Recently implemented ClearPass for our guest network authentication and had a consultant help us configure it. We had to make some infrastructure changes that I am not clear on. Everything is working; I am just not sure how.
We have a guest network 192.168.1.0/24 on VLAN 998 going to a Palo Alto PA-500 out to a Comcast (boo) internet circuit. This network is not only used by Aruba for wireless guest; we also use this VLAN for guest access on the LAN. The PA does DHCP for VLAN 998. We have two 650 controllers (on separate floors) that use this network. Controller 1 has an IP of 192.168.1.10 in VLAN 998 and controller 2 has an IP of 192.168.1.9 in VLAN 998.
I am admittedly not 100% clear on why, but our consultant said we had to create a non-routed VLAN on each controller with a different address space and do DHCP for those networks on the Aruba controllers. We also added static routes to our private internal addresses and a default route to 192.168.1.1.
Controller 1 now has 192.168.10.0/24 on VLAN 4094 and controller 2 has 192.168.11.0/24 on VLAN 4094 (since they aren't routed we used the same VLAN ID). I see the ip nat inside on each VLAN, so we are NATing. I can confirm this on the PA because I don't see traffic for 192.168.10.0/24 or 192.168.11.0/24; I only see traffic from 192.168.1.9 and 192.168.1.10 (amongst other LAN traffic).
I do not see how this is working though. I don't see a statement that translates from VLAN 4094 to the respective IP on VLAN 998. I also cannot see an actual translation table. I have posted some config below.
Thanks in advance.
Controller 1:
interface vlan 4094
ip address 192.168.10.1 255.255.255.0
ip nat inside
interface vlan 998
ip address 192.168.1.10 255.255.255.0
Gateway of last resort is 192.168.1.1 to network 0.0.0.0 at cost 1
S* 0.0.0.0/0 [1/0] via 192.168.1.1*
S 10.0.0.0/8 [1/0] via 172.22.1.1*
S 172.16.0.0/12 [1/0] via 172.22.1.1*
C 172.22.1.0/24 is directly connected, VLAN150
C 192.168.1.0/24 is directly connected, VLAN998
C 192.168.10.0/24 is directly connected, VLAN4094
C 172.21.1.31/32 is an ipsec map default-local-master-ipsecmap
NAT Pools
---------
Name Start IP End IP DNAT IP Flags
---- -------- ------ ------- -----
dynamic-srcnat 0.0.0.0 0.0.0.0 0.0.0.0
Controller 2:
interface vlan 4094
ip address 192.168.11.1 255.255.255.0
ip nat inside
interface vlan 998
ip address 192.168.1.10 255.255.255.0
Gateway of last resort is 192.168.1.1 to network 0.0.0.0 at cost 1
S* 0.0.0.0/0 [1/0] via 192.168.1.1*
S 10.0.0.0/8 [1/0] via 172.22.1.1*
S 172.16.0.0/12 [1/0] via 172.22.1.1*
C 172.22.1.0/24 is directly connected, VLAN150
C 192.168.1.0/24 is directly connected, VLAN998
C 192.168.11.0/24 is directly connected, VLAN4094
C 172.21.1.31/32 is an ipsec map default-local-master-ipsecma
NAT Pools
---------
Name Start IP End IP DNAT IP Flags
---- -------- ------ ------- -----
dynamic-srcnat 0.0.0.0 0.0.0.0 0.0.0.0
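The question above is where the translation statement lives. As an added illustration (not ArubaOS code and not part of the original post), the Python below models the behaviour ArubaOS documents for "ip nat inside": a packet arriving on an interface configured with "ip nat inside" is source-NATed to the controller's own address on whichever interface the route lookup selects as egress, using the built-in dynamic-srcnat pool. There is therefore no per-VLAN translation statement to find; the default route via 192.168.1.1 picks VLAN 998 as egress, so the PA only ever sees 192.168.1.10 and 192.168.1.9. The controller addresses on VLAN 150, the port pool, the client addresses and the flows are constructed or assumed, and controller 2's VLAN 998 address is taken from the prose (192.168.1.9) rather than the pasted config.

```python
"""Model of ArubaOS 'ip nat inside' (added example, not controller code).

Assumption modelled: traffic from a nat-inside VLAN is source-NATed to the
controller's IP on the egress VLAN chosen by route lookup (longest prefix).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Vlan:
    """One 'interface vlan N' stanza from the controller config."""
    vid: int
    ip: str                   # controller's own address on this VLAN
    prefixlen: int
    nat_inside: bool = False  # True when 'ip nat inside' is configured

    @property
    def network(self):
        return ipaddress.ip_interface(f"{self.ip}/{self.prefixlen}").network


@dataclass
class Session:
    orig_src: tuple  # (ip, port) as sent by the inside client
    nat_src: tuple   # (ip, port) as seen upstream of the controller
    dst: tuple


class Controller:
    def __init__(self, name, vlans, static_routes):
        self.name = name
        self.vlans = {v.vid: v for v in vlans}
        # Routing table entries: (network, next_hop or None, egress vid)
        self.routes = [(v.network, None, v.vid) for v in vlans]
        for prefix, nh in static_routes:
            nh_ip = ipaddress.ip_address(nh)
            # A static route egresses via the connected VLAN holding its next hop
            egress = next(v.vid for v in vlans if nh_ip in v.network)
            self.routes.append((ipaddress.ip_network(prefix), nh_ip, egress))
        self.sessions = {}      # (nat_ip, nat_port, dst_ip, dst_port) -> Session
        self._next_port = 1024  # assumed port pool; the real range differs

    def route_lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop, egress_vid)."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            raise ValueError(f"no route to {dst}")
        return max(matches, key=lambda r: r[0].prefixlen)

    def forward(self, ingress_vid, src, dst):
        """Route a (ip, port) -> (ip, port) flow arriving on ingress_vid.
        Returns the source tuple as it appears on the egress VLAN."""
        _, _, egress_vid = self.route_lookup(dst[0])
        if not self.vlans[ingress_vid].nat_inside:
            return src  # plain routing, source untouched
        # Implicit translation: source becomes the egress interface address
        nat_src = (self.vlans[egress_vid].ip, self._next_port)
        self._next_port += 1
        self.sessions[(*nat_src, *dst)] = Session(src, nat_src, dst)
        return nat_src

    def reverse(self, src, dst):
        """Return traffic: map the NATed destination back to the inside client."""
        sess = self.sessions.get((*dst, *src))
        return sess.orig_src if sess else None


# Static routes from the posted 'show ip route' output
STATIC_ROUTES = [("0.0.0.0/0", "192.168.1.1"),
                 ("10.0.0.0/8", "172.22.1.1"),
                 ("172.16.0.0/12", "172.22.1.1")]


def build_controller(name, inside_ip, vlan998_ip, vlan150_ip):
    """VLAN 4094 (nat inside), VLAN 998 and VLAN 150 as in the post.
    vlan150_ip is not in the post and must be supplied (assumed)."""
    vlans = [Vlan(4094, inside_ip, 24, nat_inside=True),
             Vlan(998, vlan998_ip, 24),
             Vlan(150, vlan150_ip, 24)]
    return Controller(name, vlans, STATIC_ROUTES)


def sources_seen_by_firewall(controllers):
    """Source IPs the PA sees for internet-bound flows from each inside VLAN.
    Flows are constructed: host .50 of each inside subnet to 8.8.8.8:53."""
    seen = set()
    for ctl in controllers:
        client = str(ctl.vlans[4094].network[50])
        seen.add(ctl.forward(4094, (client, 40000), ("8.8.8.8", 53))[0])
    return seen


if __name__ == "__main__":
    c1 = build_controller("controller-1", "192.168.10.1", "192.168.1.10", "172.22.1.10")
    c2 = build_controller("controller-2", "192.168.11.1", "192.168.1.9", "172.22.1.11")
    print("PA sees:", sources_seen_by_firewall([c1, c2]))
    print("sessions on c1:", c1.sessions)
```

On the real controller the state that this model keeps in "sessions" is held in the datapath session table (show datapath session), where translated flows are flagged as source-NATed; "show ip nat pool" only lists the pool definition, which is why the pool output above shows no per-flow entries.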