Hi Jonathan, as Carson mentioned, you should use the controllers as L2 devices and tunnel user traffic. This is the approach recommended by Aruba for the use of WLAN controllers.
This means that the WLAN traffic should be tunneled from the AP to the controller; the controller tags the traffic with the corresponding VLAN and sends it on to the wired network. All L3 services such as DHCP, DNS and routing should be made available on the upstream devices.
You are using two controllers in the cluster, which means that the APs and users are dynamically load balanced. In order for the user traffic to flow, however, you still have to change the routing in your network. You must inform the upstream router of your controller that the IP network 10.10.10.0/24 is located behind the IP of the controller by routing the network 10.10.10.0/24 to the VLAN 14 IP address of the controller. But you have a cluster with two controllers, with user and AP load balancing. Where do you want to route the network to? To the first controller or to the second?
I can therefore only recommend that you use an upstream firewall and a DHCP server in VLAN 14 and do not use this function on the controllers.
By the way, we are here in the Airheads Community, where community members help each other on a voluntary basis. Within the scope of this assistance, it is very complicated to provide a complete solution. If you are unsure about Aruba WLAN, contact your local Aruba partner or open a case with Aruba TAC.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
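As an added illustration of the design Carson and Waldemar describe (this is not code from the thread, from Aruba or from anyone in it): the controllers keep VLAN 14 as a pure L2 VLAN on their trunk ports, with no interface IP, VRRP, DHCP pool or NAT for it, and a separate upstream box on VLAN 14 is the guests' default gateway, DHCP/DNS server and NAT toward the guest ISP. The script below builds that box on Linux with nftables and dnsmasq. The interface names (eth0.14 for the VLAN 14 sub-interface, eth1 for the guest ISP), the DHCP range and the upstream resolver are placeholder assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Aruba: a Linux host as the guest
# gateway for "option 1". Controllers trunk VLAN 14 as L2 only; this host is
# 10.10.10.1 on VLAN 14, serves DHCP/DNS to guests and NATs to the guest ISP.
# Assumed placeholders: VLAN 14 arrives on eth0.14, the guest ISP is on eth1,
# nftables and dnsmasq are installed. Run as root with "apply" to install;
# without an argument it only prints the generated configuration.
set -eu

GUEST_IF="${GUEST_IF:-eth0.14}"
ISP_IF="${ISP_IF:-eth1}"
GUEST_NET="10.10.10.0/24"
GUEST_GW="10.10.10.1"

# nftables ruleset: guests may only reach the Internet via the guest ISP.
# RFC 1918 destinations (the corporate side, and the guest VLAN itself) are
# dropped in the forward path so a guest can never be routed toward the LAN.
nft_ruleset() {
    cat <<EOF
add table inet guest_gw
flush table inet guest_gw
table inet guest_gw {
    set rfc1918 {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # Guests may talk to this box only for DHCP, DNS and ping.
        iifname "$GUEST_IF" udp dport { 67, 53 } accept
        iifname "$GUEST_IF" tcp dport 53 accept
        iifname "$GUEST_IF" icmp type echo-request accept
        # Management from any non-guest interface (tighten for production).
        iifname != "$GUEST_IF" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$GUEST_IF" oifname "$ISP_IF" ip daddr @rfc1918 drop
        iifname "$GUEST_IF" oifname "$ISP_IF" accept
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$ISP_IF" ip saddr $GUEST_NET masquerade
    }
}
EOF
}

# dnsmasq: the only DHCP server on VLAN 14 (the controllers hand out nothing),
# default gateway and DNS both pointing at this host.
dnsmasq_conf() {
    cat <<EOF
interface=$GUEST_IF
bind-interfaces
dhcp-authoritative
dhcp-range=10.10.10.50,10.10.10.250,255.255.255.0,12h
dhcp-option=option:router,$GUEST_GW
dhcp-option=option:dns-server,$GUEST_GW
# Placeholder upstream resolver, reached through the guest ISP.
no-resolv
server=9.9.9.9
EOF
}

apply_guest_gateway() {
    ip addr replace "$GUEST_GW/24" dev "$GUEST_IF"
    sysctl -w net.ipv4.ip_forward=1
    # This host's own default route must point at the guest ISP on $ISP_IF;
    # it must not have a route into the corporate network beyond management.
    nft_ruleset | nft -f -
    dnsmasq_conf > /etc/dnsmasq.d/guest-vlan14.conf
    systemctl restart dnsmasq
}

case "${1:-}" in
    apply) apply_guest_gateway ;;
    *)     nft_ruleset; dnsmasq_conf ;;
esac
```

With this in place the question of where to route 10.10.10.0/24 disappears: no device routes to a controller, the clients ARP for 10.10.10.1 and whichever controller in the cluster terminates the tunnel simply bridges the frame onto VLAN 14. The captive portal on the controller still works on a tunneled WLAN because the controller sees the traffic at L2 before it leaves the trunk.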
Original Message:
Sent: Feb 08, 2026 01:59 PM
From: JB712
Subject: Separate ISP setup for 2 Controllers
I find it hard to believe that this isn't typical. Maybe the setup isn't typical, but I'm sure the problem is. Right now we have 2 controllers clustered to 1 mobility master. When we first went to Aruba, this is the way that was RECOMMENDED to us by our account rep and sales engineer. Changing it now to using Instant Mode is not a solution so an AP can get elected to be a controller (or however that works). So I'm kindly asking that if you don't have a solution for what we currently have in place, then either please don't respond or defer it to someone else. I'm asking because, with our setup and scenario, like I said, when we moved to Aruba we were recommended controllers and a mobility master, and that our corporate network should either be tunneled or bridged AND, if we go with a guest network, that it be tunneled for the best security. It might be I could bridge the guest network and do all the routing that way, now that we utilize OSPF in the backbone of our network, but even in that scenario I wouldn't know how to utilize the function for a captive portal for guests to sign in through.
Original Message:
Sent: Feb 05, 2026 04:04 AM
From: chulcher
Subject: Separate ISP setup for 2 Controllers
The APs can run in Instant mode which includes a virtual controller function for centralized management and administration of the WLAN infrastructure up to the limits of the capabilities of the IAP.
I'd recommend you have a conversation with your local account team for direction and assistance on this as what you're describing here is not something that we'd ever recommend. You asked if this was a typical setup, that answer is no. Nothing of what you've described is a typical setup.
To provide a guest network you should be dumping guest clients into a VLAN that is behind whatever gateway/firewall/router/modem that you are wanting to use for the guest Internet traffic. That device or other device on the network should be providing the needed DHCP functionality to support the guest devices.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Feb 04, 2026 11:00 AM
From: JB712
Subject: Separate ISP setup for 2 Controllers
We bought controllers FOR the purpose of managing Access Points. If I didn't have a controller, I'd have to manually configure each individual AP, and that would be 40 of them I'd have to touch. But the only way to include a web portal and other functions IS to treat the controllers for tunneled WLANs as Layer 3. I've dealt with that problem in the past and the only solution IS to treat them as Layer 3.
Original Message:
Sent: Jan 30, 2026 02:26 PM
From: chulcher
Subject: Separate ISP setup for 2 Controllers
Your best bet is to treat the wireless network as layer 2 and stop thinking of the controllers as layer 3 devices in your network. Dump the guest wireless on a VLAN, let some router/firewall/gateway provide the required default gateway and DHCP.
As for bridging your corporate wireless network...why'd you buy controllers if you aren't going to use them?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Jan 29, 2026 04:50 PM
From: JB712
Subject: Separate ISP setup for 2 Controllers
Hi,
I wanted to inquire the community to find out if this is a typical setup or not, and if not, what is a typical setup.
So I have a Mobility Master/Conductor with 2 7010 controllers in a cluster. We have a VRRP setup (VLAN 10) between the 2 for APs to find the controllers and establish redundancy. Our main corporate wireless network is a bridged network because it needs access to local resources that don't necessarily need to tunnel back to the controllers. This is fine and working great.
We want to have a public Wi-Fi network that we want to have go out a separate ISP. What I'm attempting to do is set up a separate VLAN (VLAN 14). It's an interface VLAN. On:
Controller 1 - VLAN 14 IP address - 10.10.10.2
Controller 2 - VLAN 14 IP address - 10.10.10.3
I'm thinking we need to do a VRRP for this vlan give it 10.10.10.1. Set the default gateway in the DHCP to 10.10.10.1. This is where I get stuck with VRRP as I can see it in my head if I'm doing ingress traffic like the scenario for the APs to find the controllers, but when it's egress traffic like going out to an ISP, I'm losing proper traffic flow. One, internet traffic does need to be routed out and I need a way to NAT.
I've come up with 2 ways.
1) Provide a firewall or another router that does the NAT to the ISP. (i.e. 10.10.10.1 (VRRP) <--> 10.10.10.10 (firewall) (NAT) <--> ISP)
2) Create another VLAN on the controllers for the ISP information to do the NAT.
(Controller 1 10.10.10.2 (Int VLAN14) <--> 10.10.10.1 (VLAN 14) (VRRP) <--> (NAT) (VLAN 15) Public ISP address)
(Controller 2 10.10.10.3 (Int VLAN14) <--> 10.10.10.1 (VLAN 14) (VRRP) <--> (NAT) (VLAN 15) Public ISP address)
If we do option 2, I have only a single physical connection to the ISP router. Should I have a layer 2 switch coming out of the controllers (ports in the same vlan) and it go out that way? Or should VLAN 15 be the VRRP instead of VLAN 14.
It may be way overcomplicating it and option 1 is the better option, but I'm curious on how to perceive this (as well as what others do). I'm trying to wrap my head around the proper, most simplistic way to do all the layer 3 routing for the scenario of having a separate public Wi-Fi and routing all that traffic out that ISP to segment it all. It might require PBR, but I wanted the community's take. I would assume this would be a common scenario some organizations might undertake to keep corporate and public Wi-Fi separate.
Jonathan
-------------------------------------------