Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Centralized L2 IAP VPN and WLC traffic forwarding

  • 1.  Centralized L2 IAP VPN and WLC traffic forwarding

    Posted Jun 22, 2022 03:40 AM
    Hi folks!

    The customer is using an IAP-VPN setup where the SSID VLAN (say VLAN=X) is configured to use DHCP in Centralized L2 mode; split-tunnel is not in use. This is an existing deployment and has proven to be functional. They have several IAP clusters broadcasting the SSID and sharing the same L2 network; wireless clients have been able to connect, get an IP address and send traffic via the WLC in the DC.

    The question arose: what should happen if the WLC in the DC doesn't have VLAN=X configured? Should the WLC still accept VLAN=X traffic coming in via the IAP-VPN tunnel and possibly forward it to other IAP-VPN tunnels?

    If we think of common LAN switch functionality, the answer is no: the switch will just discard the frame, since it's not aware of the existence of VLAN=X. But does the same apply to the WLC too? Will it discard the frame, since there's no VLAN=X configured on the WLC?

    And what if the frame is a broadcast frame, for example a DHCP Discover? Will the WLC forward the frame, or just discard it?

    What if we have two VLANs using Centralized L2 DHCP, say VLAN=X and VLAN=Y? Any difference in behaviour?

    I would think not; the WLC will not forward a VLAN=X frame if the WLC doesn't have VLAN=X configured.

    Diagram below for your reference:

    gone fishing.

  • 2.  RE: Centralized L2 IAP VPN and WLC traffic forwarding
    Best Answer

    Posted Jun 23, 2022 01:22 AM
    If the WLC in the DC doesn't have the VLAN configured or tagged, the WLC will drop the traffic.
    In Centralized L2 mode, the DHCP server (VPNC or external DHCP server) is in the DC. If you have the VLAN configured on the VPNC/WLC, the DHCP broadcast will be received.

    Kapildev Erampu
    Systems Engineer, ACEX#94
    Aruba, a Hewlett Packard Enterprise company
    Sydney, Australia.
    Any opinions expressed here are solely my own and not necessarily that of HPE

  • 3.  RE: Centralized L2 IAP VPN and WLC traffic forwarding

    Posted Jun 27, 2022 01:08 AM
    Hello Kapildev!

    Thank you for the message; your view is in sync with mine. I also did some lab testing using just two IAPs and one 7005 as the WLC, and the results are aligned with the above: in case there's no VLAN configured on the WLC, it will drop the traffic. I was monitoring the traffic on the other leg (on the right-hand side) at the same time as the first leg (on the left-hand side) had a WLAN client connecting to the SSID, which was configured for Centralized L2 DHCP. The Wireshark capture did show other traffic, but nothing from the WLAN client.

    gone fishing.
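Added illustration (not from the thread, and not Aruba code): a small Python model of the decision described in the best answer and of the capture check from the lab test in the reply above. Frame parsing, 802.1Q tag handling and DHCP Discover detection follow the standard wire formats; the DHCP Discover frame, the client MAC and the tunnel/port names ("iap-left", "iap-right", "dc-uplink") are constructed for the example. The thread only confirms two things, that an unconfigured VLAN is dropped and that the DC-side DHCP server receives the broadcast when the VLAN is configured; flooding to the other tunnels when the VLAN is configured is this model's assumption of ordinary VLAN-aware bridge behaviour, not something the thread establishes.

```python
"""Added model of the WLC decision discussed in the thread (not Aruba code)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6
DHCP_COOKIE = b"\x63\x82\x53\x63"

@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]        # 802.1Q VID, None if the frame is untagged
    is_dhcp_discover: bool

def _dhcp_msg_type(options: bytes) -> Optional[int]:
    """Walk DHCP options (RFC 2132 TLVs) and return option 53 if present."""
    i = 0
    while i < len(options) and options[i] != 255:      # 255 = end of options
        if options[i] == 0:                             # 0 = pad byte
            i += 1
            continue
        code, length = options[i], options[i + 1]
        if code == 53 and length == 1:
            return options[i + 2]
        i += 2 + length
    return None

def parse_frame(raw: bytes) -> Frame:
    """Extract the VLAN tag and detect DHCP Discover (IPv4/UDP 68->67, op=1, type 1)."""
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    off, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, off = tci & 0x0FFF, 18
    discover = False
    if ethertype == ETHERTYPE_IPV4 and raw[off + 9] == 17:   # IP protocol 17 = UDP
        ihl = (raw[off] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", raw[off + ihl:off + ihl + 4])
        bootp = raw[off + ihl + 8:]
        if ((sport, dport) == (68, 67) and len(bootp) > 240
                and bootp[0] == 1 and bootp[236:240] == DHCP_COOKIE):
            discover = _dhcp_msg_type(bootp[240:]) == 1
    return Frame(dst, src, vlan, discover)

class CentralizedL2Wlc:
    """Toy L2 forwarding decision at the WLC for frames arriving from IAP-VPN tunnels."""
    def __init__(self, configured_vlans, ports: List[str]):
        self.vlans = set(configured_vlans)
        self.ports = list(ports)        # IAP-VPN tunnels plus the DC-side port (hypothetical names)
        self.mac_table: Dict[Tuple[int, bytes], str] = {}

    def handle(self, ingress: str, raw: bytes):
        f = parse_frame(raw)
        if f.vlan is None:
            return "drop", "untagged frame, no VLAN to map it to"
        if f.vlan not in self.vlans:    # the case the thread and the lab test confirm
            return "drop", f"VLAN {f.vlan} not configured on WLC"
        self.mac_table[(f.vlan, f.src)] = ingress   # assumed bridge-style MAC learning
        others = [p for p in self.ports if p != ingress]
        if f.dst[0] & 1:                # broadcast/multicast bit: flood within the VLAN (assumed)
            return "flood", others
        out = self.mac_table.get((f.vlan, f.dst))
        return ("forward", [out]) if out and out != ingress else ("flood", others)

def summarize_capture(frames):
    """The lab check: which VLANs, and how many DHCP Discovers, reached the monitored leg."""
    seen: Dict[Optional[int], Dict[str, int]] = {}
    for raw in frames:
        f = parse_frame(raw)
        e = seen.setdefault(f.vlan, {"frames": 0, "dhcp_discover": 0})
        e["frames"] += 1
        e["dhcp_discover"] += int(f.is_dhcp_discover)
    return seen

def _checksum(data: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))   # IPv4 header length is even
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_dhcp_discover(client_mac: bytes, vlan_id: int) -> bytes:
    """Constructed input: a minimal 802.1Q-tagged DHCP Discover from a wireless client."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    bootp += DHCP_COOKIE + b"\x35\x01\x01\xff"     # option 53 = 1 (Discover), then end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, b"\0" * 4, b"\xff" * 4)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return BROADCAST + client_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp
```

To reproduce the two cases from the thread, build a Discover with `build_dhcp_discover(mac, 100)` and feed it to `CentralizedL2Wlc({100}, ports).handle("iap-left", frame)` (flooded to the other ports) and to `CentralizedL2Wlc({200}, ports).handle(...)` (dropped, VLAN 100 absent). `summarize_capture` is the offline equivalent of the Wireshark check on the far leg: run it over the frames captured there and the missing VLAN, or a zero DHCP Discover count, is the evidence that the WLC did not forward the client's traffic.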