I was able to get it working. The guide is wrong: it shows the tunnel IP as 1.1.1.1/32 and 1.1.1.2/32 on each end of the tunnel; it needs to be 1.1.1.1/30 and 1.1.1.2/30. Also, it's not a good idea to use 1.1.1.1 because it is a public DNS IP; I thought it was working, but in reality it wasn't, as I found after doing a trace route. This is what worked, if someone else is trying to figure this out:
Controller 2 > VLAN 200 Wireless 1.200.1.254/24 > Tunnel Source IP is the Controller 2 IP>
Inside tunnel IP (192.168.1.1/30 - 192.168.1.2/30) < DEST Controller 1 IP > VLAN 900 IP 10.255.63.253/24 > PA firewall Trunked Dot.1q L3 Sub-interface Vlan 900 IP 10.255.63.254.
Oddly, I had issues getting it to work with just an access-port L3 interface. Even though the ARP table on the PA firewall and the ARP table on the directly connected Controller 1 both had the IP and MAC in each table, it would not ping from the controller to the firewall. Configured as a trunk port, it worked. I even set up a laptop with the IP and gateway of the controller's configured trusted access port; still the controller would not ping it, though it works from a WLAN. The strange thing was that on the other controller I was able to ping both ways with the same configuration. We like trunk ports anyway; in production it worked without issue using the trunk and .1Q sub-interface IP.
Controller 2 routes
Default gateway 192.168.1.1
IP route 10.255.63.0/24 next hop 192.168.1.1
Controller 1 routes
Default gateway 10.255.63.254
IP route 10.200.1.0/24 next hop 192.168.1.2
PA firewall, which has a NAT going to the internet
Trust-side routing
IP Route 10.200.1.0/24 next hop 10.255.63.253
I have a DHCP server running from the controller VLAN 200, DNS 8.8.8.8.
We had never used L3 tunnels before because of the controller's limited DHCP server; now that Aruba supports up to 4000 IPs with a 7200 controller, that should be more than enough for each controller set, as we don't have more than 2000 clients on each controller cluster. Also, if you don't have those default gateways set up correctly, I was able to ping 8.8.8.8, but when I used a browser it would try to use the controller's captive portal, as if an interface was not trusted. I need to do further testing when I turn this up on our production network to make sure no one is able to manage our controllers using either SSH or the WebUI from our open-SSID guest wireless.
------------------------------
Kelly L
------------------------------
Original Message:
Sent: Jul 06, 2021 04:39 PM
From: Colin Joseph
Subject: Requesting help with Layer 3 GRE tunneling
Honestly, you would need an l2 gre tunnel. Have you seen the attached document?
What routes what depends on what is the default gateway of the guest clients. There can be a l2 gre tunnel from controller to controller, but the guest VLAN could have the default gateway of a third device that actually does the routing.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
Original Message:
Sent: Jul 06, 2021 12:56 PM
From: Kelly Levine
Subject: Requesting help with Layer 3 GRE tunneling
It's been pointed out to me that the tunnel IP address mask should not be /32: both sides of the tunnel need to be in the same subnet, but the guide shows 1.1.1.1/32. The Aruba GRE tunnel guide shows both tunnel IP addresses with /32 masks; maybe that's a mistake and it should have been /30.
I have made the change:
1.1.1.1 255.255.255.252 Controller 1
1.1.1.2 255.255.255.252 Controller 2
------------------------------
Kelly L
Original Message:
Sent: Jul 06, 2021 03:24 AM
From: Kelly Levine
Subject: Requesting help with Layer 3 GRE tunneling
Hello,
We have had a spoke-and-hub style Layer 2 GRE tunnel setup for our guest wireless network for years, but I would like to make the tunnels Layer 3 and move the DHCP server down to the local controllers; currently DHCP is from the firewall, one big Layer 2 network.
I set up a lab configuration for testing the Layer 3 GRE tunnels, but I'm unable to get traffic to route properly through the GRE tunnel to the internet. I have static routes to direct traffic to the tunnel IP on both ends, as the guide states. When I do a ping from the test-2 controller, where I have an AP and a few clients connected, I'm not able to ping my internet gateway or any internet IP using source VLAN 200. I have tested the firewall by configuring a WLAN on the internet controller (test-1) that is directly connected to the firewall; I was able to get on the internet using VLAN 900, which I have trunked from that internet controller to the firewall. I know the internet is working; I'm just not able to get traffic to go through the tunnel. Both controllers are licensed with AP, PEF, and RF-protect. AOS software is 8.5.0.13. I can post the entire configs if needed, and I have included a Visio drawing PDF file.
Controller 1 routing config
ip route 10.200.1.0 255.255.255.0 1.1.1.1
ip default-gateway 10.255.63.254
ip default-gateway 10.10.10.1
Tunnel config
interface tunnel 1
description tunnel-1
ip address 1.1.1.1 255.255.255.255
tunnel source controller-ip
trusted
tunnel destination 10.10.10.79
tunnel mode gre ip
tunnel keepalive
tunnel keepalive 10 3
(TEST-1) *[mynode] #show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static, B - Bgw peer uplink
M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch
I - Ike-overlay, N - not redistributed
Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
Gateway of last resort is 10.10.10.1 to network 0.0.0.0 at cost 1
Gateway of last resort is 10.255.63.254 to network 0.0.0.0 at cost 1
S* 0.0.0.0/0 [0/1] via 10.255.63.254*
[0/1] via 10.10.10.1
S 10.200.1.0/24 [0/1] via 1.1.1.1*
C 10.10.10.0/24 is directly connected, VLAN1
C 10.255.63.0/24 is directly connected, VLAN900
C 1.1.1.1 is directly connected, Tunnel 1
(TEST-1) *[mynode] #show ip interface brief
Interface IP Address / IP Netmask Admin Protocol VRRP-IP
vlan 1 10.10.10.78 / 255.255.255.0 up up
vlan 900 10.255.63.253 / 255.255.255.0 up up
loopback unassigned / unassigned up up
tunnel 1 1.1.1.1 / 255.255.255.255 up up
(TEST-1) *[mynode] #show interface tunnel
Tunnel 1 is up line protocol is up
Description: tunnel-1
Internet address is 1.1.1.1 255.255.255.255
Source 10.10.10.78
Destination 10.10.10.79
Tunnel mtu is set to 1100
Tunnel is an IP GRE TUNNEL
Tunnel is Trusted
Inter Tunnel Flooding is enabled
Tunnel keepalive is enabled
Keepalive type is Default
Tunnel keepalive interval is 10 seconds, retries 3
Heartbeats sent 2817, Heartbeats lost 22
ICMP keepalive is disabled
Tunnel is down 2 times
routing config for controller 2
ip default-gateway 10.10.10.1
ip default-gateway 10.255.1.254
ip route 10.254.63.0 255.255.255.0 1.1.1.2 2
ip nexthop-list load-balance-gateways
!
Tunnel config for controller 2
interface tunnel 2
description "tunnel-2"
tunnel mode gre ip
ip address 1.1.1.2 255.255.255.255
tunnel source 10.10.10.79
tunnel destination 10.10.10.78
tunnel keepalive
trusted
(TEST-2) *[mynode] #show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static, B - Bgw peer uplink
M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch
I - Ike-overlay, N - not redistributed
Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
Gateway of last resort is 10.10.10.1 to network 0.0.0.0 at cost 1
S* 0.0.0.0/0 [0/1] via 10.10.10.1*
S 10.254.63.0/24 [0/2] via 1.1.1.2*
C 10.10.10.0/24 is directly connected, VLAN1
C 10.200.1.0/24 is directly connected, VLAN200
C 1.1.1.2 is directly connected, Tunnel 2
(TEST-2) *[mynode] #show ip interface brief
Interface IP Address / IP Netmask Admin Protocol VRRP-IP
vlan 1 10.10.10.79 / 255.255.255.0 up up
vlan 200 10.200.1.254 / 255.255.255.0 up up
loopback unassigned / unassigned up up
tunnel 2 1.1.1.2 / 255.255.255.255 up up
(TEST-2) *[mynode] #show interface
cellular Cellular Interface
counters L2 interfaces counters information
gigabitethernet GigabitEthernet IEEE 802.3 Interface
list List interfaces for all platforms supported by current
SC version
loopback Loopback IP Interface
mgmt Management Ethernet IP Interface
port-channel Port-Channel Interface
tunnel Tunnel interface
vlan VLAN IP Interface
| Output Modifiers
<cr>
(TEST-2) *[mynode] #show interface tunnel
Tunnel 2 is up line protocol is up
Description: tunnel-2
Internet address is 1.1.1.2 255.255.255.255
Source 10.10.10.79
Destination 10.10.10.78
Tunnel mtu is set to 1100
Tunnel is an IP GRE TUNNEL
Tunnel is Trusted
Inter Tunnel Flooding is enabled
Tunnel keepalive is enabled
Keepalive type is Default
Tunnel keepalive interval is 10 seconds, retries 3
Heartbeats sent 2798, Heartbeats lost 0
ICMP keepalive is disabled
Tunnel is down 1 times
Failed ping test from the TEST-2 controller
(TEST-2) *[mynode] #ping 10.255.63.254 source 200
Press 'q' to abort.
Sending 5, 92-byte ICMP Echos to 10.255.63.254 from 10.200.1.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
(TEST-2) *[mynode] #
PA firewall routing table
admin@PA-220> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
VIRTUAL ROUTER: V-router (id 1)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 10.10.10.1 10 A S ethernet1/1
10.10.10.0/24 10.10.10.28 0 A C ethernet1/1
10.10.10.28/32 0.0.0.0 0 A H
10.200.1.0/24 10.255.63.253 10 A S ethernet1/2.900
10.255.63.0/24 10.255.63.254 0 A C ethernet1/2.900
10.255.63.254/32 0.0.0.0 0 A H
total routes shown: 6
admin@PA-220>
------------------------------
Kelly L
------------------------------
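The thread above boils down to three configuration mistakes that a quick consistency check would have caught before any packet was sent: the inside tunnel addresses used a /32 mask on each end (so the two ends never shared a subnet), the addresses were taken from public space (1.1.1.1 is a real Internet host, which is why the trace route looked wrong), and in the original post each controller's static route pointed at its own tunnel address (controller 1 routed 10.200.1.0/24 via 1.1.1.1, its own end) rather than the far end, which is what the final working configuration does. The script below is an added example written for this page, not code from the thread or from Aruba; it takes both ends of a point-to-point GRE tunnel and reports those problems. The `TunnelEnd` structure, the `check_tunnel_pair` function and the route-list shape are assumptions of this example; the sample values are reconstructed from the configs and show output posted in the thread (controller 1's `tunnel source controller-ip` resolved to 10.10.10.78 per its `show interface tunnel`), and the outer addresses reused for the working configuration are an assumption.

```python
"""Consistency checks for the two ends of a point-to-point GRE tunnel
(inside addressing and the static routes that use it)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class TunnelEnd:
    name: str
    inside: str          # inside tunnel address as typed on the controller: "addr netmask"
    source: str          # outer tunnel source (this controller's IP)
    destination: str     # outer tunnel destination (the peer controller's IP)
    static_routes: list  # [(destination prefix, next hop), ...]


def parse_inside(spec):
    """Turn 'addr netmask' into an ip_interface so the subnet can be compared."""
    addr, mask = spec.split()
    return ipaddress.ip_interface(f"{addr}/{mask}")


def check_tunnel_pair(a, b):
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    ia, ib = parse_inside(a.inside), parse_inside(b.inside)

    # Per-end checks: mask and address space of the inside address.
    for end, iface in ((a, ia), (b, ib)):
        if iface.network.prefixlen == 32:
            findings.append(f"{end.name}: inside address {iface} has a /32 mask; "
                            "both ends must share a subnet (a /30 is enough)")
        if not iface.ip.is_private:
            findings.append(f"{end.name}: inside address {iface.ip} is public "
                            "(a real Internet host); use RFC 1918 space")

    # Both inside addresses must fall in the same subnet.
    if ia.network != ib.network:
        findings.append(f"inside addresses {ia} and {ib} are not in the same subnet")

    # Outer source/destination must mirror each other.
    if a.source != b.destination or a.destination != b.source:
        findings.append("outer source/destination are not mirrored between the ends")

    # Static routes through the tunnel must use the far end's inside address as next hop.
    for end, own, peer in ((a, ia, ib), (b, ib, ia)):
        for prefix, nexthop in end.static_routes:
            nh = ipaddress.ip_address(nexthop)
            if nh == own.ip:
                findings.append(f"{end.name}: route {prefix} via {nh} points at the "
                                f"controller's own tunnel address; use the far end {peer.ip}")
            elif nh in own.network and nh != peer.ip:
                findings.append(f"{end.name}: route {prefix} via {nh} is inside the tunnel "
                                f"subnet but is not the far end {peer.ip}")
    return findings


# Lab configuration reconstructed from the original post (constructed sample data).
LAB_TEST1 = TunnelEnd("TEST-1", "1.1.1.1 255.255.255.255", "10.10.10.78", "10.10.10.79",
                      [("10.200.1.0/24", "1.1.1.1")])
LAB_TEST2 = TunnelEnd("TEST-2", "1.1.1.2 255.255.255.255", "10.10.10.79", "10.10.10.78",
                      [("10.254.63.0/24", "1.1.1.2")])

# Working configuration from the final post: /30 private inside addresses and routes
# pointing at the far end. Outer addresses reuse the lab controllers (assumption).
OK_CTRL1 = TunnelEnd("Controller 1", "192.168.1.1 255.255.255.252", "10.10.10.78", "10.10.10.79",
                     [("10.200.1.0/24", "192.168.1.2")])
OK_CTRL2 = TunnelEnd("Controller 2", "192.168.1.2 255.255.255.252", "10.10.10.79", "10.10.10.78",
                     [("10.255.63.0/24", "192.168.1.1")])

if __name__ == "__main__":
    for label, pair in (("lab", (LAB_TEST1, LAB_TEST2)), ("working", (OK_CTRL1, OK_CTRL2))):
        result = check_tunnel_pair(*pair)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the lab values the script reports seven findings (a /32 and a public-address finding for each end, the subnet mismatch, and one self-pointing route per controller); the working values from the final post produce none. The public-address check is the security-relevant one: routing guest traffic through inside addresses that also exist on the Internet means a missing or wrong route silently sends that traffic to a third party instead of failing, which is exactly the "looked like it worked until the trace route" symptom described in the thread.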