Wireless Access

last person joined: 2 days ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

  • 1.  DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 11, 2020 05:42 PM

    Hello Guys

    Right now we have a client which has the fallowing scenario:

    Version 6.x

    2x Master Controllers in the central site master stand by, it has a VRRP ip

     

    they have like 15 remote Site

    Each Site  has  one controller  in which they terminate their APs 

    For example Site A  has 15 APs and all the 15 APS terminate their tunnel in  that controller

     

    So its Master active  Master Stand By

     

    15 remote Sites( all local controllers)

     

     

    1x DMZ Controller in the Central site which has an internet for all the guest of all the 15 sites

     

     

    Each  Remote Site has a GRE Tunnel for the Guest traffic that points to the  Central site controller VRRP IP  and  the central site controller has a GRE Tunnel to the DMZ .   im passing the vlan 800 which is my Guest traffic and that vlan just exist in the controllers, it does not exist in the clients networks and is not rouatable.

     

     

    My question is simple i think

    Can  i do the same scenario in Version 8?

    It is recommended this in version 8?

    There is a better way to manage this in version 8?

     

    Cheers

    Carlos



  • 2.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 11, 2020 07:50 PM

    I don't see a reason why this design would not be doable with AOS8.

     

    My preference would be to have the remote sites tunnel directly to the DMZ controller, rather than hopping through the central controllers. I would either do user roles for guest users at the edge controller or at the DMZ controller, but having the user pass through the central controller does not add any functionality.



  • 3.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 11, 2020 08:10 PM

    Hello Charlie Thanks for your answer

     

    If you do what you say,  would my guest  users will show up in the WLAN controllers? i mean it would not show as a wired user on the dmz controller?

    The way i got it right now will correctly show what APs guest users are connected to in  Airwave which is nice.

     

    Also i don t know if i should use multizone here, if it will benefit me in some way?

     

    Cheers

    Carlos

     



  • 4.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 11, 2020 08:14 PM

    I guess i didnt type that i got master active and master stand by, and all the 15 sites are local controllers,  i just corrected that in my original post.



  • 5.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 11, 2020 08:32 PM

    Multizone is probably not needed, but is an option. With multizone, the APs themselves (rather than the gateways) so that the guest SSID would tunnel directly from the AP to the DMZ controller without touching the datapath on the internal controllers.

     

    Where are you doing user authentication for the guest users in your current setup? I'm assuming captive portal, but not sure whether the captive portal is internal to the controller, external, or reachable specifically from the inside or DMZ controllers.



  • 6.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 11, 2020 08:38 PM

    im doing the authentication on a clearpass.

    The clearpass can reach the controllers, and controllers and reach clearapass  for specific ports i need only.



  • 7.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 11, 2020 08:53 PM

    Forgot to comment you that im using both interfaces  Managment and data

     

    The Managment is on the trusted zone and the data port is on the DMZ of the client.



  • 8.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 11, 2020 09:20 PM

    You mentioned that the DMZ controller sees the guest users as wired users? So the DMZ controller is not trusting the GRE tunnel from the master controllers?



  • 9.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 12, 2020 08:55 AM

    I didnt mention, i was asking you,  i did say "The way i got it right now will correctly show what APs guest users are connected to in Airwave which is nice", but before asked you if the guest will show  correctly in the WLAN controllers and if it will not show as a wired user on the dmz controller

    Sorry, i guess you have hard time reading my english, is not the best.

    I though or i misunderstood what will happen with the guest clients, this was like 4 years ago.

    I could change them all in this new project  to the DMZ controller if you think its best way to do it

     

    It there any issue having it the way i got it??  i really would like to know that as future reference.

     

    Thanks again for answering

     



  • 10.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 12, 2020 11:56 AM

    My apologies for the confusion.

     

    When tunneling guests, the authentication could be handled either at the remote controller where the APs terminate (my preference), or on the DMZ controller. There are valid reasons for having the authentication performed on either of the controllers ... the DMZ may be the only controller that has IP routing for the guest user space. 

     

    If Airwave is correlating the guest user to an AP, then I believe the remote controllers are performing the authentication. This would also be fine in the AOS8 architecture as well, and would be my preference.



  • 11.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 12, 2020 02:44 PM

    Hello Charlie thanks for answering

    Right now im tunneling the the Guest vlan to the Master controller in the central site, and i got another tunnel from  the central site to the DMZ

     

    Now for the authentication, i should be authenticating them on the Local controllers(remote controllers) because im on the clearpass adding the local controllers as NADs, to make it work, if i dont add them, well it does not work.

     

    Now is there any issue if i tunnel the GRE to the master controller instead of the DMZ directly?  i see that you said that it does not add any functionality but i was wondering if it bad somehow.



  • 12.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 12, 2020 02:57 PM

    All good info, thanks for the clarification and verification.

     

    Tunneling through the master controller is not bad. It adds an extra failure point, although you have mitigated that with a standby master. There could be extra complexity in the configuration and troubleshooting, but as it is working for you now, that is all okay.



  • 13.  RE: DMZ Controller Guest traffic in Aruba OS 8 recommendation deployment

    Posted Feb 12, 2020 03:07 PM

    Thank you for your patience Charlie!

     

    thanks for your answers too