Generally, the routing table mentioned in the IAP will be applicable to all SSID's. The configuration mentioned in this is considered in use cases, where you you have two or more SSID's and for SSID-1 you wanted the users corporate and internet traffic to get into VPN tunnel towards controller and then to Internet. Whereas, for the SSID-2, you want corporate traffic to get into tunnel and remaining outbound Internet Traffic to bridge locally.
- Any destination / service can be configured to have direct Internet access (bypassing tunnel) via ACL
- Achieved via src-nat for the defined rule in the ACL
- Src-NAT done by Virtual Controller using its uplink IP
- Overrides the routing profile configuration
- Provides functionality of different forwarding policies for different SSIDs
Environment : This article applies to all Aruba Instant Access Points running Aruba InstantOS version 18.104.22.168-22.214.171.124 or later.
Login to Web Interface of Instant AP
Create a New SSID or edit the existing SSID
On the "Access" tab, we would add a new rule to allow any service to specific corporate network.
Add an other rule that would Src-NAT and bridge rest of the outbound Internet traffic. As shown below:
VPN status from IAP to Controller:
Show VPN Config
Show VPN Status
To verify the SSID configuration:
- Show running-config
- Show access-rule <rule name>
- Show datapath session
(Filter with the Client IP address and look for Src-Nat flag)