Solved

Same policy, different rules how do I manage

  • 19 November 2020
  • 9 replies
  • 71 views

Userlevel 6
Badge

Hi,

Scenario is that I have 2 x EWC’s. Each of these are in different locations.

Each location has its own internet connection for bridge@ewc for guest internet traffic.

DHCP is being provided by EWC. One large scope has been created and split between each of the controllers.

The issue is the VLAN ID is different in each location. That means the contain to VLAN is different for the same roles on each controller.

The ‘sync’ on the EWC has been removed for those roles between each of the controller because the VLAN ID’s are different. 

The problem is this is creating an issue with policy because you have the same policy with different configuration on each controller, so the policy verification is failing and I can’t get EWC and Policy to sync with that configuration.

Only solution I can think of is change the VLAN ID on both sides to match.

Just wondering if anyone had a better idea, save the trouble I could have in getting the VLAN changed.

Many thanks in advance.

icon

Best answer by Miguel-Angel RODRIGUEZ-GARCIA 20 November 2020, 12:45

Martin,

Here my understanding:

  • two sites with their own internet access VLAN666 and VLANxxx
  • One WLAN “Guest-WiFi” B@EWC NOT SYNCHRONIZED
    • This means that the two WLANs are independent
    • so we can have the same SSID (for consistency) with different VLAN IDs and different subnets and DHCP scopes
  • What I would suggest is to:
    • Synchronize all objects (for redundancy) but the WLAN “Guest-Internet”
    • Create 4 roles keeping the ACLs only for the local CP:
      • Guest Unauthenticated-Site1
        • VLAN = 666
      • Guest Unauthenticated-Site2
        • VLAN = xxx
      • Guest Access-Site1
        • VLAN = 666
      • Guest Access-Site2
        • VLAN = XXX
    • Create two different VNS
      • Guest-Internet-Site1
        • WLAN = Guest-WiFi
        • Non Auth Role = Unauthenticated-Site1
        • Auth Role = Access-Site1
      • Guest-Internet-Site2
        • WLAN = Guest-WiFi
        • Non Auth Role = Unauthenticated-Site2
        • Auth Role = Access-Site2
  • It has been a while I migratd to XCA/XCC so I don’t remember by heart the captive portal settings. If I remeber well you’ll have to create one captive portal per site pointing to the ip address of the local topology (666 or xxx)

With this you should have a synchronized infra except for the WLAN pointing to the local CP/VLAN/Roles.

 

One point not clear is the subnet of the CP.

If it is a different VLAN, the DHCP scope cannot be part of the same subnet. You should have two different subnets/scopes/VLANs and of course, firewalls (one on each site).

I’m still missing the topology diagram.

Mig

View original

9 replies

Userlevel 6
Badge

Hello Martin,

 

If you have Radius/Nac in place you can use two different Roles and take the same topology for both Roles.

 

 

 

Userlevel 3
Badge

Are you using guest-portal of ewc?

I’m a big fan from separating Policy and VLAN (not using contain to vlan) in case of enterprise-ssid.

There you can send RFC3580 VLAN Tunnel attribute and policy-role via filter-id attribute from radius-server. But I think this wouldn’t help in your case.

 

Another Idea: Changing VLAN to untagged at ewc you solve your problem, if this is possible.

Userlevel 6
Badge +1

Hi Martin,

I see a lot of solutions but you should clarify a little bit your architecture:

  • Why did you broken the synchronisation between the EWc’s?
    • Is that done on the whole config or only on specific objects?
    • And the main reason is why? 
  • Do you use a captive portal?
    • If so we need the details of the topology. A second captive portal could be needed in case of conflicting parameters
  • Can you share a topology diagram including EWC, Firewall, routers ?
  • What is the connectivity between the two sites?
    • L2 or L3?
  • Do you have the Extreme Access Control? If so, you could perfectly use the same rule pointing to the same policy but send, based on the location, different:
    • roles
    • or VLANs using the RFC3580 feature 

Basically you should rephrase your concerns in terms of what you want to achieve instead of what are the issues you see. The second way is closing doors that could let be open.

I’m confident there are ways to achieve what I could feel in your description.

Regards

Mig

Userlevel 6
Badge

Thanks all for posting a reply.

Hi Mig, thanks also. Will aim to answer your questions. Apologies, was trying keep it simple but get your point. 

What I  was trying to achieve predominantly was to clear the error I was getting with policy verification on XMC.

This was due to the fact the synchronisation was broken between the EWC’s to accommodate the difference in VLAN. This further lead me to consider what would be the best approach to configuring redundant internal EWC captive portal that is not managed by ExtremeControl (more detail below) but the Guest polices are managed by XMC i.e. the answer would lead to a variation in approaches I could consider.

Bear in mind I am coming into something already there, rather than from scratch. 

So the customer has two EWC in two different geographic locations. The introduction of Guest internet access via EWC  internal captive portal was introduced, but customer only had one internet connection at one location at the time, so all the AP’s had been homed to one controller to provide the service. 

Later internet connectivity was introduced to the other location. Seems the VLAN ID’s where different at the other location, so to combat that the synchronisation was disabled on the guest polices to accommodate the difference in VLAN ID. 

The same subnet range is being used in both locations, the EWC just splits the DHCP scope into two, one half one side one half the other side. This means the topology cannot be sync’ed either. 

That said the failover works really well, albeit not completely straight under the hood.

The guest traffic bridges at the controller to esa1, which I believe is VLAN’ed to a dedicated internet firewall in the network somewhere. I unfortunately do not have much detail on this, other then so long as I drop traffic onto the guest internet VLAN, supply the default gateway (firewall) to hosts via EWC DHCP scope, its good to go

There is only L3 connectivity between the two sites.

