GRE tunnel between AP and VGVA

RobertD1
Contributor II

Hello,

Trying to understand how to set up a GRE tunnel between an AP and VGVA so the Guest SSID traffic is forwarded to the internet via the VGVA. The VGVA and AP are onboarded in XIQ and the AP has a Network Policy with a Guest SSID configured.

Do I use the same Network Policy on VGVA so they have the same SSID and can tunnel between each other?

Or do I use a different Network Policy which sets up VGVA as a Bridge Router with VPN service?

Basically, I need to understand the VGVA mode as well and how I can use Eth0 and Eth1. Eth0 is used for management and access to XIQ. It will also need to terminate the GRE tunnel. Eth1 will need to be connected to the internet LAN where the Firewall / DHCP Server is.

Any guidance appreciated.

Thanks,

Rob

1 ACCEPTED SOLUTION

Ash_Finch
Contributor III

Hello,

From what you're saying I think a L2 mode for the VGVA would suffice where you tunnel the user profile of the SSID, though doesn't use two interfaces (think that's L3 mode) if I remember correctly. I have the attached L2 guide from a while back, a bit outdated but the same theory applies and config is the same (but just looks a little different) - not sure if that helps?

3 REPLIES

Hi Ash,

Thank you for your reply and the document. The document covers L2 VPN but not GRE tunneling unfortunately. I will test using a Network Policy with an SSID and User Profile with Identity-Based Traffic Tunneling and deploy to an AP and VGVA to see if this works.

I may have to use two interfaces, one to terminate the tunnel and one into the DMZ.

Oh yes of course, sorry!
I've done identity based tunnelling before at the user profile and it did work, though I can't remember if it had two interfaces or not at the VGVA end....
