Wireless Access

  • 1.  GRE Tunnel for Guest Controller

    Posted Sep 16, 2024 11:29 AM

    Hi Airheads.  I've worked some with Aruba controllers but this is a new deployment type for me.  I'm working with a deployment that uses Guest controllers in a DMZ in separate DCs.  My initial question: there are two modes of GRE tunnel I can choose from, L2 or L3, and I was wondering if there is a preferred tunnel type that I need for this deployment.

    The Mobility Controllers will have the APs on them and broadcast the GUEST and BYOD SSIDs, whose traffic will then be tunneled to the Guest controllers in the DMZ.  I just wasn't certain if I needed L2 or L3 tunnels in this deployment.

    Thank you ahead of time.



  • 2.  RE: GRE Tunnel for Guest Controller

    Posted Sep 16, 2024 02:26 PM

    L2 for VLAN extension is the usual.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: GRE Tunnel for Guest Controller

    Posted Sep 17, 2024 08:52 AM
    Edited by toddflbass Sep 17, 2024 09:00 AM

    Great. Thank you.  That leads me to my next question.  So on my Mobility Controller I will create the guest SSID and point it to a VLAN (say VLAN 1) that isn't in use on the network.  I will include that VLAN as part of my GRE tunnel.  At the far end of the tunnel, I want users to end up on one of three VLANs.  Does this configuration look correct?  I've included a diagram as well.  Ignore the second pair of guest controllers in the other DC.

    Mobility controller:
    interface tunnel 201 
        description "Tunnel Interface" 
        tunnel mode gre 1 
        tunnel source 10.1.1.2
        tunnel destination 192.168.1.2
        tunnel keepalive 
        trusted 
        tunnel vlan 1 
        trusted vlan 1 

    Guest controller:
    interface tunnel 201
        description "Tunnel Interface"
        tunnel mode gre 1
        tunnel source 192.168.1.2
        tunnel destination 10.1.1.2
        tunnel keepalive
        trusted
        tunnel vlan 178,180,187
        trusted vlan 178,180,187




  • 4.  RE: GRE Tunnel for Guest Controller

    Posted Sep 17, 2024 09:55 AM

    You have to tunnel the VLANs across the GRE tunnel, so the VLAN configuration has to match on both sides.  The tunnel mode gre command should also be specifying the correct protocol type (Transparent Ethernet bridging = 0x6558 or 25,944) that the tunnel is transporting.

    https://www.arubanetworks.com/techdocs/CLI-Bank/Content/aos8/interface-tunnel.htm

    If you are going to utilize multiple GRE anchor controllers for HA, make sure to configure a tunnel group to handle the redundant tunnels correctly.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
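
The checks from the reply above (same VLAN list on both ends, protocol type 0x6558, mirrored endpoints), as an added example that is not code from the thread or from Aruba, run over the two stanzas posted in message 3. The function names and the small subset of commands parsed are assumptions of this example.

```python
ETHERTYPE_TEB = 0x6558  # Transparent Ethernet Bridging (25944 decimal)

def expand(spec):
    """'178,180,187' -> {178, 180, 187}; an 'a-b' range form is also accepted."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_tunnel(text):
    """Pull out the fields of one 'interface tunnel' stanza that must agree."""
    cfg = {"proto": None, "source": None, "destination": None, "vlans": set()}
    for line in text.splitlines():
        w = line.split()
        if len(w) < 3:
            continue
        if w[:3] == ["tunnel", "mode", "gre"] and len(w) > 3:
            cfg["proto"] = int(w[3], 0)          # accepts 25944 or 0x6558
        elif w[0] == "tunnel" and w[1] in ("source", "destination"):
            cfg[w[1]] = w[2]
        elif w[:2] == ["tunnel", "vlan"]:
            cfg["vlans"] = expand(w[2])
    return cfg

def compare(local_text, remote_text):
    """Return a list of mismatches between the two ends of an L2 GRE tunnel."""
    a, b = parse_tunnel(local_text), parse_tunnel(remote_text)
    findings = []
    for name, cfg in (("local", a), ("remote", b)):
        if cfg["proto"] != ETHERTYPE_TEB:
            findings.append(f"{name}: GRE protocol {cfg['proto']} is not 0x6558 (25944)")
    if a["vlans"] != b["vlans"]:
        findings.append(f"tunnel vlan mismatch: {sorted(a['vlans'])} vs {sorted(b['vlans'])}")
    if (a["source"], a["destination"]) != (b["destination"], b["source"]):
        findings.append("tunnel source/destination are not mirrored")
    return findings

# The two stanzas from message 3 of this thread (description/keepalive lines omitted).
MOBILITY = """interface tunnel 201
    tunnel mode gre 1
    tunnel source 10.1.1.2
    tunnel destination 192.168.1.2
    tunnel vlan 1
"""
GUEST = MOBILITY.replace("10.1.1.2", "TMP").replace("192.168.1.2", "10.1.1.2") \
                .replace("TMP", "192.168.1.2").replace("vlan 1", "vlan 178,180,187")

if __name__ == "__main__":
    print("\n".join(compare(MOBILITY, GUEST)) or "tunnel ends agree")
```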



  • 5.  RE: GRE Tunnel for Guest Controller

    Posted Sep 17, 2024 11:13 AM
    Edited by toddflbass Sep 17, 2024 11:14 AM

    So this?

    Mobility Controller
    interface tunnel 201
        description "Tunnel Interface"
        tunnel mode gre 25944
        tunnel source 10.1.1.2
        tunnel destination 192.168.1.2
        tunnel keepalive
        trusted
        tunnel vlan 178,180,187
        trusted vlan 178,180,18

    Guest Controller in DMZ
    interface tunnel 201
        description "Tunnel Interface"
        tunnel mode gre 25944
        tunnel source 192.168.1.2
        tunnel destination 10.1.1.2
        tunnel keepalive
        trusted
        tunnel vlan 178,180,187
        trusted vlan 178,180,187






  • 6.  RE: GRE Tunnel for Guest Controller

    Posted Sep 17, 2024 11:20 AM

    That looks workable.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: GRE Tunnel for Guest Controller

    Posted Sep 17, 2024 01:42 PM

    Thanks for your help!