Community Home > Discuss > Technology > Security > Re: Setup 2nd guest network

Security

Reply
skylogic
Occasional Contributor II
skylogic

Setup 2nd guest network

‎03-11-2019 02:22 PM

Aruba 3400 controller
I need to setup a 2nd 'guest' network using the DHCP from my Aruba 3400. I currently have 3 SSIDs- each on their own VLAN, and all using the same AP Groups.

VLAN ID IP Address Net Mask Associated Ports Admin State Operation State Mode
1 192.168.100.2 255.255.255.0 Pc0-7 Enabled Down Regular
600 172.16.138.3 255.255.255.128 GE1/1 Enabled Up Regular
700 (Ext. DHCP) 192.168.254.104 255.255.255.0 GE1/2 Enabled Up Regular
701 172.16.165.2 255.255.255.0 GE1/0,GE1/3 Enabled Up Regular

 

I would like to create 'Guest2', and use the 3400's DHCP service to assign addresses.

This 'Guest2' will be isolated from other users and WLANS, and will be used by a limited number of devices.

Going through the WLAN wizard, I'm getting confused and have to cancel out, not knowing how to properly proceed without possibly affecting my existing WLANs.

- When at 'Specify WLAN for Group default', can I 'copy' the current 'Guest1' VLAN and modify it's config?

- Or do I start the new from scratch and create a VLAN for 'Guest2'?

- I also need to make sure the new WLANs SSID is hidden.

I'm kind of lost, and any advice would be greatly appreciated.

Thanks in advance!

Alert a Moderator
Message 1 of 21
826 Views
Reply
0 Kudos
MVP Expert
MVP Expert
mharing

Re: Setup 2nd guest network

‎03-12-2019 07:49 AM

I would personally recommend not using the WLAN wizard. To build a fully functional WLAN you need three things - a AAA profile, an SSID profile, and a containing profile known as a VAP or Virtual-AP profile. Each of these profiles have their own components, but for simplicity sake, let's say you need to do the following:

 

1. Create a new VLAN on the controller

2. Build the DHCP scope for that VLAN

3. Add that VLAN to a port

4. Build a AAA profile, can probably be the same as current guest

5. Build an SSID profile, this will be unique because the SSID will be different and hidden

6. Build a VAP profile, this will tie together the AAA, SSID, and define the VLAN.

7 Go into your AP group(s) and add the new VAP to the groups you want to broadcast it. 

 

If you want to be extra cautious about effecting your other guest network, I would at least copy the existing guest AAA profile and rename it, in case you want to make changes in the future.

 

Does that make sense? If you Google Aruba Networks Profile Diagram, you should be able to find a diagram showing how all profiles are tied together.

 

For reference, you can also log into CLI and do a "show run" and grab each component of your current Guest network to better understand how they all tie together.


Michael Haring
If my answer is helpful, a Kudos is always appreciated!
Alert a Moderator
Message 2 of 21
782 Views
Reply
Highlighted
skylogic
Occasional Contributor II
skylogic

Re: Setup 2nd guest network

‎03-13-2019 02:32 PM

Thanks, Michael- this is the first info I've been able to follow. I'll ry the steps you've mentioned, and let you know how it goes. Thank you kindly for your time and your help!

 

Be Well!

Alert a Moderator
Message 3 of 21
745 Views
Reply
0 Kudos
MVP Expert
MVP Expert
mharing

Re: Setup 2nd guest network

‎03-14-2019 11:21 AM

Happy to help, let us know how it works out!


Michael Haring
If my answer is helpful, a Kudos is always appreciated!
Alert a Moderator
Message 4 of 21
723 Views
Reply
0 Kudos
skylogic
Occasional Contributor II
skylogic

Re: Setup 2nd guest network

‎03-18-2019 03:03 PM

Everything went well, it seemed. I followed your instructions, filling in the details by comparing the existing config, and reading up on the topics here. Cloned the appropriate profiles, etc., and I have the new WLAN\SSID, and it's providing IPs from the internal DHCP service on the 3400.

No internet access, however. Not sure where\how to check for the proper DNS to enter, or if I should be using NAT or a NAT pool (please excuse- this is my first foray into the config of this unit, besides the occassional update to AOS.)

 

How could  I go about checking the proper config for internet access for this newly created WLAN\VLAN\SSID?

Alert a Moderator
Message 5 of 21
666 Views
Reply
0 Kudos
MVP
MVP
cclemmer

Re: Setup 2nd guest network

‎03-18-2019 04:42 PM

Can you provide the output from "show wlan virtual-ap" for both the original guest SSID and the newly created SSID?

