Because the client's gateway is not the controller, the controller bridges the client's traffic by design. If there is no route between the client's VLAN and the server, the client's traffic to the server has to be NATed and redirected out of one of the controller's routable interfaces. This cannot be achieved with a src-nat ACL alone: the server must be configured as an ESI server in route mode, and an ACL is then used to redirect and NAT the specific traffic to it.
Verification: I used RDP (TCP port 3389) to demonstrate the TCP session.
Client IP: 192.168.2.3
Server IP: 10.13.15.40
(Aruba-2) #show datapath session table 10.13.15.40
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
Source IP       Destination IP  Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets   Bytes     Flags
--------------  --------------  ---- ----- ----- ---- ---- --- --- ----------- ---- --------- --------- -----
192.168.2.3     10.13.15.40     6    52076 3389  0/0  0    0   0   local       1    4         191       SRC
10.13.15.40     10.17.224.66    6    3389  52076 0/0  0    0   0   local       1    3         151       N
The first entry shows the client's session being source-NATed and redirected to the server (flags S and R), and the return entry from the server carries the dest NAT flag (N), so replies are translated back toward the client. Without ESI the traffic would be bridged to the uplink switch or the client's gateway.
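To make this verification repeatable, the following added example (not part of the original page) parses raw "show datapath session table" output, decodes the Flags column using the legend printed above, and checks that the client-to-server flow is src-NATed and redirected while the server's reverse flow is dest-NATed. The sample output embedded in it is constructed from the two RDP rows above plus one ordinary bridged flow with an empty Flags column.

```python
import re
from dataclasses import dataclass
# Flag legend as printed in the header of "show datapath session table"
FLAG_LEGEND = {"F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny",
               "R": "redirect", "Y": "no syn", "H": "high prio", "P": "set prio",
               "T": "set ToS", "C": "client", "M": "mirror", "V": "VOIP",
               "Q": "Real-Time Quality analysis", "I": "Deep inspect",
               "U": "Locally destined", "E": "Media Deep Inspect", "G": "media signal"}
FIXED_COLUMNS = 13  # Source IP .. Bytes; the trailing Flags column may be empty
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: str

    def describe_flags(self):
        return [FLAG_LEGEND.get(f, "unknown(" + f + ")") for f in self.flags]

def parse_session_table(output):
    """Return the session rows from raw CLI output; legend, header and rule lines are skipped."""
    sessions = []
    for line in output.splitlines():
        p = line.split()
        if len(p) < FIXED_COLUMNS or not (IPV4.match(p[0]) and IPV4.match(p[1])):
            continue
        flags = p[FIXED_COLUMNS] if len(p) > FIXED_COLUMNS else ""
        sessions.append(Session(p[0], p[1], int(p[2]), int(p[3]), int(p[4]), flags))
    return sessions

def esi_redirect_ok(output, client_ip, server_ip, dport):
    """True when the client->server flow is src-NATed and redirected (S and R) and a
    reverse flow from the server carries dest NAT (N), i.e. replies are un-NATed back."""
    sessions = parse_session_table(output)
    fwd = [s for s in sessions if (s.src, s.dst, s.dport) == (client_ip, server_ip, dport)]
    rev = [s for s in sessions if s.src == server_ip and s.sport == dport]
    return (any("S" in s.flags and "R" in s.flags for s in fwd)
            and any("N" in s.flags for s in rev))

# Constructed sample: the two rows from the RDP test above plus a plain bridged DNS flow
SAMPLE = """Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- --------- --------- -----
192.168.2.3 10.13.15.40 6 52076 3389 0/0 0 0 0 local 1 4 191 SRC
10.13.15.40 10.17.224.66 6 3389 52076 0/0 0 0 0 local 1 3 151 N
192.168.2.3 192.168.2.1 17 50000 53 0/0 0 0 0 local 1 2 140"""
```

Paste the controller output into `SAMPLE` (or read it from a file) and call `esi_redirect_ok` with the client, server and destination port under test; a False result means the flow is still being bridged rather than NATed and redirected.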