Wireless Access

I have to route internet traffic for our wi-fi guest and corporate network out a DSL connection.  I have an Aruba3400 controller with 4 physical interfaces with 3 of them open to use to connect to the DSL.  I'm running OS 3.3.2.14.  Right now the internet traffic goes out our main corporate internet connection.  Internal LAN traffic for the corporate network will stay the same.  I'm not sure where to make these changes in the controller and would appreciate any helpful advice.

---

@johnpi wrote:

I have to route internet traffic for our wi-fi guest and corporate network out a DSL connection.  I have an Aruba3400 controller with 4 physical interfaces with 3 of them open to use to connect to the DSL.  I'm running OS 3.3.2.14.  Right now the internet traffic goes out our main corporate internet connection.  Internal LAN traffic for the corporate network will stay the same.  I'm not sure where to make these changes in the controller and would appreciate any helpful advice.

---

It sounds like a simple static route option for anthing not internal. You might need to create a static route for internal with a lower cost, then a static route for everything else (eg. 0.0.0.0) at a higher cost.

Take a look at the UG. If you need help beyond that, let me know.

Zach

Connect one of the spare interfaces to the DSL modem and configure the default gateway of the controller to be the IP address of the DSL modem.  Make sure you have static routes for all your internal networks when you do that.

Thanks Mike, I'll try that.

How would you accomplish this if you wanted to route Guest traffic out the DSL connection, and Corporate access would be through the Main internet pipe which corporate wired user use to browse to the internet. Is there a way to do a Policy based route? Would this be something set in the firewall policy?

-ELiasz

How about the following.

Say your guest network is 192.168.0.0/24 and is VLAN 2.

Configure a spare port on your controller as an access port on VLAN 2. 

Configure your DSL router to have an IP in that subnet, say 192.168.0.254

Configure your guest DHCP pool to have a default gateway of 192.168.0.254.

Ensure that inter VLAN routing is not enabled on VLAN 2.

You can use the ESI module for policy routing. In the below example it would route subnet 10.10.x.x out the 172.16.99.7 default gateway, all other traffic would go out the controller's default gateway. You make the trusted and untrusted ip address the same in a policy route. 

Jenga

####

!

netdestination student-networks
network 10.10.0.0 255.255.0.0
!

esi ping health-30sec
frequency 30
timeout 1
retry-count 2
!
esi server student-gateway-1
mode route
trusted-ip-addr 172.16.99.7
untrusted-ip-addr 172.16.99.7
!
esi group student-gateway-group
ping health-30sec
server student-gateway-1
!

ip access-list session "redirect-students"
alias student-networks any any redirect esi-group "student-gateway-group" direction forward
!

user-role student
session-acl logon-control
session-acl redirect-students
!

Hey James,

I'd like to use your method to send my guest traffic out to a different router than the default gateway on my Aruba.  I've set everything up as you've instructed but I don't seem to be able to make it work.

My Aruba 2400 is directly connected to a Cisco 5520 ASA.  I have followed your instructions to configure the ports on both devices.  I can ping from the Aruba (192.168.128.2) CLI to the Cisco (192.168.128.3) and vice versa.  I can also ping the Cisco 5520 (192.168.128.3) from the DHCP client machine.  However, as soon as I change the default route of my DHCP pool to the Cisco, I can no longer ping out to the internet.

According to my Cisco ASA, it never sees the traffic coming in from the source client.

Any ideas as to what I'm missing?

Thanks!

Joel

Further discovered today...

If I manually change the default route on the client connected to the wireless, I can get out through the Aruba and router to the internet. 

When I use the dhcp command "default-router" on the Aruba to set the same exact default gateway, the gateway changes on my client but the traffic does not go out to the internet.

Any ideas what the problem may be?

Thanks

Joel

Policy-Based Routing is used to give clients a different default gateway than that of the controller.  It is normally used when you have a different ISP for guest networks than you would have for your controller.

Please see the thread here:  http://community.arubanetworks.com/t5/Wireless-Access/Setting-AP-PBR-on-controller/m-p/314344 for more information.

I don't know why changing the default gateway in the dhcp scope does not work.  A few things would need to be in place correctly for the client to reliably use the second gateway behind the controller and the router the client is using would have to have knowledge of where the client could be found (client in ARP table) to return that traffic.  PBR is the proper way to do this.

Colin,

Thank you for your reply.  Unforunately I am not able to use PBR because this is an older controller with an older OS.  I was able to fix the problem, however.  The issue was not with the Aruba controller, but instead with the firewall upstream.  Using the default-router on the DHCP pool worked after all.

Thanks again for your reply.

Joel