Wired Intelligent Edge (Campus Switching and Routing)

Tunnel mode to multiple controllers?

Hi,

I have some switches doing tunnelled mode for a set of users. I have a requirement to do tunnelled mode for a new set of users - only this time, I want to buy new controllers and have them tunnel to that instead.

Can I set this within ClearPass / the switch (3810)? Add a new profile / role for this new tunnelled mode to go to a different controller?

Thanks

All Replies

Re: Tunnel mode to multiple controllers?

Hi,

You can only tunnel to a single controller or single cluster from a switch in AOS-Switch. A switch cannot tunnel to multiple, separate controllers or clusters.

Justin


Re: Tunnel mode to multiple controllers?

Thanks very much

Re: Tunnel mode to multiple controllers?

Could I do tunnelled mode with 2 different profiles? So tunnel my guest traffic (what I'm doing currently), then tunnel some other wired traffic to the same controller but give it a different role / profile so that traffic is treated differently by the controller?

Thanks

Re: Tunnel mode to multiple controllers?

Yes, absolutely, that's the idea behind user based tunneling.  Each role has its own unique policy applied to it.  You can even block traffic role to role at the controller.


Re: Tunnel mode to multiple controllers?

Perfect, so in theory I could do the following (all tunnelled mode from the switch - wired and wireless):

Guest internet role
Department 1 role
Department 2 role
....
Department 100 role

How would the controller differentiate between the roles? My guest internet is already in place

But these new departments I want to bring on board and keep separated; I was going to put them all in the same AD and use security groups as the differentiator. Maybe up to 100 of them ... all controlled from my controller pair. Would this work?

And by default have them not allowed to talk to each other?

Thanks

Re: Tunnel mode to multiple controllers?

So each wired tunnel has a primary role (switch) and a secondary role (controller). The controller role is where you would put your policy in to restrict or grant access to other roles. Each role will have to have policy designed to do so.

For AD, you'd have to tie the user role in the ClearPass Enforcement Policy to the AD user that you would want the specific role applied to.
