SD-WAN

  • 1.  Assign role to subnet

    Posted Jun 16, 2021 12:37 PM
    Hello community!

    Is it possible to assign a role to a "non-directly attached" vlan/subnet in a gateway?

    Consider the following network diagram:



    I need to assign a role to ClientA who is connected to a L3 switch over Vlan10. Gateway 7010 doesn't know about VLAN10.

    I know it is possible to assign a policy to the interface facing the incoming traffic, but it would be great if I could assign roles to different subnet networks.

    Thanks in advance :)


  • 2.  RE: Assign role to subnet

    Posted Jun 16, 2021 07:47 PM
    No, that VLAN should be available on the gateway. You need to authenticate the user to be able to put them in a user role.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Assign role to subnet

    Posted Jan 24, 2022 04:01 AM
    The scenario that Vario described is in the Aruba SD-LAN Validated Solution Guide.

    If you can't assign a gateway user role to clients on subnets that aren't layer 3 connected to the gateway, I don't know, it doesn't seem quite right.

    Obviously you could just assign a role to the VLAN assigned to the gateway interface which connects to the L3 switches, but that's far from ideal as you may have many different client types (management, employee, IoT, etc) which should have different levels of access.


    ------------------------------
    James Whitehead
    ------------------------------



  • 4.  RE: Assign role to subnet

    Posted Feb 03, 2022 07:21 PM
    It is not recommended to set the port/VLAN to untrusted when there is an L3 hop away from the clients. Today, there is no means to map to a user role, but it depends on what you are looking to accomplish. User roles are available on the switches/APs in a routed scenario such as this. If you are looking to accomplish WAN-side data path manipulation, then you could always use source IP/network context in DPS, PBR, and session ACL based constructs.

    ------------------------------
    Seth Fiermonti
    ------------------------------