Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

DHCP from RAP local server not controller

  • 1.  DHCP from RAP local server not controller

    Posted Feb 28, 2012 05:43 PM

    Hello everyone -

     

    Leave it to me to have another odd question :)

     

    So we have the controller located in one office (site1), with mpls connections to 2 other offices (site2 and site3) (10mb connection). Each of the offices at the end of the mpls connection has a local DHCP server on their network. The main location has 2 dhcp servers.

     

    So here's what we see: when a person connects to the RAP at site 2, the IP address of the computer comes from the DHCP server at site1. We are seeing some issues with routing on this and would rather have the DHCP servers at site2 and site3 hand out IP addresses to all wireless clients at those locations.

     

    So is this even possible? (hopefully this makes sense...)

     

    Lirria

     



  • 2.  RE: DHCP from RAP local server not controller

    EMPLOYEE
    Posted Feb 28, 2012 05:46 PM

    Change the forwarding mode of that Virtual AP at those locations to "Bridged" instead of "tunneled"

     



  • 3.  RE: DHCP from RAP local server not controller

    Posted Feb 29, 2012 11:31 AM

    How will that affect local traffic - will all local traffic still be sent through the RAP's local internet connection, not the connection at site1?

     

    Currently all remote aps are set to split-tunnel.

     

     

    Lirria



  • 4.  RE: DHCP from RAP local server not controller

    EMPLOYEE
    Posted Feb 29, 2012 11:51 AM
    Local traffic will be bridged to the local network (the subnet of the RAP). It will follow the traffic patterns of whatever you are doing locally in that subnet.


  • 5.  RE: DHCP from RAP local server not controller

    Posted Feb 29, 2012 11:58 AM

    So instead of split-tunnel I really want bridged?

     

    I just don't want to make a massive change that adversely impacts the 7 remote APs that we are currently running.

     

    And (just because I'm very confused at the moment) how will this impact the RAP5s and RAP2s that are deployed? Will the clients there actually pull an IP from their local systems too?

     

    Don't get me wrong - this sounds like exactly what I'm needing - just want to be sure before changing it.

     

     

    Lirria



  • 6.  RE: DHCP from RAP local server not controller

    EMPLOYEE
    Posted Feb 29, 2012 12:21 PM
    If all those RAPs are on your private WAN, you can make the change. If not, you need to create an AP group for APs that are on your private WAN and change the forwarding mode of that virtual AP to bridged.


  • 7.  RE: DHCP from RAP local server not controller

    Posted Feb 29, 2012 12:34 PM

    So it sounds like I need 2 different virtual AP configurations:

     

    1 for the ones on the MPLS (direct connect to our offices),

     

    and then 1 for the RAPs which just come in over their local ISP.

     

    I'll create a new virtual AP group, put the ones on the MPLS on it and see what happens.

     

    Keep your fingers crossed :)

     

    Lirria



  • 8.  RE: DHCP from RAP local server not controller
    Best Answer

    EMPLOYEE
    Posted Feb 29, 2012 12:48 PM
    You will also need to make sure the default dot1x role in the new AAA profile for that virtual AP allows all traffic, and does not have split rules.


  • 9.  RE: DHCP from RAP local server not controller

    Posted Feb 29, 2012 11:28 PM

    Well, that didn't go so well - I must have some errors someplace - couldn't even pull an IP from the local network, traffic not flowing at all - *sigh* I'll recheck tomorrow - must have missed something in the config.

     

    Lirria



  • 10.  RE: DHCP from RAP local server not controller

    EMPLOYEE
    Posted Feb 29, 2012 11:52 PM

    When you change the Virtual AP to bridged, change the VLAN to 1, as well.

     

    Why? In the AP group, there is an AP system profile which contains the Native VLAN parameter, which decides if traffic that is bridged will be tagged (if the VAP VLAN doesn't match this Native VLAN parameter), or just passed through (if the Virtual AP VLAN does match -- by default it is one). If it is anything besides one, it will tag the traffic, and it will not work.

     



  • 11.  RE: DHCP from RAP local server not controller

    Posted Mar 01, 2012 05:38 PM

    Well, changed the VLAN to be 1, tried again - we can get to the internet, but not to the networks at the main site. I'll have to march back through the configs again and see if I missed something. Any other thoughts? It's really causing some havoc with routing due to the site1 IP addresses being used.

     

    Lirria

     

     



  • 12.  RE: DHCP from RAP local server not controller

    EMPLOYEE
    Posted Mar 01, 2012 06:24 PM
    What are the ACLs on the role that the user gets? What could be blocking him besides your Aruba configuration?


  • 13.  RE: DHCP from RAP local server not controller

    Posted Mar 04, 2012 05:06 PM

    Well, it's difficult to say - because I'm at home, on the RAP2, and can't seem to get anything on the network - so I can't really tell what role I am getting :(

     

    Difficult to troubleshoot this one - I don't have anybody that can test without taking them fully offline for the duration. So I'm stuck trying to test off hours in my spare time.

     

    I'm sure I'm just missing something in the config - I know it all comes down to the configuration and getting things set right - but I just can't see it. :(

     

    I can say that I am successfully pulling an IP from the local (home) network - so that's a start - I just can't get the traffic to flow to the corporate network now. Interestingly enough, I can ping the corp default gateway - I just can't ping or get to anything else - so I know it's an ACL issue now.

     

    I have changed the session ACL under Advanced Services > All Profile Management > AP > AP System Profile > myprofile and have had no luck getting anything to work as I expect.

     

    Guess I'll read some more on the controller and see if I can figure out what I'm missing.

     

    Lirria

     

     



  • 14.  RE: DHCP from RAP local server not controller

    EMPLOYEE
    Posted Mar 04, 2012 05:47 PM

    If you are pulling an IP address from home, there is no way that you will reach corporate. Your traffic is probably bridged, and bridging only works for a private WAN. If you are at home it needs to be tunnel or split tunnel.

     

    EDIT: Please open a case with support, because it is going to be very painful for you to resolve without any visibility to the controller through this forum. They can certainly tell you where to go from here.

     



  • 15.  RE: DHCP from RAP local server not controller

    Posted Mar 08, 2012 06:16 PM

    Just wanted to follow up on this - and add my findings.

     

    First off, don't you just hate it when you have one of those Doh! moments? (OK, some people call them Eureka - this is definitely a Doh!)

     

    It really helps if you remember the basics of networking, and for a network engineer to forget that, it's definitely Doh!

     

    So the RAP, set in tunnel mode, did just what it was supposed to - pulled an IP from the local DHCP server. What I was forgetting in testing with a RAP2 at home is, well, it had no routes to the remote server, so there was no way for traffic to properly flow (hence the doh). Once I remembered that, things went a bit better - tried for real on one of the office APs over the MPLS circuit. Devices did just what we wanted, pulled a local IP from the on-site DHCP server - however.... All the security of the Aruba system had now been bypassed. Because they had a routable IP from the local server, all user and machine authentication was bypassed and the computers all had full access to the entire network - not good from a security standpoint. So we have reverted back to the way we had been doing it to keep the security in place and keep non-authorized systems from accessing anything on the network.

     

    My bad for not thinking about the network routing - and (for the moment) I'll remember that, well, until the next fire that takes my focus away and I forget everything.... Such is the way of support.

     

    So thank you all

     

    Lirria.



  • 16.  RE: DHCP from RAP local server not controller

    EMPLOYEE
    Posted Mar 08, 2012 08:29 PM

    What does "security has been bypassed" mean?

     



  • 17.  RE: DHCP from RAP local server not controller

    Posted Mar 08, 2012 08:47 PM
    Because the IPs were from the local site, and because we have an MPLS circuit between the two, all local traffic was going over the MPLS line, even if it was a device that did not meet the user and machine authentication. Which makes sense, because our routing is based on IP, and the systems pulled local IPs. This means that if somebody brings in a computer from home, wants Internet access, they actually end up with full internal access to all systems. At least that's what the initial testing was showing. Does that make sense?

    Lirria


  • 18.  RE: DHCP from RAP local server not controller

    EMPLOYEE
    Posted Mar 08, 2012 08:49 PM

    Yes, I do.

     

    Thank you.
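As an added example (not from this thread, and not Aruba's own tooling): a small Python audit over a constructed, simplified ArubaOS-style configuration that flags the three bridged-mode pitfalls raised in posts 8, 10 and 15/17: a virtual AP VLAN that differs from the AP system profile's native VLAN, a default dot1x role that still carries split-tunnel rules, and the fact that bridged clients bypass controller role enforcement for traffic on the local subnet. The config layout and the use of `route src-nat` as the marker for a split-tunnel rule are assumptions made for illustration.

```python
SAMPLE_CONFIG = """\
ap system-profile "mpls-sys"
   native-vlan-id 1
ip access-list session "split"
   any any any route src-nat
user-role "split-role"
   access-list session split
aaa profile "corp-aaa"
   dot1x-default-role split-role
wlan virtual-ap "corp-mpls"
   forward-mode bridge
   vlan 20
   aaa-profile "corp-aaa"
ap-group "mpls-offices"
   virtual-ap "corp-mpls"
   ap-system-profile "mpls-sys"
"""  # constructed sample in a simplified ArubaOS-like layout (not a real export)
def parse_blocks(text):
    """Map (block kind, name) -> list of its indented child lines, stripped."""
    blocks, cur = {}, []
    for raw in text.splitlines():
        if raw.strip() and raw[0] != " ":          # header line, e.g. ap-group "x"
            kind, name = raw.strip().rsplit(" ", 1)
            cur = blocks.setdefault((kind, name.strip('"')), [])
        elif raw.strip():
            cur.append(raw.strip())
    return blocks
def child(lines, key):
    """Last word of the first child line whose first word is key, or None."""
    hits = [l.split()[-1].strip('"') for l in lines if l.split()[0] == key]
    return hits[0] if hits else None
def audit_bridged_vaps(text):
    """Findings for each bridged virtual AP, covering the pitfalls raised in the thread."""
    b, findings = parse_blocks(text), []
    for (kind, vap), lines in b.items():
        if kind != "wlan virtual-ap" or child(lines, "forward-mode") != "bridge":
            continue
        for (gk, grp), gl in b.items():   # post 10: VAP VLAN must equal the native VLAN
            if gk == "ap-group" and any(l.split()[-1].strip('"') == vap for l in gl if l.startswith("virtual-ap")):
                sysp = b.get(("ap system-profile", child(gl, "ap-system-profile")), [])
                if (child(lines, "vlan") or "1") != (child(sysp, "native-vlan-id") or "1"):
                    findings.append(f"{vap}: vlan differs from native-vlan-id in ap-group {grp}; bridged frames get tagged")
        aaa = b.get(("aaa profile", child(lines, "aaa-profile")), [])   # post 8: no split rules in default role
        role = b.get(("user-role", child(aaa, "dot1x-default-role")), [])
        acl = b.get(("ip access-list session", child(role, "access-list")), [])
        if any("route src-nat" in l for l in acl):
            findings.append(f"{vap}: default dot1x role carries split-tunnel (route src-nat) rules")
        # posts 15/17: bridged clients sit on the local subnet, so controller roles no longer gate it
        findings.append(f"{vap}: bridged; controller role/ACL enforcement does not apply to local traffic")
    return findings
```

The last finding is reported for every bridged VAP regardless of the other settings, because it is a property of bridged forwarding itself rather than a misconfiguration: once clients hold a locally routable address, any access control has to be enforced on the LAN side.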