AOS10 and GRE tunnels

  • 1.  AOS10 and GRE tunnels

    Posted Jul 10, 2023 09:34 PM

    I'm investigating upgrading APs from AOS8.10 to AOS10 and trying to figure out how under AOS10 I can GRE tunnel Guest users to our 7210 MC which is not managed by Central. I've confirmed this works fine for 8.10 Central managed IAPs.

    The background is we would look to run MSP mode in Central with our customers given a tenancy each. All tenants under our MSP have a guest SSID service on their APs (APs managed by Central) and need to GRE tunnel back to our shared 7210s. It doesn't look like we can migrate our Guest gateways into Central due to the shared nature of the design and the way a tenancy works in Central.

    In Central you can only set up a tunnel for an SSID if you have a primary gateway cluster defined in Central under the tenant. As mentioned, I can't set up a gateway cluster under the tenancy because the 7210s are shared across tenants. I decided I'd try template mode for managing the AOS10 APs and see if I could set it up that way. It's not very well documented, and while I've created a template which includes the below and the audit trail says it's applied, when I use tools to get a 'show running-config' I can see it hasn't been applied.

    vpn primary x.x.x.x
    vpn backup x.x.x.x
    vpn fast-failover
    vpn monitor-pkt-lost-cnt 2
    vpn reconnect-user-on-failover
    vpn gre-outside
    vpn reconnect-time-on-failover 45
    gre per-ap-tunnel

    Is this just a limitation of Central and AOS10? Any other thoughts about how I might solve the traffic path issue for Guest without resorting to dedicated gateways per tenant?



  • 2.  RE: AOS10 and GRE tunnels

    EMPLOYEE
    Posted Jul 11, 2023 05:51 AM

    That might not be a valid scenario today with AOS10. Because AP and gateway are tightly integrated from a configuration perspective, cross-tenant configuration may not be considered as a feature. Please work with your local Aruba SE to discuss the scenario and possibly bring this in as a feature enhancement request.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------