functionality, but I was wondering if it is bad somehow.
All good info, thanks for the clarification and verification.
Tunneling through the master controller is not bad. It adds an extra failure point, although you have mitigated that with a standby master. There could be extra complexity in the configuration and troubleshooting, but as it is working for you now, that is all okay.
Thank you for your patience, Charlie!
Thanks for your answers too.