Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Instant Traffic from Guest SSID tunneled back to the Company

  • 1.  Instant Traffic from Guest SSID tunneled back to the Company

    Posted Sep 18, 2013 05:12 AM

    Hello, I want to tunnel a Guest SSID on IAP back to the Company Controller via VPN while using Local Traffic from the Corporate SSID in the branch. So my question is how the Guest SSID is matched to the Tunnel. The Documentation is not really clear, I think. I only find a VPN Routing Table, but in this Table it is not possible to associate only the Guest SSID to be tunneled while the rest is bridged in the branch. Is there a PDF available that explains the Config? It seems that it works over the DHCP Config, but for me the Manual is also not really clear on that.

     

    Best Regards



  • 2.  RE: Instant Traffic from Guest SSID tunneled back to the Company

    EMPLOYEE
    Posted Sep 18, 2013 08:08 AM

    Do you need captive portal for this ssid?  If not, you can use the IAP-VPN configuration.  The IAP must be whitelisted on the controller and the controller must be running 6.2 or above.  In the 6.3 user guide, this config is detailed in Chapter 41. The Instant user guide includes details on how to set it up on that end.

     

    There are multiple VPN modes you can run in.  Please read the docs (or enlist a partner/Aruba SE help) to pick the best one.  The "hooks" if you will in this design are specified in the VPN section on the IAP.  First, you select the controller VPN termination points and then the routes into corp.  If you want to tunnel ALL traffic put a 0.0.0.0/0 route in this table:

     

    800px-Rapng-iap-2.png

     

    2. Then you select DHCP server and select the mode and addressing you wish to have (L3/local modes). The VLAN ID you select here is CRUCIAL.

     

    800px-Rapng-iap-9.png

     

    3. In your SSID settings, the VLAN from step #2 above is mirrored here.  That is the "hook" between the WLAN config and the VPN config and how the IAPs know to place clients into a VPN configuration.

     

    800px-Rapng-iap-12.png

     



  • 3.  RE: Instant Traffic from Guest SSID tunneled back to the Company

    Posted Sep 19, 2013 04:11 AM

    Thanks a lot.

     

    For my understanding: it's the same for all DHCP Modes. Which Traffic is sent back to the Controller is configured by the matching VLAN ID or via the VPN Routing Table?

     

    So I can use the CP on the Controller or on the IAP and all other Functions as usual. Only the VLAN Entry on the VPN Tab shows the AP what is sent via VPN, correct?

     

    best Regards



  • 4.  RE: Instant Traffic from Guest SSID tunneled back to the Company
    Best Answer

    EMPLOYEE
    Posted Sep 19, 2013 07:35 AM

    Yes...you specify what goes into the tunnel via the VPN routing table

     

    Yes...the VLAN entry matching on BOTH the SSID and VPN "bind" the logic together.  In terms of a CP, you can use the one on the IAP, an external URL like ClearPass, OR you might be able to use one on the controller via an untrusted port/VLAN but that would have to be tested as it is something that I would consider out of scope.



  • 5.  RE: Instant Traffic from Guest SSID tunneled back to the Company

    Posted Sep 19, 2013 08:19 AM

    One additional Question. If I have the bind between the VPN and the SSID with the VLAN, is the VPN Routing Table necessary to use, or only the bind?

    Because in the Case of the Guest VLAN to be sent through the Tunnel I had to use destination any.... and that would be a Problem if a Corporate SSID has to be local. Or, if the VPN Routing Table is necessary, is it only used for the VLAN that is bound?

     

    Thanks a lot



  • 6.  RE: Instant Traffic from Guest SSID tunneled back to the Company

    EMPLOYEE
    Posted Sep 19, 2013 08:21 AM
    You must define the VPN routing table.


  • 7.  RE: Instant Traffic from Guest SSID tunneled back to the Company

    Posted Sep 19, 2013 08:35 AM

    OK, so is the Table then used for all Traffic from the AP or only for the Traffic that is in the bound VLAN?



  • 8.  RE: Instant Traffic from Guest SSID tunneled back to the Company
    Best Answer

    EMPLOYEE
    Posted Sep 19, 2013 08:42 AM
    Only traffic on that vlan
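
The logic the answers above describe (SSID maps to a VLAN, the VLAN binds it to the VPN/DHCP config, and the VPN routing table is consulted only for traffic on that VLAN), written out as a small model that also audits guest/corporate separation. This is an added illustration, not Aruba code or IAP configuration syntax and not part of the original thread; the SSID names, VLAN IDs, probe addresses and function names are constructed assumptions.

```python
import ipaddress

def forwarding(ssid, dst_ip, ssid_vlan, vpn_vlans, vpn_routes):
    """Return 'tunnel' or 'local' for a client on `ssid` sending to `dst_ip`."""
    vlan = ssid_vlan[ssid]
    # The VLAN is the "hook": if the SSID's VLAN is not the one chosen in the
    # VPN/DHCP config, the VPN routing table is never consulted.
    if vlan not in vpn_vlans:
        return "local"
    dst = ipaddress.ip_address(dst_ip)
    # On a bound VLAN, the VPN routing table decides what enters the tunnel.
    if any(dst in ipaddress.ip_network(route) for route in vpn_routes):
        return "tunnel"
    return "local"

def audit(ssid_vlan, vpn_vlans, vpn_routes, tunneled_ssids, probe_ips):
    """Return (ssid, dst_ip, actual) for every flow that violates the intent:
    SSIDs in `tunneled_ssids` must always tunnel, all others must stay local."""
    findings = []
    for ssid in sorted(ssid_vlan):
        want = "tunnel" if ssid in tunneled_ssids else "local"
        for ip in probe_ips:
            got = forwarding(ssid, ip, ssid_vlan, vpn_vlans, vpn_routes)
            if got != want:
                findings.append((ssid, ip, got))
    return findings

# Constructed sample values (assumptions, not taken from the thread).
SSID_VLAN = {"Guest": 30, "Corporate": 1}   # SSID -> client VLAN
VPN_VLANS = {30}                            # VLAN selected in the VPN/DHCP config
VPN_ROUTES = ["0.0.0.0/0"]                  # tunnel ALL traffic on that VLAN
PROBES = ["203.0.113.10", "10.1.1.10"]      # one Internet, one internal destination

if __name__ == "__main__":
    print(audit(SSID_VLAN, VPN_VLANS, VPN_ROUTES, {"Guest"}, PROBES))
    # Misconfiguration: Corporate SSID placed on the bound VLAN gets tunneled too.
    print(audit({"Guest": 30, "Corporate": 30}, VPN_VLANS, VPN_ROUTES,
                {"Guest"}, PROBES))
```
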