Hi Jonathan, as Carson mentioned, you should use the controllers as L2 devices and tunnel user traffic. This is the approach recommended by Aruba for the use of WLAN controllers.
This means that the WLAN traffic should be tunneled from the AP to the controller, the controller tags the traffic with the corresponding VLAN and sends it on to the wired network. All L3 services such as DHCP, DNS, routing should be made available on the upstream devices.
You are using two controllers in the cluster, which means that the APs and users are dynamically load balanced. In order for the user traffic to flow, however, you still have to change the routing in your network. You must inform the upstream router of your controller that the IP network 10.10.10.0/24 is located behind the IP of the controller by routing the network 10.10.10.0/24 to the VLAN 14 IP address of the controller. But you have a cluster with two controllers, with user and AP load balancing. Where do you want to route the network to? To the first controller or to the second?
I can therefore only recommend that you use an upstream firewall and a DHCP server in VLAN 14 and do not use this function on the controllers.
By the way, we are here in the Airhead Community, where community members help each other on a voluntary basis. Within the scope of this assistance, it is very complicated to provide a complete solution. If you are unsure about Aruba WLAN, contact your local Aruba partner or open a case with Aruba TAC.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Feb 08, 2026 01:59 PM
From: JB712
Subject: Separate ISP setup for 2 Controllers
I find it hard to believe that this isn't typical. Maybe the setup isn't typical, but I'm sure the problem is. Right now we have 2 controllers clustered to 1 mobility master. When we first went to Aruba, this is the way that was RECOMMENDED to us by our account rep and sales engineer. Changing it now to using Instant Mode is not a solution so an AP can get elected to be a controller (or however that works). So I'm kindly asking that if you don't have a solution towards what we have currently in place, then either please don't respond or defer it to someone else as I'm asking because with our setup and scenario, like I said when we moved to Aruba, we were recommended controllers and a mobility master and that our corporate network should either be tunneled or bridged AND if we go with a guest network that it be tunneled for the best security. It might be I could bridge the guest network and do all the routing that way now we utilize OSPF in the backbone of our network, but even in that scenario I wouldn't know how to utilize the function for a captive portal for guests to sign in through.
Original Message:
Sent: Feb 05, 2026 04:04 AM
From: chulcher
Subject: Separate ISP setup for 2 Controllers
The APs can run in Instant mode which includes a virtual controller function for centralized management and administration of the WLAN infrastructure up to the limits of the capabilities of the IAP.
I'd recommend you have a conversation with your local account team for direction and assistance on this as what you're describing here is not something that we'd ever recommend. You asked if this was a typical setup, that answer is no. Nothing of what you've described is a typical setup.
To provide a guest network you should be dumping guest clients into a VLAN that is behind whatever gateway/firewall/router/modem that you are wanting to use for the guest Internet traffic. That device or other device on the network should be providing the needed DHCP functionality to support the guest devices.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Feb 04, 2026 11:00 AM
From: JB712
Subject: Separate ISP setup for 2 Controllers
We bought controllers FOR the purpose of managing Access Points. If I didn't have a controller, I'd have to manually configure each individual AP and that would be 40 of them I'd have to touch. But the only way to include a web portal and other functions IS to treat the controllers for tunneled WLANs as Layer 3. I've dealt with that problem in the past and the only solution IS to treat them as layer 3.