Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

core-remote failover

  • 1.  core-remote failover

    Posted Jan 19, 2015 05:07 AM

    I'm trying to figure out a failover solution for a rather complicated guest setup and wondered if anyone had any ideas for redundancy in my setup. The picture attached shows a simplified setup where we need to build in redundancy at both ends for guest traffic to/from a ClearPass at the core DMZ. The issue I have is that I cannot build the VPN tunnel between the two VRRP addresses.



  • 2.  RE: core-remote failover

    EMPLOYEE
    Posted Jan 19, 2015 05:41 AM

    MattF,

    If it is a guest network, what is the importance of tunneling guest traffic back to the DMZ?  Why is it not just split out locally?

    If it is an option, give the ClearPass server a public address and have everyone hit the guest page in that manner, rather than trying to tunnel guest traffic to a DMZ.  Have the guest traffic then exit locally at the remote site.



  • 3.  RE: core-remote failover

    Posted Jan 19, 2015 05:54 AM

    We need to tunnel the guest traffic back to the core because that is where the ClearPass is, and it cannot be Internet facing for security reasons.



  • 4.  RE: core-remote failover

    EMPLOYEE
    Posted Jan 19, 2015 06:17 AM

    MattF, ClearPass is a security box. You can say what IP addresses can and cannot be serviced by the guest page, period, so from a security perspective, you can use https and protect any authentication traffic that you want.

    Is there already a site-to-site VPN for wired traffic between the remote site and the core?  If so, maybe the guest traffic can ride that tunnel and get split out in the DMZ.  If there is no site-to-site VPN for wired traffic, you should just use a public IP address for CPPM and protect it, just like everyone else does.  It's only for authenticating guest traffic, right?  You pretty much do not care about any of the other traffic, so why force all the traffic to go back to the core over a tunnel for guest traffic, when you can just use https?  Why build all of that infrastructure and then put redundancy on top of it, just for guest traffic?  If that option has not been given, I would certainly present it.



  • 5.  RE: core-remote failover

    Posted Jan 19, 2015 06:23 AM

    The customer will not allow connections from the Internet, so this cannot be done. There is a site-to-site VPN which carries the Aruba VPN between the controllers; however, the guest traffic must be kept off the corporate network, which is why it needs to go through the VPN built between the controllers. The VPN between the controllers was pretty much the only option. If there hadn't been the site-to-site VPN between the controllers, then there would have been no guest access.



  • 6.  RE: core-remote failover

    EMPLOYEE
    Posted Jan 19, 2015 06:48 AM

    MattF,

    Technically, a site-to-site VPN is a connection from the Internet. The only difference is that it is spelled VPN and not https.

    You can possibly make a redundant tunnel, but between monitoring the status of the tunnel, configuring routing, and probably going through the exact same thing to add an additional site, I would ask the customer why they would not consider https to ClearPass locked down to only specific sites. You have (1) clients coming from a network with a stateful firewall, and (2) ClearPass, which can be locked down by IP address and has the ultimate flexibility to extend this anywhere. It is hard to defend or advise someone building a redundant VPN solution.