I've got a central controller deployment and there are some branch offices with a local internet connection. I'm planning to use RAP for branches which are controlled by the central controller at the HQ office.
How can I route internet requests via the local internet in the branch?
Thanks Victor, I know about using split tunnel, but what's not fully clear to me is what should be my default gateway and DHCP server. I've gone through different documents and the discussions were confusing or different.
You control this with the firewall rules attached to a role (access-list session). In the example:
ip access-list session <policy>
any any svc-dhcp permit
any alias <name> any permit
user any any route src-nat
The first line will allow DHCP; this DHCP is from the VLAN where the client is placed and will live centrally on the controller. The second line, but basically everything with action permit, will be sent through the tunnel to the controller. The last line, with action route nat, will break out on the RAP locally and that traffic's source IP will be NATted to the IP address of your RAP. So IP and default gateway will be on or behind the controller, but due to NAT the client traffic can be routed directly to the internet.
So: permit = tunnel to controller, route nat = break out locally.
The problem is my DHCP server is the controller in the data centre and the default gateway for guest users is the firewall in the branch office,
The default gateway given to the client by the centralised DHCP is not actually used for "internet" traffic. Note the "user any any route src-nat" at the bottom of the ACL which Herman wrote; in this case, all the traffic that doesn't go up the tunnel (e.g. everything other than DHCP) will be source-NATted to the branch LAN IP of the AP and thus it will follow the default gateway that the AP itself uses. The client thinks it's sending to the default gateway, but the AP intercepts it.
Hence, the only requirement here is that the default gateway given to the APs by whatever DHCP server exists in the branch LAN is also the one that the clients will use to reach the internet, so it must be the firewall.
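To make the two answers above concrete, here is a small model of how the RAP evaluates that session ACL, first match wins, and what happens to the source address and next hop on each path. This is an added illustration written for this thread, not code from the thread or from Aruba; the addresses, the corporate network standing in for the "alias <name>" entry, and the DHCP port test are all constructed assumptions.

```python
"""Model of split-tunnel forwarding on a RAP: which client packets go up the
tunnel (permit) and which break out locally with source NAT (route src-nat).
Constructed example; addresses and the alias contents are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumptions, not from the thread).
CLIENT_GW = "10.50.0.1"      # gateway handed to clients by the central DHCP (controller VLAN)
RAP_LAN_IP = "192.168.1.20"  # RAP's own address on the branch LAN, from the branch DHCP
RAP_GW = "192.168.1.1"       # branch firewall: the RAP's own default gateway
CORP_NETS = [ip_network("10.0.0.0/8")]  # stands in for the destination 'alias <name>'


@dataclass
class Packet:
    src: str
    dst: str
    proto: str  # 'udp' or 'tcp'
    dport: int


@dataclass
class Rule:
    src: str      # 'user' (authenticated client) or 'any'; all packets here come from a client
    dst: str      # 'any' or 'alias'
    service: str  # 'any' or 'svc-dhcp'
    action: str   # 'permit' or 'route src-nat'


# The session ACL from the thread, one Rule per line, in the order written.
POLICY = [
    Rule("any", "any", "svc-dhcp", "permit"),        # any any svc-dhcp permit
    Rule("any", "alias", "any", "permit"),           # any alias <name> any permit
    Rule("user", "any", "any", "route src-nat"),     # user any any route src-nat
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Match a packet against one ACL line (service and destination only;
    the 'user'/'any' source qualifier matches every client packet in this model)."""
    if rule.service == "svc-dhcp":
        if not (pkt.proto == "udp" and pkt.dport in (67, 68)):
            return False
    if rule.dst == "alias":
        if not any(ip_address(pkt.dst) in net for net in CORP_NETS):
            return False
    return True


def forward(pkt: Packet, policy=POLICY):
    """Return (path, source IP as seen on the wire, next hop) for the first
    matching rule. ArubaOS session ACLs end with an implicit deny, modelled as 'drop'."""
    for rule in policy:
        if matches(rule, pkt):
            if rule.action == "permit":
                # Sent inside the tunnel; the client's own IP and gateway apply there.
                return ("tunnel", pkt.src, CLIENT_GW)
            if rule.action == "route src-nat":
                # RAP intercepts, rewrites the source to its LAN IP and uses its own gateway.
                return ("local", RAP_LAN_IP, RAP_GW)
    return ("drop", None, None)


if __name__ == "__main__":
    samples = {
        "dhcp discover": Packet("0.0.0.0", "255.255.255.255", "udp", 67),
        "corporate https": Packet("10.50.0.55", "10.1.2.3", "tcp", 443),
        "internet https": Packet("10.50.0.55", "203.0.113.10", "tcp", 443),
    }
    for name, pkt in samples.items():
        print(f"{name:16} -> {forward(pkt)}")
    # Order matters: with the route src-nat line first, even DHCP breaks out locally.
    print("reversed policy, dhcp ->", forward(samples["dhcp discover"], POLICY[::-1]))
```

Running it shows DHCP and corporate traffic leaving with the client's own address via the tunnel, while internet traffic leaves the RAP with the RAP's LAN IP and the branch firewall as next hop, which is why the gateway the branch DHCP gives the RAP is the one that matters. The reversed-policy line also shows the edge case to watch for: the route src-nat line must stay last, or it swallows the DHCP and corporate lines above it.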