vSCG SSH tunnels

  • Updated 2 years ago
Hi Guys,

I have a remote vSCG to which I would like to connect APs located in different sites. I would also like to bridge the traffic locally.
The APs are all behind a firewall and a NAT device. I guess that I should use Ruckus GRE tunnels in order to traverse the NAT. As I am new to the vSCG, I would like to know if the user traffic is also going to be encapsulated in the GRE tunnel or if it is just the management traffic that will flow through the tunnel.

Many thanks in advance guys!

Othmane Douiri

Posted 2 years ago

Monnat Systems, AlphaDog

By default, vSCG-controlled APs switch the traffic locally and ONLY management traffic goes to the vSCG.

You can also tunnel both data and management to the vSCG.

Othmane Douiri

Thank you Monnat!
So, as I understand:
By default the vSCG will communicate with the APs using SSH (TCP/22) and HTTPS (TCP/443) for management traffic. These are the ports I should open on my firewall on both sides (AP side and vSCG side). This will work even if my APs and my vSCG are behind NAT devices.

In case I want to tunnel user data, then I have to use GRE+UDP.

Dionis, AlphaDog

Couple of things here. AP to vSZ communication requires ports 91, 22, 443 and, if version 3.2, 11443 is then required as well.

Second, only on the vSZ side and inbound direction is this required, unless you are blocking these at the AP side as well; normally you don't need to open them at the AP side or source.

Third, if the vSZ is behind NAT, you need to specify what is the outside public IP that the vSZ should be using when replying to the APs. Otherwise it will send its private IP configured on it and the AP won't be able to form an SSH tunnel to a private IP over the internet. This can be set on the vSZ under system cluster configuration section.

Last, data can't be tunneled to the vSZ directly if you want to tunnel traffic to the controller. You will need to set up a virtual data plane for that.

Monnat Systems, AlphaDog

Well, it's better you refer to the admin guide for that... there are many ports to be kept open for various reasons... not just SSH and HTTPS.

Download the file from here -- http://s000.tinyupload.com/?file_id=07957357372619860888

Page no. 503 in the PDF file.

Knoop Japan

Adding to Dionis,

>under system cluster configuration
Configuration -> Cluster Planes -> Control Plane Name -> Control NAT IP.

Then examine the AP configuration with the terminal command "get scg" to make sure.

------ SCG Information ------
SCG Service is enabled.
AP is managed by SCG.
State: CONNECTED
SCI is disabled.
Server List:<ControlNatIP>
:

Good luck.
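
Added example (not part of the original thread and not Ruckus tooling): a small Python check that parses `get scg` output in the format shown above and flags the failure Dionis describes, where the AP has been handed a private controller address it cannot reach across the internet. It assumes the vSZ is behind NAT, that the Server List entries are separated by commas or spaces, and the sample addresses are constructed.

```python
import ipaddress

# RFC 1918 ranges: addresses an AP cannot reach across the internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_get_scg(text):
    """Extract the State and Server List fields from `get scg` output."""
    info = {"state": None, "servers": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # banner and status lines carry no "key: value" pair
        key, value = key.strip().lower(), value.strip()
        if key == "state":
            info["state"] = value
        elif key == "server list":
            # Assumption: entries are separated by commas or whitespace.
            info["servers"] = value.replace(",", " ").split()
    return info

def check_ap(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    info = parse_get_scg(text)
    findings = []
    if info["state"] != "CONNECTED":
        findings.append(f"state is {info['state']!r}, expected 'CONNECTED'")
    if not info["servers"]:
        findings.append("no Server List entry found")
    for server in info["servers"]:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue  # hostname or placeholder; not judged here
        if any(addr in net for net in RFC1918):
            findings.append(f"server {server} is a private (RFC 1918) address")
    return findings

# Constructed samples modelled on the excerpt above (addresses are made up).
SAMPLE_OK = """------ SCG Information ------
SCG Service is enabled.
AP is managed by SCG.
State: CONNECTED
SCI is disabled.
Server List:203.0.113.10
"""
SAMPLE_BAD = SAMPLE_OK.replace("203.0.113.10", "192.168.10.5")

print(check_ap(SAMPLE_BAD))
```

A private address in the Server List is only a problem when the AP reaches the controller through NAT; on a flat LAN it is expected.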