01-16-2024 01:39 AM - edited 01-16-2024 01:42 AM
Hello,
Trying to understand how to set up a GRE tunnel between an AP and VGVA so the Guest SSID traffic is forwarded to the internet via the VGVA. The VGVA and AP are onboarded in XIQ and the AP has a Network Policy with a Guest SSID configured.
Do I use the same Network Policy on VGVA so they have the same SSID and can tunnel between each other?
Or do I use a different Network Policy which sets up VGVA as a Bridge Router with VPN service?
Basically, I need to understand the VGVA mode as well and how I can use Eth0 and Eth1. Eth0 is used for management and access to XIQ. It will also need to terminate the GRE tunnel. Eth1 will need to be connected to the internet LAN where the Firewall / DHCP Server is.
Any guidance appreciated.
Thanks,
Rob
01-16-2024 05:56 AM
Hello,
From what you're saying I think an L2 mode for the VGVA would suffice where you tunnel the user profile of the SSID, though it doesn't use two interfaces (think that's L3 mode) if I remember correctly. I have the attached L2 guide from a while back, a bit outdated but the same theory applies and config is the same (but just looks a little different) - not sure if that helps?
01-16-2024 08:25 AM
Hi Ash,
Thank you for your reply and the document. The document covers L2 VPN but not GRE tunneling unfortunately. I will test using a Network Policy with an SSID and User Profile with Identity-Based Traffic Tunneling and deploy to an AP and VGVA to see if this works.
I may have to use two interfaces, one to terminate the tunnel and one into the DMZ.
01-17-2024 05:25 AM
Oh yes of course, sorry!
I've done identity based tunnelling before at the user profile and it did work, though I can't remember if it had two interfaces or not at the VGVA end....