ArubaOS and Controllers

Contributor II

Re: Controller inside tunneling traffic to the one in the DMZ.

Hi,
This worked perfectly.  Thanks a lot for a quick and detailed response!!!

Contributor II

Re: Controller inside tunneling traffic to the one in the DMZ.

My setup is a master controller internally with a tunnel group to two DMZ controllers that carries a VLAN with each DMZ controller hosting identical SVI's and DHCP pools.  This way, if the primary GRE tunnel goes down (due to missed keepalives), all traffic fails over to the secondary.  CP is hosted on the internal master, with a local non-routable SVI.  All of this seems to work well.

Now, I am trying to set up a local internal controller.  I joined it to the master and it got the entire WLAN configuration including a virtual-ap with a VLAN.  I am going to set up the same VLAN on the local, a tunnel group to the same DMZ controllers, and another non-routable SVI on the local.

Now, I want to ensure that the only traffic that is allowed from the DMZ controller to the Internal controller is either return packets for the traffic that was originated by clients of the internal controller(s), or traffic between clients on the internal controller(s).  I am looking to block any traffic initiated on the DMZ controller or behind it from being routed into this VLAN.

Thank you.

Guru Elite

Re: Controller inside tunneling traffic to the one in the DMZ.

If on the inside end of the tunnel, VLAN 200 has no ip routing inside, nothing can be routed by the controller.  If on the DMZ side of the controller you have a router as the default gateway for VLAN 200, that is the only way in or out.  The key is "no ip routing" on the nearside interface of VLAN 200.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Contributor II

Re: Controller inside tunneling traffic to the one in the DMZ.

I am not really concerned about traffic leaking from the GRE tunnel inside via one of the Internal controllers since the SVI on those is non-routable (as you mentioned).  As we have effectively 3 controllers sharing the same broadcast medium (VLAN that is tunneled from two internal controllers to the DMZ one), I want to ensure the following:

1. No traffic enters that VLAN unless it is return packets back to the client, by way of the controller, that initiated the traffic. I believe we are safe here thanks to the role that is assigned to a user.

2. Allowing traffic from a client behind one of the internal controllers to go up to the DMZ controller, and then back down to another client behind the second internal controller. Here, I want to make sure that the receiving controller does not start creating user sessions for these packets.  I am not sure if this is covered by the "trusted" clause on the tunnel interface.
I am not sure that I am clearly describing the intent so please let me know if this doesn't make sense.
Thanks.

Guru Elite

Re: Controller inside tunneling traffic to the one in the DMZ.

If your client role for those guest users included something like this:

user network (vlan 200) drop

Then the destination of that client's traffic could not be anything in VLAN 200 and that traffic would be dropped at the controller doing the enforcement.  They would only be able to send traffic to things that are outside of VLAN 200.

I hope that makes sense.

[EDIT] To ensure the security of your network, you should have someone in TAC or support or a VAR look over all the details of your configuration to ensure that it is secure.  Those people who have access to all the details would provide the best solution to your problem.  My answer is only a general one based on the limited information you are providing and is only a general suggestion.
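To make the two points in the replies above concrete, here is an added configuration sketch (not from the thread or from Aruba): the "no ip routing" SVI for VLAN 200 on the inside controller, and the sketched "user network (vlan 200) drop" rule written out as an ArubaOS session ACL bound to a guest role. The subnet 10.200.0.0/24, the addresses, and the names vlan200-subnet, guest-no-vlan200 and guest are assumed values; confirm the exact syntax against the ArubaOS user guide for your release.

```text
! VLAN 200 SVI on the inside controller.  The controller holds an address
! so it can terminate clients on the VLAN, but with routing disabled it
! never forwards packets into or out of VLAN 200; the only gateway is the
! router on the DMZ side.  Address and mask are assumed values.
interface vlan 200
  ip address 10.200.0.2 255.255.255.0
  no ip routing
!
! Destination alias covering the VLAN 200 subnet (assumed range).
netdestination vlan200-subnet
  network 10.200.0.0 255.255.255.0
!
! Session ACL: the concrete form of "user network (vlan 200) drop".
! Rules match top-down: anything a guest sends toward a VLAN 200 address
! is denied, everything else is permitted.
ip access-list session guest-no-vlan200
  user alias vlan200-subnet any deny
  user any any permit
!
! Bind the ACL to the role the captive portal assigns, so the controller
! doing role enforcement drops the traffic before it enters the tunnel.
user-role guest
  access-list session guest-no-vlan200
```

This is the blocking variant the reply describes; if inter-client traffic on VLAN 200 is wanted, as in the later posts, the deny rule is the one to leave out.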
Contributor II

Re: Controller inside tunneling traffic to the one in the DMZ.
It does make sense if I wanted to prevent traffic from the user to vlan 200.

I am actually trying to allow inter-user traffic on vlan 200, even if the users are on two different controllers that share this vlan.  I am not clear what role this traffic would be assigned to on the controller that is the recipient of the incoming traffic.

Guru Elite

Re: Controller inside tunneling traffic to the one in the DMZ.

Traffic that enters a controller on a trusted port does not have any rules applied.

Contributor II

Re: Controller inside tunneling traffic to the one in the DMZ.

That's what I was hoping to be the case.

Thanks a lot for the confirmation!