Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

L3GRE Tunnel bw two controllers to redirect Guest traffic to the DMZ controller

  • 1.  L3GRE Tunnel bw two controllers to redirect Guest traffic to the DMZ controller

    Posted Apr 07, 2014 06:14 PM

    Hi, I've been searching for how to configure an L3 GRE tunnel between two controllers. I haven't found good resources so far; I only find information about L2 GRE, and it works just fine when I configured it.

    I need to configure L3 GRE between two controllers: one in the Operation Zone (OZ), which has the SSID and authentication config for Guest with pre-shared key authentication; the other in the DMZ, where the DHCP server exists and should serve the Guest users with IP addresses and, in the end, route the Guest traffic.

    I need to know the flow of the traffic from connection, to authentication, to getting the IP address, to accessing the network resources.

    I have configured the following:

    1- Controller on the OZ:

    Guest VLAN.

    Wireless configuration for pre-shared key authentication for the guest SSID.

    Tunnel interface with IP address, tunnel source, tunnel destination, MTU, keepalive.

    User derivation rule to put the users that connect to the guest SSID into a role, and an access list applied to that role to redirect all the traffic to the tunnel interface.

    2- Controller on DMZ:

    Guest VLAN.

    IP address for the interface of the Guest VLAN.

    IP helper address on the Guest VLAN interface (pointing to the DHCP server on the DMZ network).

    Tunnel interface with IP address, tunnel source, tunnel destination, MTU, keepalive.

    On both controllers there is a static route pointing to a firewall that allows routing on the network as well as policy for network traffic.

    I did configure the same network for L2 GRE and it worked; when I switched to L3 GRE, the client doesn't get an IP address from DHCP and I can't find it on the OZ controller...

    Shall I add a route for the L3 GRE to work? I configured both tunnel sides as trusted. Has anyone configured User Derivation and got it working for directing guest traffic to the tunnel interface?

     

    Thank you and have a great day.




  • 2.  RE: L3GRE Tunnel bw two controllers to redirect Guest traffic to the DMZ controller

    EMPLOYEE
    Posted Apr 07, 2014 10:05 PM

    Why wouldn't you just use an L2 tunnel? What can you not accomplish with a Layer 2 tunnel?

    Please look at the article here:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-717




  • 3.  RE: L3GRE Tunnel bw two controllers to redirect Guest traffic to the DMZ controller

    Posted Apr 08, 2014 10:44 AM

    Thank you for your reply :smileytongue:

    I had a conversation with Aruba Support and they clarified the meaning of GRE L2 versus L3:

    - Layer 2 GRE:

    Can be used between the DMZ controller and the OZ controller (both are Aruba) as long as the Guest VLAN exists on both controllers. The DMZ will support the Guest with a DHCP service; DMZ devices and the network know about the Guest VLAN and are able to route the traffic for the Guest user.

    - Layer 3 GRE:

    Two different VLANs, one on the DMZ controller and one on the OZ controller (the two controllers have no knowledge of the VLAN that exists on the other controller). If we need these two VLANs to communicate across GRE, then we have to create a policy to direct the traffic of this VLAN from OZ to DMZ, as well as a static route on both controllers to direct traffic to the required VLAN.
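    The L3 layout that Support describes (separate guest subnet on each controller, a policy that sends guest traffic into the tunnel, and a static route on each side), written out as an added example rather than anything from this thread or from Aruba's documentation. It assumes ArubaOS 6.x CLI syntax, uses placeholder addresses, and adds one assumption of its own: because a routed tunnel does not carry the client's DHCP broadcasts, the OZ guest VLAN interface relays DHCP to the DMZ server, so the DHCP server needs a scope for the OZ guest subnet.

```text
! Added example, not from the thread. Assumed ArubaOS 6.x syntax; addresses are placeholders.
! ---------- OZ controller (hosts the Guest SSID) ----------
interface vlan 100
  description "Guest VLAN on OZ, its own subnet"
  ip address 10.100.0.1 255.255.255.0
! Relay DHCP to the DMZ server: client broadcasts do not cross a routed (L3) tunnel
  ip helper-address 192.0.2.10
!
interface tunnel 10
  description "L3 GRE to DMZ controller"
  tunnel mode gre ip
  tunnel source 198.51.100.1
  tunnel destination 198.51.100.2
  ip address 172.16.255.1 255.255.255.252
  mtu 1400
  tunnel keepalive
  trusted
!
! Static routes: DMZ guest subnet and the DHCP server are reached via the tunnel peer
ip route 10.200.0.0 255.255.255.0 172.16.255.2
ip route 192.0.2.0 255.255.255.0 172.16.255.2
!
! Policy: let DHCP reach the controller's own relay first, then send the rest into the tunnel
ip access-list session guest-to-dmz
  user any svc-dhcp permit
  user any any redirect tunnel 10
!
user-role guest
  access-list session guest-to-dmz
!
! User derivation: anyone on the Guest SSID lands in the guest role
aaa derivation-rules user guest-udr
  set role condition essid equals "Guest" set-value guest
!
! ---------- DMZ controller ----------
interface tunnel 10
  description "L3 GRE to OZ controller"
  tunnel mode gre ip
  tunnel source 198.51.100.2
  tunnel destination 198.51.100.1
  ip address 172.16.255.2 255.255.255.252
  mtu 1400
  tunnel keepalive
  trusted
!
! Return route for the OZ guest subnet, plus the default toward the DMZ firewall
ip route 10.100.0.0 255.255.255.0 172.16.255.1
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

    The DMZ firewall and the DHCP server also need a route for 10.100.0.0/24 back to the DMZ controller, otherwise offers and return traffic for OZ guests have nowhere to go.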