We have an MX84 with Advanced Security and a variety of MR's connected by Aruba PoE switches
Thank you in advance for any help!
Leveraging NAT mode on the APs just to get the content filtering at the edge may not be the best option here. Sounds like you might want to approach this with configuring a Guest VLAN on the MX, and then run the Guest SSID in Bridge mode and tag it to the Guest VLAN. That would avoid having every AP become the NAT boundary, and you'll be bridging the guest traffic to the guest VLAN. You can simply track by MAC address and have full visibility down to each client (versus the management IP of each AP) and a more meaningful set of events and reports on the MX. And you still have all of the Adv Sec features on the MX, and you also would still have firewall and traffic shaping at the edge on the APs if you wanted to, just not the content filtering, but the MX is better at that anyway. Probably no need to syslog at that point unless you had some other requirement to do so; you can syslog flows and URLs, but that's really chatty, so plan to have some 3rd party syslog parsing/reporting tool if doing that to make it useful.
Thanks @NolanHerring for the extra input! @MarshMadness The other thing I should have mentioned, is to note that since it's a guest SSID, if running in Bridge mode, you can still enforce L2 isolation (which is the default for NAT mode SSIDs but not the default for Bridge mode), so be sure to do that for the guests. Hope that helped!
Thank you @MerakiDave and @NolanHerring for the analysis of my setup. As this is a departure from current state, I do have some follow-up questions...
If I understand correctly (forgive me, networking is decidedly NOT my strong suit), I should:
Again, major thanks for taking the time out on a Sunday to help out!
@MarshMadness no worries, happy to help. Correct, on the MX Address and VLANs page, enable VLANs and if they're not already created, create a Student VLAN and a Guest VLAN and assign a VLAN ID and an IP address in each of those subnets. Just for example, let's say 10.1.1.0/24 and VLAN 100 for students and 10.2.2.0/24 and VLAN 200 for guests and assume the MX IPs are 10.1.1.1 and 10.2.2.1. Then on the Wireless Access Control page for each of the SSIDs, change the addressing mode to Bridge (instead of NAT) mode, and further below enable VLAN tagging and in the "all other APs" box put 100 for the Student and 200 for the Guest. (There will be an SSID dropdown box up top).
Also go to the Wireless > Firewall & Traffic Shaping screen and that's where you can enable L2 isolation for each SSID, definitely for the guests, maybe for the student SSID but perhaps not, depends on your needs or policy. That's correct, for at least the Guest VLAN, you would want to deny traffic to the local LAN, so guests would be firewalled off and only allowed out to external/public Internet addresses. You could also add L3 FW rules on the MX firewall page to deny traffic from VLAN 100 to VLAN 200 and vice-versa.
If your Aruba 2530 switches in between create any L3 demarc then you could go back to track by IP, otherwise if that's all L2 then leave it track by MAC and naturally make sure that you have the APs connecting back to dot1q trunk ports on the switch and likewise have trunk interfaces between the 2530s and MX allowing VLANs 1,100,200. Make sure the APs can ping the MX and vice versa and that they're all still online in Dashboard.
Yes, you could still continue to do any L7 stuff you need to at the edge on the APs via the Wireless > Firewall & Traffic Shaping page, except the content filtering which is not available in Bridge mode SSIDs anyway (Q6 below), and that would take place on the MX now on the Content Filtering page. That should give you the better visibility you're looking for and you have all the Adv Sec features on the MX like you mentioned.
Hope that helps!
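The VLAN and firewall design from the answer above, written up as an added Python example (not code from this thread or from Meraki): it builds the MX L3 rule list in the top-down order the MX evaluates it, using the thread's sample subnets (10.1.1.0/24 / VLAN 100 for students, 10.2.2.0/24 / VLAN 200 for guests), and checks a few sample flows offline before anything is applied. The rule key names mirror the Meraki Dashboard API v1 l3FirewallRules payload as I understand it; treat that as an assumption and apply the rules through the Dashboard yourself.

```python
import ipaddress

# Constructed sample addressing from the thread: Student VLAN 100 on 10.1.1.0/24,
# Guest VLAN 200 on 10.2.2.0/24, MX gateway .1 in each subnet.
STUDENT_CIDR = "10.1.1.0/24"
GUEST_CIDR = "10.2.2.0/24"
GUEST_GW = "10.2.2.1/32"
RFC1918 = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"


def build_l3_rules(student_cidr=STUDENT_CIDR, guest_cidr=GUEST_CIDR, guest_gw=GUEST_GW):
    """MX L3 firewall rules in top-down order. Key names mirror the Meraki
    Dashboard API v1 l3FirewallRules payload (assumption, not verified here)."""
    def rule(comment, policy, src, dst):
        return {"comment": comment, "policy": policy, "protocol": "any",
                "srcCidr": src, "destCidr": dst, "syslogEnabled": False}
    return [
        # Guests still need DHCP/DNS from their own MX gateway, so allow that first.
        rule("Guest to own gateway", "allow", guest_cidr, guest_gw),
        rule("Guest -> Student denied", "deny", guest_cidr, student_cidr),
        rule("Student -> Guest denied", "deny", student_cidr, guest_cidr),
        # Guests get Internet only: block all private address space (local LAN).
        rule("Guest to local LAN denied", "deny", guest_cidr, RFC1918),
        rule("Default", "allow", "Any", "Any"),
    ]


def _matches(cidr_field, ip):
    """True if ip falls in any comma-separated CIDR, or the field is 'Any'."""
    if cidr_field.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip()) for c in cidr_field.split(","))


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation, the way the MX walks its rule list top to bottom."""
    for r in rules:
        if _matches(r["srcCidr"], src_ip) and _matches(r["destCidr"], dst_ip):
            return r["policy"]
    return "allow"  # implicit default if nothing matched


if __name__ == "__main__":
    rules = build_l3_rules()
    for src, dst in [("10.2.2.50", "10.1.1.20"), ("10.2.2.50", "8.8.8.8"),
                     ("10.2.2.50", "192.168.5.5"), ("10.1.1.20", "10.2.2.50")]:
        print(f"{src} -> {dst}: {evaluate(rules, src, dst)}")
```

These rules only see traffic that actually crosses the MX (between VLANs or outbound); guest-to-guest traffic inside VLAN 200 never reaches them, which is why the L2 isolation setting on the SSID is still needed.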
Thanks again @MerakiDave, this worked out great. I had to take a methodical approach to cutting over specific VLANs first in prep for the guest and student network move, but with them all moved to their new home it appears to be working great. An ancillary benefit that I did not "ask for" but was one that was pointed out in the @NolanHerring response is in regards to impacts for roaming clients (this is looking much better now).