Restricted corporate access feature on IAP 4.0

Aruba Employee

Advantages and Features of Restricted Corporate access 4.0

1. IAP currently supports corporate access from upstream devices, using the master AP as the VPN gateway.
2. In single-AP VPN deployments that use a shared unmanaged switch, this can be exploited by rogue clients/IAPs to gain corporate access.
3. This feature provides a way to restrict corporate access (through the VPN tunnel) for clients/Slave APs on the upstream side.
4. The feature works by changing the permit/src-nat rule on the uplink ACL (ACL 106) to deny traffic to the corporate subnet.
WEBUI Configuration:-
CLI configuration:-

Configuration CLI: restrict-corp-access
Show CLI: "show summary" includes information about configured restricted management subnets

6c:f3:7f:c3:67:4a (config) # restrict-corp-access
6c:f3:7f:c3:67:4a (config) # end
6c:f3:7f:c3:67:4a# commit apply
committing configuration...
configuration committed.
6c:f3:7f:c3:67:4a# show summary | include "Restrict Corporate Access"
Restrict Corporate Access:enable
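
To check this setting across several IAPs, the "show summary" output above can be parsed from saved CLI transcripts. The following is an added example, not Aruba's code: the function names and the two extra AP MAC addresses are hypothetical, and the "disable" value in the sample is assumed (the page shows only "enable"), so anything other than "enable" is reported.

```python
import re

# Prompt format as shown in the session above: "<AP MAC># <command>"
PROMPT = re.compile(r"^((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*#\s*(.*)$", re.I)
STATUS = re.compile(r"^Restrict Corporate Access\s*:\s*(\S+)", re.I)

def audit(transcript):
    """Map each AP MAC to the reported status, or to 'missing' when
    'show summary' was run but printed no Restrict Corporate Access line."""
    results, current = {}, None
    for line in transcript.splitlines():
        line = line.strip()
        prompt = PROMPT.match(line)
        if prompt:
            # Only attribute output that follows a 'show summary' command.
            is_summary = prompt.group(2).startswith("show summary")
            current = prompt.group(1).lower() if is_summary else None
            if current:
                results.setdefault(current, "missing")
            continue
        status = STATUS.match(line)
        if status and current:
            results[current] = status.group(1).lower()
    return results

def unrestricted(results):
    """APs where the feature is not confirmed as enabled."""
    return sorted(ap for ap, state in results.items() if state != "enable")

# Constructed sample: the first AP is the one from the session above; the
# other two MACs and the 'disable' value are made up for illustration.
SAMPLE = """\
6c:f3:7f:c3:67:4a# show summary | include "Restrict Corporate Access"
Restrict Corporate Access:enable
00:00:5e:00:53:01# show summary | include "Restrict Corporate Access"
Restrict Corporate Access:disable
00:00:5e:00:53:02# show summary | include "Restrict Corporate Access"
00:00:5e:00:53:02# show version
"""

if __name__ == "__main__":
    for ap in unrestricted(audit(SAMPLE)):
        print("corporate access not confirmed restricted:", ap)
```

An AP reported as "missing" ran the command but returned no matching line, which is worth checking by hand rather than treating as compliant.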

Debug & Troubleshooting Example:-
See the screenshot below for debugging.

ACL hits on ACL 106 can be used to check functionality.
A packet dump can be used to collect more information.
Version history: revision 1 of 1
Last update: 06-27-2014 02:13 PM

I would really like to understand this feature, but I find this explanation very confusing. Could you elaborate more on the principle, please?

I'm not following the explanation either. If this is an Instant AP, how does the GRE tunnel & controller come into play? What am I missing here?
