Question: How to assign a VLAN/Subnet to an IAP through IPSec back to the controller?
The IAP DHCP modes listed below determine how a VLAN or subnet is assigned to clients behind an IAP and how their traffic is carried over the IPsec tunnel to the controller. Details of each mode follow.
IAP DHCP methods
- Local Mode
- Centralized L2 Mode
- Distributed L2 Mode
- Distributed L3 Mode
Local Mode:-
Local mode provides VPN connectivity using the inner IP of the RAPNG IPsec tunnel.
Client traffic that has to be forwarded to corporate destinations is source-NATed by the master AP to the inner IP of the IPsec tunnel, while traffic destined to the internet is source-NATed to the localip (uplink address) of the master AP.
Make sure the controller's VPN L2TP pool is routable from the upstream network.
Centralized L2 Mode:-
This method extends the corporate VLAN/broadcast domain to the remote branch, the same L2 extension used by classic RAPs.
The DHCP server and the client gateway reside in the data center; either the controller or an upstream router can be the gateway for clients. Aruba recommends using an external DHCP server.
By default, any client traffic destined to the data center is forwarded by the master AP through the IPsec tunnel to the client's gateway in the data center. Traffic destined to local destinations is source-NATed to the localip of the master AP and bridged locally.
Distributed L2 Mode:-
Distributed L2 mode is similar to Centralized L2 mode, except that the DHCP server for clients is the master IAP in the cluster itself.
The default gateway for clients is still in the data center (reached via the master AP through IPsec), so this remains an L2 extension of the corporate VLAN to the remote site.
Traffic destined to local destinations is source-NATed to the localip of the master AP and bridged locally.
The major difference is that when the WAN link is down, the IAP proxy-ARPs for the default gateway in the data center.
Clients can therefore renew their lease and receive an IP address even when the WAN link is down, which is not possible in Centralized L2 mode.
Distributed L3 Mode:-
Distributed L3 mode is very similar to a site-to-site IPsec VPN, where two VPN endpoints connect individual networks over a public network.
Each branch location has a dedicated subnet. The master AP in the branch manages that subnet and acts as both the DHCP server and the gateway for clients.
Client traffic to the data center is routed to the controller through IPsec, and local traffic is source-NATed locally.
Since the controller in the data center is aware of the L3 subnet at each branch, it can redistribute these routes to the upstream router using OSPF.
Note that Aruba Instant OS 3.3 is required to support the features described above.
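The four modes differ in where a client packet is sent, what address it is source-NATed to, and what still works when the WAN link drops. The Python model below is added here as an illustration and is not part of the original article or of Aruba's software; it encodes the rules from the mode descriptions so the differences can be checked side by side. The addresses (a 10.0.0.0/8 corporate range, 203.0.113.10 as the master AP's localip, 10.255.0.5 as the tunnel inner IP, 192.168.1.0/24 as the branch LAN) are constructed sample values, and three points the article does not spell out (site-LAN traffic in Local mode, internet-bound traffic in the two L2 modes, and which device serves DHCP in Local mode) are assumptions marked in the comments.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MODES = ("local", "centralized_l2", "distributed_l2", "distributed_l3")


@dataclass
class Branch:
    """One remote site.  All addresses are constructed sample values."""
    mode: str               # one of MODES
    tunnel_inner_ip: str    # inner IP of the RAPNG IPsec tunnel on the master AP
    local_ip: str           # "localip": the master AP's uplink (WAN-side) address
    corporate_nets: list    # prefixes in the data center, reached through the tunnel
    site_lan: str           # the branch's own local LAN (printers, upstream router)
    wan_up: bool = True     # whether the WAN link, and so the tunnel, is available

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"unknown IAP DHCP mode {self.mode!r}")
        self.corporate_nets = [ip_network(n) for n in self.corporate_nets]
        self.site_lan = ip_network(self.site_lan)


def classify(branch, dst):
    """Bucket a destination as corporate (data center), local (site LAN) or internet."""
    addr = ip_address(dst)
    if any(addr in net for net in branch.corporate_nets):
        return "corporate"
    if addr in branch.site_lan:
        return "local"
    return "internet"


def forward(branch, dst):
    """Return (path, snat_ip) for a client packet sent to dst.

    path    : "ipsec"  = carried through the RAPNG tunnel to the controller
              "bridge" = bridged/forwarded out of the branch uplink
              "drop"   = the tunnel is needed but the WAN link is down
    snat_ip : address the master AP source-NATs to, or None when the
              client's own address is kept end to end.
    """
    kind = classify(branch, dst)
    tunnel = ("ipsec", None) if branch.wan_up else ("drop", None)
    if branch.mode == "local":
        # Corporate traffic is SNATed to the tunnel's inner IP; internet traffic
        # to localip.  Assumption: site-LAN traffic is treated like internet
        # traffic, which the article does not state for this mode.
        if kind == "corporate":
            return ("ipsec", branch.tunnel_inner_ip) if branch.wan_up else ("drop", None)
        return ("bridge", branch.local_ip)
    if branch.mode in ("centralized_l2", "distributed_l2"):
        # The client's gateway sits in the data center, so anything that is not
        # a local destination is handed to that gateway over the tunnel at L2.
        # Assumption: internet-bound traffic follows the gateway as well.
        if kind == "local":
            return ("bridge", branch.local_ip)
        return tunnel
    # distributed_l3: the master AP is the client gateway and routes corporate
    # prefixes through the tunnel; everything else is SNATed locally.
    if kind == "corporate":
        return tunnel
    return ("bridge", branch.local_ip)


def dhcp_server(branch):
    """Which device hands out client leases in each mode."""
    if branch.mode == "centralized_l2":
        return "data-center"   # external DHCP server reached over the tunnel
    # Distributed L2 and L3: the master AP.  Assumption: Local mode also serves
    # leases from the master AP (the article does not say).
    return "master-ap"


def lease_renewal_works(branch):
    """Leases served from across the tunnel cannot be renewed while the WAN is
    down; leases served by the master AP can."""
    return branch.wan_up or dhcp_server(branch) == "master-ap"


def proxy_arps_for_gateway(branch):
    """Only Distributed L2 has the IAP answer ARP for the data-center gateway
    while the WAN link is down, keeping the clients' next hop resolvable."""
    return branch.mode == "distributed_l2" and not branch.wan_up


if __name__ == "__main__":
    site = dict(tunnel_inner_ip="10.255.0.5", local_ip="203.0.113.10",
                corporate_nets=["10.0.0.0/8"], site_lan="192.168.1.0/24")
    for mode in MODES:
        for wan_up in (True, False):
            b = Branch(mode=mode, wan_up=wan_up, **site)
            print(mode, "wan_up" if wan_up else "wan_down",
                  "corp:", forward(b, "10.1.2.3"),
                  "lan:", forward(b, "192.168.1.50"),
                  "inet:", forward(b, "198.51.100.7"),
                  "dhcp_renew:", lease_renewal_works(b),
                  "proxy_arp:", proxy_arps_for_gateway(b))
```

Running the module prints one line per mode and WAN state; the `wan_down` rows make the operational difference between the two L2 modes visible: Centralized L2 clients lose both their gateway and their ability to renew a lease, while Distributed L2 clients keep a resolvable gateway via proxy ARP and renew against the master AP.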