 

From there, we'll compare the VLAN configurations to sort out if/where NAT is being applied.


Charlie Clemmer
Aruba Customer Engineering
Alert a Moderator
Message 6 of 21
656 Views
Reply
0 Kudos
skylogic
Occasional Contributor II
skylogic

Re: Setup 2nd guest network

‎03-19-2019 10:23 AM

Sure, here's what I get with show wlan virtual-ap

 

Virtual AP profile List
-----------------------
Name                       References  Profile Status
----                       ----------  --------------
default                    0
Acme_Regional-vap-profile  1
Acme_Guest-vap-profile     1
Acme_RAP-vap_prof          1
Acme_Guest2nd-vap_prof     1
test-vap-profile           0
test-vap_prof              0
Acme_nursing-vap-profile   1

Total:8

Alert a Moderator
Message 7 of 21
624 Views
Reply
0 Kudos
MVP
MVP
cclemmer

Re: Setup 2nd guest network

‎03-19-2019 10:37 AM

Okay, so now we need "show wlan virtual-ap Acme_Guest-vap-profile" and "show wlan virtual-ap Acme_Guest2nd-vap_prof" to compare the two WLANs.


Charlie Clemmer
Aruba Customer Engineering
Alert a Moderator
Message 8 of 21
620 Views
Reply
0 Kudos
skylogic
Occasional Contributor II
skylogic

Re: Setup 2nd guest network

‎03-19-2019 12:51 PM

With the exception of the profile names, they seem to appear identical unless I'm overlooking something.

 

Virtual AP profile "ACME_Guest-vap-profile"
------------------------------------------
Parameter                                       Value
---------                                       -----
QinQ Outer VLAN                            0
Virtual AP enable                            Enabled
Allowed band                                  all
AAA Profile                                     ACME_GUEST-aaa-profile
802.11K Profile                               default
SSID Profile                                    ACME_GUEST-ssid-profile
VLAN                                              700
Forward mode                                tunnel
Deny time range                             N/A
Mobile IP                                       Enabled
HA Discovery on-association        Disabled
DoS Prevention                             Disabled
Station Blacklisting                        Enabled
Blacklist Time                                3600 sec
Dynamic Multicast Optimization (DMO)       Disabled
Dynamic Multicast Optimization (DMO)       Threshold  6
Authentication Failure Blacklist Time           3600 sec
Multi Association                               Disabled
Strict Compliance                              Disabled
VLAN Mobility                                   Disabled
Preserve Client VLAN                       Disabled
Remote-AP Operation                       standard
Drop Broadcast and Multicast           Enabled
Convert Broadcast ARP requests to unicast       Enabled
Band Steering                                   Disabled
Steering Mode                                   prefer-5ghz
VLAN POOL SIZE                             0
WMM Traffic Management Profile     N/A

 

Virtual AP profile "ACME_GUEST2nd-vap_prof"
---------------------------------------
Parameter                                       Value
---------                                       -----
QinQ Outer VLAN                           0
Virtual AP enable                            Enabled
Allowed band                                  all
AAA Profile                                     ACME_GUEST2nd-aaa_prof
802.11K Profile                               default
SSID Profile                                    ACME_GUEST2nd-ssid_prof
VLAN                                              759
Forward mode                                tunnel
Deny time range                             N/A
Mobile IP                                       Enabled
HA Discovery on-association        Disabled
DoS Prevention                             Disabled
Station Blacklisting                        Enabled
Blacklist Time                                3600 sec
Dynamic Multicast Optimization (DMO)            Disabled
Dynamic Multicast Optimization (DMO) Threshold  6
Authentication Failure Blacklist Time           3600 sec
Multi Association                               Disabled
Strict Compliance                             Disabled
VLAN Mobility                                   Disabled
Preserve Client VLAN                       Disabled
Remote-AP Operation                       standard
Drop Broadcast and Multicast           Enabled
Convert Broadcast ARP requests to unicast       Enabled
Band Steering                                   Disabled
Steering Mode                                   prefer-5ghz
VLAN POOL SIZE                             0
WMM Traffic Management Profile     N/A

Alert a Moderator
Message 9 of 21
609 Views
Reply
0 Kudos
skylogic
Occasional Contributor II
skylogic

Re: Setup 2nd guest network

‎03-19-2019 12:52 PM

Oops- And the VLANS.

Alert a Moderator
Message 10 of 21
608 Views
Reply
0 Kudos
Search Airheads
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2019 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium