Wireless Access


How to setup a guest SSID to distribute DHCP from the local controller

  • 1.  How to setup a guest SSID to distribute DHCP from the local controller

    Posted Nov 12, 2018 04:16 PM

    I am confused on how to set up a couple of SSIDs to provide DHCP addresses to their wireless clients?

     

    Background:

    1.  We have the Controllers set up and APs connected.

    2.  I want to create 1 x Guest WLAN that gives out its own subnet of private IP addresses.

    3.  I want to create a Bring Your Own Device (BYOD) SSID for our employees' smartphones and personal devices (tablets, etc.).

    4.  My plan is to configure these WLANs to dish out IP addresses for the respective clients and to not use the same IP addresses on our corporate side.

    I created a question but it gave very general instructions: Probably need to create a DHCP pool first: MM -> Managed Devices -> Group -> Configuration -> Services - DHCP

     

    Now, my questions are:

     

    1.  How to associate the DHCP pool with the Guest VLAN? 

             a.  I know how to assign the guest Vlan a static IP address.

     

    2.  Or should I configure the DHCP provided by the Guest VLAN another way?

             a.  The DHCP needs to be provided by the local controller.



  • 2.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    Posted Nov 12, 2018 04:35 PM

    To use the controller as DHCP server for multiple VLANs, you have to create multiple DHCP pools on the controller and enable the DHCP service. An example below:

     

    service dhcp

     

    ip dhcp pool tunnel-node
    default-router 10.10.20.1
    dns-server 1.1.1.1
    network 10.10.20.0 255.255.255.0
    authoritative

     

    Next you create a VLAN interface for the respective VLAN. Like

     

     

    interface vlan 20

       ip address 10.10.20.254 255.255.255.0

       no ip routing

     

    Very basic, but this should be the beginning

     



  • 3.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    Posted Nov 13, 2018 07:59 AM

    Ok, 

     

    Sounds good; but,

     

    Question1:  What settings does the 'Authoritative' description represent?  In the meantime, I will take a look at the existing DHCP Pool settings.

     

    Question2:  The respective VLAN ... where is the VLAN originating from?

        a.  I would think that the controller is the router for this subnet.

        b. So this VLAN should be something that is not in conflict with anything else in the network.  So VLAN-20 or whatever should not be used anywhere else on the same network.

        c.  Can we discuss the design of question 2 above?

     

    Question3:  I have to inquire about the current network just to make sure; but, I believe that the internet only data is coming to our DMZ (VLAN).  And then the controller is giving out private IP addresses to the clients.

     

    I am confused about how to set up Question 3 this way; but, let's focus on questions 1-2 until I get clarity on Question 3.



  • 4.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    EMPLOYEE
    Posted Nov 13, 2018 08:41 AM

    Hi Pkafkas,

     

    Let me try to help as well :) 

     

    Question 1:

    'Authoritative' is a general DHCP server setting (not Aruba specific) and tells the DHCP server that it is responsible for that specific subnet. Address assignment works correctly only if you have an authoritative DHCP server.

     

    Question 2:

    The VLAN ID should be unique in your network. This helps to make it easy in the future. The IP scope should be unique as well. 

    The first question you should ask yourself or the customer: should the Controller be the default gateway for that VLAN, or should the controller only be the DHCP Server? If the controller should be the gateway, make sure that you configure your routing accordingly. You might either use static routing or dynamic routing with OSPF.

    You can also NAT the network to the egress network IP of the controller. This will remove the need for routing. 

     

    If you know which path to follow, we can help with the configuration needed.

     

    BR

    Florian



  • 5.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    Posted Nov 13, 2018 02:26 PM

    In our current setup we have 3 SSIDs that give out DHCP.  They are set up similarly, where they send out private IP addresses.

     

    It appears that the controllers are the DHCP server and the Gateway. The attached screenshot is for our Guest access.  It receives Internet from a DMZ connection.  See screenshot. I have questions on how the routing is configured, I can only guess at this point until I verify.  But I would imagine that internet only is routed to this WLAN somehow and the WLAN Guest clients are receiving the IP address from the controller.

     

     

    I need to verify some facts before I can contribute more to this thread.  I am not sure when that will be.



  • 6.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    Posted Nov 14, 2018 05:51 PM

    OK,

     

    Here is how our HP controllers are setup.  They are setup very similarly as an HP ProCurve Switch; but, it only has 2 active Ethernet connections on each local controller.

     

    - 1 X Access Network (Corporate Network).

    - 1 x Internet Port (DMZ Internet Only).

     

    The default gateway is the gateway for the DMZ at each site.  There are static routes defined for each IP Scheme that is not defined in the interface.  See screenshot; anything that is not defined will get sent to the internet.

     

    I think I will need to have:

    - IP routing enabled

    - 2 x VLANs and an IP address for each

    -  Default Gateway defined

    - Static routes defined

     

    See screenshot

     

    Such as:

    interface vlan 20<enter>
        ip address XX.XX.XX.XX 255.255.255.0<enter>

     

    ip default-gateway XX.XX.XX.XX<enter>

     

    The 192.XXX.XXX.0 addresses will need to be routed to Default Route (DMZ).  These are our guest networks that receive DHCP from the controllers where visitors will need to VPN and use FTP and be using their own devices (not from our company).

     

    My questions are:

     

    1.  How to assign the different DHCP-Pools (from the Group - MD - level) to the specific WLAN?

     

    2.  From the Configuration - Services - DHCP - Services - DHCP section, why is there a minimum of 4 hosts required?  What do the 'hosts' actually represent?



  • 7.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    EMPLOYEE
    Posted Nov 14, 2018 11:56 PM

    Hi Pkafkas,

     

    You cannot apply a DHCP scope to a WLAN. This is not possible. Instead of applying the DHCP scope to a WLAN, the DHCP scope is automatically applied to the VLAN which is within the definition of the scope network. Let's assume you have the DHCP scope below:

    (host) [mynode] (config) #ip dhcp pool floor1
    (host) [mynode] (config-submode) #default-router 10.26.1.1
    (host) [mynode] (config-submode) #dns-server 192.168.1.10
    (host) [mynode] (config-submode) #domain-name floor1.test.com
    (host) [mynode] (config-submode) #lease 0 8 0
    (host) [mynode] (config-submode) #network 10.26.1.0 255.255.255.0

    To use this scope, you need to create a VLAN interface, with an IP address from that scope. You would normally use the default gateway IP, as the controller should be the default gateway for the clients. 

     

    I'm not sure what you mean by your second question.
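
Added example, not part of any post in this thread and not Aruba's code: a small Python check of the rule described in post 7, that a DHCP pool serves whichever VLAN interface has an address inside the pool's `network`. The sample config is constructed from commands quoted in the thread (the `tunnel-node` pool and VLAN 20 come from post 2); the VLAN 103 numbering, the `.1` gateway addresses and the report wording are assumptions.

```python
import ipaddress

# Constructed sample config; it uses only commands quoted in this thread.
# Pool "tunnel-node" and VLAN 20 reuse the values from post 2.
SAMPLE_CONFIG = """\
service dhcp
ip dhcp pool guest
 default-router 192.168.103.1
 network 192.168.103.0 255.255.255.0
ip dhcp pool byod
 default-router 192.168.102.1
 network 192.168.102.0 255.255.255.0
ip dhcp pool tunnel-node
 default-router 10.10.20.1
 network 10.10.20.0 255.255.255.0
interface vlan 103
 ip address 192.168.103.1 255.255.255.0
interface vlan 20
 ip address 10.10.20.254 255.255.255.0
"""


def parse(config):
    """Collect 'ip dhcp pool' and 'interface vlan' stanzas into two dicts."""
    pools, vlans, current = {}, {}, None
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["ip", "dhcp", "pool"] and len(w) == 4:
            current = pools.setdefault(w[3], {})
        elif w[:1] == ["interface"]:
            is_vlan = len(w) == 3 and w[1] == "vlan" and w[2].isdigit()
            current = vlans.setdefault(int(w[2]), {}) if is_vlan else None
        elif current is None:
            continue
        elif w[:1] == ["network"] and len(w) == 3:
            current["network"] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif w[:1] == ["default-router"] and len(w) == 2:
            current["router"] = ipaddress.ip_address(w[1])
        elif w[:2] == ["ip", "address"] and len(w) == 4:
            current["iface"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
    return pools, vlans


def audit(config):
    """Report, per DHCP pool, which VLAN interface has an address inside it."""
    pools, vlans = parse(config)
    report = {}
    for name, pool in pools.items():
        net = pool.get("network")
        hits = [(vid, v["iface"]) for vid, v in vlans.items()
                if net is not None and "iface" in v and v["iface"].ip in net]
        if not hits:
            report[name] = "no VLAN interface inside pool network"
        elif pool.get("router") == hits[0][1].ip:
            report[name] = f"vlan {hits[0][0]}: controller is DHCP server and gateway"
        else:
            report[name] = f"vlan {hits[0][0]}: controller is DHCP server only"
    return report
```

The "server only" result corresponds to the choice raised in post 4: the pool's `default-router` is some other device, so routing and filtering for that subnet have to be verified there rather than on the controller.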

     



  • 8.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    Posted Nov 21, 2018 04:26 PM

    Hello Florian,

     

    It appears that our current WIFI setup is different from what Aruba has designed.  

     

    1.  We have all of our guest Wifi SSID's using internet from the DMZ Vlan.  

         a.  BYOD SSID: 192.168.102.0

         b.  Guest SSID: 192.168.103.0

     

    2.  Hence, we have different Class - C subnets that are using the same VLAN.

     

    You are suggesting to assign the DHCP pool to a VLAN.  Can we have more than 1 DHCP pool assigned to the same VLAN? 

     

    Can we have the same Class C Subnets that are not routable to each other?

     

    How do we assign a DHCP Pool to specific VLan(s)?



  • 9.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    Posted Nov 21, 2018 04:28 PM

    Also regarding my hosts question.

     

    Please see attachment.



  • 10.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    EMPLOYEE
    Posted Nov 21, 2018 06:36 PM

    Question:

     

    Did your Wireless LAN Controller do all of the routing, firewalling and DHCP for your network before?



  • 11.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    EMPLOYEE
    Posted Nov 21, 2018 11:46 PM

    Hi,

     

    For network IP address type, do not use dynamic, stick with static.  

     

    So, here is what I would do. I would use the firewall in the DMZ as the router for the clients and also as the DHCP server or relay. I would also use two different VLANs for guests and BYOD users. If this is not possible, you can use different roles for each of them and deny access to each other. Doing so, they are separated as well and you do not have to use multiple IP addresses in one VLAN.

     

    If you still need to use the controller for all of that, use one VLAN, with one DHCP scope and separate users with roles. 



  • 12.  RE: How to setup a guest SSID to distribute DHCP from the local controller
    Best Answer

    Posted Nov 26, 2018 04:47 PM

    Hello 

     

     

     

     

     

     

     

    4.  Then I will need to create static routes on the Aruba Controller for each Guest Access IP subnet.

           a.  According to previous comments and according to: https://community.arubanetworks.com/t5/ArubaOS-and-Controllers/How-to-assign-DHCP-Pool-to-VLAN/td-p/8117

           b.  The controller will be able to route traffic to the wireless clients trying to access the DHCP Pools.

           c.  Route IP address for GUEST (IP DHCP Scheme) to DMZ Gateway (not the IP assigned to the DMZ VLAN).

           d.  Same routing rule for BYOD (Look at IP route pic).

     

    5.  The rest of the Corporate VLANs can use the normal controller's Gateway, to route the traffic to the respective VLAN.

     

    Can someone comment or verify if my plan above is correct? 

     

    Also can anyone mention what the 'Hosts' field is representing and why there is a minimum of 4 required?  I am not sure if anyone answered that before. 

     

    In a related but separate question: Can anyone explain to me how we can have 1 group of MAC Addresses to Authenticate to a Specific WLAN; but, not to be accepted to another SSID that also uses MAC authentication as well?  Or is there no way to associate a MAC address user account to 1 specific VLAN (Perhaps by delimiter)?



  • 13.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    EMPLOYEE
    Posted Nov 27, 2018 12:27 AM

    Hi Pkafkas,

     

    To be sure about the VLAN not having an Interface, can you please share a screenshot of the VSC mapping for the Guest SSID. I was deep into the MSM solution years ago and I'm sure that the MSM controller needs an IP interface to bring up a captive portal.

     

    BR

    Florian



  • 14.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    Posted Nov 27, 2018 06:00 AM

    I hope the attached screenshot will give you the information that you are looking for.  The 'guest' SSID uses 192.168.103.0.

     

     If not, let me know and I will try to accommodate.

     

    The BYOD provides 192.168.102.0

     

    When I log in to the HP M760 and navigate to the 'Guest' - Overview - VSC mapping section I just see information regarding the: VSC Name, AP Name, SN, SSID, Radio, BSSID, Clients, Security.  I am not sure if that is what you are looking for.

    Attachment(s)

    docx
    guest_SSID_VSC.docx   147 KB 1 version


  • 15.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    EMPLOYEE
    Posted Nov 28, 2018 12:45 AM

    I think it was in the AP Group section. There is the VSC binding. With that VSC binding, you define which VSC profile is available for that group and into which VLAN this VSC profile should bridge traffic.

    If we know the VLAN the clients are bridged to, we need to check how this VLAN is then handled on the controller. There are multiple options, but the recommended option was that the traffic was simply bridged through the internet port (normally as a VLAN) to the wired infrastructure, mostly a firewall. The firewall then has to deal with the clients, e.g. serve IP addresses and be the default gateway.

     

    This is what we need:

    1. What is the VLAN for the clients?

    2. Who is the default gateway in that VLAN?

    3. Who is the DHCP Server for that VLAN? 



  • 16.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    Posted Nov 28, 2018 04:59 AM

    Are the attached screen shots what you are looking for?

     

    VAST is the guest SSID but there is a reference to a Bridge.

     

    Perhaps VLan-252 is the Bridge?   

     

    I have also attached a screen shot of:

    - Network profiles

    - VSC Profile of 'Bridge'

    - Radius server profiles

     

    All Radius server profiles use the same primary and secondary servers (IP addresses are the same).

     

    The Bridge VSC Profile uses a Radius server for Authentication.  The BYOD SSID prompts the user with a web page login screen where they must enter their employee username and password.

     

    See screen shots.



  • 17.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    EMPLOYEE
    Posted Nov 30, 2018 05:28 AM

    Hi Pkafkas,

     

    Sorry for the late response. Just needed to bring my old MSM Controller back to life. 

     

    In your VSC config for VAST, you define a DHCP Server. This one is giving IPs to the clients in this SSID. The Controller is the default gateway for those clients and will route the traffic using its routing table. So most of the traffic will go to the default gateway of the controller.

     

    You can simply recreate this setup on the Aruba Controller. Just create a VLAN, which is not used anywhere else and apply an IP to that VLAN. Create a DHCP Pool on the controller, matching the IP in the created VLAN. 

    The last step is to assign this VLAN to the new Guest SSID. Make sure that the role of the guest denies access to the internal network.



  • 18.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    Posted Dec 01, 2018 06:32 AM

    It sounds like we are on the same page with the VLAN, that using the VLANs with an assigned IP address for each VLAN is a better design.

     

    When you mentioned creating a "VLAN Pool" , I found instructions for creating a VLan Pool from: https://www.arubanetworks.com/techdocs/ArubaOS_62_Web_Help/Content/ArubaFrameStyles/Network_Parameters/Configuring_VLANs.htm

     

    I would imagine that I will still need to create a DHCP Pool matching the IP address as well?  Just as I mentioned in my comments above, correct?   Just like how Renee Joissen suggested earlier in this question:

     

    We do have multiple ports available on the controllers. Perhaps the best thing to do is plug in a connection from the DMZ VLan to an available port on the Aruba Controller and assign an IP address / Subnet Mask from the DMZ link and create a VLAN.  Then use that DMZ port for all Guest internet traffic while leaving the company internet traffic alone.  It was mentioned in https://community.arubanetworks.com/t5/Wireless-Access/Need-help-routing-internet-traffic-from-our-guest-and-corporate/td-p/16759   that one may just try to add static route for internal with a lower cost, then a static route for everything else (eg. 0.0.0.0) at a higher cost.  

     

     

     



  • 19.  RE: How to setup a guest SSID to distribute DHCP from the local controller
    Best Answer

    EMPLOYEE
    Posted Dec 04, 2018 11:49 PM

    Hi Pkafkas,

     

    VLAN pool was a mistake, I meant DHCP pool. A VLAN pool is not needed in this scenario.

     

    You can either use a dedicated port for the DMZ connection, or just a VLAN on the normal uplink. 

     

    But still you should figure out who is the gateway for the clients. My recommendation is to use the firewall in the DMZ as the router and simply bridge the clients on a L2 VLAN to the DMZ and the firewall there has to handle the rest. 

    If the Controller is the gateway, you need a connection from the controller to the DMZ firewall and you would use Policy based routing to redirect traffic from the guest VLAN to this firewall.

     

    BR

    Florian



  • 20.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    Posted Dec 05, 2018 08:29 AM

    I found a reference to PBR in the ArubaOS 8.3.0.x User Guide.pdf

     

    It is over 11,000 pages.  For our purposes it is just as simple as:

     

    1.  Setup DHCP Pools for each guest SSID.

          a.  Setup 2 SSID (WLans).

     

    2.  Setup 2 Vlans, 1 for each guest/byod SSID.

         a.  Assign the default 192.168... address from the DHCP Pool to the VLAN's IP address.

     

    3.  Setup a L2 connection on an available port on the Aruba Controller to connect to the DMZ.

          a.  Create a VLAN on the Aruba Controller for the DMZ

          b.  Assign an available DMZ IP address to that new DMZ VLAN on the Aruba Controller.

     

    4.  Creating a PBR policy for the 2 x IP schemes used for guest and BYOD access to route access level to the DMZ Destination?

          a.  As indicated in the Microsoft Word Document attached?

          b.  Indicate the source and destination networks.

          c.  Indicate the user role on the Aruba Controller.

     

    Attachment(s)

    docx
    Policy Based Routing_01.docx   177 KB 1 version


  • 21.  RE: How to setup a guest SSID to distribute DHCP from the local controller
    Best Answer

    Posted Dec 05, 2018 10:10 PM

    I spoke to Aruba Support regarding Policy Based Routing.  The instructions that I found were not showing up when trying to implement the policy.

     

    Aruba support informed me that for my situation a PBR was not necessary and actually was overcomplicating the configuration.  Aruba Support informed me that static routing for 0.0.0.0 / 0.0.0.0 DMZ_IP is all I need to do for internet routing.

     

    I should proceed with the DHCP Pools and the VLANs as was previously planned.



  • 22.  RE: How to setup a guest SSID to distribute DHCP from the local controller

    EMPLOYEE
    Posted Dec 06, 2018 06:56 AM

    Hi Pkafkas,

     

    Sure, you can point the default route of the controller to the DMZ firewall. But keep in mind to create static routes for the internal networks as well, to make sure that the controller is reachable from within the internal network, if not possible using the DMZ firewall.

    In this case, you also need to make sure that you deny access to internal networks for guests.

     

    That's why I would go with PBR. but doing it the other way around works as well.