We have a customer with several Instant clusters with VPN tunnels back to an Aruba 6000.
We appear to have a problem whereby clients associated to the master get pushed down the tunnel and are OK.
If clients are associated to any of the other APs in the cluster they appear to work.
I was wondering if you could terminate on the VC?
I'm not sure I understand but the VC is the device terminating the VPN tunnel to the 6000. Not any other AP in the cluster.
That's what I thought, but it appears to be terminating on the master!
The master is your VC
What is happening is that the VPNs are up and visible to the central controller.
There are two or three IAPs in the cluster; however, it is only clients that are associated to the master IAP that are getting their traffic pushed down the VPN tunnel.
I am sure it's a config thing but TAC have checked the config and say it's ok.
The IAPs are connected to an access port on a switch, but the guest VLAN is pushed down the tunnel.
So no need to make the ports trunk ports.
I am at a bit of a loss.
Ah! The VLAN that is being used for the DHCP profile for the VPN traffic MUST be trunked on the wired network between the master IAP and the other IAPs.
Otherwise each IAP will have to build its own tunnel.
That can only happen if each AP is in standalone mode, thereby defeating the purpose of IAPs and virtual controller clusters.
I wouldn't recommend that. If you are using VPN, make sure the LAN is set to have that VLAN id trunked between all IAPs at the site.
I don't quite agree. I have a remote office from which I GRE-tunnel the guest-wireless VLAN back to HQ for internet handoff. The DHCP and routing for the Internet connection is past the master controller at the HQ.
The solution per TAC was to trunk the VLAN throughout the remote office or set up a tunnel for each IAP. Security concerns said no trunking, so...
The cluster has just one tunnel configured, but the 3600 at headquarters has one tunnel defined for each IAP.
(Messy in my opinion, but it's working fairly well)
If you could paste your IAP config, I'd appreciate it. I might have to ahem - edit - my last statement!
Thanks for the info!
Here are the parts pertinent to the GRE tunnels.
(I've also left the captive-portal bits in, in case whoever finds this artifact later might find that part useful.)
The interesting bits are "gre per-ap-tunnel" and "ip dhcp guest" with "server-type Centralized,L2".
gre primary 10.21.0.65
gre type 0
name <VC name>
virtual-controller-ip <VC IP>
wlan access-rule guestW
 rule any any match any any any permit
wlan auth-server CLEARPASS
 ip <clearpass IP>
 nas-ip <VC IP>
banner-text "WinCo Foods Guest Network"
terms-of-use "This network is not secure, and use is at your own risk"
use-policy "Logging in as a registered user indicated that you have read, or at least agree to our Acceptable Use Policy"
ip dhcp guest
 route 0.0.0.0 0.0.0.0 10.21.0.65
wlan ssid-profile guestW
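The per-IAP tunnel approach described in the thread, written out as a constructed example (not the poster's or Aruba's own config, and the exact CLI keywords, the VLAN id 200 and the 10.21.0.x addresses other than the 10.21.0.65 tunnel endpoint quoted above are assumptions). Lines starting with # are annotations, not config. With "gre per-ap-tunnel" every IAP in the cluster builds its own GRE tunnel to the HQ controller, so the guest VLAN only ever exists inside the tunnels and never has to be trunked across the remote office's wired LAN; the controller needs one tunnel interface per IAP in return.

```text
# --- Instant cluster (virtual controller) side ---
gre primary 10.21.0.65          # HQ controller terminating the tunnels (from the thread)
gre type 0                      # L2 GRE, same as the pasted config
gre per-ap-tunnel               # each IAP tunnels on its own instead of only the master/VC

ip dhcp guest
 server-type Centralized,L2     # DHCP and routing for guests live at HQ, bridged over the tunnel
 server-vlan 200                # assumed guest VLAN id; carried only inside the tunnels

wlan ssid-profile guestW
 type guest
 vlan 200                       # guest clients land in the tunnelled VLAN, not a local VLAN
 access-rule-name guestW

# --- HQ controller side (ArubaOS 3600 in the thread): one tunnel per IAP ---
interface tunnel 1
 tunnel mode gre 0
 tunnel source 10.21.0.65
 tunnel destination 10.21.0.71  # assumed IP of the first IAP
 tunnel vlan 200
interface tunnel 2
 tunnel mode gre 0
 tunnel source 10.21.0.65
 tunnel destination 10.21.0.72  # assumed IP of the second IAP; repeat per IAP
 tunnel vlan 200
```

The trade-off is operational: the switch ports can stay plain access ports, but every IAP added to the cluster needs a matching tunnel interface on the controller.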
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.