Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP in tunnel-mode with wireless clients and wired port server

  • 1.  RAP in tunnel-mode with wireless clients and wired port server

    Posted Oct 23, 2014 08:58 AM

    Thanks in advance....

    We have a customer with RAPs operating in tunnel mode back to the controller.  All traffic goes back to the controller so they can access other subnets and access the Internet through a single web-filtered point.

    Each RAP location is a different VLAN/subnet on the controller, with the controller as the default GW for each site.  The RAP provides both wired and wireless access into this VLAN using forwarding method tunnel-mode.

    Some sites also have a wired Windows server connected to the Ethernet port of the RAP that provides file sharing and other services.

    At these sites, there is now high latency for wireless clients at the remote site accessing the wired server at the remote site.

    Even though both clients are on the same subnet, the wired server and wireless clients seem to be sending traffic back to the controller and then back to the remote site.

    Am I correct in assuming traffic from wireless clients is tunneling back to the controller, then back to the wired server?  If I am wrong, and the traffic is staying local and switched on the RAP, any ideas on the high latency?

    Is there a better way to configure this topology?

    Any suggestions or further questions would be appreciated.

    Thank you.



  • 2.  RE: RAP in tunnel-mode with wireless clients and wired port server

    EMPLOYEE
    Posted Oct 23, 2014 09:01 AM
    Yes, all user traffic is going back to the controller and then back down to the file server. You could do split-tunnel to keep traffic destined for that server locally bridged.


  • 3.  RE: RAP in tunnel-mode with wireless clients and wired port server

    Posted Oct 23, 2014 05:12 PM

    Thanks.

    So would it be split tunnel with bridge turned on in the firewall rules destined to the local subnet? Or the local server IP?

    I was under the impression the bridge would be to the subnet the eth0 (WAN) port of the RAP is connected to... would it also include the interface the server connects to?

    Thanks



  • 4.  RE: RAP in tunnel-mode with wireless clients and wired port server

    EMPLOYEE
    Posted Oct 24, 2014 06:16 AM

    od-sysadmin,

    To keep traffic local in that scenario, you would need to use the rap-local-network-access command in the AP system profile.  This would also involve you configuring your wired and wireless on that RAP as split tunnel, but the ACL in your user role for both of those would be "allowall".  To put a user role on the wired port of the RAP, you would configure the forwarding mode of the wired port as split-tunnel and make it "untrusted" and apply an AAA profile where the initial role is "authenticated".

    Making a Virtual AP and a wired port split-tunnel moves the firewall logic into the AP, so that it can decrypt the user traffic at the AP and make decisions there, before client traffic is tunneled back to the controller.  rap-local-network-access would then look to see if a device needs to send traffic to another device that is on the same RAP:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1167



  • 5.  RE: RAP in tunnel-mode with wireless clients and wired port server

    Posted Oct 24, 2014 04:59 PM

    Great, this sounds exactly like what I was looking for.

    Question on the ACL in the user role: the Aruba KB article does not mention the ACL.

    You said to set it to allow all.  That would be a permit rule, right?

    So in essence, the user role for both the wired and wireless user would be set to split tunnel and the ACL would have 1 entry - any any any permit.  With the rap-local-network-access command enabled on the RAP system profile, it would know NOT to send traffic between devices to the controller and have it stay local?

    Thanks for the clarification.



  • 6.  RE: RAP in tunnel-mode with wireless clients and wired port server

    EMPLOYEE
    Posted Oct 24, 2014 06:10 PM
    The ACL has to match that you are tunneling all traffic back.

    The forwarding mode of the virtual AP needs to be set to split tunnel. The forwarding mode of the wired AP profile also needs to be split tunnel.

    The rap-local-network-access command makes the access point first look to see if any clients are physically on the AP. If they are not, it sends it to the controller (the KB article details this).
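The following is an added ArubaOS 6.x CLI example that pulls together the steps described in replies 4 and 6 (split-tunnel virtual AP and wired port, untrusted wired port with an AAA profile whose initial role is "authenticated", an allowall session ACL in that role, and rap-local-network-access in the AP system profile). It is not configuration posted by either participant. All profile names, the AP group "branch-raps", the SSID "branch-corp", the use of enet1 as the server port and VLAN 100 are assumptions chosen for illustration; the "allowall" ACL and "authenticated" role exist by default on the controller and are shown here only to make the role/ACL relationship explicit.

```text
! ArubaOS 6.x CLI - illustrative, not from the thread.
! Assumed: AP group "branch-raps", SSID "branch-corp", VLAN 100,
! file server on the RAP's enet1 port. Profile names are invented.

! 1. Session ACL and user role. Reply 6: the ACL must still "tunnel all
!    traffic back", i.e. a single permit-any rule. (allowall and the
!    authenticated role are built in; shown for clarity only.)
ip access-list session allowall
  any any any permit
!
user-role authenticated
  access-list session allowall
!
! 2. AAA profile whose initial role is "authenticated" (reply 4). The
!    same profile is applied to the wireless VAP and the wired port.
aaa profile branch-split
  initial-role authenticated
!
! 3. Wireless side: virtual AP in split-tunnel forwarding mode (reply 6).
wlan ssid-profile branch-corp
  essid branch-corp
!
wlan virtual-ap branch-corp-vap
  ssid-profile branch-corp
  aaa-profile branch-split
  vlan 100
  forward-mode split-tunnel
!
! 4. Wired side: the server port is split-tunnel and untrusted, so the
!    AAA profile and role are applied to the server (reply 4).
ap wired-ap-profile rap-eth1-split
  wired-ap-enable
  forward-mode split-tunnel
  no trusted
!
ap wired-port-profile rap-eth1-port
  wired-ap-profile rap-eth1-split
  aaa-profile branch-split
!
! 5. AP system profile with local network access enabled: the RAP checks
!    whether the destination is a client on the same AP before tunneling.
ap system-profile branch-rap-sys
  rap-local-network-access
!
! 6. Bind everything to the AP group the RAPs belong to (enet1 assumed).
ap-group branch-raps
  ap-system-profile branch-rap-sys
  virtual-ap branch-corp-vap
  enet1-port-profile rap-eth1-port
```

After applying, "show ap system-profile branch-rap-sys" should list rap-local-network-access as enabled, and "show ap-group branch-raps" should show the assumed system profile, virtual AP and enet1 port profile. One caveat a practitioner should keep in mind: because the role ACL is allowall and the local-access decision is made on the RAP, wireless-to-server traffic at that site is no longer mediated by the controller at all; anything the controller's central policy was enforcing on that path no longer applies to local-to-local flows on that RAP.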