With the release of the 3.4 stream of IAP code, Aruba introduced support for CALEA or Lawful Intercept. This is a growing requirement in the areas of public Wi-Fi, hotspots and QSR restaurants, so I thought I'd post some detail given I get asked this a lot.
This was problematic before with controllers and RAPs, as port mirroring was not supported on Split-Tunnel RAPs unless you re-provisioned them with the forward mode set to tunnel and did not NAT on the controller. (Port mirroring works fine on CAP/Tunnel.)
Each IAP can be configured to use an individual GRE tunnel to the CALEA server and replicate client traffic within that GRE tunnel. Each IAP performs GRE encapsulation only for its own associated or connected clients. You can also deploy the CALEA server with a controller and configure an additional IPsec tunnel for corporate access. The IPsec configuration is transparent to each slave IAP.
When the CALEA server is configured with a controller, the slave IAP replicates the client traffic, encapsulates the client data in GRE and routes it to the master IAP, which then sends the IPsec client traffic to the controller. The controller handles the IPsec client traffic, while the GRE data is routed to the CALEA server.
Config stub
(IAP-AK)(config)# calea <---CALEA Sub mode
(IAP-AK)(calea)# ip 192.168.175.25 <--- CALEA dump server
(IAP-AK)(calea)# encapsulation-type gre <--- Only GRE supported right now
(IAP-AK)(calea)# gre-type 25944
(IAP-AK)(calea)# end
(IAP-AK)# commit apply
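
The gre-type 25944 in the stub above is 0x6558 in hex, the EtherType registered for Transparent Ethernet Bridging, so by the standard meaning of that value each GRE payload is a complete mirrored Ethernet frame. As an added example (not from the original post or from Aruba), here is a receiver-side check in Python that validates the GRE type and pulls the inner frame's addresses; the function names and sample packets are constructed, and it assumes the IAP follows the standard 0x6558 payload layout.

```python
import struct

CALEA_GRE_TYPE = 25944  # gre-type from the config stub; same value as 0x6558

def parse_gre(packet: bytes):
    """Parse a GRE header (RFC 2784/2890) and return (protocol_type, payload)."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto = struct.unpack("!HH", packet[:4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    if flags_ver & 0x4000:
        raise ValueError("RFC 1701 source routing not supported")
    offset = 4
    for bit in (0x8000, 0x2000, 0x1000):  # checksum, key, sequence number
        if flags_ver & bit:
            offset += 4                   # each optional field is 4 bytes
    if len(packet) < offset:
        raise ValueError("truncated GRE optional fields")
    return proto, packet[offset:]

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def inner_ethernet(packet: bytes):
    """Return (dst_mac, src_mac, ethertype) of the mirrored frame,
    or None when the GRE type is not the one configured on the IAP."""
    proto, payload = parse_gre(packet)
    if proto != CALEA_GRE_TYPE:
        return None
    if len(payload) < 14:
        raise ValueError("truncated inner Ethernet frame")
    (ethertype,) = struct.unpack("!H", payload[12:14])
    return mac(payload[0:6]), mac(payload[6:12]), ethertype

# Constructed samples (assumption: inner frame layout per standard 0x6558 use).
SAMPLE_INNER = bytes.fromhex("02000000000a02000000000b0800") + b"\x45" + b"\x00" * 19
SAMPLE_GRE = struct.pack("!HH", 0x0000, CALEA_GRE_TYPE) + SAMPLE_INNER
SAMPLE_KEYED = struct.pack("!HHI", 0x2000, CALEA_GRE_TYPE, 7) + SAMPLE_INNER
SAMPLE_OTHER = struct.pack("!HH", 0x0000, 0x0800) + SAMPLE_INNER[14:]

if __name__ == "__main__":
    for name, pkt in (("plain", SAMPLE_GRE), ("keyed", SAMPLE_KEYED), ("other", SAMPLE_OTHER)):
        print(name, inner_ethernet(pkt))
```
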