Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
  • 1.  RAP 5WN

    Posted Apr 10, 2012 07:14 AM

    Dears,

    Here is my situation:

    1- I have multiple brand new RAP 5WN in a branch office

    2- This branch office is connected to our main site through a WAN connection (MPLS)

    3- Guest users in this branch office use a separate DSL line to surf the internet. This DSL line is physically separated from the branch's local LAN

     

    What I want to accomplish is to create two SSIDs. One of them is used to reach corporate resources in our main office through the MPLS cloud and the other is for guest internet access through the separate DSL line.

    The problem I am facing now is that the RAP 5WN has only one routed port (port 0) and the other 4 ports are switched ports. So I could only connect port 0 to our MPLS router and get the corporate SSID working fine. But I can't connect the ADSL router to one of the other 4 ports as they are layer two ports.

     

    Any ideas to get this working and maintain the separation between the DSL and corporate network?



  • 2.  RE: RAP 5WN
    Best Answer

    Posted Apr 10, 2012 12:07 PM

    You can try this if you like.

     

    1.  Create an L2 VLAN on your controller, say vlan 888.  No VLAN interface needed

    2.  Create a wired AP profile and assign it to vlan 888, bridge mode, access

    3.  Create a AAA profile and make the initial role to be "authenticated"

    4.  Create a wired port profile and assign your new wired AP profile and AAA profile to it

    5.  Assign one of the ports in the RAP-5's AP group to your new wired port profile, connect the LAN port of your DSL modem to that port

    6.  Create a guest SSID and a AAA profile with initial role "authenticated" (this assumes a PSK SSID)

    7.  Create a VAP, bridge mode, VLAN 888, assign your new guest SSID and wireless AAA profile

    8.  Assign the VAP to your RAP's AP group

    9.  Make sure your DSL modem is acting as a DHCP server

     

    Save the config, give it a whirl.  You can try to tweak the initial role if you like to lock things down a bit, but I just used "authenticated" in my lab for test purposes.



  • 3.  RE: RAP 5WN

    Posted Apr 11, 2012 02:28 AM

    But will this guarantee that the guest users' traffic will be routed directly to the DSL router, not to the main office controller and then to the DSL router?



  • 4.  RE: RAP 5WN

    Posted Apr 11, 2012 08:50 AM

    As long as the DSL router is the only layer 3 device in the VLAN you define for guests, yes.



  • 5.  RE: RAP 5WN

    Posted Apr 11, 2012 10:39 AM

    Yes, using the steps I outlined, anyone connected to VLAN 888 will have the default gateway of the DSL modem and will use it for all Internet access.



  • 6.  RE: RAP 5WN

    Posted Apr 12, 2012 08:56 AM

    Thanks all, I did exactly what Mike said and it worked just fine, but I have one more question regarding the wireless operational mode. I want my guest SSID to be functional even if the RAP loses communication with the main office controller. I tried to change the wireless operational mode of my AP to always or persistent with no success. I also tried to configure the guest SSID with a PSK and as an open system but also without any success. Any help?

     

    Also I want to ask about one thing for my info, is it possible to use a captive portal for guest SSID in my situation or not?



  • 7.  RE: RAP 5WN

    Posted Apr 12, 2012 10:36 AM

    Ismail - When you say you had no luck when you changed the VAP operational mode to persistent or always, do you mean AOS wouldn't let you change it to that or it just didn't function as you expected?

     

    Captive portal in this kind of setup would be very complex if even possible.



  • 8.  RE: RAP 5WN

    Posted Apr 12, 2012 11:41 AM

    What I mean is when I change the VAP operational mode to always or persistent and my RAP loses communication with the mobility controller in the main office, I am not even able to ping my DSL router although I am already connected to the guest SSID. However, the persistent mode works just fine for my corporate SSID.



  • 9.  RE: RAP 5WN

    Posted Apr 12, 2012 01:36 PM

    That doesn't sound right.  What version of code are you on?



  • 10.  RE: RAP 5WN

    Posted Apr 15, 2012 01:55 AM

    Sorry for my late reply, we are running software version ArubaOS 5.0.4.4



  • 11.  RE: RAP 5WN

    Posted Apr 19, 2012 02:13 AM

    Hi All,

    The problem is solved now and my guest ESSID is working just as expected. I only disabled the AP-Backup option under interface wired 1 (connected to my DSL router).

    Thanks all
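
The nine steps from post 2, together with the operational-mode and backup settings discussed in posts 6 to 11, written out as a controller configuration sketch. This is an added example, not configuration posted by anyone in the thread. The profile names, AP group name, ESSID and passphrase are hypothetical placeholders; the command names follow ArubaOS 6.x CLI conventions and may differ on 5.0.4.4; mapping the "AP-Backup" option from post 11 to `no rap-backup` is an assumption.

```text
! Constructed example: all quoted names and the passphrase are placeholders.
! Step 1: L2-only VLAN for guests, no VLAN interface on the controller,
! so the DSL modem is the only layer 3 device (and DHCP server) in it.
vlan 888
!
! Step 2: wired AP profile, bridge mode, access port in VLAN 888.
ap wired-ap-profile "guest-dsl-wired"
   wired-ap-enable
   forward-mode bridge
   switchport mode access
   switchport access vlan 888
!
! Step 3: AAA profile for the wired port ("authenticated" is the lab
! choice from post 2; a tighter role can replace it).
aaa profile "guest-wired-aaa"
   initial-role "authenticated"
!
! Step 4: wired port profile tying the two together.
! "no rap-backup" is assumed to be the AP-Backup option from post 11.
ap wired-port-profile "guest-dsl-port"
   wired-ap-profile "guest-dsl-wired"
   aaa-profile "guest-wired-aaa"
   no rap-backup
!
! Step 6: PSK guest SSID and its own AAA profile.
wlan ssid-profile "guest-ssid"
   essid "Branch-Guest"
   opmode wpa2-psk-aes
   wpa-passphrase <guest-passphrase>
aaa profile "guest-wlan-aaa"
   initial-role "authenticated"
!
! Step 7: bridged VAP in VLAN 888; "always" keeps it up without the controller.
wlan virtual-ap "guest-vap"
   ssid-profile "guest-ssid"
   aaa-profile "guest-wlan-aaa"
   vlan 888
   forward-mode bridge
   rap-operation always
!
! Steps 5 and 8: attach both to the RAP's AP group; the DSL modem's
! LAN port plugs into the RAP port carrying this port profile.
ap-group "branch-raps"
   virtual-ap "guest-vap"
   enet1-port-profile "guest-dsl-port"
```
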



  • 12.  RE: RAP 5WN

    Posted Apr 10, 2012 12:56 PM

    You're asking quite a bit of a RAP. Really, this needs a small controller in those offices.

     

    You can do some of what you want I suspect, but not all.

     

    A RAP can't route (although it can src-nat/route which is different).

     

    With that in mind, you could define the VAPs as bridged, and connect the RAP to your branch switch on an 802.1q trunk/tagged port (or set up another port on the RAP for the different VLAN access mode). Then set up a VLAN for guest ingress (and put the DSL router in that VLAN via the access port you picked or off the network on that VLAN). Create another for trusted or just make it "native"/untagged. Then set up the bridged VAPs to ingress the appropriate VLANs. This should work, but...

     

    Captive portal for guests for instance is most likely out of the question as you'd have to be tunnelling, or split-tunneling (which would mean the RAP would src-nat-route out of the primary IP network it was attached to).