Wireless Access

Regular Contributor I
Posts: 186
Registered: ‎03-22-2013

Can I redirect application traffic to an ESI?

We have two internet links: one is the default route out of our network, the other is for guests. I use the route-to-esi feature to redirect guest traffic out of an interface that connects into a DMZ, the gateway of which is the firewall for this link. All works great.

However, I've now been asked if we can do this for BYOD devices that connect to our corporate LAN.

By default, like our corp PCs, BYOD devices will use our primary internet link; however, I've been asked if we could redirect traffic to, say, Dropbox, so it goes out of the ESI interface? I know the controllers have visibility of applications, I just don't know if this can be used to create such a policy....

Thought I'd ask the q to see if technically possible....

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: Can I redirect application traffic to an ESI?

You can use the new AppRF 2.0 features in 6.4 to do this. In your session ACLs, use the application and/or application category source/destination options.

Note: this will only work on 7000 and 7200 controllers with deep packet inspection and DNS lookups enabled.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 186
Registered: ‎03-22-2013

Re: Can I redirect application traffic to an ESI?

Unfortunately I don't think we can upgrade to 6.4 as I was told support for some of our older APs would not go beyond 6.3!

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: Can I redirect application traffic to an ESI?

The only other option would be to use DNS names but this will not be reliable due to the heavy use of CDNs these days.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 186
Registered: ‎03-22-2013

Re: Can I redirect application traffic to an ESI?

OK, thanks for that. We will have to look at other options.

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: Can I redirect application traffic to an ESI?

Unfortunately, when setting rules for applications or application categories, you can only permit or drop; you cannot apply other actions.  It may be a limitation of the DPI process; you can try and put this on the Idea Portal. 

 

(aruba-7210) (config-sess-test)#user any app dropbox ?
deny                    Specify packets to reject
permit                  Specify packets to forward

 

vs.

 

(arbua-7210) (config-sess-test)#user any svc-http ?
deny                    Specify packets to reject
dst-nat                 Perform destination NAT on packets
dual-nat                Perform both source and destination NAT on packets
permit                  Specify packets to forward
redirect                Redirect packets
route                   Route packets
src-nat                 Perform source NAT on packets

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
