Controller inside tunneling traffic to the one in the DMZ.
09-23-2013 01:59 PM
I have seen a number of topics covering controllers between different security domains, but I am not quite clear how I would accomplish the following setup:
- Internal controller that terminates all of my APs.
- Internal controller hosts captive portal and authenticates the users.
- Once authenticated, all user traffic, including DHCP requests, is tunnelled (via GRE) to the controller in the DMZ.
- The controller in the DMZ gives out IP addresses to anyone who comes via the GRE tunnel from the inside.
I tried setting this up but my clients never receive DHCP from the DMZ.
Inside controller:
vlan 200 "Guest WiFi"
!
interface tunnel 1
description "Tunnel to DMZ"
tunnel source vlan 1
tunnel mode gre 0
tunnel destination <DMZ IP>
tunnel keepalive 5 3
mtu 1350
no inter-tunnel-flooding
tunnel vlan 200
!
wlan virtual-ap "guest"
aaa-profile "default-dot1x-psk"
vlan 200
!
In the DMZ:
vlan 200 "Guest WiFi"
!
interface vlan 200
ip address 172.31.100.1 255.255.252.0
ip nat inside
operstate up
!
interface tunnel 1
description "Tunnel to Inside"
tunnel source vlan 1
tunnel mode gre 0
tunnel destination <inside controller IP>
tunnel keepalive 5 3
trusted
mtu 1350
no inter-tunnel-flooding
tunnel vlan 200
!
ip dhcp pool wifi-guest-pool
default-router 172.31.100.1
dns-server 8.8.8.8 8.8.4.4
lease 0 4 0 0
network 172.31.100.0 255.255.252.0
authoritative
!
Thanks!
Re: Controller inside tunneling traffic to the one in the DMZ.
09-23-2013 02:08 PM
The non-dmz side of the tunnel is not trusted.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Re: Controller inside tunneling traffic to the one in the DMZ.
09-23-2013 02:27 PM
Setting both sides of the tunnel to trusted doesn't seem to help. I see the user successfully being assigned to an L2 role, but I don't see him getting any IP from DHCP.
Re: Controller inside tunneling traffic to the one in the DMZ.
09-23-2013 02:32 PM
@garryshtern wrote:
Setting both sides of the tunnel to trusted doesn't seem to help. I see the user successfully being assigned to an L2 role, but I don't see him getting any IP from DHCP.
Type "show datapath tunnel table" and see if the encaps and decaps are going up on each side when you ping from one interface of VLAN 200 to another. If not, check your source/destination addresses in your tunnel statement. They must both be reachable IP addresses between each controller.
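As an added example (my own code, not from this thread or from Aruba), the following Python script parses the two configuration snippets from the original post in the '!'-separated form shown there and applies the checks the replies point at: 'trusted' on both tunnel ends, a tunnel destination on each controller that is the other controller's reachable address, matching tunnel VLAN, encapsulation mode and MTU on both ends, and a DMZ DHCP pool that sits on the subnet of the VLAN interface the tunnel bridges. The endpoint addresses are constructed (RFC 5737 documentation ranges) in place of the post's `<DMZ IP>` and `<inside controller IP>` placeholders, and lines the checks do not read (description, keepalive, DNS, lease) are trimmed. On the posted configs it reports exactly the first reply's diagnosis. One caveat before copying that fix: in ArubaOS a trusted tunnel is exempt from the user-role firewall policies, so guest policy and the captive portal must keep being enforced on the inside controller where the users authenticate, not on the DMZ side of the tunnel.

```python
import ipaddress

# Constructed endpoint addresses (RFC 5737 ranges) standing in for the
# "<DMZ IP>" and "<inside controller IP>" placeholders in the original post.
INSIDE_CTRL_IP = "198.51.100.10"   # vlan 1 address of the inside controller
DMZ_CTRL_IP = "192.0.2.10"         # vlan 1 address of the DMZ controller

# Tunnel and DHCP blocks as posted (unread lines trimmed); '!' ends a block.
INSIDE_CFG = f"""
interface tunnel 1
tunnel source vlan 1
tunnel mode gre 0
tunnel destination {DMZ_CTRL_IP}
mtu 1350
tunnel vlan 200
!
"""

DMZ_CFG = f"""
interface vlan 200
ip address 172.31.100.1 255.255.252.0
operstate up
!
interface tunnel 1
tunnel source vlan 1
tunnel mode gre 0
tunnel destination {INSIDE_CTRL_IP}
trusted
mtu 1350
tunnel vlan 200
!
ip dhcp pool wifi-guest-pool
default-router 172.31.100.1
network 172.31.100.0 255.255.252.0
!
"""

def parse_blocks(cfg):
    """Split a '!'-terminated config into blocks; block[0] is the header line."""
    blocks, cur = [], []
    for line in (l.strip() for l in cfg.splitlines()):
        if line == "!" and cur:
            blocks, cur = blocks + [cur], []
        elif line and line != "!":
            cur.append(line)
    return blocks + [cur] if cur else blocks

def find_block(blocks, header):
    # A missing block is returned as a header-only block so every check still runs.
    return next((b for b in blocks if b[0] == header), None) or [header]

def field(block, *prefix):
    """Tokens following the given leading keywords, or None if the line is absent."""
    for tok in (line.split() for line in block[1:]):
        if tok[:len(prefix)] == list(prefix):
            return tok[len(prefix):]
    return None

def check_pair(inside_cfg, dmz_cfg, inside_ip, dmz_ip, tun="interface tunnel 1"):
    """Return a list of findings; an empty list means both ends agree."""
    it = find_block(parse_blocks(inside_cfg), tun)
    dmz = parse_blocks(dmz_cfg)
    dt = find_block(dmz, tun)
    out = []
    # First reply: "The non-dmz side of the tunnel is not trusted."
    for side, blk in (("inside", it), ("dmz", dt)):
        if field(blk, "trusted") is None:
            out.append(f"{side}: {tun} is not 'trusted'")
    # Third reply: each end's destination must be the other controller's address.
    for side, blk, peer in (("inside", it, dmz_ip), ("dmz", dt, inside_ip)):
        if field(blk, "tunnel", "destination") != [peer]:
            out.append(f"{side}: tunnel destination is not the peer address {peer}")
    # Bridged VLAN, encapsulation and MTU must agree on both ends.
    for key in (("tunnel", "vlan"), ("tunnel", "mode"), ("mtu",)):
        if field(it, *key) != field(dt, *key):
            out.append(f"{' '.join(key)} mismatch: inside={field(it, *key)} dmz={field(dt, *key)}")
    # The DMZ DHCP pool must sit on the VLAN interface that the tunnel bridges.
    vlan = (field(dt, "tunnel", "vlan") or ["?"])[0]
    vlan_if = find_block(dmz, f"interface vlan {vlan}")
    pool = next((b for b in dmz if b[0].startswith("ip dhcp pool")), ["ip dhcp pool"])
    addr, net, gw = field(vlan_if, "ip", "address"), field(pool, "network"), field(pool, "default-router")
    if not (addr and net and gw):
        out.append(f"dmz: interface vlan {vlan} address, pool network or default-router missing")
        return out
    iface = ipaddress.ip_interface(f"{addr[0]}/{addr[1]}")      # dotted netmask accepted
    pool_net = ipaddress.ip_network(f"{net[0]}/{net[1]}")
    if pool_net != iface.network:
        out.append(f"dmz: pool {pool_net} is not the vlan {vlan} subnet {iface.network}")
    if ipaddress.ip_address(gw[0]) != iface.ip:
        out.append(f"dmz: default-router {gw[0]} is not the vlan {vlan} address {iface.ip}")
    if field(vlan_if, "operstate") != ["up"]:
        out.append(f"dmz: interface vlan {vlan} is not 'operstate up'")
    return out

if __name__ == "__main__":
    for line in check_pair(INSIDE_CFG, DMZ_CFG, INSIDE_CTRL_IP, DMZ_CTRL_IP) or ["no findings"]:
        print(line)
```

Run as-is it prints the single finding for the posted configs (the inside tunnel is not trusted); paste in `show running-config` output from each controller, with the real `vlan 1` addresses as the two endpoint arguments, to rerun the same checks on a live pair.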
Re: Controller inside tunneling traffic to the one in the DMZ.
09-23-2013 02:54 PM
I figured out the issue was permissions on the acl assigned to the role given to the user. This works now, so thanks a lot for that!
However, the actual captive portal functionality is not working. That is, a user is assigned to the custom guest role, and he is able to resolve DNS and ping remote sites as per the rules. However, whenever he tries to go to google.com, which should force an automatic redirect to the captive portal page, it just hangs there.
Any hints?
Thanks!
Re: Controller inside tunneling traffic to the one in the DMZ.
09-23-2013 03:01 PM
Use the "ip cp-redirect-address <ip address of vlan 200>" command.
Re: Controller inside tunneling traffic to the one in the DMZ.
09-23-2013 03:05 PM
Will this work even if the local controller doesn't host this interface? Meaning, do I specify the IP of the <interface vlan 200> of the DMZ controller?
Re: Controller inside tunneling traffic to the one in the DMZ.
09-23-2013 03:07 PM
Re: Controller inside tunneling traffic to the one in the DMZ.
09-23-2013 03:12 PM
Thanks! That worked, without ip cp-redirect, actually. Do you know if there is a way to do this without explicitly defining the IP on the VLAN? I want to avoid having the local controller route this traffic locally.
Re: Controller inside tunneling traffic to the one in the DMZ.
09-23-2013 03:20 PM