Yes, there is an Extreme Control sitting behind the scenes, but as the EWC is using internal captive portal and the customer doesn’t need to be aware of end-system joining that network (ie be visiable in XMC) so its not being used for guest traffic.

That said, EWC with NAC is being used for corporate SSID’s, so polices are being managed by XMC, including guest polices, hence the query.

I’ve provided some screenshots, so hopefully the above and these provide the detail you need, let me know if you need anything else. The screenshots are taken from one controller but they are pretty much the same on both sides except the topology, the other side has a different L3 IP (172.31.255.202) and the other half of the DHCP scope for the same subnet.

In the screen shots the Guest polices are now in sync, as although the topology for the guest VLAN shows tagged on this controller the other side wasn’t. That meant I could just change the ID to be the same. Now they are in sync.

That does answer my primary question but I don’t think this is the best approach, hence opening up the conversation for ideas.


Many thanks in advance.

 

 

Userlevel 6
Badge +1

Hi Martin,

Why do we all use the VLAN 666 for Internet ? :sweat_smile:

Is the authentication done via the NAC?

Could you share the screenshots concerning the config and the authentication of the captive portal?

What is the role and the VLANID/DHCP subnet at the second location?

Mig

Userlevel 6
Badge

Hi Mig,

No idea, seems its asking for trouble being 666 :)

Regarding guest access, no NAC involvement at all, just internal EWC captive portal using guest splash. Screenshot below.

The other corporate SSID’s due use NAC extensively, hence why I need to manage all the polices including Guest Access via XMC. The polices are just being assigned to end-systems based on the roles defined in the VNS settings (added below)

Screenshots also added showing the other controllers topology configuration

The topology below used to have a VLAN ID of 466 configured, but because it was untagged I just changed to match the other of 666.

Thanks

 

 

Userlevel 6
Badge +1

Martin,

Here my understanding:

  • two sites with their own internet access VLAN666 and VLANxxx
  • One WLAN “Guest-WiFi” B@EWC NOT SYNCHRONIZED
    • This means that the two WLANs are independent
    • so we can have the same SSID (for consistency) with different VLAN IDs and different subnets and DHCP scopes
  • What I would suggest is to:
    • Synchronize all objects (for redundancy) but the WLAN “Guest-Internet”
    • Create 4 roles keeping the ACLs only for the local CP:
      • Guest Unauthenticated-Site1
        • VLAN = 666
      • Guest Unauthenticated-Site2
        • VLAN = xxx
      • Guest Access-Site1
        • VLAN = 666
      • Guest Access-Site2
        • VLAN = XXX
    • Create two different VNS
      • Guest-Internet-Site1
        • WLAN = Guest-WiFi
        • Non Auth Role = Unauthenticated-Site1
        • Auth Role = Access-Site1
      • Guest-Internet-Site2
        • WLAN = Guest-WiFi
        • Non Auth Role = Unauthenticated-Site2
        • Auth Role = Access-Site2
  • It has been a while I migratd to XCA/XCC so I don’t remember by heart the captive portal settings. If I remeber well you’ll have to create one captive portal per site pointing to the ip address of the local topology (666 or xxx)

With this you should have a synchronized infra except for the WLAN pointing to the local CP/VLAN/Roles.

 

One point not clear is the subnet of the CP.

If it is a different VLAN, the DHCP scope cannot be part of the same subnet. You should have two different subnets/scopes/VLANs and of course, firewalls (one on each site).

I’m still missing the topology diagram.

Mig

Userlevel 6
Badge

Hi Mig,

Thanks for taking the time to look at this, its been extremely helpful and believe I have the detail I need now. 

The network is vast and don’t have much detail on it, although it is inconsequential in this case. The sites are joined together at layer 3 but it does not matter as guest traffic is bridging out to a VLAN / Network and firewall that are completely independent of each other.

The DHCP scope was something I was aware of and do use, whether its right or wrong is up for question.

The way it works is because the two VLANs either the same or different ID’s are effectively not joined in anyway, they are just VLANs that go to two completely independent firewalls and circuits. This means they can be configured with the same subnet and not clash with one another.

The way it works is that you take one large scope, you split the allocation of addresses in half. One side provides address in one range (lower half), the other side does the same (higher half). The primary reason is that when the APs fail from one side to the other (whether 50/50 split or all home to one) the client can keep the same IP, it wont clash with anything on the controller, the DHCP scope keeps them separate. In addition if a client gets an IP when in failover, when it fails back it can keep it until lease runs-out and still work without clashing.

That way the failover is seamless, the device doesn’t need to re-ip and client carries on working without being aware of the fail-over. It isn’t completely fall-proof, but think it takes best advantage of the fact traffic has effectively moved to a completely different location and firewall.

What do you think, maybe not the best idea?

Cheers.

Userlevel 6
Badge +1

Hi Martin,

The main issue I see is that we are cheating with the controller to make it think that the network behind (fw) is the same in both sites while it is not.

We are in fact abusing the system and taking advantage of a “working but not expected behaviour”.

The risk is that at some point in time something changes in the infrastructure (VLAN/subnet/scope/default gw) and then the sh*t hits the fan…

In such simple environment I encourage the customer to put the splash screen and the DHCP scope on the firewall. The WLAN is the just a L2 bridge with no L3/CP/DHCP/etc. Here it would be a dedicated splash/subnet/scope per FW.

I wouldn’t care about a smooth/transparent fail-over for a guest Internet with no authentication.Ì would on the other SSIDs with authentication.

In your specific case, the EWC has no added value and in fact it is increasing the entropy of your system.

Cheers

Mig

Reply