Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

DMZ Controller questions

  • 1.  DMZ Controller questions

    Posted Apr 21, 2016 01:38 PM

    Hello, I'm doing a deployment of a WLAN in which, in the design, we have a controller which is on the DMZ.

    We have to tunnel all the guest traffic from all the other controllers.

    All the other controllers would be:

    2 master controllers, one active and one standby with VRRP

    x amount of local controllers in different sites

    Now I know that you have to create a GRE tunnel from each controller, I mean from every local controller, to that DMZ controller for the guest network that will just exist in that DMZ controller.

     

    1- Can this controller be a local controller of the pair of master controllers I'll have in the data center? It's just that I would like to use the centralized licensing.

    2- Do I need an extra license here, a firewall license or something like that, for example a PEFNG license?

    3- Ports that I need to open between the DMZ controllers and ALL the other controllers would be:

    • PAPI (udp/8211 and tcp/8211)
    • IP-IP (protocol 4) - if L3 mobility is enabled
    • IPSEC/NAT-T (udp/4500) -
    • GRE (protocol 47)
    • HTTPS (tcp/443 and tcp/4343)
    • SSH (tcp/22)
    • SNMP (udp/161 and udp/162)

    Am I missing any port?

     

    Cheers

    Carlos

     

     



  • 2.  RE: DMZ Controller questions

    EMPLOYEE
    Posted Apr 21, 2016 03:34 PM

     

    1- Can this controller be a local controller of the pair of master controllers I'll have in the data center? It's just that I would like to use the centralized licensing.

    It can be a local or a master.  Most people use a master controller so that configuration on that device is not tied to any other controllers, if there is an outage.  I would not bother trying to use centralized licensing, because the licensing would be minimal, like 1 AP license and 1 PEF license.  You would only be configuring policy on wired traffic, not AP traffic.

    2- Do I need an extra license here, a firewall license or something like that, for example a PEFNG license?

    For maximum flexibility, you would need the PEF license, yes.  Since you would not terminate any access points on that controller, you would only need 1 AP and 1 PEF license.

    3- Ports that I need to open between the DMZ controllers and ALL the other controllers would be:

    If you are tunneling GRE you would need protocol 47 between those DMZ controllers and your other controllers.



  • 3.  RE: DMZ Controller questions

    Posted Apr 21, 2016 03:47 PM

    Hello Collin,

    If they do not have this extra license, is there any issue if we put it as a local controller, besides depending on the master controller to do some configs?



  • 4.  RE: DMZ Controller questions

    Posted Apr 21, 2016 03:56 PM

    Collin,

    If I have 50 licenses and 50 APs:

    Even if I do centralized licensing, I would need 1 EXTRA license of AP and PEFNG to do this, right?

    So it doesn't really matter if I use centralized licensing or not.

     

    Cheers

    Carlos



  • 5.  RE: DMZ Controller questions

    EMPLOYEE
    Posted Apr 21, 2016 04:00 PM

    Making it a local controller would mean that you would have to allow other ports between the DMZ controller and the other controllers.  Also if anything would happen to the master controller, you would lose the ability to configure the DMZ controllers, unless you change them to masters and reboot them.  You honestly don't want the DMZ controllers tied to any other controllers;  that is why you have them in the DMZ.  

     

    Alternatively, you could just have WLAN controllers tunnel the guest VLAN to the DMZ controllers, but have the WLAN controllers do all of the policy enforcement, so that the DMZ controllers would not need any PEF licenses.   You would not need centralized licensing and you would only need GRE opened between the DMZ controllers and the WLAN controllers.  A side benefit of this is that the guest users will show up on the WLAN controllers and APs and not in the wired user table of the DMZ controllers, so Airwave will correctly show what APs guest users are connected to.  The DMZ controllers would provide DHCP and route the guest traffic wherever it needs to go, but the Captive Portal would be provided by the WLAN controllers....



  • 6.  RE: DMZ Controller questions

    Posted Apr 21, 2016 09:43 PM

    Thanks Collin

     

    That looks like a nice solution.  Would this impact security in any way, having the captive portal on the master (which is on the internal network) instead of the captive portal on the DMZ controller?

    I guess not, because that interface is still on a VLAN which can only leave that VLAN through the firewall that is connected to the DMZ controller, but still... it never hurts asking for a second opinion.

    Cheers

    Carlos



  • 7.  RE: DMZ Controller questions

    EMPLOYEE
    Posted Apr 21, 2016 09:51 PM
    The WLAN controllers would have an IP address on the subnet that is provided by the DMZ controllers and would bring up the Captive Portal on that interface (IP cp-redirect-address). That IP address would not be routable and the default gateway would be in the DMZ. On top of that the initial and guest roles on the wlan controller would block traffic to any destination that you do not want it to go through using firewall policies.


  • 8.  RE: DMZ Controller questions

    Posted Apr 21, 2016 10:42 PM

    Thanks Collin

    One last question

    For the GRE tunnels, would you do them from the local controllers to the master/standby controller and another GRE tunnel from the master/standby controller to the DMZ controller?

    For the GRE tunnels to the master/standby controller, I guess I point to the virtual IP of the HA, right?

     

    Cheers

    Carlos



  • 9.  RE: DMZ Controller questions



  • 10.  RE: DMZ Controller questions

    Posted Apr 22, 2016 03:32 PM

    hahah

    Thank you Collin, you just saved me a lot of time.  I'll have that in mind when configuring this!

     

    Thanks again!!!

     

    Cheers

    Carlos



  • 11.  RE: DMZ Controller questions

    Posted May 09, 2016 06:26 PM

    Collin

    Question

    If you have many controllers and you need to build many tunnels to the DMZ controller, do you build a tunnel for each one on the DMZ controller? Also, do you use the same source for each tunnel?

    For example

    On DMZ controller

    interface tunnel 60
            tunnel source 10.10.10.5
            tunnel mode gre 0
            tunnel destination 10.10.20.5
            tunnel vlan 5
            trusted

    interface tunnel 61
            tunnel source 10.10.10.5
            tunnel mode gre 0
            tunnel destination 10.10.30.5
            tunnel vlan 5
            trusted

    On local controller 1

    interface tunnel 60
            tunnel source 10.10.20.5
            tunnel mode gre 0
            tunnel destination 10.10.10.5
            tunnel vlan 5
            trusted

    On local controller 2

    interface tunnel 61
            tunnel source 10.10.30.5
            tunnel mode gre 0
            tunnel destination 10.10.10.5
            tunnel vlan 5
            trusted

    Would this be a correct config for the tunnels?

     

    Cheers

    Carlos 
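As an added example (not code from the thread or from HPE Aruba Networking), the Python script below parses tunnel blocks in the form posted above and checks that every DMZ tunnel has exactly one mirrored peer on a local controller (source and destination swapped) with the same GRE mode/key, the same tunnel VLAN, and trusted on both ends. The controller names dmz, local1 and local2 are assumed labels, and the sample config is constructed from Carlos's post.

```python
import re
def parse_tunnels(controller, text):
    """Parse 'interface tunnel N' blocks of ArubaOS-style config into dicts."""
    tunnels, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface tunnel (\d+)", line)
        if m:
            cur = {"ctl": controller, "id": int(m[1]), "trusted": False}
            tunnels.append(cur)
        elif cur is None or not line:
            continue
        elif line == "trusted":
            cur["trusted"] = True
        elif kv := re.fullmatch(r"tunnel (\w+) (.+)", line):
            cur[kv[1]] = kv[2]          # e.g. "tunnel mode gre 0" -> mode = "gre 0"
    return tunnels

def check_pairs(dmz, locals_):
    """One mirrored local peer per DMZ tunnel, same GRE mode/key and VLAN, trusted on both ends."""
    problems = []
    for d in dmz:
        where = f"{d['ctl']} tunnel {d['id']}"
        peers = [t for t in locals_
                 if (t.get("source"), t.get("destination")) == (d.get("destination"), d.get("source"))]
        if len(peers) != 1:
            problems.append(f"{where}: {len(peers)} mirrored peer(s)")
            continue
        p = peers[0]
        for key in ("mode", "vlan"):
            if p.get(key) != d.get(key):
                problems.append(f"{where}: {key} differs from {p['ctl']} tunnel {p['id']}")
        if not (d["trusted"] and p["trusted"]):
            problems.append(f"{where}: not trusted on both ends")
    return problems

# Constructed sample: the tunnels from the post above, one config text per controller.
DMZ = "\n".join([
    "interface tunnel 60", " tunnel source 10.10.10.5", " tunnel mode gre 0",
    " tunnel destination 10.10.20.5", " tunnel vlan 5", " trusted",
    "interface tunnel 61", " tunnel source 10.10.10.5", " tunnel mode gre 0",
    " tunnel destination 10.10.30.5", " tunnel vlan 5", " trusted"])
LOCAL1 = "\n".join([
    "interface tunnel 60", " tunnel source 10.10.20.5", " tunnel mode gre 0",
    " tunnel destination 10.10.10.5", " tunnel vlan 5", " trusted"])
LOCAL2 = LOCAL1.replace("tunnel 60", "tunnel 61").replace("10.10.20.5", "10.10.30.5")

def audit(dmz_text=DMZ, local_texts=(("local1", LOCAL1), ("local2", LOCAL2))):
    locs = [t for name, text in local_texts for t in parse_tunnels(name, text)]
    return check_pairs(parse_tunnels("dmz", dmz_text), locs)
```

An empty list from audit() means every DMZ tunnel in the posted config has a consistent partner; feed it the running-config of each controller to catch a mistyped destination or a VLAN mismatch before bringing the tunnels up.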



  • 12.  RE: DMZ Controller questions

    Posted Jun 08, 2016 02:31 PM

    Anyone?