Wired Intelligent Edge

Hi all,

 

I'm working on some aruba gear and try to figure something out with NAT. It is long ago that I did some NAT configuration, however this was not with Aruba gear.

 

The topology is as followed:

The modem is from my ISP it does NAT and DHCP, but I want to put this in bridge mode and use the 2930f as NAT router. However, as I already read, the 2930f is a L3 swich and does not provide NAT functionality.

I did some research how to solve this, but I do not know what is wise.

 

1) Use the Branch Controller 7005 as NAT device. Than I need to connect the modem to the branch controller and the branch controller to the 2930f. However, is it good to move the Branch Controller to the edge?

 

2) Use the same topology as seen in the picture, and install on the NUC Sophos XG Firewall Home Edition. This should be a firewall and able to handle NAT(?), I don't have any experiences with this. However, I never configured a FW as a virtual server on the L3 SW. Normally the FW should be between the ISP and the L3 SW.

 

What are your ideas?

#2530
#7005
#2930F

Hi Mark,

 

Yes, you need a "router" with support of NAT...

the better solution is a firewall !

 

You can use 7005 but i think, it is used for other stuff ?

The 7005, I've 2, are my mobility controllers in combination with the mobility master. I can go with 1 controller of course and 1 as branch router/NAT, but that will take the advantaged of the Mobility Master away since it is only 1 controller.

So, than I guess the Sophos XG is the option I'll take. Aruba NAT capability devices are only the 7000 and 7200 serie or can the SD WAN 9004 also do NAT? Don't know the price range of that device.

 

Just need a NAT device, don't really care if this will be through a 3rd party Sophos XG virtual Firewall or something from Aruba. I do want to play with the Mobility Master, so I do think I need both of the 7005 as controller right?

Hi! If I were you - considering you already have a NUC with at least two Ethernet interfaces (one will have the WAN role, the other one will have the LAN role) - I would immediately deploy an open source Firewall appliance - like the one developed by www.opnsense.org - as my perimeter Firewall leaving the Aruba 7005 protected inside my trusted portion of internal Network.

Thanks Parnassus, sadly the intel NUC doesn't have two NICS.

Looking into that as well if there are any 'hacks' to create a second NIC on the NUC. 

 

I do think in ESXI it is possible to create a virtual switch and so you can create more than 1 NIC. If anyone has experience in that please share.

Yes, ESXI support vlan tagged... need to add a PortGroup

 

yes, it is possible to use opnsense or pfsense too !

Thanks guys! I'm going to look into the Aruba 9004 Gateway. I assume this device can do NAT right?

 

For now I have temporarily a router from another vendor.

I'll install the firewall on the NUC with 1 NIC and configure the port as a trunk. The one-armed firewall principle.

Yes, the 9004 is the new generation of 70xx